WinDbg神断点

https://blogs.msdn.microsoft.com/alejacma/2007/10/31/cryptoapi-tracer-script/

 

我得多少年才能学会这种写法。

 

实际上也没用多少年。

 

************************************************************************
* CRYPTO API TRACER by ALEJANDRO CAMPOS MAGENCIO (BETA)
************************************************************************
*
* DISCLAIMER
*
* This sample script is not supported under any Microsoft standard 
* support program or service. 
* The sample script is provided as it is without warranty of any kind.
* Microsoft further disclaims all implied warranties including, without 
* limitation, any implied warranties of merchantability or of fitness 
* for a particular purpose.
* The entire risk arising out of the use or performance of the sample 
* script remains with you. In no event shall Microsoft, its authors, or 
* anyone else involved in the creation, production, or delivery of the 
* script be liable for any damages whatsoever (including, without 
* limitation, damages for loss of business profits, business 
* interruption, loss of business information, or other pecuniary loss) 
* arising out of the use of or inability to use the sample script, even 
* if Microsoft has been advised of the possibility of such damages.
*
* PREREQUISITES:
*
* 1) Download the latest version of "Debugging Tools for Windows"
*    https://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
*
* 2) Install the tools in any machine, and copy the directory with the 
*    tools to the target machine (they don't need to be installed in the 
*    target machine). We will use "cdb.exe" to run the script.
*
* HOW TO TRACE an already running application:
*
* -  Run the following command to attach the "cdb.exe" debugger to the 
*    application and run the script:
*    "
*    cdb.exe -pn application.exe -cf "PathToScript\script.txt"
*    "
*
*    Note: You may target the application by PID by using "-p PID" 
*          instead of "-pn application.exe".
*    Note: All traces will be written to log.txt in the current 
*          directory. You may change the path to the log file at the end 
*          of the script.
*
* HOW TO FINISH the tracing:
*
* A) If the application has finished execution, enter the "q" command on 
*    "cdb.exe" to quit the debugger.
*
* B) If the application is still running, press "Ctrl+Break" to break
*    into "cdb.exe" and pause the application. Enter the "qd" command to
*    detach and quit the debugger (it won't kill the target app which 
*    will resume execution) or "q" to just quit (it will kill the target 
*    app).
*
************************************************************************

************************************************************************
* DEFAULT TRACERS 
************************************************************************

* Remove * to enable 
* Generic catch-all tracers, one wildcard "bm" per symbol pattern.
* On each hit they print the thread id and one stack frame with its
* arguments (kb 1), then set a breakpoint on the return address
* poi(@esp) for the same thread (bp /t @$thread) whose command prints
* @eax and the last error (!gle) before resuming with G.
* NOTE(review): if one of these is enabled together with the per-API
* tracers below, a call to a traced API hits both breakpoints, so
* expect duplicated output in the log.
*bm Advapi32!Crypt* ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\n(%#x)\\n\\n\", @$tid;    .echo CALL;kb 1;    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; !gle;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* Remove * to enable 
*bm Crypt32!Crypt* ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\n(%#x)\\n\\n\", @$tid;    .echo CALL;kb 1;    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; !gle;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* Remove * to enable 
*bm Crypt32!Cert* ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\n(%#x)\\n\\n\", @$tid;    .echo CALL;kb 1;    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; !gle;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

************************************************************************
* ADVAPI32!CRYPT* TRACERS
************************************************************************

* Per-API tracers. Every "bm" below fires on the 32-bit (x86) entry
* point: the arguments are read as 4-byte stack slots (@esp+4, @esp+8,
* ...) and the BOOL result from @eax, so none of these offsets hold for
* an x64 target.
* On entry the command prints the IN parameters, then sets a breakpoint
* (bp /t, restricted to the calling thread) on the return address
* poi(@esp); that breakpoint's command prints the OUT parameters and the
* result, and both commands resume the target with G.
* Inside the return-address command the arguments sit at negative
* offsets (here poi(@esp-14) is phProv, which was at @esp+4 on entry)
* because the callee has already popped its five arguments plus the
* return address by then. NOTE(review): this presumes callee-cleanup
* (stdcall); reusing the pattern for a cdecl export needs other offsets.
* NOTE(review): the return breakpoint is thread-specific (/t) but not
* one-shot (/1), so it stays set on that return address after the first
* hit.
* CryptAcquireContextW: prints container/provider names with du, decodes
* dwProvType (PROV_RSA_FULL=1, PROV_RSA_AES=0x18) and the dwFlags bits
* listed, and reads back the new hProv through phProv. Unprefixed
* numbers in .if() comparisons are hex under the debugger's default
* radix.
bm Advapi32!CryptAcquireContextW ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptAcquireContextW (%#x)\\n\", @$tid;    .echo;.echo IN;    .echo pszContainer; .if(poi(@esp+8)=0) {.echo NULL} .else {du poi(@esp+8)};    .echo;.echo pszProvider; .if(poi(@esp+c)=0) {.echo NULL} .else {du poi(@esp+c)};    .echo;.echo dwProvType; .if(poi(@esp+10)=1) {.echo PROV_RSA_FULL} .elsif(poi(@esp+10)=0x18) {.echo PROV_RSA_AES} .else {.printf \"%d\\n\", poi(@esp+10)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14); .if((poi(@esp+14)&0x0`F0000000)=0x0`F0000000) {.echo CRYPT_VERIFYCONTEXT(0xf0000000)}; .if((poi(@esp+14)&0x0`00000008)=0x0`00000008){.echo CRYPT_NEWKEYSET(0x8)}; .if((poi(@esp+14)&0x0`00000010)=0x0`00000010) {.echo CRYPT_DELETEKEYSET(0x10)}; .if((poi(@esp+14)&0x0`00000020)=0x0`00000020) {.echo CRYPT_MACHINE_KEYSET(0x20)}; .if((poi(@esp+14)&0x0`00000040)=0x0`00000040) {.echo CRYPT_SILENT(0x40)};     bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if(poi(@esp-14)=0) {.echo phProv;.echo NULL} .else {.echo hProv; .if(poi(poi(@esp-14))=0) {.echo NULL} .else {.printf \\\"%#x\\\\n\\\", poi(poi(@esp-14))} };    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptAcquireContextW (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptAcquireContextW (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

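* CryptAcquireContextA: ANSI twin of the W tracer (da instead of du for
* the two strings); same argument layout, same dwFlags decoding, same
* read-back of hProv through phProv at poi(@esp-14) after the call.
* The PROV_RSA_AES comparison uses 0x18 (decimal 24), matching the W
* tracer: an unprefixed 24 is read as 0x24 under the debugger's default
* radix 16 and would never match a real PROV_RSA_AES call.
bm Advapi32!CryptAcquireContextA ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptAcquireContextA (%#x)\\n\", @$tid;    .echo;.echo IN;    .echo pszContainer; .if(poi(@esp+8)=0) {.echo NULL} .else {da poi(@esp+8)};    .echo;.echo pszProvider; .if(poi(@esp+c)=0) {.echo NULL} .else {da poi(@esp+c)};    .echo;.echo dwProvType; .if(poi(@esp+10)=1) {.echo PROV_RSA_FULL} .elsif(poi(@esp+10)=0x18) {.echo PROV_RSA_AES} .else {.printf \"%d\\n\", poi(@esp+10)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14); .if((poi(@esp+14)&0x0`F0000000)=0x0`F0000000){.echo CRYPT_VERIFYCONTEXT(0xf0000000)}; .if((poi(@esp+14)&0x0`00000008)=0x0`00000008){.echo CRYPT_NEWKEYSET(0x8)}; .if((poi(@esp+14)&0x0`00000010)=0x0`00000010) {.echo CRYPT_DELETEKEYSET(0x10)}; .if((poi(@esp+14)&0x0`00000020)=0x0`00000020) {.echo CRYPT_MACHINE_KEYSET(0x20)}; .if((poi(@esp+14)&0x0`00000040)=0x0`00000040) {.echo CRYPT_SILENT(0x40)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if(poi(@esp-14)=0) {.echo phProv;.echo NULL} .else {.echo hProv; .if(poi(poi(@esp-14))=0) {.echo NULL} .else {.printf \\\"%#x\\\\n\\\", poi(poi(@esp-14))} };    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptAcquireContextA (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptAcquireContextA (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";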

* CryptGetProvParam: IN prints hProv, dwParam (0x16 = PP_ENUMALGS_EX),
* the pbData pointer and *pdwDataLen. OUT dumps *pdwDataLen bytes from
* pbData, rounded up to whole dwords ((len+3)/4 into $t0), but only when
* both the pointer and the length are non-zero (the size query form
* passes pbData = NULL).
bm Advapi32!CryptGetProvParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetProvParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo dwParam; .if(poi(@esp+8)=0x16) {.echo PP_ENUMALGS_EX} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo pbData; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+10));        .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14);    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetProvParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetProvParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptGenRandom: dumps pbBuffer (dwLen bytes, rounded up to dwords)
* both before the call (whatever the caller left there) and after it.
* The OUT dump is the freshly generated random bytes, so any key or
* nonce the caller derives from them is recoverable from the log.
bm Advapi32!CryptGenRandom ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGenRandom (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .printf \"dwLen\\n%d\\n\", poi(@esp+8);    r $t0=(poi(@esp+8)+3)/4; .echo;.echo bBuffer; dd poi(@esp+c) l@$t0;    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    r $t0=(poi(@esp-8)+3)/4; .echo bBuffer; dd poi(@esp-4) l@$t0;    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGenRandom (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGenRandom (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptReleaseContext: prints hProv and dwFlags, then only the result.
bm Advapi32!CryptReleaseContext ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptReleaseContext (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+8);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptReleaseContext (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptReleaseContext (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptCreateHash: decodes Algid (0x8004 = CALG_SHA, 0x8003 = CALG_MD5,
* anything else printed raw), prints hKey and dwFlags, and on return
* reads the new hash handle back through phHash (poi(@esp-4)).
bm Advapi32!CryptCreateHash ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptCreateHash (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo Algid; .if(poi(@esp+8)=0x00008004) {.echo CALG_SHA} .elsif(poi(@esp+8)=0x00008003) {.echo CALG_MD5} .else {.printf \"%#x\\n\", poi(@esp+8)};    .printf \"\\nhKey\\n%#x\\n\\n\", poi(@esp+c);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+10);    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .printf \\\"hHash\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptCreateHash (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptCreateHash (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";


* CryptHashData: dumps the data being hashed (pbData, dwDataLen bytes
* rounded up to dwords) before the call. This is the caller's plaintext
* input (passwords, messages, ...), and it goes straight into the log.
bm Advapi32!CryptHashData ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptHashData (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+4);    r $t0=(poi(@esp+c)+3)/4; .echo bData;dd poi(@esp+8) l@$t0;    .printf \"\\ndwDataLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+10);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptHashData (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptHashData (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptDestroyHash: prints hHash, then the result.
bm Advapi32!CryptDestroyHash ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptDestroyHash (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptDestroyHash (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptDestroyHash (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptGetHashParam: decodes dwParam (1 HP_ALGID, 2 HP_HASHVAL,
* 4 HP_HASHSIZE); OUT dumps *pdwDataLen bytes from pbData when both are
* non-zero, i.e. the hash value itself for HP_HASHVAL.
bm Advapi32!CryptGetHashParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetHashParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwParam; .if(poi(@esp+8)=0x1) {.echo HP_ALGID} .elsif(poi(@esp+8)=0x2) {.echo HP_HASHVAL} .elsif(poi(@esp+8)=0x4) {.echo HP_HASHSIZE} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo pbData; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+10));    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14);    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetHashParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetHashParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptGetUserKey: decodes dwKeySpec (1 AT_KEYEXCHANGE, 2 AT_SIGNATURE)
* and reads the returned handle back through phUserKey (poi(@esp-4)).
bm Advapi32!CryptGetUserKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetUserKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo dwKeySpec; .if(poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif(poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .else {.printf \"%#x\\n\", poi(@esp+8)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .printf \\\"hUserKey\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetUserKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetUserKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptGenKey: Algid may be a key spec (AT_*) or an algorithm id
* (CALG_SHA decoded, others raw). The requested key length lives in
* the upper 16 bits of dwFlags, hence the shift by 10 (hex, i.e. 16);
* bit 0 is CRYPT_EXPORTABLE. The new handle is read back via phKey.
bm Advapi32!CryptGenKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGenKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo Algid; .if(poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif(poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .elsif(poi(@esp+8)=0x00008004) {.echo CALG_SHA} .else {.printf \"%#x\\n\", poi(@esp+8)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+c); r $t0=(poi(@esp+c))>>10; .printf \"Key Size(%d)\\n\", @$t0; .if((poi(@esp+c)&0x0`00000001)=0x0`00000001) {.echo CRYPT_EXPORTABLE(0x1)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .printf \\\"hKey\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGenKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGenKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptGetKeyParam: decodes dwParam (7 KP_ALGID, 9 KP_KEYLEN); OUT
* dumps *pdwDataLen bytes from pbData when both are non-zero.
bm Advapi32!CryptGetKeyParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetKeyParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .echo dwParam; .if(poi(@esp+8)=0x7) {.echo KP_ALGID} .elsif(poi(@esp+8)=0x9) {.echo KP_KEYLEN} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo pbData; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+10));    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14);    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetKeyParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetKeyParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptDestroyKey: prints hKey, then the result.
bm Advapi32!CryptDestroyKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptDestroyKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\", poi(@esp+4);   bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptDestroyKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptDestroyKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptEncrypt: the in-place buffer pbData is dumped twice, before the
* call (plaintext, *pdwDataLen bytes) and after it (ciphertext, new
* *pdwDataLen). dwFlags 0x40 is decoded as CRYPT_OAEP; dwBufLen is the
* buffer capacity. The pre-call dump puts plaintext into the log.
bm Advapi32!CryptEncrypt ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptEncrypt (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+8);    .echo Final; .if(poi(@esp+c)=0) {.echo FALSE} .else {.echo TRUE};    .echo;.echo dwFlags; .if(poi(@esp+10)=0x40) {.echo CRYPT_OAEP} .else {.printf \"%#x\\n\", poi(@esp+10)}; .echo;    .if((poi(@esp+14)!=0) & (poi(poi(@esp+18))!=0)) {r $t0=(poi(poi(@esp+18))+3)/4; .echo bData; dd poi(@esp+14) l@$t0} .elsif(poi(@esp+14)=0) {.echo pbData;.echo NULL} .else {.printf \"pbData\\n%#x\\n\", poi(@esp+14)}; .echo;    .printf \"dwDataLen\\n%d\\n\\n\", poi(poi(@esp+18));    .printf \"dwBufLen\\n%d\\n\", poi(@esp+1c);    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptEncrypt (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptEncrypt (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptDecrypt: mirror of CryptEncrypt (six arguments, so the return
* side uses @esp-8 / @esp-4). The pre-call dump is ciphertext, the
* post-call dump is the recovered plaintext, written to the log.
bm Advapi32!CryptDecrypt ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptDecrypt (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+8);   .echo Final; .if(poi(@esp+c)=0) {.echo FALSE} .else {.echo TRUE};    .echo;.echo dwFlags; .if(poi(@esp+10)=0x40) {.echo CRYPT_OAEP} .else {.printf \"%#x\\n\", poi(@esp+10)}; .echo;    .if((poi(@esp+14)!=0) & (poi(poi(@esp+18))!=0)) {r $t0=(poi(poi(@esp+18))+3)/4; .echo bData; dd poi(@esp+14) l@$t0; .echo} .elsif(poi(@esp+14)=0) {.echo pbData;.echo NULL;.echo};    .printf \"dwDataLen\\n%d\\n\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bData; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptDecrypt (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptDecrypt (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptSetHashParam: decodes dwParam (2 HP_HASHVAL, 5 HP_HMAC_INFO).
* The API carries no length for pbData, so "dd poi(@esp+c)" uses dd's
* default count rather than the real size of the caller's buffer.
bm Advapi32!CryptSetHashParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptSetHashParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwParam; .if(poi(@esp+8)=0x2) {.echo HP_HASHVAL} .elsif(poi(@esp+8)=0x5) {.echo HP_HMAC_INFO} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo; .if(poi(@esp+c)=0) {.echo pbData;.echo NULL} .else {.echo bData;dd poi(@esp+c)};     .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+10);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptSetHashParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptSetHashParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

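* CryptSignHashW: decodes dwKeySpec (1 AT_KEYEXCHANGE, 2 AT_SIGNATURE),
* prints sDescription with du, the pbSignature pointer and *pdwSigLen;
* OUT dumps the produced signature (*pdwSigLen bytes, rounded up to
* dwords) when pbSignature and the length are non-zero.
* The header format string is "\\n\\nCryptSignHashW (%#x)\\n" like every
* other tracer (the original had "\\n\\CryptSignHashW", a dropped "n"
* that printed a stray backslash and no blank line), and dwFlags is
* preceded by a blank line as in the A tracer below.
bm Advapi32!CryptSignHashW ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptSignHashW (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwKeySpec; .if (poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif (poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo sDescription; .if (poi(@esp+c)=0) {.echo NULL} .else {du poi(@esp+c)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+10);        .echo;.echo pbSignature; .if (poi(@esp+14)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+14)};    .printf \"\\ndwSigLen\\n%d\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bSignature; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwSigLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptSignHashW (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptSignHashW (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";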

* CryptSignHashA: ANSI twin of CryptSignHashW (da for sDescription).
* Six arguments, so on return pbSignature is at @esp-8 and pdwSigLen at
* @esp-4; the produced signature is dumped from there.
bm Advapi32!CryptSignHashA ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptSignHashA (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwKeySpec; .if (poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif (poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo sDescription; .if (poi(@esp+c)=0) {.echo NULL} .else {da poi(@esp+c)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+10);        .echo;.echo pbSignature; .if (poi(@esp+14)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+14)};    .printf \"\\ndwSigLen\\n%d\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bSignature; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwSigLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptSignHashA (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptSignHashA (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;"; 

* CryptVerifySignatureW: dumps the signature under test (pbSignature,
* dwSigLen bytes) when both are non-zero, prints hPubKey, sDescription
* (du) and dwFlags. Nothing is written back, so only the result is
* printed on return.
bm Advapi32!CryptVerifySignatureW ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptVerifySignatureW (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+4);    .if((poi(@esp+8)!=0) & (poi(@esp+c)!=0)) {r $t0=(poi(@esp+c)+3)/4; .echo bSignature; dd poi(@esp+8) l@$t0;} .elsif(poi(@esp+8)=0) {.echo pbSignature;.echo NULL;} .else {.printf \"pbSignature\\n%#x\\n\", poi(@esp+8)};    .printf \"\\ndwSigLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"hPubKey\\n%#x\\n\", poi(@esp+10);    .echo;.echo sDescription; .if (poi(@esp+14)=0) {.echo NULL} .else {du poi(@esp+14)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+18);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptVerifySignatureW (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptVerifySignatureW (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptVerifySignatureA: ANSI twin of the W tracer (da for sDescription).
bm Advapi32!CryptVerifySignatureA ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptVerifySignatureA (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+4);    .if((poi(@esp+8)!=0) & (poi(@esp+c)!=0)) {r $t0=(poi(@esp+c)+3)/4; .echo bSignature; dd poi(@esp+8) l@$t0;} .elsif(poi(@esp+8)=0) {.echo pbSignature;.echo NULL;} .else {.printf \"pbSignature\\n%#x\\n\", poi(@esp+8)};    .printf \"\\ndwSigLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"hPubKey\\n%#x\\n\", poi(@esp+10);    .echo;.echo sDescription; .if (poi(@esp+14)=0) {.echo NULL} .else {da poi(@esp+14)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+18);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptVerifySignatureA (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptVerifySignatureA (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptImportKey: dumps the key blob being imported (pbData, dwDataLen
* bytes) verbatim, prints hPubKey and dwFlags (bit 0 CRYPT_EXPORTABLE),
* and reads the new handle back through phKey (poi(@esp-4)). Whatever
* key material the blob carries in clear ends up in the log.
bm Advapi32!CryptImportKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptImportKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .if((poi(@esp+8)!=0) & (poi(@esp+c)!=0)) {r $t0=(poi(@esp+c)+3)/4; .echo bData; dd poi(@esp+8) l@$t0;} .elsif(poi(@esp+8)=0) {.echo pbData;.echo NULL;} .else {.printf \"pbData\\n%#x\\n\", poi(@esp+8)};    .printf \"\\ndwDataLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"hPubKey\\n%#x\\n\\n\", poi(@esp+10);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+14); .if((poi(@esp+14)&0x0`00000001)=0x0`00000001) {.echo CRYPT_EXPORTABLE(0x1)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT; .printf \\\"hKey\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptImportKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptImportKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptExportKey: decodes dwBlobType (7 PRIVATEKEYBLOB, others raw) and
* dwFlags bit 0x40 (CRYPT_OAEP); OUT dumps the exported blob
* (*pdwDataLen bytes from pbData) when both are non-zero. For a
* PRIVATEKEYBLOB export that dump is the private key, in the log.
bm Advapi32!CryptExportKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptExportKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .printf \"hExpKey\\n%#x\\n\\n\", poi(@esp+8);    .echo dwBlobType; .if(poi(@esp+c)=0x7) {.echo PRIVATEKEYBLOB} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+10); .if((poi(@esp+10)&0x0`00000040)=0x0`00000040) {.echo CRYPT_OAEP(0x40)};    .echo;.echo pbData; .if(poi(@esp+14)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+14)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bData; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptExportKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptExportKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

************************************************************************
* CRYPT32!CRYPT* TRACERS
************************************************************************

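* CryptProtectData: dumps pDataIn->pbData (the secret being protected),
* szDataDescr, pOptionalEntropy->pbData, pvReserved, the CRYPTPROTECT_
* PROMPTSTRUCT fields and the dwFlags bits listed; OUT dumps the DPAPI
* blob written to pDataOut. Each dump is capped by ".if(@$t0 > 40)",
* where 40 is hex under the default radix, i.e. 0x40 dwords = 256 bytes.
* The secret and the entropy therefore land in the log in clear.
* This "bm" must stay on one physical line: the script is read line by
* line, and the copy that was wrapped inside "r $t0=40" left the quoted
* command unterminated. The vReserved .printf is also given its space.
bm Crypt32!CryptProtectData ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptProtectData (%#x)\\n\", @$tid;    .echo;.echo IN;    .if (poi(@esp+4)=0) {.echo pDataIn;.echo NULL} .else {.printf \"pDataIn->cbData\\n%d\\n\\n\", poi(poi(@esp+4)); r $t0=(poi(poi(@esp+4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo pDataIn->pbData;dd poi(poi(@esp+4)+4) l@$t0};    .echo;.echo szDataDescr; .if(poi(@esp+8)=0) {.echo NULL} .else {du poi(@esp+8)};    .echo; .if (poi(@esp+c)=0) {.echo pOptionalEntropy;.echo NULL} .else { .printf \"pOptionalEntropy->cbData\\n%d\\n\", poi(poi(@esp+c)); r $t0=(poi(poi(@esp+c))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pOptionalEntropy->pbData;dd poi(poi(@esp+c)+4) l@$t0};    .echo;.echo vReserved; .if (poi(@esp+10)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+10)};    .echo; .if (poi(@esp+14)=0) {.echo pPromptStruct;.echo NULL} .else {.printf \"pPromptStruct->cbSize\\n%d\\n\\n\", poi(poi(@esp+14)); .printf \"pPromptStruct->dwPromptFlags\\n%#x\\n\", poi(poi(@esp+14)+4); .if((poi(poi(@esp+14)+4)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_PROMPT_ON_UNPROTECT(0x1)}; .if((poi(poi(@esp+14)+4)&0x0`00000002)=0x0`00000002) {.echo CRYPTPROTECT_PROMPT_ON_PROTECT(0x2)}; .printf \"\\npPromptStruct->hwndApp\\n%#x\\n\\n\", poi(poi(@esp+14)+8); .echo pPromptStruct->szPrompt; .if(poi(poi(@esp+14)+c)=0) {.echo NULL} .else {du poi(poi(@esp+14)+c)} };    .echo; .printf \"dwFlags\\n%#x\\n\", poi(@esp+18); .if((poi(@esp+18)&0x0`00000004)=0x0`00000004) {.echo CRYPTPROTECT_LOCAL_MACHINE(0x4)}; .if((poi(@esp+18)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_UI_FORBIDDEN(0x1)}; .if((poi(@esp+18)&0x0`00000010)=0x0`00000010) {.echo CRYPTPROTECT_AUDIT(0x10)}; .if((poi(@esp+18)&0x0`00000040)=0x0`00000040) {.echo CRYPTPROTECT_VERIFY_PROTECTION(0x40)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if (poi(@esp-4)=0) {.echo pDataOut;.echo NULL} .else {.printf \\\"pDataOut->cbData\\\\n%d\\\\n\\\", poi(poi(@esp-4)); r $t0=(poi(poi(@esp-4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pDataOut->pbData;dd poi(poi(@esp-4)+4) l@$t0};    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptProtectData (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptProtectData (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";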

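* CryptUnprotectData: dumps the incoming DPAPI blob (pDataIn->pbData),
* pOptionalEntropy->pbData, pvReserved, the prompt struct and dwFlags
* bit 0 (CRYPTPROTECT_UI_FORBIDDEN). OUT prints the description string
* returned through ppszDataDescr (poi(@esp-18)) and dumps
* pDataOut->pbData, i.e. the decrypted secret, so recovered plaintext is
* written to the log. Dumps are capped at 0x40 dwords (the unprefixed
* 40 is hex under the default radix).
* This "bm" must stay on one physical line: the copy that was wrapped
* between ".printf" and its format string left the command unterminated.
* The vReserved .printf is also given its space.
bm Crypt32!CryptUnprotectData ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptUnprotectData (%#x)\\n\", @$tid;    .echo;.echo IN;    .if (poi(@esp+4)=0) {.echo pDataIn;.echo NULL} .else {.printf \"pDataIn->cbData\\n%d\\n\\n\", poi(poi(@esp+4)); r $t0=(poi(poi(@esp+4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo pDataIn->pbData;dd poi(poi(@esp+4)+4) l@$t0};    .echo; .if (poi(@esp+c)=0) {.echo pOptionalEntropy;.echo NULL} .else { .printf \"pOptionalEntropy->cbData\\n%d\\n\", poi(poi(@esp+c)); r $t0=(poi(poi(@esp+c))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pOptionalEntropy->pbData;dd poi(poi(@esp+c)+4) l@$t0};    .echo;.echo vReserved; .if (poi(@esp+10)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+10)};    .echo; .if (poi(@esp+14)=0) {.echo pPromptStruct;.echo NULL} .else {.printf \"pPromptStruct->cbSize\\n%d\\n\\n\", poi(poi(@esp+14)); .printf \"pPromptStruct->dwPromptFlags\\n%#x\\n\", poi(poi(@esp+14)+4); .if((poi(poi(@esp+14)+4)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_PROMPT_ON_UNPROTECT(0x1)}; .if((poi(poi(@esp+14)+4)&0x0`00000002)=0x0`00000002) {.echo CRYPTPROTECT_PROMPT_ON_PROTECT(0x2)}; .printf \"\\npPromptStruct->hwndApp\\n%#x\\n\\n\", poi(poi(@esp+14)+8); .echo pPromptStruct->szPrompt; .if(poi(poi(@esp+14)+c)=0) {.echo NULL} .else {du poi(poi(@esp+14)+c)} };    .echo; .printf \"dwFlags\\n%#x\\n\", poi(@esp+18); .if((poi(@esp+18)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_UI_FORBIDDEN(0x1)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if(poi(@esp-18)=0) {.echo ppszDataDescr;.echo NULL} .else {.echo szDataDescr; .if(poi(poi(@esp-18))=0) {.echo NULL} .else {du poi(poi(@esp-18))} };    .echo; .if (poi(@esp-4)=0) {.echo pDataOut;.echo NULL} .else {.printf \\\"pDataOut->cbData\\\\n%d\\\\n\\\", poi(poi(@esp-4)); r $t0=(poi(poi(@esp-4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pDataOut->pbData;dd poi(poi(@esp-4)+4) l@$t0};    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptUnprotectData (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptUnprotectData (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";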

* CryptMemAlloc: prints cbSize; on return prints the returned pointer
* (@eax) and treats 0 as failure (this API returns a pointer, not BOOL).
bm Crypt32!CryptMemAlloc ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptMemAlloc (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"cbSize\\n%d\\n\", poi(@esp+4);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; .if(@eax!=0) {.printf \\\"CryptMemAlloc (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptMemAlloc (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* CryptMemFree: prints pv. The API returns void, so the return-side
* command unconditionally reports SUCCEEDED.
bm Crypt32!CryptMemFree ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptMemFree (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"pv\\n%#x\\n\", poi(@esp+4);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .printf \\\"CryptMemFree (%#x) SUCCEEDED\\\\n\\\", @$tid;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

************************************************************************
* CRYPT32!CERT* TRACERS
************************************************************************

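* CertOpenStore: decodes lpszStoreProvider when it is one of the small
* integer provider ids (1, 2, 0xa, 0xb, 0xd) and otherwise prints it
* with da (an ANSI provider-name string); decodes the encoding-type
* bits, prints hCryptProv, decodes the dwFlags option bits and the
* system-store location carried in the upper 16 bits
* (&0x0`FFFF0000), and dumps pvPara as raw dwords. On return the store
* handle comes back in @eax, with 0 meaning failure.
* This "bm" must stay on one physical line: the copy that was wrapped
* inside ".echo CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY" left the
* command unterminated.
bm Crypt32!CertOpenStore ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCertOpenStore (%#x)\\n\", @$tid;    .echo;.echo IN;    .echo lpszStoreProvider; .if(poi(@esp+4)=0) {.echo NULL} .elsif(poi(@esp+4)=0x1) {.echo CERT_STORE_PROV_MSG} .elsif(poi(@esp+4)=0x2) {.echo CERT_STORE_PROV_MEMORY} .elsif(poi(@esp+4)=0xa) {.echo CERT_STORE_PROV_SYSTEM_W} .elsif(poi(@esp+4)=0xb) {.echo CERT_STORE_PROV_COLLECTION} .elsif(poi(@esp+4)=0xd) {.echo CERT_STORE_PROV_SYSTEM_REGISTRYW} .else {da poi(@esp+4)}; .echo;    .printf \"dwMsgAndCertEncodingType\\n%#x\\n\", poi(@esp+8); .if((poi(@esp+8)&0x0`00000001)=0x0`00000001) {.echo X509_ASN_ENCODING(0x1)}; .if((poi(@esp+8)&0x0`00010000)=0x0`00010000) {.echo PKCS_7_ASN_ENCODING(0x10000)}; .echo;    .echo hCryptProv; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)}; .echo;    .printf \"dwFlags\\n%#x\\n\", poi(@esp+10); .if((poi(@esp+10)&0x0`00000001)=0x0`00000001) {.echo CERT_STORE_NO_CRYPT_RELEASE_FLAG(0x1)}; .if((poi(@esp+10)&0x0`00000004)=0x0`00000004) {.echo CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG(0x4)}; .if((poi(@esp+10)&0x0`00000080)=0x0`00000080) {.echo CERT_STORE_SHARE_CONTEXT_FLAG(0x80)}; .if((poi(@esp+10)&0x0`00000400)=0x0`00000400) {.echo CERT_STORE_UPDATE_KEYID_FLAG(0x400)}; .if((poi(@esp+10)&0x0`00001000)=0x0`00001000) {.echo CERT_STORE_MAXIMUM_ALLOWED_FLAG(0x1000)}; .if((poi(@esp+10)&0x0`FFFF0000)=0x0`00010000) {.echo CERT_SYSTEM_STORE_CURRENT_USER(0x10000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00020000) {.echo CERT_SYSTEM_STORE_LOCAL_MACHINE(0x20000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00040000) {.echo CERT_SYSTEM_STORE_CURRENT_SERVICE(0x40000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00050000) {.echo CERT_SYSTEM_STORE_SERVICES(0x50000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00060000) {.echo CERT_SYSTEM_STORE_USERS(0x60000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00070000) {.echo CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY(0x70000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00080000) {.echo CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY(0x80000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00090000) {.echo CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE(0x90000)};    .echo; .if(poi(@esp+14)=0) {.echo pvPara; .echo NULL} .else {.echo vPara; dd poi(@esp+14)};    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .if(@eax!=0) {.printf \\\"%#x\\\\n\\\\nCertOpenStore (%#x) SUCCEEDED\\\\n\\\", @eax, @$tid;} .else {.printf \\\"NULL\\\\n\\\\nCertOpenStore (%#x) FAILED\\\\n\\\", @$tid; !gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";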
 
************************************************************************
* LET'S GO AND TRACE!!!
************************************************************************

* Don't want any output but my own
*
* !sym quiet  - silence symbol-loading messages
* .srcnoisy 0 - silence source-file loading messages
* sxi ld      - ignore module-load events instead of breaking on them
!sym quiet;
.srcnoisy 0;
sxi ld
* .outmask- clears every output-mask bit except 0x1 (normal output) and
* 0x10 (prompt), so only the tracers' own .printf/.echo text is logged.
.outmask- 0xFFFFFFEE  $$ .outmask /d restores the output mask to default

* Create the log and begin
*
* The log path is relative to the debugger's current directory. The
* tracers above write raw buffers into it: data being hashed,
* encrypted or decrypted (CryptHashData/CryptEncrypt/CryptDecrypt),
* CryptGenRandom output, imported and exported key blobs, and the
* inputs, entropy and outputs of CryptProtectData/CryptUnprotectData.
* Handle log.txt as secret material: restrict read access and delete
* it once the trace has been analysed.
.logopen "log.txt";
G

  
