Tuesday, November 7, 2017

rpcrt4 security providers

The count of loaded providers is stored in rpcrt4!LoadedProviders and the list itself in rpcrt4!ProviderList.
The structure of each provider can be partially recovered from the function FindSecurityPackage:
struct _rpc_loaded_provider
{
  DWORD unk1;                   // followed by 4 bytes of alignment padding on x64
  PVOID unk2;
  PSecurityFunctionTable table; // pointer to the provider's SECURITY_FUNCTION_TABLE
  PVOID unk3;
  PVOID unk4;
}; // size of struct 0x14 for x86 and 0x28 for x64


It is interesting that the function InitSecurityFunctionTable patches the contents of the SECURITY_FUNCTION_TABLE: in the netlogon table below, the entries that resolve into RPCRT4.dll rather than netlogon.DLL are the ones it replaced. Sample output from w8.1:


Module: C:\Windows\system32\RPCRT4.dll at 00007FFE16D90000
 rpcrt4.dll!GlobalRpcServer: 000000E5C25C98C0
 LoadedProviders at 00007FFE16EAB0F4: 2
 ProviderList at 00007FFE16EAB248: 000000E5C25D5710
 item size 28:
00000000  0B 00 00 00-01 20 00 00|30 86 61 C2-E5 00 00 00  ..... ..0†aΒε...
00000010  20 5A 96 14-FE 7F 00 00|50 FA 5D C2-E5 00 00 00   Z–.ώ..Pϊ]Βε...
00000020  80 0A 60 C2-E5 00 00 00|01 00 00 00-00 00 00 00  €.`Βε...........
00000030  50 F3 5F C2-E5 00 00 00|A0 FB DE 13-FE 7F 00 00  Pσ_Βε... ϋή.ώ..
00000040  10 5E 61 C2-E5 00 00 00|70 AF 60 C2-E5 00 00 00  .^aΒε...p―`Βε...

 SecurityProvider[0]: 00007FFE14965A20 C:\Windows\system32\SspiCli.dll
 SecurityFunctionTable at 00007FFE14965A20:
00000000  01 00 00 00-00 00 00 00|30 9F 94 14-FE 7F 00 00  ........0Ÿ”.ώ..
00000010  00 6F 94 14-FE 7F 00 00|10 6A 94 14-FE 7F 00 00  .o”.ώ...j”.ώ..
00000020  70 6B 94 14-FE 7F 00 00|00 00 00 00-00 00 00 00  pk”.ώ..........
00000030  60 7E 94 14-FE 7F 00 00|10 F1 94 14-FE 7F 00 00  `~”.ώ...ρ”.ώ..
00000040  40 09 96 14-FE 7F 00 00|30 81 94 14-FE 7F 00 00  @.–.ώ..0”.ώ..
00000050  40 16 95 14-FE 7F 00 00|40 78 94 14-FE 7F 00 00  @.•.ώ..@x”.ώ..
00000060  40 DE 94 14-FE 7F 00 00|30 E0 94 14-FE 7F 00 00  @ή”.ώ..0ΰ”.ώ..
00000070  80 04 95 14-FE 7F 00 00|30 03 95 14-FE 7F 00 00  €.•.ώ..0.•.ώ..
00000080  50 28 94 14-FE 7F 00 00|F0 E8 94 14-FE 7F 00 00  P(”.ώ..πθ”.ώ..
00000090  80 21 94 14-FE 7F 00 00|50 23 94 14-FE 7F 00 00  €!”.ώ..P#”.ώ..
000000A0  D0 09 96 14-FE 7F 00 00|60 0B 96 14-FE 7F 00 00  Π.–.ώ..`.–.ώ..
000000B0  50 07 96 14-FE 7F 00 00|00 00 00 00-00 00 00 00  P.–.ώ..........
000000C0  F0 FE 94 14-FE 7F 00 00|80 21 94 14-FE 7F 00 00  πώ”.ώ..€!”.ώ..
000000D0  50 23 94 14-FE 7F 00 00|00 00 00 00-00 00 00 00  P#”.ώ..........
000000E0  00 00 00 00-00 00 00 00                          ........

  EnumerateSecurityPackages:  00007FFE14949F30 C:\Windows\system32\SspiCli.dll
  QueryCredentialsAttributes: 00007FFE14946F00 C:\Windows\system32\SspiCli.dll
  AcquireCredentialsHandle:   00007FFE14946A10 C:\Windows\system32\SspiCli.dll
  FreeCredentialsHandle:      00007FFE14946B70 C:\Windows\system32\SspiCli.dll
  InitializeSecurityContext:  00007FFE14947E60 C:\Windows\system32\SspiCli.dll
  AcceptSecurityContext:      00007FFE1494F110 C:\Windows\system32\SspiCli.dll
  CompleteAuthToken:          00007FFE14960940 C:\Windows\system32\SspiCli.dll
  DeleteSecurityContext:      00007FFE14948130 C:\Windows\system32\SspiCli.dll
  ApplyControlToken:          00007FFE14951640 C:\Windows\system32\SspiCli.dll
  QueryContextAttributes:     00007FFE14947840 C:\Windows\system32\SspiCli.dll
  ImpersonateSecurityContext: 00007FFE1494DE40 C:\Windows\system32\SspiCli.dll
  RevertSecurityContext:      00007FFE1494E030 C:\Windows\system32\SspiCli.dll
  MakeSignature:              00007FFE14950480 C:\Windows\system32\SspiCli.dll
  VerifySignature:            00007FFE14950330 C:\Windows\system32\SspiCli.dll
  FreeContextBuffer:          00007FFE14942850 C:\Windows\system32\SspiCli.dll
  QuerySecurityPackageInfo:   00007FFE1494E8F0 C:\Windows\system32\SspiCli.dll
  ExportSecurityContext:      00007FFE149609D0 C:\Windows\system32\SspiCli.dll
  ImportSecurityContext:      00007FFE14960B60 C:\Windows\system32\SspiCli.dll
  AddCredentials:             00007FFE14960750 C:\Windows\system32\SspiCli.dll
  QuerySecurityContextToken:  00007FFE1494FEF0 C:\Windows\system32\SspiCli.dll
  EncryptMessage:             00007FFE14942180 C:\Windows\system32\SspiCli.dll
  DecryptMessage:             00007FFE14942350 C:\Windows\system32\SspiCli.dll
 SecurityProvider[1]: 00007FFE13DEFBA0 C:\Windows\system32\netlogon.DLL
 SecurityFunctionTable at 00007FFE13DEFBA0:
00000000  01 00 00 00-00 00 00 00|B0 07 D7 13-FE 7F 00 00  ........°.Χ.ώ..
00000010  00 00 00 00-00 00 00 00|90 DE D3 13-FE 7F 00 00  ........ήΣ.ώ..
00000020  F0 73 D6 13-FE 7F 00 00|00 00 00 00-00 00 00 00  πsΦ.ώ..........
00000030  00 F4 D5 13-FE 7F 00 00|70 DF D3 13-FE 7F 00 00  .τΥ.ώ..pίΣ.ώ..
00000040  40 FE E2 16-FE 7F 00 00|80 73 D4 13-FE 7F 00 00  @ώβ.ώ..€sΤ.ώ..
00000050  40 FE E2 16-FE 7F 00 00|D0 DD D3 13-FE 7F 00 00  @ώβ.ώ..ΠέΣ.ώ..
00000060  60 DF D3 13-FE 7F 00 00|60 DF D3 13-FE 7F 00 00  `ίΣ.ώ..`ίΣ.ώ..
00000070  30 2F DD 13-FE 7F 00 00|F0 2F DD 13-FE 7F 00 00  0/έ.ώ..π/έ.ώ..
00000080  10 2F DD 13-FE 7F 00 00|E0 07 D7 13-FE 7F 00 00  ./έ.ώ..ΰ.Χ.ώ..
00000090  00 D1 D3 13-FE 7F 00 00|F0 D6 D3 13-FE 7F 00 00  .ΡΣ.ώ..πΦΣ.ώ..
000000A0  40 FE E2 16-FE 7F 00 00|40 FE E2 16-FE 7F 00 00  @ώβ.ώ..@ώβ.ώ..
000000B0  40 FE E2 16-FE 7F 00 00|00 00 00 00-00 00 00 00  @ώβ.ώ..........
000000C0  40 FE E2 16-FE 7F 00 00|40 FE E2 16-FE 7F 00 00  @ώβ.ώ..@ώβ.ώ..
000000D0  40 FE E2 16-FE 7F 00 00|00 00 00 00-00 00 00 00  @ώβ.ώ..........
000000E0  00 00 00 00-00 00 00 00                          ........

  EnumerateSecurityPackages:  00007FFE13D707B0 C:\Windows\system32\netlogon.DLL
  AcquireCredentialsHandle:   00007FFE13D3DE90 C:\Windows\system32\netlogon.DLL
  FreeCredentialsHandle:      00007FFE13D673F0 C:\Windows\system32\netlogon.DLL
  InitializeSecurityContext:  00007FFE13D5F400 C:\Windows\system32\netlogon.DLL
  AcceptSecurityContext:      00007FFE13D3DF70 C:\Windows\system32\netlogon.DLL
  CompleteAuthToken:          00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll
  DeleteSecurityContext:      00007FFE13D47380 C:\Windows\system32\netlogon.DLL
  ApplyControlToken:          00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll
  QueryContextAttributes:     00007FFE13D3DDD0 C:\Windows\system32\netlogon.DLL
  ImpersonateSecurityContext: 00007FFE13D3DF60 C:\Windows\system32\netlogon.DLL
  RevertSecurityContext:      00007FFE13D3DF60 C:\Windows\system32\netlogon.DLL
  MakeSignature:              00007FFE13DD2F30 C:\Windows\system32\netlogon.DLL
  VerifySignature:            00007FFE13DD2FF0 C:\Windows\system32\netlogon.DLL
  FreeContextBuffer:          00007FFE13DD2F10 C:\Windows\system32\netlogon.DLL
  QuerySecurityPackageInfo:   00007FFE13D707E0 C:\Windows\system32\netlogon.DLL
  ExportSecurityContext:      00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll
  ImportSecurityContext:      00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll
  AddCredentials:             00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll
  QuerySecurityContextToken:  00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll
  EncryptMessage:             00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll
  DecryptMessage:             00007FFE16E2FE40 C:\Windows\system32\RPCRT4.dll


Under w10 the format of rpc_loaded_provider was changed: it now embeds the whole SECURITY_FUNCTION_TABLE by value instead of pointing to it:
struct _rpc_loaded_provider_w10
{
  DWORD unk1;                  // followed by 4 bytes of alignment padding on x64
  PVOID unk2;
  SECURITY_FUNCTION_TABLE tab; // the table itself, starting at offset 8 on x86 and 0x10 on x64
  ...
}; // size of structure 0x120 for x64 and 0x90 for x86
 

Note that, again, InitSecurityFunctionTable does not copy every field of the
SECURITY_FUNCTION_TABLE: for example, it leaves uninitialized holes for the fields Reserved2, Reserved8, SetContextAttributesW and ChangeAccountPasswordW. Sample output from w10 build 16241:

Module: C:\Windows\System32\RPCRT4.dll at 75690000 

 rpcrt4.dll!GlobalRpcServer: 02E25958
 LoadedProviders at 757489AC: 2
 ProviderList at 757489B4: 02E61290
 item size 90:
00000000  0C 00 00 00-F8 18 E6 02|00 00 00 00-C0 A6 54 74  ....ш.ж.....А¦Tt
00000010  D0 5C 54 74-30 70 54 74|80 6F 54 74-00 00 00 00  Р\Tt0pTtЂoTt....
00000020  60 82 54 74-A0 A1 55 74|10 A7 55 74-20 7B 54 74  `‚Tt ЎUt.§Ut {Tt
00000030  B0 4D 54 74-40 5C 54 74|80 A8 55 74-F0 AC 55 74  °MTt@\TtЂЁUtр¬Ut
00000040  50 AA 55 74-10 AF 55 74|10 D4 54 74-D0 D9 54 74  PЄUt.ЇUt.ФTtРЩTt
00000050  E0 8A 54 74-D0 8B 54 74|00 A8 55 74-A0 A9 55 74  аЉTtР‹Tt.ЁUt ©Ut
00000060  D0 A5 55 74-00 00 00 00|40 AC 55 74-E0 8A 54 74  РҐUt....@¬UtаЉTt
00000070  D0 8B 54 74-00 00 00 00|00 00 00 00-00 00 00 00  Р‹Tt............
00000080  70 85 54 74-B0 5B 54 74|78 C4 E1 02-18 B8 E1 02  p…Tt°[TtxДб..ёб.
00000090  01 00 00 00-C8 2F E3 02|00 00 00 00-40 29 EB 73  ....И/г.....@)лs
000000A0  40 DF 6E 75-E0 D3 ED 73|80 D8 ED 73-00 00 00 00  @ЯnuаУнsЂШнs....
000000B0  D0 D8 ED 73-C0 CD ED 73|50 DF 6E 75-20 D8 ED 73  РШнsАНнsPЯnu Шнs
000000C0  50 DF 6E 75-20 EF ED 73|70 31 EB 73-70 31 EB 73  PЯnu пнsp1лsp1лs
000000D0  90 DE ED 73-80 F1 ED 73|60 D8 ED 73-10 F0 ED 73  ђЮнsЂснs`Шнs.рнs
000000E0  E0 F0 ED 73-30 F1 ED 73|70 DF 6E 75-70 DF 6E 75  арнs0снspЯnupЯnu
000000F0  20 DF 6E 75-00 00 00 00|50 DF 6E 75-70 DF 6E 75   Яnu....PЯnupЯnu
00000100  70 DF 6E 75-00 00 00 00|00 00 00 00-00 00 00 00  pЯnu............
00000110  00 00 00 00-00 00 00 00|50 C4 E1 02-48 2F E3 02  ........PДб.H/г.
 SecurityProvider[0]:
 SecurityFunctionTable at 02E61298:
  EnumerateSecurityPackages:  7454A6C0 C:\Windows\system32\SspiCli.dll
  QueryCredentialsAttributes: 74545CD0 C:\Windows\system32\SspiCli.dll
  AcquireCredentialsHandle:   74547030 C:\Windows\system32\SspiCli.dll
  FreeCredentialsHandle:      74546F80 C:\Windows\system32\SspiCli.dll
  InitializeSecurityContext:  74548260 C:\Windows\system32\SspiCli.dll
  AcceptSecurityContext:      7455A1A0 C:\Windows\system32\SspiCli.dll
  CompleteAuthToken:          7455A710 C:\Windows\system32\SspiCli.dll
  DeleteSecurityContext:      74547B20 C:\Windows\system32\SspiCli.dll
  ApplyControlToken:          74544DB0 C:\Windows\system32\SspiCli.dll
  QueryContextAttributes:     74545C40 C:\Windows\system32\SspiCli.dll
  ImpersonateSecurityContext: 7455A880 C:\Windows\system32\SspiCli.dll
  RevertSecurityContext:      7455ACF0 C:\Windows\system32\SspiCli.dll
  MakeSignature:              7455AA50 C:\Windows\system32\SspiCli.dll
  VerifySignature:            7455AF10 C:\Windows\system32\SspiCli.dll
  FreeContextBuffer:          7454D410 C:\Windows\system32\SspiCli.dll
  QuerySecurityPackageInfo:   7454D9D0 C:\Windows\system32\SspiCli.dll
  ExportSecurityContext:      7455A800 C:\Windows\system32\SspiCli.dll
  ImportSecurityContext:      7455A9A0 C:\Windows\system32\SspiCli.dll
  AddCredentials:             7455A5D0 C:\Windows\system32\SspiCli.dll
  QuerySecurityContextToken:  7455AC40 C:\Windows\system32\SspiCli.dll
  EncryptMessage:             74548AE0 C:\Windows\system32\SspiCli.dll
  DecryptMessage:             74548BD0 C:\Windows\system32\SspiCli.dll
 SecurityProvider[1]:
 SecurityFunctionTable at 02E61328:
  EnumerateSecurityPackages:  73EB2940 C:\Windows\system32\netlogon.DLL
  QueryCredentialsAttributes: 756EDF40 C:\Windows\System32\RPCRT4.dll
  AcquireCredentialsHandle:   73EDD3E0 C:\Windows\system32\netlogon.DLL
  FreeCredentialsHandle:      73EDD880 C:\Windows\system32\netlogon.DLL
  InitializeSecurityContext:  73EDD8D0 C:\Windows\system32\netlogon.DLL
  AcceptSecurityContext:      73EDCDC0 C:\Windows\system32\netlogon.DLL
  CompleteAuthToken:          756EDF50 C:\Windows\System32\RPCRT4.dll
  DeleteSecurityContext:      73EDD820 C:\Windows\system32\netlogon.DLL
  ApplyControlToken:          756EDF50 C:\Windows\System32\RPCRT4.dll
  QueryContextAttributes:     73EDEF20 C:\Windows\system32\netlogon.DLL
  ImpersonateSecurityContext: 73EB3170 C:\Windows\system32\netlogon.DLL
  RevertSecurityContext:      73EB3170 C:\Windows\system32\netlogon.DLL
  MakeSignature:              73EDDE90 C:\Windows\system32\netlogon.DLL
  VerifySignature:            73EDF180 C:\Windows\system32\netlogon.DLL
  FreeContextBuffer:          73EDD860 C:\Windows\system32\netlogon.DLL
  QuerySecurityPackageInfo:   73EDF010 C:\Windows\system32\netlogon.DLL
  ExportSecurityContext:      756EDF70 C:\Windows\System32\RPCRT4.dll
  ImportSecurityContext:      756EDF70 C:\Windows\System32\RPCRT4.dll
  AddCredentials:             756EDF20 C:\Windows\System32\RPCRT4.dll
  QuerySecurityContextToken:  756EDF50 C:\Windows\System32\RPCRT4.dll
  EncryptMessage:             756EDF70 C:\Windows\System32\RPCRT4.dll
  DecryptMessage:             756EDF70 C:\Windows\System32\RPCRT4.dll
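As an added example (not code from the original post or from the tool that produced the dumps), the Python script below re-reads the dumps above: it parses the hex-dump lines into bytes, overlays the SECURITY_FUNCTION_TABLE_W slot order from sspi.h for either pointer size, and reports which slots are still NULL (the holes InitSecurityFunctionTable leaves) and which point into RPCRT4.dll instead of the provider DLL (the entries it patched in). The sample text is the netlogon table from the w8.1 x64 output and the second ProviderList item from the w10 x86 output; the RPCRT4 base addresses come from those dumps, while the netlogon base addresses and all module sizes are constructed for the example only.

```python
import re

# Pointer slots of SECURITY_FUNCTION_TABLE_W in sspi.h order; dwVersion precedes them.
SFT_FIELDS = [
    "EnumerateSecurityPackagesW", "QueryCredentialsAttributesW", "AcquireCredentialsHandleW",
    "FreeCredentialsHandle", "Reserved2", "InitializeSecurityContextW", "AcceptSecurityContext",
    "CompleteAuthToken", "DeleteSecurityContext", "ApplyControlToken", "QueryContextAttributesW",
    "ImpersonateSecurityContext", "RevertSecurityContext", "MakeSignature", "VerifySignature",
    "FreeContextBuffer", "QuerySecurityPackageInfoW", "Reserved3", "Reserved4",
    "ExportSecurityContext", "ImportSecurityContextW", "AddCredentialsW", "Reserved8",
    "QuerySecurityContextToken", "EncryptMessage", "DecryptMessage", "SetContextAttributesW",
    "SetCredentialsAttributesW", "ChangeAccountPasswordW", "QueryContextAttributesExW",
    "QueryCredentialsAttributesExW",
]

# One dump line: 8-digit offset, hex bytes joined by ' ', '-' or '|', then the ASCII column.
DUMP_LINE = re.compile(r"^\s*([0-9A-F]{8})\s+((?:[0-9A-F]{2}[ \-|])*[0-9A-F]{2})", re.I)

def parse_hexdump(text):
    """Collect the byte columns; offsets must run contiguously from the first dump line."""
    data, base = bytearray(), None
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # header or blank line
        offset = int(m.group(1), 16)
        base = offset if base is None else base
        if offset - base != len(data):
            raise ValueError(f"gap in dump at offset {offset:#x}")
        data += bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", m.group(2)))
    return bytes(data)

def parse_sft(data, ptr_size):
    """Return (dwVersion, {slot: pointer}) for as many slots as the bytes cover; ptr_size 8 = x64, 4 = x86."""
    version = int.from_bytes(data[:4], "little")
    slots, off = {}, ptr_size  # dwVersion is padded up to the first pointer on x64
    for name in SFT_FIELDS:
        if off + ptr_size > len(data):
            break
        slots[name] = int.from_bytes(data[off:off + ptr_size], "little")
        off += ptr_size
    return version, slots

def resolve(slots, modules):
    """Label every slot NULL, the (name, base, size) module containing it, or '?'."""
    out = {}
    for name, ptr in slots.items():
        hit = [mod for mod, base, size in modules if base <= ptr < base + size]
        out[name] = "NULL" if ptr == 0 else (hit[0] if hit else "?")
    return out

def holes(slots):  # slots InitSecurityFunctionTable left uninitialized
    return [n for n, p in slots.items() if p == 0]

def slots_in(resolved, module):  # slots whose target lies inside `module`
    return [n for n, m in resolved.items() if m == module]

# SecurityProvider[1] (netlogon) table from the w8.1 x64 output above.
NETLOGON_W81_X64 = """
00000000  01 00 00 00-00 00 00 00|B0 07 D7 13-FE 7F 00 00  ........°.Χ.ώ..
00000010  00 00 00 00-00 00 00 00|90 DE D3 13-FE 7F 00 00  ........ήΣ.ώ..
00000020  F0 73 D6 13-FE 7F 00 00|00 00 00 00-00 00 00 00  πsΦ.ώ..........
00000030  00 F4 D5 13-FE 7F 00 00|70 DF D3 13-FE 7F 00 00  .τΥ.ώ..pίΣ.ώ..
00000040  40 FE E2 16-FE 7F 00 00|80 73 D4 13-FE 7F 00 00  @ώβ.ώ..€sΤ.ώ..
00000050  40 FE E2 16-FE 7F 00 00|D0 DD D3 13-FE 7F 00 00  @ώβ.ώ..ΠέΣ.ώ..
00000060  60 DF D3 13-FE 7F 00 00|60 DF D3 13-FE 7F 00 00  `ίΣ.ώ..`ίΣ.ώ..
00000070  30 2F DD 13-FE 7F 00 00|F0 2F DD 13-FE 7F 00 00  0/έ.ώ..π/έ.ώ..
00000080  10 2F DD 13-FE 7F 00 00|E0 07 D7 13-FE 7F 00 00  ./έ.ώ..ΰ.Χ.ώ..
00000090  00 D1 D3 13-FE 7F 00 00|F0 D6 D3 13-FE 7F 00 00  .ΡΣ.ώ..πΦΣ.ώ..
000000A0  40 FE E2 16-FE 7F 00 00|40 FE E2 16-FE 7F 00 00  @ώβ.ώ..@ώβ.ώ..
000000B0  40 FE E2 16-FE 7F 00 00|00 00 00 00-00 00 00 00  @ώβ.ώ..........
000000C0  40 FE E2 16-FE 7F 00 00|40 FE E2 16-FE 7F 00 00  @ώβ.ώ..@ώβ.ώ..
000000D0  40 FE E2 16-FE 7F 00 00|00 00 00 00-00 00 00 00  @ώβ.ώ..........
000000E0  00 00 00 00-00 00 00 00                          ........
"""
# Second ProviderList item (netlogon) from the w10 x86 output above; its table starts at +8.
ITEM1_W10_X86 = """
00000090  01 00 00 00-C8 2F E3 02|00 00 00 00-40 29 EB 73  ....И/г.....@)лs
000000A0  40 DF 6E 75-E0 D3 ED 73|80 D8 ED 73-00 00 00 00  @ЯnuаУнsЂШнs....
000000B0  D0 D8 ED 73-C0 CD ED 73|50 DF 6E 75-20 D8 ED 73  РШнsАНнsPЯnu Шнs
000000C0  50 DF 6E 75-20 EF ED 73|70 31 EB 73-70 31 EB 73  PЯnu пнsp1лsp1лs
000000D0  90 DE ED 73-80 F1 ED 73|60 D8 ED 73-10 F0 ED 73  ђЮнsЂснs`Шнs.рнs
000000E0  E0 F0 ED 73-30 F1 ED 73|70 DF 6E 75-70 DF 6E 75  арнs0снspЯnupЯnu
000000F0  20 DF 6E 75-00 00 00 00|50 DF 6E 75-70 DF 6E 75   Яnu....PЯnupЯnu
00000100  70 DF 6E 75-00 00 00 00|00 00 00 00-00 00 00 00  pЯnu............
00000110  00 00 00 00-00 00 00 00|50 C4 E1 02-48 2F E3 02  ........PДб.H/г.
"""
# RPCRT4 bases are taken from the dumps; netlogon bases and every size are constructed for this example.
MODULES_X64 = [("RPCRT4.dll", 0x00007FFE16D90000, 0x140000), ("netlogon.DLL", 0x00007FFE13D00000, 0x100000)]
MODULES_X86 = [("RPCRT4.dll", 0x75690000, 0xC0000), ("netlogon.DLL", 0x73EA0000, 0x60000)]

if __name__ == "__main__":
    for label, dump, skip, ps, mods in (("w8.1 x64", NETLOGON_W81_X64, 0, 8, MODULES_X64), ("w10 x86", ITEM1_W10_X86, 8, 4, MODULES_X86)):
        version, slots = parse_sft(parse_hexdump(dump)[skip:], ps)
        print(label, "dwVersion =", version, "| holes:", holes(slots), "| rpcrt4 stubs:", slots_in(resolve(slots, mods), "RPCRT4.dll"))
```

Run against the w10 item the script also shows that dwVersion is 0 there (it is 1 in the w8.1 table) and that QueryCredentialsAttributesW, which w8.1 left NULL, is now filled with an rpcrt4 stub. The same slot-by-module check against a live process is a cheap integrity test: a provider table slot resolving outside SspiCli, the provider DLL and RPCRT4 is worth a closer look.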
