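第一部分 (Part 1): breakpoint on CRYPT32!PkiAsn1Decode. The call stack shows an sfc_os file-validation thread going through the WINTRUST catalog cache into the CRYPT32 CTL decoder.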
0: kd> g
Breakpoint 35 hit
CRYPT32!PkiAsn1Decode:
001b:75c9af0c 55 push ebp
1: kd> kc
#
00 CRYPT32!PkiAsn1Decode
01 CRYPT32!PkiAsn1DecodeAndAllocInfo
02 CRYPT32!PkiAsn1DecodeAndAllocInfoEx
03 CRYPT32!Asn1InfoDecodeAndAllocEx
04 CRYPT32!Asn1X509CtlInfoDecodeEx
05 CRYPT32!CryptDecodeObjectEx
06 CRYPT32!AllocAndDecodeObject
07 CRYPT32!FastCreateCtlElement
08 CRYPT32!CertCreateContext
09 WINTRUST!CatUtil_CreateCTLContextFromFileName
0a WINTRUST!_CatAdminAddSingleCatalogToCache
0b WINTRUST!_CatAdminAddCatalogsToCache
0c WINTRUST!CryptCATAdminEnumCatalogFromHash
0d sfc_os!SfcValidateFileSignature
0e sfc_os!SfcGetValidationData
0f sfc_os!SfcValidateDLL
10 sfc_os!SfcQueueValidationThread
11 kernel32!BaseThreadStart
1: kd> kv
# ChildEBP RetAddr Args to Child
00 007ce4c4 75c9b50d 01236c48 007ce504 0000003a CRYPT32!PkiAsn1Decode (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\pkiasn1.cpp @ 212]
01 007ce4e4 75c9b64b 01236c48 0000003a 01c155d0 CRYPT32!PkiAsn1DecodeAndAllocInfo+0x1c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\pkiasn1.cpp @ 1037]
02 007ce508 75c4959c 01236c48 0000003a 01c155d0 CRYPT32!PkiAsn1DecodeAndAllocInfoEx+0x1f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\pkiasn1.cpp @ 1176]
03 007ce534 75c4e39c 0000003a 01c155d0 00000043 CRYPT32!Asn1InfoDecodeAndAllocEx+0x2c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\wincert.cpp @ 2456]
04 007ce55c 75c49347 00000001 00000025 01c155d0 CRYPT32!Asn1X509CtlInfoDecodeEx+0x21 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\wincert.cpp @ 10140]
05 007ce5c4 75c2b555 00000001 00000025 01c155d0 CRYPT32!CryptDecodeObjectEx+0x4d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\wincert.cpp @ 2223]
06 007ce5ec 75c2f05e 00000001 00000025 01c155d0 CRYPT32!AllocAndDecodeObject+0x2a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 1506]
07 007ce6fc 75c3337a 75ca7f98 00010001 017a0000 CRYPT32!FastCreateCtlElement+0x19e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 14901]
08 007ce758 76812b50 00000002 00010001 017a0000 CRYPT32!CertCreateContext+0xee (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 15197]
09 007ce78c 7680b67f 00000f94 01c52c08 01c52c0c WINTRUST!CatUtil_CreateCTLContextFromFileName+0x108 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\catutil.cpp @ 105]
0a 007ce7b8 7680c14f 01714ad8 01c52520 007ce7dc WINTRUST!_CatAdminAddSingleCatalogToCache+0xb4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\mscat32\catadnew.cpp @ 2670]
0b 007ce7ec 7680c899 01714ac0 016c99f0 007ce820 WINTRUST!_CatAdminAddCatalogsToCache+0xca (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\mscat32\catadnew.cpp @ 2554]
0c 007ceab4 768373da 01714ac0 0007d3d0 00000014 WINTRUST!CryptCATAdminEnumCatalogFromHash+0x1d3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\mscat32\catadnew.cpp @ 906]
0d 007cf4b8 768378c5 01714ac0 00000d38 0011a568 sfc_os!SfcValidateFileSignature+0x22d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 299]
0e 007cf4e0 768379c5 007cf510 007cf508 00000010 sfc_os!SfcGetValidationData+0xe0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2165]
0f 007cf724 76838a3d 0112916c 01714ac0 00000000 sfc_os!SfcValidateDLL+0xe4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2251]
10 007cffb8 77e41be7 00000000 00000000 00000000 sfc_os!SfcQueueValidationThread+0x4ce (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1671]
11 007cffec 00000000 7683856f 00000000 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
windbg> .open -a 75c9b50d
// Decode an encoded certificate trust list (CTL).
//
// Thin forwarder: hands the encoded bytes, flags, decode parameters and the
// caller's output buffer/size to the generic Asn1InfoDecodeAndAllocEx helper,
// selecting the CertificateTrustList PDU and supplying
// Asn1X509CtlInfoDecodeExCallback as the callback.
//
// dwCertEncodingType and lpszStructType are accepted but not referenced in
// this body. The return value is exactly what Asn1InfoDecodeAndAllocEx
// returns.
//
// In the kv output on this page the helper is entered with 0x3a as its first
// argument and 0x43 as the encoded length, and the bytes come from a catalog
// file being added to the catalog cache - i.e. file content that has not yet
// been verified when it reaches the ASN.1 decoder.
BOOL WINAPI Asn1X509CtlInfoDecodeEx(
        IN DWORD dwCertEncodingType,
        IN LPCSTR lpszStructType,
        IN const BYTE *pbEncoded,
        IN DWORD cbEncoded,
        IN DWORD dwFlags,
        IN OPTIONAL PCRYPT_DECODE_PARA pDecodePara,
        OUT OPTIONAL void *pvStructInfo,
        IN OUT DWORD *pcbStructInfo
        )
{
    BOOL fDecoded;

    fDecoded = Asn1InfoDecodeAndAllocEx(
                    CertificateTrustList_PDU,           // PDU id selecting the CTL decoder
                    pbEncoded,
                    cbEncoded,
                    dwFlags,
                    pDecodePara,
                    Asn1X509CtlInfoDecodeExCallback,
                    pvStructInfo,
                    pcbStructInfo
                    );
    return fDecoded;
}
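第二部分 (Part 2): breakpoint on MSASN1!ASN1_Decode. Locals and the ASN1decoding_s state on entry are shown; buf/size/pos (0x175bcfb, 0x23, 0x175bd1e) do not yet match the pbBuf/cbBufSize arguments (0x01c155d0, 0x43).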
1: kd> p
Breakpoint 36 hit
MSASN1!ASN1_Decode:
001b:75bf7d82 55 push ebp
1: kd> kc
#
00 MSASN1!ASN1_Decode
01 CRYPT32!PkiAsn1Decode
02 CRYPT32!PkiAsn1DecodeAndAllocInfo
03 CRYPT32!PkiAsn1DecodeAndAllocInfoEx
04 CRYPT32!Asn1InfoDecodeAndAllocEx
05 CRYPT32!Asn1X509CtlInfoDecodeEx
06 CRYPT32!CryptDecodeObjectEx
07 CRYPT32!AllocAndDecodeObject
08 CRYPT32!FastCreateCtlElement
09 CRYPT32!CertCreateContext
0a WINTRUST!CatUtil_CreateCTLContextFromFileName
0b WINTRUST!_CatAdminAddSingleCatalogToCache
0c WINTRUST!_CatAdminAddCatalogsToCache
0d WINTRUST!CryptCATAdminEnumCatalogFromHash
0e sfc_os!SfcValidateFileSignature
0f sfc_os!SfcGetValidationData
10 sfc_os!SfcValidateDLL
11 sfc_os!SfcQueueValidationThread
12 kernel32!BaseThreadStart
1: kd> dv
dec = 0x01236c48
valref = 0x007ce504
id = 0x3a
flags = 8
pbBuf = 0x01c155d0 "0???"
cbBufSize = 0x43
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((MSASN1!ASN1decoding_s *)0x1236c48)
((MSASN1!ASN1decoding_s *)0x1236c48) : 0x1236c48 [Type: ASN1decoding_s *]
[+0x000] magic : 0x44434544 [Type: unsigned long]
[+0x004] version : 0x0 [Type: unsigned long]
[+0x008] module : 0x756c0 [Type: tagASN1module_t *]
[+0x00c] buf : 0x175bcfb : 0x13 [Type: unsigned char *]
[+0x010] size : 0x23 [Type: unsigned long]
[+0x014] len : 0x23 [Type: unsigned long]
[+0x018] err : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit : 0x0 [Type: unsigned long]
[+0x020] pos : 0x175bd1e : 0x30 [Type: unsigned char *]
[+0x024] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags : 0x1000 [Type: unsigned long]
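第三部分 (Part 3): the dispatch inside ASN1_Decode. The decoder state now points at pbBuf/cbBufSize (buf = pos = 0x1c155d0, size = 0x43), and apfnDecoder[id] is read from the module's table. With id = 0x3a, the slot at 0x75c1d3a8 + 0x3a*4 = 0x75c1d490 holds 0x75c6b711, which is CRYPT32!ASN1Dec_CertificateTrustList.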
/* Excerpt from ASN1_Decode: path taken when the decoder's encoding rule has a
   bit in common with ASN1_BER_RULE (presumably a mask covering the BER-family
   rules; the dumps on this page show eRule = ASN1_BER_RULE_DER). The excerpt
   stops before the closing braces. */
if (ASN1_BER_RULE & dec->eRule)
{
ASN1BerDecFun_t pfnBER;
/* decode value */
/* id selects the per-PDU decoder from the module's table. In this session
   id = 0x3a and the module dump reports cPDUs = 0x40.
   NOTE(review): no range check on id is visible in this excerpt - confirm it
   is validated against module->cPDUs earlier in ASN1_Decode. */
if (NULL != (pfnBER = dec->module->BER.apfnDecoder[id]))
{
/* Indirect call through the table entry (the `call ecx` at ASN1_Decode+0xe8
   in the trace); *valref is the destination structure handed to the decoder. */
if ((*pfnBER)(dec, 0, *valref)) // lonchanc: tag is 0 to make it compiled
{
/* Reached only when the PDU decoder returned non-zero. */
ASN1BERDecFlush(dec);
}
1: kd> dv
dec = 0x01236c48
valref = 0x007ce504
id = 0x3a
flags = 0xe8
pbBuf = 0x01c155d0 "0???"
cbBufSize = 0x43
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((MSASN1!ASN1decoding_s *)0x1236c48)
((MSASN1!ASN1decoding_s *)0x1236c48) : 0x1236c48 [Type: ASN1decoding_s *]
[+0x000] magic : 0x44434544 [Type: unsigned long]
[+0x004] version : 0x0 [Type: unsigned long]
[+0x008] module : 0x756c0 [Type: tagASN1module_t *]
[+0x00c] buf : 0x1c155d0 : 0x30 [Type: unsigned char *]
[+0x010] size : 0x43 [Type: unsigned long]
[+0x014] len : 0x0 [Type: unsigned long]
[+0x018] err : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit : 0x0 [Type: unsigned long]
[+0x020] pos : 0x1c155d0 : 0x30 [Type: unsigned char *]
[+0x024] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags : 0x1000 [Type: unsigned long]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((MSASN1!tagASN1module_t *)0x756c0)
((MSASN1!tagASN1module_t *)0x756c0) : 0x756c0 [Type: tagASN1module_t *]
[+0x000] nModuleName : 0x39303578 [Type: unsigned long]
[+0x004] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x008] dwFlags : 0x1000 [Type: unsigned long]
[+0x00c] cPDUs : 0x40 [Type: unsigned long]
[+0x010] apfnFreeMemory : 0x75c1d4a8 [Type: void (**)(void *)]
[+0x014] acbStructSize : 0x75c1d5a8 : 0x8 [Type: unsigned long *]
[+0x018] PER [Type: tagASN1PerFunArr_t]
[+0x018] BER [Type: tagASN1BerFunArr_t]
1: kd> dd 0x75c1d3a8
75c1d3a8 75c63a28 75c63a8b 75c7ae48 75c7ae6c
75c1d3b8 75c63ad5 75c63b1f 75c63b67 75c63dc0
75c1d3c8 75c6abf0 75c67833 75c640b9 75c6418d
75c1d3d8 75c8cf27 75c642c0 75c64568 75c646a0
75c1d3e8 75c64811 75c648d9 75c67995 75c64b84
75c1d3f8 75c67bdc 75c67d12 75c64c73 75c64daa
75c1d408 75c67f99 75c65267 75c654ca 75c6af0e
75c1d418 75c682e4 75c685bd 75c6875d 75c6b072
1: kd> dd 0x75c1d3a8+80
75c1d428 75c657fc 75c65917 75c68a19 75c65a75
75c1d438 75c68b29 75c65ba8 75c65d0a 75c65e0c
75c1d448 75c65f57 75c68edc 75c69215 75c660dd
75c1d458 75c69b4f 75c69c62 75c663e4 75c66688
75c1d468 75c667a9 75c66973 75c69e7e 75c6b412
75c1d478 75c66b07 75c6a109 75c66efe 75c67038
75c1d488 75c6a37e 75c671bf 75c6b711 75c6a73a
1: kd> u 75c6b711
CRYPT32!ASN1Dec_CertificateTrustList [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\x509.c @ 6201]:
75c6b711 55 push ebp
75c6b712 8bec mov ebp,esp
75c6b714 83ec10 sub esp,10h
75c6b717 8b450c mov eax,dword ptr [ebp+0Ch]
75c6b71a 85c0 test eax,eax
75c6b71c 7503 jne CRYPT32!ASN1Dec_CertificateTrustList+0x10 (75c6b721)
75c6b71e 6a10 push 10h
75c6b720 58 pop eax
/* Prototype of the CTL PDU decoder: decoder state, tag, destination structure. */
static int ASN1CALL ASN1Dec_CertificateTrustList(ASN1decoding_t dec, ASN1uint32_t tag, CertificateTrustList *val);
typedef ASN1BerDecFun_t ASN1DecFun_t;
/* Per-PDU decoder table that X509_Module_Startup passes to ASN1_CreateModule.
   It is declared with 64 slots; this excerpt lists the first 59 (indices
   0..58) and omits the remaining entries and the closing brace.
   The last entry shown, index 58 = 0x3a, is ASN1Dec_CertificateTrustList,
   which matches id = 0x3a resolving to 0x75c6b711 in the debugger output. */
static const ASN1DecFun_t decfntab[64] = {
(ASN1DecFun_t) ASN1Dec_EncodedObjectID, /* index 0 */
(ASN1DecFun_t) ASN1Dec_Bits,
(ASN1DecFun_t) ASN1Dec_IntegerType,
(ASN1DecFun_t) ASN1Dec_HugeIntegerType,
(ASN1DecFun_t) ASN1Dec_OctetStringType,
(ASN1DecFun_t) ASN1Dec_EnumeratedType,
(ASN1DecFun_t) ASN1Dec_UtcTime,
(ASN1DecFun_t) ASN1Dec_AnyString,
(ASN1DecFun_t) ASN1Dec_Name,
(ASN1DecFun_t) ASN1Dec_Attributes,
(ASN1DecFun_t) ASN1Dec_RSAPublicKey,
(ASN1DecFun_t) ASN1Dec_DSSParameters,
(ASN1DecFun_t) ASN1Dec_DSSSignature,
(ASN1DecFun_t) ASN1Dec_DHParameters,
(ASN1DecFun_t) ASN1Dec_RC2CBCParameters,
(ASN1DecFun_t) ASN1Dec_SMIMECapabilities,
(ASN1DecFun_t) ASN1Dec_SubjectPublicKeyInfo,
(ASN1DecFun_t) ASN1Dec_ChoiceOfTime,
(ASN1DecFun_t) ASN1Dec_Extensions,
(ASN1DecFun_t) ASN1Dec_SignedContent,
(ASN1DecFun_t) ASN1Dec_CertificationRequestInfo,
(ASN1DecFun_t) ASN1Dec_CertificationRequestInfoDecode,
(ASN1DecFun_t) ASN1Dec_KeygenRequestInfo,
(ASN1DecFun_t) ASN1Dec_AuthorityKeyId,
(ASN1DecFun_t) ASN1Dec_AltNames,
(ASN1DecFun_t) ASN1Dec_EDIPartyName,
(ASN1DecFun_t) ASN1Dec_BasicConstraints2,
(ASN1DecFun_t) ASN1Dec_CertificatePolicies,
(ASN1DecFun_t) ASN1Dec_CertificatePolicies95,
(ASN1DecFun_t) ASN1Dec_AuthorityKeyId2,
(ASN1DecFun_t) ASN1Dec_AuthorityInfoAccess,
(ASN1DecFun_t) ASN1Dec_CRLDistributionPoints,
(ASN1DecFun_t) ASN1Dec_ContentInfo,
(ASN1DecFun_t) ASN1Dec_SeqOfAny,
(ASN1DecFun_t) ASN1Dec_TimeStampRequest,
(ASN1DecFun_t) ASN1Dec_ContentInfoOTS,
(ASN1DecFun_t) ASN1Dec_TimeStampRequestOTS,
(ASN1DecFun_t) ASN1Dec_EnhancedKeyUsage,
(ASN1DecFun_t) ASN1Dec_EnrollmentNameValuePair,
(ASN1DecFun_t) ASN1Dec_CSPProvider,
(ASN1DecFun_t) ASN1Dec_CertificatePair,
(ASN1DecFun_t) ASN1Dec_IssuingDistributionPoint,
(ASN1DecFun_t) ASN1Dec_PolicyMappings,
(ASN1DecFun_t) ASN1Dec_PolicyConstraints,
(ASN1DecFun_t) ASN1Dec_CmcAddExtensions,
(ASN1DecFun_t) ASN1Dec_CmcAddAttributes,
(ASN1DecFun_t) ASN1Dec_CertificateTemplate,
(ASN1DecFun_t) ASN1Dec_Attribute,
(ASN1DecFun_t) ASN1Dec_X942DhParameters,
(ASN1DecFun_t) ASN1Dec_X942DhOtherInfo,
(ASN1DecFun_t) ASN1Dec_CertificateToBeSigned,
(ASN1DecFun_t) ASN1Dec_CertificateRevocationListToBeSigned,
(ASN1DecFun_t) ASN1Dec_KeyAttributes,
(ASN1DecFun_t) ASN1Dec_KeyUsageRestriction,
(ASN1DecFun_t) ASN1Dec_BasicConstraints,
(ASN1DecFun_t) ASN1Dec_UserNotice,
(ASN1DecFun_t) ASN1Dec_VerisignQualifier1,
(ASN1DecFun_t) ASN1Dec_ContentInfoSeqOfAny,
(ASN1DecFun_t) ASN1Dec_CertificateTrustList, /* index 58 (0x3a) */
/* Create the X509 ASN.1 module and store it in the global X509_Module.
 *
 * The arguments line up with the tagASN1module_t dump on this page:
 * eRule = ASN1_BER_RULE_DER, dwFlags = 0x1000, cPDUs = 0x40 and
 * nModuleName = 0x39303578 (the bytes 'x','5','0','9' when stored
 * little-endian). The same PDU count (64) sizes decfntab.
 */
void ASN1CALL X509_Module_Startup(void)
{
    X509_Module = ASN1_CreateModule(
        0x10000,                                /* version word */
        ASN1_BER_RULE_DER,                      /* encoding rule */
        ASN1FLAGS_NOASSERT,                     /* module flags */
        64,                                     /* number of PDUs */
        (const ASN1GenericFun_t *) encfntab,    /* per-PDU encoders */
        (const ASN1GenericFun_t *) decfntab,    /* per-PDU decoders */
        freefntab,                              /* per-PDU free routines */
        sizetab,                                /* per-PDU structure sizes */
        0x39303578);                            /* module name tag */
}
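第四部分 (Part 4): single-stepping the table lookup. After `mov ecx,dword ptr [edx+ecx]`, ecx = 0x75c6b711 (CRYPT32!ASN1Dec_CertificateTrustList); the following `cmp ecx,ebx` with ebx = 0 appears to be the NULL test from the C excerpt.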
1: kd> t
MSASN1!ASN1_Decode+0xd8:
001b:75bf7e5a 8b491c mov ecx,dword ptr [ecx+1Ch]
1: kd> p
MSASN1!ASN1_Decode+0xdb:
001b:75bf7e5d 8b5514 mov edx,dword ptr [ebp+14h]
1: kd> p
MSASN1!ASN1_Decode+0xde:
001b:75bf7e60 8b0c0a mov ecx,dword ptr [edx+ecx]
1: kd> p
MSASN1!ASN1_Decode+0xe1:
001b:75bf7e63 3bcb cmp ecx,ebx
1: kd> r
eax=012308a8 ebx=00000000 ecx=75c6b711
1: kd> u 75c6b711
CRYPT32!ASN1Dec_CertificateTrustList [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\x509.c @ 6201]:
75c6b711 55 push ebp
75c6b712 8bec mov ebp,esp
75c6b714 83ec10 sub esp,10h
75c6b717 8b450c mov eax,dword ptr [ebp+0Ch]
75c6b71a 85c0 test eax,eax
75c6b71c 7503 jne CRYPT32!ASN1Dec_CertificateTrustList+0x10 (75c6b721)
75c6b71e 6a10 push 10h
75c6b720 58 pop eax
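第五部分 (Part 5): the indirect `call ecx` enters CRYPT32!ASN1Dec_CertificateTrustList. The 0x43-byte input buffer at 0x1c155d0 is dumped (it begins 30 80), followed by an ASN.1 dump of the same fields.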
1: kd> p
MSASN1!ASN1_Decode+0xe8:
001b:75bf7e6a ffd1 call ecx
1: kd> r
eax=012308a8 ebx=00000000 ecx=75c6b711 edx=000000e8 esi=01236c48 edi=007ce504
eip=75bf7e6a esp=007ce488 ebp=007ce4a0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
MSASN1!ASN1_Decode+0xe8:
001b:75bf7e6a ffd1 call ecx {CRYPT32!ASN1Dec_CertificateTrustList (75c6b711)}
1: kd> t
CRYPT32!ASN1Dec_CertificateTrustList:
001b:75c6b711 55 push ebp
1: kd> kc
#
00 CRYPT32!ASN1Dec_CertificateTrustList
01 MSASN1!ASN1_Decode
02 CRYPT32!PkiAsn1Decode
03 CRYPT32!PkiAsn1DecodeAndAllocInfo
04 CRYPT32!PkiAsn1DecodeAndAllocInfoEx
05 CRYPT32!Asn1InfoDecodeAndAllocEx
06 CRYPT32!Asn1X509CtlInfoDecodeEx
07 CRYPT32!CryptDecodeObjectEx
08 CRYPT32!AllocAndDecodeObject
09 CRYPT32!FastCreateCtlElement
0a CRYPT32!CertCreateContext
0b WINTRUST!CatUtil_CreateCTLContextFromFileName
0c WINTRUST!_CatAdminAddSingleCatalogToCache
0d WINTRUST!_CatAdminAddCatalogsToCache
0e WINTRUST!CryptCATAdminEnumCatalogFromHash
0f sfc_os!SfcValidateFileSignature
10 sfc_os!SfcGetValidationData
11 sfc_os!SfcValidateDLL
12 sfc_os!SfcQueueValidationThread
13 kernel32!BaseThreadStart
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!ASN1decoding_s *)0x1236c48)
((CRYPT32!ASN1decoding_s *)0x1236c48) : 0x1236c48 [Type: ASN1decoding_s *]
[+0x000] magic : 0x44434544 [Type: unsigned long]
[+0x004] version : 0x0 [Type: unsigned long]
[+0x008] module : 0x756c0 [Type: tagASN1module_t *]
[+0x00c] buf : 0x1c155d0 : 0x30 [Type: unsigned char *]
[+0x010] size : 0x43 [Type: unsigned long]
[+0x014] len : 0x0 [Type: unsigned long]
[+0x018] err : ASN1_SUCCESS (0) [Type: tagASN1error_e]
[+0x01c] bit : 0x0 [Type: unsigned long]
[+0x020] pos : 0x1c155d0 : 0x30 [Type: unsigned char *]
[+0x024] eRule : ASN1_BER_RULE_DER (1024) [Type: ASN1encodingrule_e]
[+0x028] dwFlags : 0x1000 [Type: unsigned long]
1: kd> db 0x1c155d0
01c155d0 30 80 30 0c 06 0a 2b 06-01 04 01 82 37 0c 01 01 0.0...+.....7...
01c155e0 04 10 bb fd 30 fb 6f a3-d9 40 82 26 85 87 87 cd ....0.o..@.&....
01c155f0 89 4b 17 0d 32 34 30 39-31 35 30 33 34 35 30 36 .K..240915034506
01c15600 5a 30 0e 06 0a 2b 06 01-04 01 82 37 0c 01 02 05 Z0...+.....7....
01c15610 00 00 00 76 a0 6e c5 01-3b 01 0a 00 24 00 08 02 ...v.n..;...$...
01c15620 e0 45 77 01 08 a0 68 01-00 00 00 00 00 00 00 00 .Ew...h.........
01c15630 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01c15640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0044: 30 0c ; SEQUENCE (c Bytes)
0046: | 06 0a ; OBJECT_IDENTIFIER (a Bytes)
0048: | 2b 06 01 04 01 82 37 0c 01 01
| ; "szOID_CATALOG_LIST (1.3.6.1.4.1.311.12.1.1)"
0052: 04 10 ; OCTET_STRING (10 Bytes)
0054: | bb fd 30 fb 6f a3 d9 40 82 26 85 87 87 cd 89 4b ; ..0.o..@.&.....K
0064: 17 0d ; UTCTime (d Bytes)
0066: | 32 34 30 39 31 35 30 33 34 35 30 36 5a ; 240915034506Z
| ; "15.09.2024 11:45:06"
0073: 30 0e ; SEQUENCE (e Bytes)
0075: | 06 0a ; OBJECT_IDENTIFIER (a Bytes)
0077: | | 2b 06 01 04 01 82 37 0c 01 02
| | ; "szOID_CATALOG_LIST_MEMBER (1.3.6.1.4.1.311.12.1.2)"
0081: | 05 00 ; NULL (0 Bytes)
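第六部分 (Part 6): full `kv` stack with arguments at the decoder entry, plus a dump of 0x017a0000 (the third argument shown for FastCreateCtlElement). In that blob the SEQUENCE header at offset 0x3f is 30 83 09 57 1c, whereas the buffer handed to the decoder begins 30 80.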
1: kd> kv
# ChildEBP RetAddr Args to Child
00 007ce480 75bf7e6c 01236c48 00000000 012308a8 CRYPT32!ASN1Dec_CertificateTrustList (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\x509.c @ 6201]
01 007ce4a0 75c9af2a 01236c48 007ce504 0000003a MSASN1!ASN1_Decode+0xea (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\enduser\msasn1\perfn.c @ 643]
02 007ce4c4 75c9b50d 01236c48 007ce504 0000003a CRYPT32!PkiAsn1Decode+0x1e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\pkiasn1.cpp @ 224]
03 007ce4e4 75c9b64b 01236c48 0000003a 01c155d0 CRYPT32!PkiAsn1DecodeAndAllocInfo+0x1c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\pkiasn1.cpp @ 1037]
04 007ce508 75c4959c 01236c48 0000003a 01c155d0 CRYPT32!PkiAsn1DecodeAndAllocInfoEx+0x1f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\pkiasn1.cpp @ 1176]
05 007ce534 75c4e39c 0000003a 01c155d0 00000043 CRYPT32!Asn1InfoDecodeAndAllocEx+0x2c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\wincert.cpp @ 2456]
06 007ce55c 75c49347 00000001 00000025 01c155d0 CRYPT32!Asn1X509CtlInfoDecodeEx+0x21 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\wincert.cpp @ 10140]
07 007ce5c4 75c2b555 00000001 00000025 01c155d0 CRYPT32!CryptDecodeObjectEx+0x4d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\wincert.cpp @ 2223]
08 007ce5ec 75c2f05e 00000001 00000025 01c155d0 CRYPT32!AllocAndDecodeObject+0x2a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 1506]
09 007ce6fc 75c3337a 75ca7f98 00010001 017a0000 CRYPT32!FastCreateCtlElement+0x19e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 14901]
0a 007ce758 76812b50 00000002 00010001 017a0000 CRYPT32!CertCreateContext+0xee (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pki\certstor\newstor.cpp @ 15197]
0b 007ce78c 7680b67f 00000f94 01c52c08 01c52c0c WINTRUST!CatUtil_CreateCTLContextFromFileName+0x108 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\common\pkiutil\catutil.cpp @ 105]
0c 007ce7b8 7680c14f 01714ad8 01c52520 007ce7dc WINTRUST!_CatAdminAddSingleCatalogToCache+0xb4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\mscat32\catadnew.cpp @ 2670]
0d 007ce7ec 7680c899 01714ac0 016c99f0 007ce820 WINTRUST!_CatAdminAddCatalogsToCache+0xca (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\mscat32\catadnew.cpp @ 2554]
0e 007ceab4 768373da 01714ac0 0007d3d0 00000014 WINTRUST!CryptCATAdminEnumCatalogFromHash+0x1d3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\ds\security\cryptoapi\pkitrust\mscat32\catadnew.cpp @ 906]
0f 007cf4b8 768378c5 01714ac0 00000d38 0011a568 sfc_os!SfcValidateFileSignature+0x22d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 299]
10 007cf4e0 768379c5 007cf510 007cf508 00000010 sfc_os!SfcGetValidationData+0xe0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2165]
11 007cf724 76838a3d 0112916c 01714ac0 00000000 sfc_os!SfcValidateDLL+0xe4 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2251]
12 007cffb8 77e41be7 00000000 00000000 00000000 sfc_os!SfcQueueValidationThread+0x4ce (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1671]
13 007cffec 00000000 7683856f 00000000 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
windbg> .open -a 75c3337a
09 007ce6fc 75c3337a 75ca7f98 00010001 017a0000 CRYPT32!FastCreateCtlElement+0x19e
1: kd> db 017a0000
017a0000 30 83 09 69 2f 06 09 2a-86 48 86 f7 0d 01 07 02 0..i/..*.H......
017a0010 a0 83 09 69 1f 30 83 09-69 1a 02 01 01 31 0b 30 ...i.0..i....1.0
017a0020 09 06 05 2b 0e 03 02 1a-05 00 30 83 09 57 31 06 ...+......0..W1.
017a0030 09 2b 06 01 04 01 82 37-0a 01 a0 83 09 57 21 30 .+.....7.....W!0
017a0040 83 09 57 1c 30 0c 06 0a-2b 06 01 04 01 82 37 0c ..W.0...+.....7.
017a0050 01 01 04 10 bb fd 30 fb-6f a3 d9 40 82 26 85 87 ......0.o..@.&..
017a0060 87 cd 89 4b 17 0d 32 34-30 39 31 35 30 33 34 35 ...K..2409150345
017a0070 30 36 5a 30 0e 06 0a 2b-06 01 04 01 82 37 0c 01 06Z0...+.....7..
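第七部分 (Part 7): locals on entry to ASN1Dec_CertificateTrustList and the output CertificateTrustList at 0x12308a8 before decoding (bit_mask = 0). The remaining locals appear uninitialised at this point.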
1: kd> dv
dec = 0x01236c48
tag = 0
val = 0x012308a8
di0 = 0x00000040 "--- memory read error at address 0x00000040 ---"
t = 0x7ce504
dd = 0x00000000
di = 0x75bf8654 "???"
dd0 = 0x00000064
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!CertificateTrustList *)0x12308a8)
((CRYPT32!CertificateTrustList *)0x12308a8) : 0x12308a8 [Type: CertificateTrustList *]
[+0x000] bit_mask : 0x0 [Type: unsigned short]
[+0x000] o [Type: unsigned char [1]]
[+0x004] version : 0 [Type: long]
[+0x008] subjectUsage [Type: EnhancedKeyUsage]
[+0x010] listIdentifier [Type: tagASN1octetstring_t]
[+0x018] sequenceNumber [Type: tagASN1intx_t]
[+0x020] ctlThisUpdate [Type: ChoiceOfTime]
[+0x030] ctlNextUpdate [Type: ChoiceOfTime]
[+0x040] subjectAlgorithm [Type: AlgorithmIdentifier]
[+0x054] trustedSubjects [Type: TrustedSubjects]
[+0x05c] ctlExtensions [Type: Extensions]
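第八部分 (Part 8): after `gu` returns to ASN1_Decode+0xea, the same CertificateTrustList at 0x12308a8 is populated (bit_mask = 0x40).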
1: kd> gu
MSASN1!ASN1_Decode+0xea:
001b:75bf7e6c 85c0 test eax,eax
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!CertificateTrustList *)0x12308a8)
((CRYPT32!CertificateTrustList *)0x12308a8) : 0x12308a8 [Type: CertificateTrustList *]
[+0x000] bit_mask : 0x40 [Type: unsigned short]
[+0x000] o [Type: unsigned char [1]]
[+0x004] version : 0 [Type: long]
[+0x008] subjectUsage [Type: EnhancedKeyUsage]
[+0x010] listIdentifier [Type: tagASN1octetstring_t]
[+0x018] sequenceNumber [Type: tagASN1intx_t]
[+0x020] ctlThisUpdate [Type: ChoiceOfTime]
[+0x030] ctlNextUpdate [Type: ChoiceOfTime]
[+0x040] subjectAlgorithm [Type: AlgorithmIdentifier]
[+0x054] trustedSubjects [Type: TrustedSubjects]
[+0x05c] ctlExtensions [Type: Extensions]
1: kd> dd 0x12308a8
012308a8 00000040 00000000 00000001 00072f70
012308b8 00000010 01c155e2 00000000 00000000
012308c8 09180001 062d030f 00000001 00000000
012308d8 00000000 00000000 00000000 00000000
012308e8 00000080 0000000a 01232a90 00000002
012308f8 01c1560f 00000000 00000000 00000000
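第八部分A (Part 8A): subjectUsage holds one OID, 2b 06 01 04 01 82 37 0c 01 01, which the ASN.1 dump labels szOID_CATALOG_LIST (1.3.6.1.4.1.311.12.1.1).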
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!CertificateTrustList *)0x12308a8)
((CRYPT32!CertificateTrustList *)0x12308a8) : 0x12308a8 [Type: CertificateTrustList *]
[+0x000] bit_mask : 0x40 [Type: unsigned short]
[+0x000] o [Type: unsigned char [1]]
[+0x004] version : 0 [Type: long]
[+0x008] subjectUsage [Type: EnhancedKeyUsage]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!EnhancedKeyUsage *)0x12308b0))
(*((CRYPT32!EnhancedKeyUsage *)0x12308b0)) [Type: EnhancedKeyUsage]
[+0x000] count : 0x1 [Type: unsigned long]
[+0x004] value : 0x72f70 [Type: tagASN1encodedOID_t *]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!tagASN1encodedOID_t *)0x72f70)
((CRYPT32!tagASN1encodedOID_t *)0x72f70) : 0x72f70 [Type: tagASN1encodedOID_t *]
[+0x000] length : 0xa [Type: unsigned short]
[+0x004] value : 0x7e9d0 : 0x2b [Type: unsigned char *]
1: kd> db 0x7e9d0
0007e9d0 2b 06 01 04 01 82 37 0c-01 01 00 00 00 00 00 00 +.....7.........
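第八部分B (Part 8B): listIdentifier is 0x10 bytes long. Its value pointer 0x1c155e2 lies inside the input buffer (0x1c155d0 + 0x12), so the decoded field references the encoded bytes in place and is valid only while that buffer is.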
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!CertificateTrustList *)0x12308a8)
((CRYPT32!CertificateTrustList *)0x12308a8) : 0x12308a8 [Type: CertificateTrustList *]
[+0x000] bit_mask : 0x40 [Type: unsigned short]
[+0x000] o [Type: unsigned char [1]]
[+0x004] version : 0 [Type: long]
[+0x008] subjectUsage [Type: EnhancedKeyUsage]
[+0x010] listIdentifier [Type: tagASN1octetstring_t]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1octetstring_t *)0x12308b8))
(*((CRYPT32!tagASN1octetstring_t *)0x12308b8)) [Type: tagASN1octetstring_t]
[+0x000] length : 0x10 [Type: unsigned long]
[+0x004] value : 0x1c155e2 : 0xbb [Type: unsigned char *]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!unsigned char *)0x1c155e2)
((CRYPT32!unsigned char *)0x1c155e2) : 0x1c155e2 : 0xbb [Type: unsigned char *]
0xbb [Type: unsigned char]
1: kd> db 0x1c155e2
01c155e2 bb fd 30 fb 6f a3 d9 40-82 26 85 87 87 cd 89 4b ..0.o..@.&.....K
01c155f2 17 0d 32 34 30 39 31 35-30 33 34 35 30 36 5a 30 ..240915034506Z0
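第八部分C (Part 8C): ctlThisUpdate has choice = 1, read here as utcTime. It decodes to 24-09-15 03:45:06 with universal = 1, matching the encoded 240915034506Z.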
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((CRYPT32!CertificateTrustList *)0x12308a8)
((CRYPT32!CertificateTrustList *)0x12308a8) : 0x12308a8 [Type: CertificateTrustList *]
[+0x000] bit_mask : 0x40 [Type: unsigned short]
[+0x000] o [Type: unsigned char [1]]
[+0x004] version : 0 [Type: long]
[+0x008] subjectUsage [Type: EnhancedKeyUsage]
[+0x010] listIdentifier [Type: tagASN1octetstring_t]
[+0x018] sequenceNumber [Type: tagASN1intx_t]
[+0x020] ctlThisUpdate [Type: ChoiceOfTime]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!ChoiceOfTime *)0x12308c8))
(*((CRYPT32!ChoiceOfTime *)0x12308c8)) [Type: ChoiceOfTime]
[+0x000] choice : 0x1 [Type: unsigned short]
[+0x002] u [Type: __unnamed]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!__unnamed *)0x12308ca))
(*((CRYPT32!__unnamed *)0x12308ca)) [Type: __unnamed]
[+0x000] utcTime [Type: tagASN1utctime_t]
[+0x000] generalTime [Type: tagASN1generalizedtime_t]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!tagASN1utctime_t *)0x12308ca))
(*((CRYPT32!tagASN1utctime_t *)0x12308ca)) [Type: tagASN1utctime_t]
[+0x000] year : 0x18 [Type: unsigned char] 24
[+0x001] month : 0x9 [Type: unsigned char] 09
[+0x002] day : 0xf [Type: unsigned char] 15
[+0x003] hour : 0x3 [Type: unsigned char] 03
[+0x004] minute : 0x2d [Type: unsigned char] 45
[+0x005] second : 0x6 [Type: unsigned char] 06
[+0x006] universal : 0x1 [Type: unsigned char]
[+0x008] diff : 0 [Type: short]
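第九部分 (Part 9): ASN.1 dump of the original blob from offset 0x3f, where the SEQUENCE header 30 83 09 57 1c declares 0x9571c bytes of content.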
003f: 30 83 09 57 1c ; SEQUENCE (9571c Bytes)
0044: 30 0c ; SEQUENCE (c Bytes)
0046: | 06 0a ; OBJECT_IDENTIFIER (a Bytes)
0048: | 2b 06 01 04 01 82 37 0c 01 01
| ; "szOID_CATALOG_LIST (1.3.6.1.4.1.311.12.1.1)"
0052: 04 10 ; OCTET_STRING (10 Bytes)
0054: | bb fd 30 fb 6f a3 d9 40 82 26 85 87 87 cd 89 4b ; ..0.o..@.&.....K
0064: 17 0d ; UTCTime (d Bytes)
0066: | 32 34 30 39 31 35 30 33 34 35 30 36 5a ; 240915034506Z
| ; "15.09.2024 11:45:06"
0073: 30 0e ; SEQUENCE (e Bytes)
0075: | 06 0a ; OBJECT_IDENTIFIER (a Bytes)
0077: | | 2b 06 01 04 01 82 37 0c 01 02
| | ; "szOID_CATALOG_LIST_MEMBER (1.3.6.1.4.1.311.12.1.2)"
0081: | 05 00