The cool paper "Subverting Windows Trust" described the mechanism of Subject Interface Packages (SIPs).
Let's see how we can extract and dump them.
Unfortunately the list of SIPs inside crypt32.dll has no name in the .pdb. One way to find it is with IDA Pro, starting from the function FindDll:
push [ebp+nSize] ; nSize
push ebx ; lpDst
push [ebp+lpSrc] ; lpSrc
call ds:__imp__ExpandEnvironmentStringsW@12
test eax, eax
jz short loc_5CF28F50
push offset dll_cs
call ds:__imp__EnterCriticalSection@4
mov edi, dll_list ; linked list of SIPs
test edi, edi
jz short loc_5CF28F89
next_item:
push 0FFFFFFFFh ; cchCount2 (-1: NUL-terminated)
push dword ptr [edi+8] ; lpString2 = crypto32_dll_list_item.dll_name
push 0FFFFFFFFh ; cchCount1
push ebx ; lpString1 = expanded dll path
push 1 ; dwCmpFlags = NORM_IGNORECASE
push 409h ; Locale = en-US
call ds:__imp__CompareStringW@24
dec eax
sub eax, 1 ; eax was 2 (CSTR_EQUAL) -> match found
jz short loc_5CF28F41
mov edi, [edi+4] ; crypto32_dll_list_item.next
test edi, edi
jnz short next_item
This address (I named it dll_list) holds the head of a linked list of SIP dll structures that look like this:
struct sip_item
{
sip_item *next;
PVOID unk4; // ptr to the owning crypto32_dll_list_item
const char *fname; // actually points to the end of sip_item: the name is stored inline right after the structure
PVOID pfn; // resolved function address, NULL if the function was never resolved
};
struct crypto32_dll_list_item
{
PVOID unk;
crypto32_dll_list_item *next;
const wchar_t *dll_name;
HANDLE base; // module base if the dll was loaded, else NULL
DWORD unk10;
DWORD unk14;
sip_item *func_items_list;
PVOID unk20;
PVOID unk24;
PVOID unk28;
};
It's interesting to note that not all SIP .dlls are loaded when the SIP structures are initialized - in fact they are almost always empty and contain only names (base and pfn stay NULL). Sample output from lsass.exe:
SIP: 000002669EE8CCA0 C:\Windows\System32\SecureTimeAggregator.dll base 00007FF96EE90000
SIP data at 000002669F848B70: GetSecureTime 00007FF96EE95770 C:\Windows\System32\SecureTimeAggregator.dll
SIP data at 000002669F84C290: AggregateSSLHandshakeTime 00007FF96EE95680 C:\Windows\System32\SecureTimeAggregator.dll
SIP: 000002669EEA1A90 C:\Windows\System32\inetcomm.dll
SIP data at 000002669F863C90: EssContentHintEncodeEx
SIP data at 000002669F863DD0: EssMLHistoryEncodeEx
SIP data at 000002669F863D90: EssSecurityLabelEncodeEx
SIP data at 000002669F863A10: EssSignCertificateEncodeEx
SIP data at 000002669F863D10: EssKeyExchPreferenceEncodeEx
SIP data at 000002669F863F50: EssReceiptRequestEncodeEx
SIP data at 000002669F863910: EssReceiptEncodeEx
SIP data at 000002669F87B2D0: EssContentHintDecodeEx
SIP data at 000002669F87B290: EssMLHistoryDecodeEx
SIP data at 000002669F87B6D0: EssSecurityLabelDecodeEx
SIP data at 000002669F87B3D0: EssSignCertificateDecodeEx
SIP data at 000002669F87B650: EssKeyExchPreferenceDecodeEx
SIP data at 000002669F87B190: EssReceiptRequestDecodeEx
SIP data at 000002669F87B450: EssReceiptDecodeEx
SIP: 000002669EEA19F0 C:\Windows\System32\cryptnet.dll base 00007FF96EE60000
SIP data at 000002669F8633D0: CertDllVerifyRevocation 00007FF96EE65A90 C:\Windows\System32\cryptnet.dll
SIP data at 000002669F87B390: LdapProvOpenStore
SIP data at 000002669F87B4D0: LdapProvOpenStore
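Below is an added example of the dumper the structures above describe; it is not code from the original post. It walks dll_list through a memory-reader callback using the 32-bit field offsets of crypto32_dll_list_item and sip_item given earlier (the lsass.exe sample is from an x64 process, where every pointer field is 8 bytes wide and the offsets differ), prints each dll and its function items in the same shape as the output above, and keeps the never-loaded case apart (base NULL, pfn NULL). The memory image it reads is constructed in the block, not a real process dump, and the IMG_BASE value and the two sample dlls are assumptions for the demo; on a live 32-bit target the reader would wrap ReadProcessMemory and head_var would be crypt32's load base plus the RVA of dll_list found in IDA.

```c
/* Added example: dump crypt32's SIP dll list (x86 layout) through a memory-reader callback. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* field offsets of crypto32_dll_list_item / sip_item on x86, from the structs above */
enum { DLL_NEXT = 4, DLL_NAME = 8, DLL_BASE = 12, DLL_FUNCS = 24 };
enum { SIP_NEXT = 0, SIP_OWNER = 4, SIP_FNAME = 8, SIP_PFN = 12 };
#define MAX_ITEMS 1024   /* guard against a corrupted or cyclic list */
#define NAME_MAX  260

/* returns 1 on success, 0 if [addr, addr+len) is not readable in the target */
typedef int (*mem_reader)(void *ctx, uint32_t addr, void *buf, size_t len);

static int read_u32(mem_reader rd, void *ctx, uint32_t addr, uint32_t *out)
{
    uint8_t b[4];
    if (!rd(ctx, addr, b, 4)) return 0;
    *out = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 1;
}

/* ANSI name (sip_item::fname), read byte by byte because it may end at a page boundary */
static void read_cstr(mem_reader rd, void *ctx, uint32_t addr, char *out, size_t cap)
{
    size_t i = 0;
    for (uint8_t c; i + 1 < cap && rd(ctx, addr + (uint32_t)i, &c, 1) && c; i++) out[i] = (char)c;
    out[i] = 0;
}

/* UTF-16LE name (crypto32_dll_list_item::dll_name), narrowed to ASCII for printing */
static void read_wstr(mem_reader rd, void *ctx, uint32_t addr, char *out, size_t cap)
{
    size_t i = 0;
    for (uint8_t b[2]; i + 1 < cap && rd(ctx, addr + (uint32_t)(2 * i), b, 2) && (b[0] | b[1]); i++)
        out[i] = (b[1] == 0 && b[0] < 0x80) ? (char)b[0] : '?';
    out[i] = 0;
}

struct sip_stats { unsigned dlls, loaded, funcs, resolved; };

/* head_var is the address of the dll_list variable itself; it holds a pointer to the first item */
static struct sip_stats dump_sips(mem_reader rd, void *ctx, uint32_t head_var, FILE *out)
{
    struct sip_stats st = { 0, 0, 0, 0 };
    uint32_t dll;
    if (!read_u32(rd, ctx, head_var, &dll)) return st;
    for (unsigned n = 0; dll && n < MAX_ITEMS; n++) {
        uint32_t next, name_ptr, base, func;
        if (!read_u32(rd, ctx, dll + DLL_NEXT, &next) || !read_u32(rd, ctx, dll + DLL_NAME, &name_ptr) ||
            !read_u32(rd, ctx, dll + DLL_BASE, &base) || !read_u32(rd, ctx, dll + DLL_FUNCS, &func))
            break;
        char dll_name[NAME_MAX], fname[NAME_MAX];
        read_wstr(rd, ctx, name_ptr, dll_name, sizeof dll_name);
        st.dlls++;
        if (base) st.loaded++;        /* base == NULL: dll registered by name but never loaded */
        if (out) {
            fprintf(out, "SIP: %08" PRIX32 " %s", dll, dll_name);
            if (base) fprintf(out, " base %08" PRIX32, base);
            fputc('\n', out);
        }
        for (unsigned m = 0; func && m < MAX_ITEMS; m++) {
            uint32_t fnext, fname_ptr, pfn;
            if (!read_u32(rd, ctx, func + SIP_NEXT, &fnext) || !read_u32(rd, ctx, func + SIP_FNAME, &fname_ptr) ||
                !read_u32(rd, ctx, func + SIP_PFN, &pfn))
                break;
            read_cstr(rd, ctx, fname_ptr, fname, sizeof fname);
            st.funcs++;
            if (pfn) st.resolved++;   /* pfn == NULL: export name known, address not yet resolved */
            if (out) {
                fprintf(out, "SIP data at %08" PRIX32 ": %s", func, fname);
                if (pfn) fprintf(out, " %08" PRIX32 " %s", pfn, dll_name);
                fputc('\n', out);
            }
            func = fnext;
        }
        dll = next;
    }
    return st;
}

/* --- constructed sample memory image (assumption for the demo, not a real process dump) --- */
#define IMG_BASE 0x00400000u
struct image { uint8_t *data; size_t len; };

static int image_read(void *ctx, uint32_t addr, void *buf, size_t len)
{
    struct image *img = ctx;
    if (addr < IMG_BASE || addr - IMG_BASE > img->len || len > img->len - (addr - IMG_BASE)) return 0;
    memcpy(buf, img->data + (addr - IMG_BASE), len);
    return 1;
}
static void put_u32(struct image *img, uint32_t off, uint32_t v)
{
    for (int i = 0; i < 4; i++) img->data[off + i] = (uint8_t)(v >> (8 * i));
}
static void put_wstr(struct image *img, uint32_t off, const char *s)
{
    do { img->data[off] = (uint8_t)*s; img->data[off + 1] = 0; off += 2; } while (*s++);
}

/* two dlls: cryptnet.dll loaded with one resolved function, inetcomm.dll never loaded */
static struct image build_sample_image(void)
{
    struct image img = { calloc(0x400, 1), 0x400 };
    uint32_t A = IMG_BASE + 0x10, B = IMG_BASE + 0x40;
    put_u32(&img, 0x00, A);                                                   /* dll_list variable */
    put_u32(&img, 0x14, B); put_u32(&img, 0x18, IMG_BASE + 0x100);            /* A.next, A.dll_name */
    put_u32(&img, 0x1C, 0x6EE60000); put_u32(&img, 0x28, IMG_BASE + 0x200);  /* A.base, A.func_items_list */
    put_u32(&img, 0x48, IMG_BASE + 0x180); put_u32(&img, 0x58, IMG_BASE + 0x260); /* B: next/base stay 0 */
    put_wstr(&img, 0x100, "C:\\Windows\\System32\\cryptnet.dll");
    put_wstr(&img, 0x180, "C:\\Windows\\System32\\inetcomm.dll");
    /* sip_items {next, owner, fname, pfn} with the name bytes stored inline after each one */
    put_u32(&img, 0x200, IMG_BASE + 0x230); put_u32(&img, 0x204, A); put_u32(&img, 0x208, IMG_BASE + 0x210);
    put_u32(&img, 0x20C, 0x6EE65A90); strcpy((char *)img.data + 0x210, "CertDllVerifyRevocation");
    put_u32(&img, 0x234, A); put_u32(&img, 0x238, IMG_BASE + 0x240); strcpy((char *)img.data + 0x240, "LdapProvOpenStore");
    put_u32(&img, 0x260, IMG_BASE + 0x290); put_u32(&img, 0x264, B); put_u32(&img, 0x268, IMG_BASE + 0x270);
    strcpy((char *)img.data + 0x270, "EssContentHintEncodeEx");
    put_u32(&img, 0x294, B); put_u32(&img, 0x298, IMG_BASE + 0x2A0); strcpy((char *)img.data + 0x2A0, "EssReceiptEncodeEx");
    return img;
}

int main(void)
{
    struct image img = build_sample_image();
    struct sip_stats st = dump_sips(image_read, &img, IMG_BASE, stdout);
    printf("%u dlls (%u loaded), %u functions (%u resolved)\n", st.dlls, st.loaded, st.funcs, st.resolved);
    free(img.data);
    return 0;
}
```

The walker never trusts the list: every pointer is read through the callback and checked, string reads stop at the first unreadable byte, and MAX_ITEMS bounds both loops so a damaged next pointer cannot spin forever. To use it on a real 32-bit process, replace image_read with a reader that calls ReadProcessMemory on the target handle and pass the address of dll_list as head_var.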