четверг, 16 ноября 2017 г.

crypt32.dll SIPs

in cool paper "subverting windows trust" was described mechanism of subject interface package (SIP)
Lets see how we can extract and dump them
Unfortunately list of SIPs inside crypt32.dll don't have name in .pdb. One way is to find it with help of IDA Pro from function FindDll:

  push    [ebp+nSize]                   ; nSize
  push    ebx                           ; lpDst
  push    [ebp+lpSrc]                   ; lpSrc
  call    ds:__imp__ExpandEnvironmentStringsW@12
  test    eax, eax
  jz      short loc_5CF28F50
  push    offset dll_cs

  call    ds:__imp__EnterCriticalSection@4
  mov     edi, dll_list ; linked list of SIPs
  test    edi, edi
  jz      short loc_5CF28F89

next_item:
  push    0FFFFFFFFh                    ; cchCount2
  push    dword ptr [edi+8]             ; lpString2
  push    0FFFFFFFFh                    ; cchCount1
  push    ebx                           ; lpString1
  push    1                             ; dwCmpFlags
  push    409h                          ; Locale
  call    ds:__imp__CompareStringW@24
  dec     eax
  sub     eax, 1
  jz      short loc_5CF28F41
  mov     edi, [edi+4]
  test    edi, edi
  jnz     short next_item


this address (I named it dll_list) contains head of linked list to SIPs structures like this:
struct sip_item
{
  sip_item *next;
  PVOID unk4;        // ptr to crypto32_dll_list_item
  const char *fname; // actually ends to end of sip_item
  PVOID pfn; // if function was resolved, else NULL
};

struct crypto32_dll_list_item
{
  PVOID unk;
  crypto32_dll_list_item *next;
  const wchar_t *dll_name;

  HANDLE base; // if dll was loaded - load base else NULL
  DWORD unk10;
  DWORD unk14;
  sip_item *func_items_list;
  PVOID unk20;
  PVOID unk24;
  PVOID unk28;
};


it's interesting to note that not all SIP .dll loading at initialization of SIP structures - in fact they are almost always empty and contain only names. Sample of output from lsass.exe:
 SIP: 000002669EE8CCA0 C:\Windows\System32\SecureTimeAggregator.dll base 00007FF96EE90000
  SIP data at 000002669F848B70: GetSecureTime 00007FF96EE95770 C:\Windows\System32\SecureTimeAggregator.dll
  SIP data at 000002669F84C290: AggregateSSLHandshakeTime 00007FF96EE95680 C:\Windows\System32\SecureTimeAggregator.dll
 SIP: 000002669EEA1A90 C:\Windows\System32\inetcomm.dll
  SIP data at 000002669F863C90: EssContentHintEncodeEx
  SIP data at 000002669F863DD0: EssMLHistoryEncodeEx
  SIP data at 000002669F863D90: EssSecurityLabelEncodeEx
  SIP data at 000002669F863A10: EssSignCertificateEncodeEx
  SIP data at 000002669F863D10: EssKeyExchPreferenceEncodeEx
  SIP data at 000002669F863F50: EssReceiptRequestEncodeEx
  SIP data at 000002669F863910: EssReceiptEncodeEx
  SIP data at 000002669F87B2D0: EssContentHintDecodeEx
  SIP data at 000002669F87B290: EssMLHistoryDecodeEx
  SIP data at 000002669F87B6D0: EssSecurityLabelDecodeEx
  SIP data at 000002669F87B3D0: EssSignCertificateDecodeEx
  SIP data at 000002669F87B650: EssKeyExchPreferenceDecodeEx
  SIP data at 000002669F87B190: EssReceiptRequestDecodeEx
  SIP data at 000002669F87B450: EssReceiptDecodeEx
 SIP: 000002669EEA19F0 C:\Windows\System32\cryptnet.dll base 00007FF96EE60000
  SIP data at 000002669F8633D0: CertDllVerifyRevocation 00007FF96EE65A90 C:\Windows\System32\cryptnet.dll
  SIP data at 000002669F87B390: LdapProvOpenStore
  SIP data at 000002669F87B4D0: LdapProvOpenStore

Комментариев нет:

Отправить комментарий