Discussion:
CryptCATGetMemberInfo samples
(too old to reply)
Mitch Gallant
2006-03-06 05:02:50 UTC
Permalink
Does anyone have any C/C++ samples for CryptCATOpen and
related functions for dealing with cat files?

Is that documentation correct (about there not being import libraries??)
It states that the function has no associated import library .. what about
wintrust.lib?

When I invoke CryptCATGetMemberInfo on one of the Tag entries
in a cat file (NT5.cat), the function succeeds, but the CRYPTCATMEMBER.pwszFileName
returns NULL (but most other members are valid).
Why is this?

- Mitch
Alun Jones
2006-03-06 18:16:23 UTC
Permalink
Post by Mitch Gallant
Does anyone have any C/C++ samples for CryptCATOpen and
related functions for dealing with cat files?
Is that documentation correct (about there not being import libraries??)
It states that the function has no associated import library .. what about
wintrust.lib?
Any time I look at crypto documentation, I assume that the documentation is
incorrect unless it matches what I see in reality. I suspect that if the
function is exported enough that LoadLibrary / GetProcAddress work, it's
exported through the library:

C:\WINDOWS>dumpbin /exports "d:\Program Files\Microsoft Platform
SDK\Lib\WinTrust.Lib" | findstr /i cryptcatopen
Post by Mitch Gallant
When I invoke CryptCATGetMemberInfo on one of the Tag entries
in a cat file (NT5.cat), the function succeeds, but the
CRYPTCATMEMBER.pwszFileName
returns NULL (but most other members are valid).
Why is this?
I'm not sure that the cat files actually contain the file name.

Try using CryptCatEnumerateAttr to see what attributes are actually stored.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | ***@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Mitch Gallant
2006-03-07 02:07:09 UTC
Permalink
OK, here is a very specific example for others to verify:

XP Pro SP2 and consider the following file:
crypt32.dll file (file version 5.131.2600.2180).

I calculate the SHA1 hash of this to be (hex-encoded bytes):
B9E14B84A8D39E982D192906FC0C190EDC1CCCA0

The function CryptCATAdminCalcHashFromFileHandle() however
returns a different value for the Hash of the same file:
A741494AF4FEFF83C554909322C643D0DBD2F968
and THIS value is in fact in the NT5.cat catalog.

So what exactly IS hashed by CryptCATAdminCalcHashFromFileHandle()
and used for the cat file tag value?

- Mitch
Post by Alun Jones
Post by Mitch Gallant
Does anyone have any C/C++ samples for CryptCATOpen and
related functions for dealing with cat files?
Is that documentation correct (about there not being import libraries??)
It states that the function has no associated import library .. what about
wintrust.lib?
Any time I look at crypto documentation, I assume that the documentation is
incorrect unless it matches what I see in reality. I suspect that if the
function is exported enough that LoadLibrary / GetProcAddress work, it's
C:\WINDOWS>dumpbin /exports "d:\Program Files\Microsoft Platform
SDK\Lib\WinTrust.Lib" | findstr /i cryptcatopen
Post by Mitch Gallant
When I invoke CryptCATGetMemberInfo on one of the Tag entries
in a cat file (NT5.cat), the function succeeds, but the
CRYPTCATMEMBER.pwszFileName
returns NULL (but most other members are valid).
Why is this?
I'm not sure that the cat files actually contain the file name.
Try using CryptCatEnumerateAttr to see what attributes are actually stored.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Mitch Gallant
2006-03-07 13:17:36 UTC
Permalink
OK ..... thanks to a MS contact, here is some useful information on
how hashes for PE files are used in cat files:
-----------------
"A C14n pre-processing is done of the files before being hashed,
this removes the variable (per machine) bits of the data
so that the signatures can validate accross machines; remember some
bits in the pe header get modified periodically we wouldnt want the
signature to get invalidated.

Ones that are static do not have c14n done against them
which is why some match. "
--------------------

So related question to this, is there a tool or api to C14n process a PE
file? Does the resultant data represent a valid (and runable) PE file?

- Mitch
Post by Mitch Gallant
crypt32.dll file (file version 5.131.2600.2180).
B9E14B84A8D39E982D192906FC0C190EDC1CCCA0
The function CryptCATAdminCalcHashFromFileHandle() however
A741494AF4FEFF83C554909322C643D0DBD2F968
and THIS value is in fact in the NT5.cat catalog.
So what exactly IS hashed by CryptCATAdminCalcHashFromFileHandle()
and used for the cat file tag value?
- Mitch
Post by Alun Jones
Post by Mitch Gallant
Does anyone have any C/C++ samples for CryptCATOpen and
related functions for dealing with cat files?
Is that documentation correct (about there not being import libraries??)
It states that the function has no associated import library .. what about
wintrust.lib?
Any time I look at crypto documentation, I assume that the documentation is
incorrect unless it matches what I see in reality. I suspect that if the
function is exported enough that LoadLibrary / GetProcAddress work, it's
C:\WINDOWS>dumpbin /exports "d:\Program Files\Microsoft Platform
SDK\Lib\WinTrust.Lib" | findstr /i cryptcatopen
Post by Mitch Gallant
When I invoke CryptCATGetMemberInfo on one of the Tag entries
in a cat file (NT5.cat), the function succeeds, but the
CRYPTCATMEMBER.pwszFileName
returns NULL (but most other members are valid).
Why is this?
I'm not sure that the cat files actually contain the file name.
Try using CryptCatEnumerateAttr to see what attributes are actually stored.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Mitch Gallant
2006-03-08 06:58:26 UTC
Permalink
Here is a C utility to calculate the SHA1 hash and the
hash for cat file entries for any file. If the file does not
exist, the utility calculates the SHA1 hash of the string in
both ASCII and UNICODE formats.
Hash values are shown as hex bytes and also in b64 encoded
form.

CatHash:
http://www.jensign.com/hash/cathash.c
Compiled with VS 2005, and digitally signed exe:
http://www.jensign.com/hash/cathash.exe

Sample output:
-------------------------------------------------------
cathash.exe
Enter filename or string to hash: crypt32.dll
File to be hashed: crypt32.dll

SHA1 hash for file 'crypt32.dll' (597504 bytes) is:
Hex: B9 E1 4B 84 A8 D3 9E 98 2D 19 29 06 FC 0C 19 0E DC 1C CC A0
B64: ueFLhKjTnpgtGSkG/AwZDtwczKA=


Cat SHA1 hash for file 'crypt32.dll' (597504 bytes) is:
Hex: A7 41 49 4A F4 FE FF 83 C5 54 90 93 22 C6 43 D0 DB D2 F9 68
B64: p0FJSvT+/4PFVJCTIsZD0NvS+Wg=
---------------------------------------------------------

- Mitch Gallant
MVP Security
OK ..... thanks to a MS contact, here is some useful information on
-----------------
"A C14n pre-processing is done of the files before being hashed,
this removes the variable (per machine) bits of the data
so that the signatures can validate accross machines; remember some
bits in the pe header get modified periodically we wouldnt want the
signature to get invalidated.
Ones that are static do not have c14n done against them
which is why some match. "
--------------------
So related question to this, is there a tool or api to C14n process a PE
file? Does the resultant data represent a valid (and runable) PE file?
- Mitch
Post by Mitch Gallant
crypt32.dll file (file version 5.131.2600.2180).
B9E14B84A8D39E982D192906FC0C190EDC1CCCA0
The function CryptCATAdminCalcHashFromFileHandle() however
A741494AF4FEFF83C554909322C643D0DBD2F968
and THIS value is in fact in the NT5.cat catalog.
So what exactly IS hashed by CryptCATAdminCalcHashFromFileHandle()
and used for the cat file tag value?
- Mitch
Post by Alun Jones
Post by Mitch Gallant
Does anyone have any C/C++ samples for CryptCATOpen and
related functions for dealing with cat files?
Is that documentation correct (about there not being import libraries??)
It states that the function has no associated import library .. what about
wintrust.lib?
Any time I look at crypto documentation, I assume that the documentation is
incorrect unless it matches what I see in reality. I suspect that if the
function is exported enough that LoadLibrary / GetProcAddress work, it's
C:\WINDOWS>dumpbin /exports "d:\Program Files\Microsoft Platform
SDK\Lib\WinTrust.Lib" | findstr /i cryptcatopen
Post by Mitch Gallant
When I invoke CryptCATGetMemberInfo on one of the Tag entries
in a cat file (NT5.cat), the function succeeds, but the
CRYPTCATMEMBER.pwszFileName
returns NULL (but most other members are valid).
Why is this?
I'm not sure that the cat files actually contain the file name.
Try using CryptCatEnumerateAttr to see what attributes are actually stored.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
m***@gmail.com
2012-07-31 11:35:19 UTC
Permalink
Hi mitch,

i want to do "C14n pre-processing" to some file, say sample.exe. i did not find find any relevent information on Net. Could you Share any reference?


Thanks
mumin

Jeffrey Tan[MSFT]
2006-03-07 02:32:54 UTC
Permalink
Hi Mitch ,

Thanks for your post!

Yes, just as Alun pointed out, this is a doc error, we can use the static
lib. AFAIK, the need to LoadLibrary and GetProcAddress went away as of
Win2k.

The CRYPTCATMEMBER.pwszFileName returns NULL is expected. Filename is
optional and we don¡¯t store them in NT5.cat. The usage pattern is the app
verifies a file signature by hashing the file and then queries the catalog
database to find a catalog. Filenames are not reliable since they are not
unique and can be modified after signing.

Hope this helps!

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Alun Jones
2006-03-07 03:28:03 UTC
Permalink
Post by Jeffrey Tan[MSFT]
Yes, just as Alun pointed out, this is a doc error, we can use the static
lib. AFAIK, the need to LoadLibrary and GetProcAddress went away as of
Win2k.
.. if it was ever there in the first place. I can't envision how you would
create a DLL that exported a function, but in a way that the export didn't
make it into the import LIB - unless you somehow distributed the wrong version
of the LIB for the DLL, and in that case, you'd have the problem that the
exports might point to the wrong address.
Post by Jeffrey Tan[MSFT]
The CRYPTCATMEMBER.pwszFileName returns NULL is expected. Filename is
optional and we don¡¯t store them in NT5.cat. The usage pattern is the app
verifies a file signature by hashing the file and then queries the catalog
database to find a catalog. Filenames are not reliable since they are not
unique and can be modified after signing.
The file name member certainly doesn't add any security, but it might add a
little "red flag" if you hash a file, and it matches the hash for some file
completely unrelated (without matching the hash for the file it claims to be!)

Optional features are there to be used!

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | ***@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Mitch Gallant
2006-03-07 13:35:43 UTC
Permalink
OK thanks. (to Alun as well).
So there are no "hints" in the cat file as to what file might be associated
with that tag (to possibly speed up a search for a match)? Of course I
realize that the filename is not a good security measure, but it would
be merely a hint, subject to proper verification by hash-comparision.

(1) When I invoke:
signtool verify /a /v somepe.exe
the tool calculates the (C14n preprocessed) hash of somepe.exe and then
brute force systematically searches for an Tag entry match in a series (/a)
of .cat files in the cat file database?

(2) The reverse process (finding out what file a specific Tag entry in a cat file
corresponds to) has no hints, so this "reverse lookup" process would be quite
slow? This is where having the filename might be useful in some situations.

Thanks,
- Mitch
Post by Jeffrey Tan[MSFT]
Hi Mitch ,
Thanks for your post!
Yes, just as Alun pointed out, this is a doc error, we can use the static
lib. AFAIK, the need to LoadLibrary and GetProcAddress went away as of
Win2k.
The CRYPTCATMEMBER.pwszFileName returns NULL is expected. Filename is
optional and we don¡¯t store them in NT5.cat. The usage pattern is the app
verifies a file signature by hashing the file and then queries the catalog
database to find a catalog. Filenames are not reliable since they are not
unique and can be modified after signing.
Hope this helps!
Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Jeffrey Tan[MSFT]
2006-03-13 06:45:18 UTC
Permalink
Hi Mitch ,

Sorry for the late response. I was OOF these days.

You have posted several replies in this thread, I am not sure which is your
curren concern. Can you collect your current problem context and concern in
well-defined logic order in a single reply to me? Then I will concentrate
my effect more efficiently.

I look forward to hearing from you. Thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Mitch Gallant
2006-03-13 13:33:05 UTC
Permalink
Hi Jeff,

Thanks for reading all my responses to myself :-)
I don't think there are any outstanding issues now! I think I've
figured this out .. but if/when you have time, you might
read the article here:
http://www.jensign.com/hash
and if there are any errors in my comments please advise :-)

Cheers,
- Mitch Gallant
MVP Security
Post by Jeffrey Tan[MSFT]
Hi Mitch ,
Sorry for the late response. I was OOF these days.
You have posted several replies in this thread, I am not sure which is your
curren concern. Can you collect your current problem context and concern in
well-defined logic order in a single reply to me? Then I will concentrate
my effect more efficiently.
I look forward to hearing from you. Thanks
Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Jeffrey Tan[MSFT]
2006-03-14 05:45:42 UTC
Permalink
Hi Mitch,

I am glad you have figured out yourself.

Yes, your page is really an informative page. If I got time, I certainly
will give it a review :-)

Thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Alun Jones
2006-03-14 14:46:56 UTC
Permalink
Post by Jeffrey Tan[MSFT]
Sorry for the late response. I was OOF these days.
Suggestion: don't use Microsoft-lingo outside of Microsoft. Few people get
"OOF".

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | ***@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Mitch Gallant
2006-03-08 14:59:47 UTC
Permalink
Thanks Jeffrey.
I have updated an older C SHA1 hash calculator utility, to include the
hash value calculated for file signature tags in catalog files:
http://www.jensign.com/hash
It is intended to try to clarify exactly what the different "hash" values
mean.

Cheers,
- Mitch Gallant
MVP Security
Post by Jeffrey Tan[MSFT]
Hi Mitch ,
Thanks for your post!
Yes, just as Alun pointed out, this is a doc error, we can use the static
lib. AFAIK, the need to LoadLibrary and GetProcAddress went away as of
Win2k.
The CRYPTCATMEMBER.pwszFileName returns NULL is expected. Filename is
optional and we don¡¯t store them in NT5.cat. The usage pattern is the app
verifies a file signature by hashing the file and then queries the catalog
database to find a catalog. Filenames are not reliable since they are not
unique and can be modified after signing.
Hope this helps!
Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Loading...