Analysis of the CRYPT32!PkiAsn1Decode function: an example with id = 0x12

1: kd> g

Breakpoint 35 hit

CRYPT32!PkiAsn1Decode:

001b:75c9af0c 55 push ebp

1: kd> kc

00 CRYPT32!PkiAsn1Decode

01 CRYPT32!PkiAsn1DecodeAndAllocInfo

02 CRYPT32!PkiAsn1DecodeAndAllocInfoEx

03 CRYPT32!Asn1InfoDecodeAndAllocEx

04 CRYPT32!Asn1X509ExtensionsDecodeEx

05 CRYPT32!CryptDecodeObjectEx

06 CRYPT32!AllocAndDecodeObject

07 CRYPT32!FastCreateCtlElement

08 CRYPT32!CertCreateContext

09 WINTRUST!CatUtil_CreateCTLContextFromFileName

0a WINTRUST!_CatAdminAddSingleCatalogToCache

0b WINTRUST!_CatAdminAddCatalogsToCache

0c WINTRUST!CryptCATAdminEnumCatalogFromHash

0d sfc_os!SfcValidateFileSignature

0e sfc_os!SfcGetValidationData

0f sfc_os!SfcValidateDLL

10 sfc_os!SfcQueueValidationThread

11 kernel32!BaseThreadStart

1: kd> dv

pDec = 0x01236c48

ppvAsn1Info = 0x007ce4fc

id = 0x12

pbEncoded = 0x0183572a "0402???"

cbEncoded = 0x36

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ASN1decoding_s *)0x1236c48)

((CRYPT32!ASN1decoding_s *)0x1236c48) : 0x1236c48 [Type: ASN1decoding_s *]

[+0x000] magic : 0x44434544 [Type: unsigned long]

[+0x004] version : 0x0 [Type: unsigned long]

[+0x008] module : 0x756c0 [Type: tagASN1module_t *]

[+0x00c] buf : 0x1c155d0 : 0x30 [Type: unsigned char *]

[+0x010] size : 0x43 [Type: unsigned long]

[+0x014] len : 0x43 [Type: unsigned long]

[+0x018] err : ASN1_SUCCESS (0) [Type: tagASN1error_e]

[+0x01c] bit : 0x0 [Type: unsigned long]

[+0x020] pos : 0x1c15613 : 0x76 [Type: unsigned char *]

[+0x024] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]

[+0x028] dwFlags : 0x1000 [Type: unsigned long]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!tagASN1module_t *)0x756c0)

((CRYPT32!tagASN1module_t *)0x756c0) : 0x756c0 [Type: tagASN1module_t *]

[+0x000] nModuleName : 0x39303578 [Type: unsigned long]

[+0x004] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]

[+0x008] dwFlags : 0x1000 [Type: unsigned long]

[+0x00c] cPDUs : 0x40 [Type: unsigned long]

[+0x010] apfnFreeMemory : 0x75c1d4a8 [Type: void (**)(void *)]

[+0x014] acbStructSize : 0x75c1d5a8 : 0x8 [Type: unsigned long *]

[+0x018] PER [Type: tagASN1PerFunArr_t]

[+0x018] BER [Type: tagASN1BerFunArr_t]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1BerFunArr_t *)0x756d8))

(*((CRYPT32!tagASN1BerFunArr_t *)0x756d8)) [Type: tagASN1BerFunArr_t]

[+0x000] apfnEncoder : 0x75c1d2a8 [Type: long (**)(ASN1encoding_s *,unsigned long,void *)]

[+0x004] apfnDecoder : 0x75c1d3a8 [Type: long (**)(ASN1decoding_s *,unsigned long,void *)]

1: kd> dd 0x75c1d3a8

75c1d3a8 75c63a28 75c63a8b 75c7ae48 75c7ae6c

75c1d3b8 75c63ad5 75c63b1f 75c63b67 75c63dc0

75c1d3c8 75c6abf0 75c67833 75c640b9 75c6418d

75c1d3d8 75c8cf27 75c642c0 75c64568 75c646a0

75c1d3e8 75c64811 75c648d9 75c67995 75c64b84

75c1d3f8 75c67bdc 75c67d12 75c64c73 75c64daa

75c1d408 75c67f99 75c65267 75c654ca 75c6af0e

75c1d418 75c682e4 75c685bd 75c6875d 75c6b072

1: kd> u 75c67995

CRYPT32!ASN1Dec_Extensions [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\x509.c @ 1861]:

75c67995 55 push ebp

75c67996 8bec mov ebp,esp

75c67998 51 push ecx

75c67999 51 push ecx

75c6799a 8b450c mov eax,dword ptr [ebp+0Ch]

75c6799d 53 push ebx

75c6799e 33db xor ebx,ebx

75c679a0 3bc3 cmp eax,ebx

1: kd> dv

dec = 0x01236c48

valref = 0x007ce4fc

id = 0x12

flags = 0x48

pbBuf = 0x0183572a "0402???"

cbBufSize = 0x36

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((MSASN1!ASN1decoding_s *)0x1236c48)

((MSASN1!ASN1decoding_s *)0x1236c48) : 0x1236c48 [Type: ASN1decoding_s *]

[+0x000] magic : 0x44434544 [Type: unsigned long]

[+0x004] version : 0x0 [Type: unsigned long]

[+0x008] module : 0x756c0 [Type: tagASN1module_t *]

[+0x00c] buf : 0x183572a : 0x30 [Type: unsigned char *]

[+0x010] size : 0x36 [Type: unsigned long]

[+0x014] len : 0x0 [Type: unsigned long]

[+0x018] err : ASN1_SUCCESS (0) [Type: tagASN1error_e]

[+0x01c] bit : 0x0 [Type: unsigned long]

[+0x020] pos : 0x183572a : 0x30 [Type: unsigned char *]

[+0x024] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]

[+0x028] dwFlags : 0x1000 [Type: unsigned long]

1: kd> db 0x183572a

0183572a 30 34 30 32 06 0a 2b 06-01 04 01 82 37 0c 02 01 0402..+.....7...

0183573a 04 24 30 22 1e 0c 00 4f-00 53 00 41 00 74 00 74 .$0"...O.S.A.t.t

0183574a 00 72 02 04 10 01 00 01-04 0c 32 00 3a 00 35 00 .r........2.:.5.

0183575a 2e 00 32 00 00 00

1: kd> p

MSASN1!ASN1_Decode+0xe8:

001b:75bf7e6a ffd1 call ecx

1: kd> bp 75bf7e6a

1: kd> r

eax=0007eb20 ebx=00000000 ecx=75c67995 edx=00000048 esi=01236c48 edi=007ce4fc

eip=75bf7e6a esp=007ce480 ebp=007ce498 iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

MSASN1!ASN1_Decode+0xe8:

001b:75bf7e6a ffd1 call ecx {CRYPT32!ASN1Dec_Extensions (75c67995)}

1: kd> t

CRYPT32!ASN1Dec_Extensions:

001b:75c67995 55 push ebp

1: kd> dv

dec = 0x01236c48

tag = 0

val = 0x0007eb20

t = 8

dd = 0x00000000

di = 0x007ce4fc " ???"

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!Extensions *)0x7eb20)

((CRYPT32!Extensions *)0x7eb20) : 0x7eb20 [Type: Extensions *]

[+0x000] count : 0x0 [Type: unsigned long]

[+0x004] value : 0x0 [Type: Extension *]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!Extensions *)0x7eb20)

((CRYPT32!Extensions *)0x7eb20) : 0x7eb20 [Type: Extensions *]

[+0x000] count : 0x1 [Type: unsigned long]

[+0x004] value : 0x72f18 [Type: Extension *]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!Extension *)0x72f18)

((CRYPT32!Extension *)0x72f18) : 0x72f18 [Type: Extension *]

[+0x000] bit_mask : 0x0 [Type: unsigned short]

[+0x000] o [Type: unsigned char [1]]

[+0x004] extnId [Type: tagASN1encodedOID_t]

[+0x00c] critical : 0x0 [Type: unsigned char]

[+0x010] extnValue [Type: tagASN1octetstring_t]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1octetstring_t *)0x72f28))

(*((CRYPT32!tagASN1octetstring_t *)0x72f28)) [Type: tagASN1octetstring_t]

[+0x000] length : 0x24 [Type: unsigned long]

[+0x004] value : 0x183573c : 0x30 [Type: unsigned char *]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!unsigned char *)0x183573c)

((CRYPT32!unsigned char *)0x183573c) : 0x183573c : 0x30 [Type: unsigned char *]

0x30 [Type: unsigned char]

1: kd> db 0x183573c

0183573c 30 22 1e 0c 00 4f 00 53-00 41 00 74 00 74 00 72 0"...O.S.A.t.t.r //"OSAttr"

0183574c 02 04 10 01 00 01 04 0c-32 00 3a 00 35 00 2e 00 ........2.:.5...

0183575c 32 00 00 00 a0 82 10 44-30 82 03 19 30 82 02 01 2......D0...0...

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!Extension *)0x72f18)

((CRYPT32!Extension *)0x72f18) : 0x72f18 [Type: Extension *]

[+0x000] bit_mask : 0x0 [Type: unsigned short]

[+0x000] o [Type: unsigned char [1]]

[+0x004] extnId [Type: tagASN1encodedOID_t]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1encodedOID_t *)0x72f1c))

(*((CRYPT32!tagASN1encodedOID_t *)0x72f1c)) [Type: tagASN1encodedOID_t]

[+0x000] length : 0xa [Type: unsigned short]

[+0x004] value : 0x1232a90 : 0x2b [Type: unsigned char *]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!unsigned char *)0x1232a90)

((CRYPT32!unsigned char *)0x1232a90) : 0x1232a90 : 0x2b [Type: unsigned char *]

0x2b [Type: unsigned char]

1: kd> db 0x1232a90

01232a90 2b 06 01 04 01 82 37 0c-02 01 00 00 5a 00 00 00 +.....7.....Z... //"CAT_NAMEVALUE_OBJID (1.3.6.1.4.1.311.12.2.1)"

01232aa0 ba 00 03 00 b5 01 0c 01-60 28 c9 76 44 28 c9 76 ........`(.vD(.v

2b 06 01 04 01 82 37 0c 02 01

95728: | a0 36 ; CONTEXT_SPECIFIC (0) (36 Bytes)

9572a: | 30 34 ; SEQUENCE (34 Bytes)

9572c: | 30 32 ; SEQUENCE (32 Bytes)

9572e: | 06 0a ; OBJECT_IDENTIFIER (a Bytes)

95730: | | 2b 06 01 04 01 82 37 0c 02 01

| | ; "CAT_NAMEVALUE_OBJID (1.3.6.1.4.1.311.12.2.1)"

9573a: | 04 24 ; OCTET_STRING (24 Bytes)

9573c: | 30 22 ; SEQUENCE (22 Bytes)

9573e: | 1e 0c ; BMPString (c Bytes)

95740: | | 00 4f 00 53 00 41 00 74 00 74 00 72 ; .O.S.A.t.t.r

| | ; "OSAttr"

9574c: | 02 04 ; INTEGER (4 Bytes)

9574e: | | 10 01 00 01

95752: | 04 0c ; OCTET_STRING (c Bytes)

95754: | 32 00 3a 00 35 00 2e 00 32 00 00 00

1: kd> ?9573a

Evaluate expression: 612154 = 0009573a
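
The byte layout traced in the dumps above can be reproduced offline with a small strict DER reader. This is an added example, not code from the original page or from CRYPT32/MSASN1: the function names are illustrative, and `BLOB` is the 0x36 bytes copied from the `db 0x183572a` output. It assumes the shape seen in this session (single-byte tags, no `critical` BOOLEAN in the Extension) and rejects anything else.

```python
# Constructed input: the 0x36 bytes printed by `db 0x183572a` on this page.
BLOB = bytes.fromhex("30343032060a2b0601040182370c0201042430221e0c004f0053004100740074"
                     "0072020410010001040c32003a0035002e0032000000")

def read_tlv(buf, off):  # bounds-checked read of one DER TLV -> (tag, value, next_off)
    if off + 2 > len(buf) or buf[off] & 0x1F == 0x1F:
        raise ValueError("truncated header or multi-byte tag")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        if not 1 <= n <= 4 or off + n > len(buf) or buf[off] == 0 or length < 0x80:
            raise ValueError("length octets truncated or not minimal (not DER)")
        off += n
    if off + length > len(buf):
        raise ValueError("element runs past the end of its container")
    return tag, buf[off:off + length], off + length

def values(body, *tags, each=None):
    """Child values of constructed content; tags must equal `tags`, or all be `each`."""
    off, seen, vals = 0, [], []
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        seen.append(tag)
        vals.append(val)
    if tuple(seen) != (tags if each is None else (each,) * len(seen)):
        raise ValueError("unexpected element tags: %s" % [hex(t) for t in seen])
    return vals

def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, acc = [], 0
    for b in body:  # base-128 digits, high bit set means "more follows"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def decode_extensions(blob):
    (outer,) = values(blob, 0x30)  # exactly one SEQUENCE, no trailing bytes
    exts = (values(e, 0x06, 0x04) for e in values(outer, each=0x30))  # extnId, extnValue
    return [(decode_oid(oid), octets) for oid, octets in exts]

def decode_name_value(octets):
    """extnValue as dumped here: SEQUENCE { BMPString, INTEGER, OCTET STRING }."""
    (body,) = values(octets, 0x30)
    name, flags, value = values(body, 0x1E, 0x02, 0x04)
    return name.decode("utf-16-be"), int.from_bytes(flags, "big"), value
```

The returned OID, the 0x24-byte `extnValue` and the `OSAttr` name line up with the `Extension` fields shown by `dx`; the final OCTET STRING in this sample is UTF-16LE text.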