Nice piece of code from lsasrv:
_GetCngAuditFunctions@4 proc near ; CODE XREF: SrvPrepKeyIso(x)+33p
; LsapInitCNGAuditing()+Dp
test ecx, ecx
jz short loc_5095F661
mov dword ptr [ecx], offset _AuditFunctionTable
xor eax, eax
retn
_AuditFunctionTable:
_AuditFunctionTable db 1
db 0
db 0
db 0
dd offset _CngAdtSelfTest@12 ; offset 4
dd offset _CngAdtKeyFileOperation@32 ; offset 8
dd offset _CngAdtKeyMigrationOperation@28 ; offset C
dd offset _CngAdtVerificationFailure@24 ; offset 10
dd offset _CngAdtCryptOperation@28 ; offset 14
dd offset _CngAdtPrimitiveFailure@16 ; offset 18
This table is used in the SrvPrepKeyIso and LsapInitCNGAuditing functions:
SrvPrepKeyIso:
push offset aKeyisosetaudit ; "KeyIsoSetAuditingInterface"
push [ebp+hModule]
call ds:__imp__GetProcAddress@8
mov esi, eax
test esi, esi
jz short loc_5095F609
lea ecx, [ebp+var_8]
call _GetCngAuditFunctions@4
test eax, eax
js short loc_5095F609
push [ebp+var_8]
mov ecx, esi
call ds:___guard_check_icall_fptr ; _guard_check_icall_nop(x)
call esi ; keyiso.dll!KeyIsoSetAuditingInterface
LsapInitCNGAuditing:
lea ecx, [ebp+var_4]
call _GetCngAuditFunctions@4
test eax, eax
js short loc_5095F64B
push [ebp+var_4]
call ds:__imp__BCryptSetAuditingInterface@4 ; bcrypt.dll!BCryptSetAuditingInterface
test eax, eax
js short loc_5095F64B
push [ebp+var_4]
call ds:__imp__NCryptSetAuditingInterface@4 ; ncrypt.dll!NCryptSetAuditingInterface
Let's see how this audit table is used.
keyiso.dll
keyiso.dll!KeyIsoSetAuditingInterface is just a forwarded export to NCRYPTPROV.SetAuditingInterface, so look inside ncryptprov.dll. It first checks SE_TCB_PRIVILEGE for the current process and then stores the pointer into g_pAuditingFuncs. The callers of the table, and which slot of g_pAuditingFuncs each one calls through:
KspCryptAuditKeyFileOperation - calls the function at offset 8
SPCryptImportKey, SPCryptSetKeyProperty, KspCryptAuditKeyMigrationOperation - offset C
KspCryptAuditVerificationFailure - offset 10
SPCryptFinalizeKey, KspCryptAuditCryptOperation - offset 14
ncrypt.dll
ncrypt.dll!NCryptSetAuditingInterface checks SE_TCB_PRIVILEGE for the current process, and that is all it does
bcrypt.dll
bcrypt.dll!BCryptSetAuditingInterface checks SE_TCB_PRIVILEGE for the current process, and that is all it does
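Putting the two halves together (the table handed out by _GetCngAuditFunctions@4 and the way ncryptprov dispatches through g_pAuditingFuncs), here is a C reconstruction as an added example. It is my code, not anything from lsasrv or ncryptprov: the struct and field names are assumptions (the page only gives the offsets and the exported CngAdt* symbol names), the callback argument lists are not recovered so each slot is modelled with one opaque context pointer (the @12/@32/@28/@24/@28/@16 stdcall decorations only tell us the argument byte counts), the SE_TCB_PRIVILEGE check is simulated with a flag because a portable example cannot open the process token, and the "no auditor registered" and null-argument return values are guesses. The offsets quoted in the post (4, 8, C, 10, 14, 18) are for 32-bit lsasrv; audit_slot_offset() shows what they become for the pointer size the example is built with.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reconstructed layout of the table returned by _GetCngAuditFunctions@4.
 * Field names are assumptions; slot order follows the disassembly. */
typedef int (*CNG_AUDIT_FN)(const void *ctx);   /* real arity is per-slot, see comments */

typedef struct _CNG_AUDIT_FUNCTION_TABLE {
    uint32_t     Version;               /* offset 0:  db 1,0,0,0 (assumed to be a version) */
    CNG_AUDIT_FN SelfTest;              /* offset 4:  _CngAdtSelfTest@12              (3 dword args on x86) */
    CNG_AUDIT_FN KeyFileOperation;      /* offset 8:  _CngAdtKeyFileOperation@32      (8 args) */
    CNG_AUDIT_FN KeyMigrationOperation; /* offset C:  _CngAdtKeyMigrationOperation@28 (7 args) */
    CNG_AUDIT_FN VerificationFailure;   /* offset 10: _CngAdtVerificationFailure@24   (6 args) */
    CNG_AUDIT_FN CryptOperation;        /* offset 14: _CngAdtCryptOperation@28        (7 args) */
    CNG_AUDIT_FN PrimitiveFailure;      /* offset 18: _CngAdtPrimitiveFailure@16      (4 args) */
} CNG_AUDIT_FUNCTION_TABLE;

/* Offset of slot i (0 = SelfTest ... 5 = PrimitiveFailure) for this build's pointer size.
 * On 32-bit this reproduces 4, 8, C, 10, 14, 18; on 64-bit the slots start at 8 and step by 8. */
size_t audit_slot_offset(int slot) {
    static const size_t offs[6] = {
        offsetof(CNG_AUDIT_FUNCTION_TABLE, SelfTest),
        offsetof(CNG_AUDIT_FUNCTION_TABLE, KeyFileOperation),
        offsetof(CNG_AUDIT_FUNCTION_TABLE, KeyMigrationOperation),
        offsetof(CNG_AUDIT_FUNCTION_TABLE, VerificationFailure),
        offsetof(CNG_AUDIT_FUNCTION_TABLE, CryptOperation),
        offsetof(CNG_AUDIT_FUNCTION_TABLE, PrimitiveFailure),
    };
    return (slot >= 0 && slot < 6) ? offs[slot] : (size_t)-1;
}

/* Stand-ins for the six lsasrv CngAdt* callbacks; each records which slot was hit
 * so the dispatch path through the table can be observed. */
static int g_lastSlotHit = -1;
static int CngAdtSelfTest(const void *c)              { (void)c; g_lastSlotHit = 0; return 0; }
static int CngAdtKeyFileOperation(const void *c)      { (void)c; g_lastSlotHit = 1; return 0; }
static int CngAdtKeyMigrationOperation(const void *c) { (void)c; g_lastSlotHit = 2; return 0; }
static int CngAdtVerificationFailure(const void *c)   { (void)c; g_lastSlotHit = 3; return 0; }
static int CngAdtCryptOperation(const void *c)        { (void)c; g_lastSlotHit = 4; return 0; }
static int CngAdtPrimitiveFailure(const void *c)      { (void)c; g_lastSlotHit = 5; return 0; }

/* _AuditFunctionTable: Version 1 followed by the six pointers. */
static const CNG_AUDIT_FUNCTION_TABLE g_AuditFunctionTable = {
    1, CngAdtSelfTest, CngAdtKeyFileOperation, CngAdtKeyMigrationOperation,
    CngAdtVerificationFailure, CngAdtCryptOperation, CngAdtPrimitiveFailure,
};

/* _GetCngAuditFunctions@4: store the table pointer through the out-arg and return 0.
 * Return values are NTSTATUS-shaped (negative = failure) to match the callers'
 * "test eax,eax / js" checks; what the null-pointer branch returns is an assumption. */
int GetCngAuditFunctions(const CNG_AUDIT_FUNCTION_TABLE **out) {
    if (!out) return -1;            /* the "test ecx,ecx / jz" path */
    *out = &g_AuditFunctionTable;
    return 0;
}

/* Model of ncryptprov!SetAuditingInterface (reached through the KeyIso forward).
 * The real function checks SE_TCB_PRIVILEGE on the calling process; here the flag
 * stands in for that check.  Only a privileged caller gets to install the table. */
static const CNG_AUDIT_FUNCTION_TABLE *g_pAuditingFuncs = NULL;

int SetAuditingInterface(const CNG_AUDIT_FUNCTION_TABLE *table, int callerHoldsTcb) {
    if (!callerHoldsTcb) return -1; /* privilege not held: pointer is never stored */
    g_pAuditingFuncs = table;
    return 0;
}

/* Models of two dispatchers: KspCryptAuditKeyFileOperation goes through offset 8
 * (KeyFileOperation), KspCryptAuditCryptOperation through offset 14 (CryptOperation).
 * Treating "no auditor registered" as success is an assumption of this example. */
int KspCryptAuditKeyFileOperation(const void *ctx) {
    if (!g_pAuditingFuncs || !g_pAuditingFuncs->KeyFileOperation) return 0;
    return g_pAuditingFuncs->KeyFileOperation(ctx);
}
int KspCryptAuditCryptOperation(const void *ctx) {
    if (!g_pAuditingFuncs || !g_pAuditingFuncs->CryptOperation) return 0;
    return g_pAuditingFuncs->CryptOperation(ctx);
}

/* The LsapInitCNGAuditing-shaped flow: fetch the table, then try to register it. */
int LsapInitCNGAuditing_model(int callerHoldsTcb) {
    const CNG_AUDIT_FUNCTION_TABLE *t = NULL;
    int st = GetCngAuditFunctions(&t);
    if (st < 0) return st;
    return SetAuditingInterface(t, callerHoldsTcb);
}

int main(void) {
    printf("KeyFileOperation slot is at offset 0x%zx for %zu-byte pointers\n",
           audit_slot_offset(1), sizeof(void *));
    printf("register without TCB: %d (table stored: %s)\n",
           LsapInitCNGAuditing_model(0), g_pAuditingFuncs ? "yes" : "no");
    printf("register with TCB:    %d (table stored: %s)\n",
           LsapInitCNGAuditing_model(1), g_pAuditingFuncs ? "yes" : "no");
    KspCryptAuditKeyFileOperation(NULL);
    printf("KspCryptAuditKeyFileOperation hit slot %d\n", g_lastSlotHit);
    return 0;
}
```

The point the model makes explicit is that the auditing hook is a process-global function-pointer table gated only by SE_TCB_PRIVILEGE: anything that already runs with TCB inside the same process can swap the table, and the Ksp*/SPCrypt* dispatchers will happily call through whatever is in the slot.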