Wednesday, April 18, 2007

Advapi32 patch for CSP development

Microsoft provides cryptography in its operating systems through an application programming interface called CAPI. CAPI relies on a set of dynamically linked libraries called CSPs (Cryptographic Service Providers) that actually perform the cryptographic work. To be usable by the system, a CSP DLL must be signed by Microsoft; otherwise CAPI refuses to load it. The problem is that the signing process can take many days, and that delay is frustrating for a CSP developer or tester. For that reason, Microsoft used to ship a modified version of the advapi32 DLL with the CSP development kit. This DLL is responsible for verifying the signature associated with a CSP module; the modified version bypasses that verification and thus allows a development version of the CSP DLL to be used on the system where it is installed.

The problem is that Windows 2000 SP2 is the last supported target for the Microsoft-modified advapi32 DLL! So those targeting a much newer version of Windows (which is the case for 99% of CSP developers) find themselves left with no support. Fortunately, some talented people managed to hack the advapi32 signature verification mechanism and provided the community with a patched version of this DLL for various newer versions of Windows.

In the following, I give the details of the modifications that must be applied to the advapi32 DLL at the byte level. All you need is a good hexadecimal editor. Personally, I use HxD: it's free and you can get it from here. Once the patched DLL is in your hands, you must put it on the system. Of course, this can't be done while Windows is running, so you have to find another way to access the system32 directory; I suggest using a dual-boot system. Here are the patches:
  • Windows 2000 SP4: advapi32 version = 5.0.2195.6710
    • At offset 0x17061 : change 0F to E9
    • At offset 0x17062 : change 84 to 2C
    • At offset 0x17063 : change 22 to 06
    • At offset 0x17064 : change 06 to 01
  • Windows 2000 SP4: advapi32 version = 5.0.2195.7038
    • At offset 0xEA97 : change 0F to E9
    • At offset 0xEA98 : change 84 to 93
    • At offset 0xEA99 : change 89 to 83
    • At offset 0xEA9A : change 83 to 01
    • At offset 0xEA9B : change 01 to 00
    • At offset 0xEA9C : change 00 to 90
  • Windows XP SP1 : advapi32 version = 5.1.2600.1106
    • At offset 0x8794 : change 0F to EB
    • At offset 0x8795 : change 84 to 71
    • At offset 0x8796 : change 55 to 90
    • At offset 0x8797 : change 14 to 90
    • At offset 0x8798 : change 02 to 90
    • At offset 0x8799 : change 00 to 90
  • Windows XP SP2:
    • At offset 0x17C19 : change 75 to 90
    • At offset 0x17C1A : change 0C to 90
    • At offset 0x17C21 : change 0F to 90
    • At offset 0x17C22 : change 84 to E9
  • Windows 2003 SP1: advapi32 version = 5.2.3790.1830
    • At offset 0x68CD : change 0F to EB
    • At offset 0x68CE : change 84 to 42
    • At offset 0x68CF : change 62 to 90
    • At offset 0x68D0 : change 0B to 90
    • At offset 0x68D1 : change 03 to 90
    • At offset 0x68D2 : change 00 to 90
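The byte table above also works in the other direction: it is a precise fingerprint for telling whether a given copy of advapi32.dll is an unmodified build or carries the signature-check bypass, which matters when a development machine with the patched DLL must not be mistaken for a production one. The following script is an added example, not code from the original post: it transcribes the five patch sets from the page into a table and classifies an image as original, patched or unknown. The filler bytes and `make_sample` buffers are constructed stand-ins, not real DLL content, and the x86 opcode notes in the comments are general knowledge, not something the page states.

```python
"""Added example (not from the original post): detect whether an advapi32.dll
image carries the CSP signature-check bypass listed above.

Each entry records (file offset, original byte, patched byte) exactly as given
on the page. In x86 terms the edits replace a conditional branch on the
verification result (0F 84 = jz rel32, 75 = jnz rel8) with an unconditional
jump (E9 = jmp rel32, EB = jmp rel8) padded with NOPs (90), which is why a
patched file is easy to fingerprint at these offsets.
"""
from typing import Dict, List, Tuple

Edit = Tuple[int, int, int]  # (offset, original byte, patched byte)

PATCH_TABLE: Dict[str, List[Edit]] = {
    "Windows 2000 SP4, advapi32 5.0.2195.6710": [
        (0x17061, 0x0F, 0xE9), (0x17062, 0x84, 0x2C),
        (0x17063, 0x22, 0x06), (0x17064, 0x06, 0x01),
    ],
    "Windows 2000 SP4, advapi32 5.0.2195.7038": [
        (0xEA97, 0x0F, 0xE9), (0xEA98, 0x84, 0x93), (0xEA99, 0x89, 0x83),
        (0xEA9A, 0x83, 0x01), (0xEA9B, 0x01, 0x00), (0xEA9C, 0x00, 0x90),
    ],
    "Windows XP SP1, advapi32 5.1.2600.1106": [
        (0x8794, 0x0F, 0xEB), (0x8795, 0x84, 0x71), (0x8796, 0x55, 0x90),
        (0x8797, 0x14, 0x90), (0x8798, 0x02, 0x90), (0x8799, 0x00, 0x90),
    ],
    "Windows XP SP2 (advapi32 version not given on the page)": [
        (0x17C19, 0x75, 0x90), (0x17C1A, 0x0C, 0x90),
        (0x17C21, 0x0F, 0x90), (0x17C22, 0x84, 0xE9),
    ],
    "Windows 2003 SP1, advapi32 5.2.3790.1830": [
        (0x68CD, 0x0F, 0xEB), (0x68CE, 0x84, 0x42), (0x68CF, 0x62, 0x90),
        (0x68D0, 0x0B, 0x90), (0x68D1, 0x03, 0x90), (0x68D2, 0x00, 0x90),
    ],
}


def classify(image: bytes, edits: List[Edit]) -> str:
    """Compare the bytes at each edit offset with the expected values.

    Returns 'original' if every offset holds the pre-patch byte, 'patched' if
    every offset holds the post-patch byte, and 'unknown' otherwise (a
    different build, a partial patch, or a file too short for the offsets).
    """
    if any(offset >= len(image) for offset, _, _ in edits):
        return "unknown"
    if all(image[offset] == original for offset, original, _ in edits):
        return "original"
    if all(image[offset] == patched for offset, _, patched in edits):
        return "patched"
    return "unknown"


def scan(image: bytes) -> Dict[str, str]:
    """Classify one image against every build in the table."""
    return {build: classify(image, edits) for build, edits in PATCH_TABLE.items()}


def verdict(image: bytes) -> str:
    """Summarise a scan: 'patched' wins over 'original', anything else is 'unknown'."""
    results = set(scan(image).values())
    if "patched" in results:
        return "patched"
    if "original" in results:
        return "original"
    return "unknown"


def make_sample(edits: List[Edit], patched: bool, size: int = 0x20000) -> bytes:
    """Build a constructed stand-in for a DLL image (filler bytes only, not a
    real advapi32.dll) carrying either the original or the patched bytes."""
    buf = bytearray(b"\xCC" * size)  # filler; 0xCC occurs nowhere in the table
    for offset, original, new in edits:
        buf[offset] = new if patched else original
    return bytes(buf)


def check_file(path: str) -> str:
    """Read a DLL from disk and return its verdict (for use on a real file)."""
    with open(path, "rb") as fh:
        return verdict(fh.read())


if __name__ == "__main__":
    for build, edits in PATCH_TABLE.items():
        print(build)
        print("  original copy ->", verdict(make_sample(edits, patched=False)))
        print("  patched copy  ->", verdict(make_sample(edits, patched=True)))
```

Run `check_file(r"C:\Windows\system32\advapi32.dll")` on a machine to get its verdict. The check only knows the five builds listed on this page; any other build, or a partially applied patch, comes back as "unknown", and for those the reliable test is to verify the file's Authenticode signature or compare it against a known-good copy of the same version.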
Under Windows Vista, a new architecture called CNG (Crypto NextGen) was introduced. It adds the notion of card modules that expose cryptographic features and are called by the CNG runtime. These modules don't need to be signed, thus removing the burden of the Microsoft signature process.