hakril
diff --git a/‎ctypes_generation/definitions/defines/wintrust_crypt_def.txt‎
Lines changed: 52 additions & 1 deletion b/‎ctypes_generation/definitions/defines/wintrust_crypt_def.txt‎
Lines changed: 52 additions & 1 deletion
diff --git a/‎ctypes_generation/definitions/functions/crypto_wintrust.txt‎
Lines changed: 24 additions & 0 deletions b/‎ctypes_generation/definitions/functions/crypto_wintrust.txt‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎ctypes_generation/definitions/functions/ncrypt.txt‎
Lines changed: 14 additions & 0 deletions b/‎ctypes_generation/definitions/functions/ncrypt.txt‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎ctypes_generation/definitions/simple_types.txt‎
Lines changed: 2 additions & 0 deletions b/‎ctypes_generation/definitions/simple_types.txt‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎ctypes_generation/definitions/structures/crypto.txt‎
Lines changed: 9 additions & 1 deletion b/‎ctypes_generation/definitions/structures/crypto.txt‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎docs/source/windef_generated.rst‎
Lines changed: 35 additions & 0 deletions b/‎docs/source/windef_generated.rst‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎docs/source/winfuncs_generated.rst‎
Lines changed: 8 additions & 0 deletions b/‎docs/source/winfuncs_generated.rst‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎docs/source/winstructs_generated.rst‎
Lines changed: 40 additions & 0 deletions b/‎docs/source/winstructs_generated.rst‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎tests/test_rpc.py‎
Lines changed: 39 additions & 0 deletions b/‎tests/test_rpc.py‎
Lines changed: 39 additions & 0 deletions
@@ -387,6 +387,38 @@
 #define CRYPT_ARCHIVABLE        0x00004000
 #define CRYPT_FORCE_KEY_PROTECTION_HIGH 0x00008000
 
+#define CERT_RDN_ANY_TYPE 0
+#define CERT_RDN_ENCODED_BLOB 1
+#define CERT_RDN_OCTET_STRING 2
+#define CERT_RDN_NUMERIC_STRING 3
+#define CERT_RDN_PRINTABLE_STRING 4
+#define CERT_RDN_TELETEX_STRING 5
+#define CERT_RDN_T61_STRING 5
+#define CERT_RDN_VIDEOTEX_STRING 6
+#define CERT_RDN_IA5_STRING 7
+#define CERT_RDN_GRAPHIC_STRING 8
+#define CERT_RDN_VISIBLE_STRING 9
+#define CERT_RDN_ISO646_STRING 9
+#define CERT_RDN_GENERAL_STRING 10
+#define CERT_RDN_UNIVERSAL_STRING 11
+#define CERT_RDN_INT4_STRING 11
+#define CERT_RDN_BMP_STRING 12
+#define CERT_RDN_UNICODE_STRING 12
+#define CERT_RDN_UTF8_STRING 13
+#define CERT_RDN_TYPE_MASK 0xff
+#define CERT_RDN_FLAGS_MASK 0xff000000
+#define CERT_RDN_ENABLE_T61_UNICODE_FLAG 0x80000000
+#define CERT_RDN_ENABLE_UTF8_UNICODE_FLAG 0x20000000
+#define CERT_RDN_FORCE_UTF8_UNICODE_FLAG 0x10000000
+#define CERT_RDN_DISABLE_CHECK_TYPE_FLAG 0x40000000
+#define CERT_RDN_DISABLE_IE4_UTF8_FLAG 0x1000000
+
+#define CRYPT_DECODE_NOCOPY_FLAG 0x1
+#define CRYPT_DECODE_TO_BE_SIGNED_FLAG 0x2
+#define CRYPT_DECODE_SHARE_OID_STRING_FLAG 0x4
+#define CRYPT_DECODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG 0x8
+#define CRYPT_DECODE_ALLOC_FLAG 0x8000
+#define CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG CERT_RDN_DISABLE_IE4_UTF8_FLAG
 
 #define CRYPT_ENCODE_DECODE_NONE            0
 #define X509_CERT                           (1)
@@ -582,4 +614,23 @@
 #define CMSG_CTRL_MAIL_LIST_DECRYPT      18
 #define CMSG_CTRL_VERIFY_SIGNATURE_EX    19
 #define CMSG_CTRL_ADD_CMS_SIGNER_INFO    20
-#define CMSG_CTRL_ENABLE_STRONG_SIGNATURE 21
+#define CMSG_CTRL_ENABLE_STRONG_SIGNATURE 21
+
+
+//+-------------------------------------------------------------------------
+//  The following flag should be set in the above dwFlags to enable
+//  a CertSetCertificateContextProperty(CERT_KEY_CONTEXT_PROP_ID) after a
+//  CryptAcquireContext is done in the Sign or Decrypt Message functions.
+//
+//  The following define must not collide with any of the
+//  CryptAcquireContext dwFlag defines.
+//--------------------------------------------------------------------------
+#define CERT_SET_KEY_PROV_HANDLE_PROP_ID    0x00000001
+#define CERT_SET_KEY_CONTEXT_PROP_ID        0x00000001
+
+// Special dwKeySpec indicating a CNG NCRYPT_KEY_HANDLE instead of a CAPI1
+// HCRYPTPROV
+#define CERT_NCRYPT_KEY_SPEC                0xFFFFFFFF
+
+
+#define CERT_REQUEST_V1     0
@@ -617,4 +617,28 @@ BOOL CryptGetOIDFunctionValue(
 BOOL CertCloseStore(
   HCERTSTORE hCertStore,
   DWORD      dwFlags
+);
+
+BOOL CryptSignAndEncodeCertificate(
+  [in]      BCRYPT_KEY_HANDLE           hBCryptKey,
+  [in]      DWORD                       dwKeySpec,
+  [in]      DWORD                       dwCertEncodingType,
+  [in]      LPCSTR                      lpszStructType,
+  [in]      PVOID                       pvStructInfo,
+  [in]      PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
+  [in]      PVOID                       pvHashAuxInfo,
+  [out]     BYTE                        *pbEncoded,
+  [in, out] DWORD                       *pcbEncoded
+);
+
+BOOL CryptSignCertificate(
+  [in]      BCRYPT_KEY_HANDLE           hBCryptKey,
+  [in]      DWORD                       dwKeySpec,
+  [in]      DWORD                       dwCertEncodingType,
+  [in]      BYTE                  *pbEncodedToBeSigned,
+  [in]      DWORD                       cbEncodedToBeSigned,
+  [in]      PCRYPT_ALGORITHM_IDENTIFIER pSignatureAlgorithm,
+  [in]      PVOID                       pvHashAuxInfo,
+  [out]     BYTE                        *pbSignature,
+  [in, out] DWORD                       *pcbSignature
 );
@@ -0,0 +1,14 @@
+SECURITY_STATUS NCryptOpenKey(
+  [in]  NCRYPT_PROV_HANDLE hProvider,
+  [out] NCRYPT_KEY_HANDLE  *phKey,
+  [in]  LPCWSTR            pszKeyName,
+  [in]  DWORD              dwLegacyKeySpec,
+  [in]  DWORD              dwFlags
+);
+
+
+SECURITY_STATUS NCryptOpenStorageProvider(
+  [out]          NCRYPT_PROV_HANDLE *phProvider,
+  [in, optional] LPCWSTR            pszProviderName,
+  [in]           DWORD              dwFlags
+);
@@ -86,6 +86,7 @@ PWINDBG_EXTENSION_APIS32 = PVOID
 PWINDBG_EXTENSION_APIS64 = PVOID
 FILEOP_FLAGS = WORD
 NET_API_STATUS = DWORD
+SECURITY_STATUS = LONG // Return type of ncrypt functions
 
 
 // 2 custom PFW defintions for bitness-forces structures
@@ -94,6 +95,7 @@ PVOID64 = DWORD64
 
 NCRYPT_HANDLE = ULONG_PTR
 NCRYPT_PROV_HANDLE = ULONG_PTR
+BCRYPT_KEY_HANDLE = ULONG_PTR
 NCRYPT_KEY_HANDLE = ULONG_PTR
 NCRYPT_HASH_HANDLE = ULONG_PTR
 NCRYPT_SECRET_HANDLE  = ULONG_PTR
 
@@ -715,4 +715,12 @@ typedef struct _STRUCT_PLAINTEXTKEYBLOB {
   BLOBHEADER hdr;
   DWORD      dwKeySize;
   BYTE       rgbKeyData[0];
-} STRUCT_PLAINTEXTKEYBLOB, *PSTRUCT_PLAINTEXTKEYBLOB;
+} STRUCT_PLAINTEXTKEYBLOB, *PSTRUCT_PLAINTEXTKEYBLOB;
+
+typedef struct _CERT_REQUEST_INFO {
+  DWORD                dwVersion;
+  CERT_NAME_BLOB       Subject;
+  CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
+  DWORD                cAttribute;
+  PCRYPT_ATTRIBUTE     rgAttribute;
+} CERT_REQUEST_INFO, *PCERT_REQUEST_INFO;
@@ -3344,6 +3344,37 @@ WinDef
 .. autodata:: CRYPT_SGCKEY
 .. autodata:: CRYPT_ARCHIVABLE
 .. autodata:: CRYPT_FORCE_KEY_PROTECTION_HIGH
+.. autodata:: CERT_RDN_ANY_TYPE
+.. autodata:: CERT_RDN_ENCODED_BLOB
+.. autodata:: CERT_RDN_OCTET_STRING
+.. autodata:: CERT_RDN_NUMERIC_STRING
+.. autodata:: CERT_RDN_PRINTABLE_STRING
+.. autodata:: CERT_RDN_TELETEX_STRING
+.. autodata:: CERT_RDN_T61_STRING
+.. autodata:: CERT_RDN_VIDEOTEX_STRING
+.. autodata:: CERT_RDN_IA5_STRING
+.. autodata:: CERT_RDN_GRAPHIC_STRING
+.. autodata:: CERT_RDN_VISIBLE_STRING
+.. autodata:: CERT_RDN_ISO646_STRING
+.. autodata:: CERT_RDN_GENERAL_STRING
+.. autodata:: CERT_RDN_UNIVERSAL_STRING
+.. autodata:: CERT_RDN_INT4_STRING
+.. autodata:: CERT_RDN_BMP_STRING
+.. autodata:: CERT_RDN_UNICODE_STRING
+.. autodata:: CERT_RDN_UTF8_STRING
+.. autodata:: CERT_RDN_TYPE_MASK
+.. autodata:: CERT_RDN_FLAGS_MASK
+.. autodata:: CERT_RDN_ENABLE_T61_UNICODE_FLAG
+.. autodata:: CERT_RDN_ENABLE_UTF8_UNICODE_FLAG
+.. autodata:: CERT_RDN_FORCE_UTF8_UNICODE_FLAG
+.. autodata:: CERT_RDN_DISABLE_CHECK_TYPE_FLAG
+.. autodata:: CERT_RDN_DISABLE_IE4_UTF8_FLAG
+.. autodata:: CRYPT_DECODE_NOCOPY_FLAG
+.. autodata:: CRYPT_DECODE_TO_BE_SIGNED_FLAG
+.. autodata:: CRYPT_DECODE_SHARE_OID_STRING_FLAG
+.. autodata:: CRYPT_DECODE_NO_SIGNATURE_BYTE_REVERSAL_FLAG
+.. autodata:: CRYPT_DECODE_ALLOC_FLAG
+.. autodata:: CRYPT_UNICODE_NAME_DECODE_DISABLE_IE4_UTF8_FLAG
 .. autodata:: CRYPT_ENCODE_DECODE_NONE
 .. autodata:: X509_CERT
 .. autodata:: X509_CERT_TO_BE_SIGNED
@@ -3482,6 +3513,10 @@ WinDef
 .. autodata:: CMSG_CTRL_VERIFY_SIGNATURE_EX
 .. autodata:: CMSG_CTRL_ADD_CMS_SIGNER_INFO
 .. autodata:: CMSG_CTRL_ENABLE_STRONG_SIGNATURE
+.. autodata:: CERT_SET_KEY_PROV_HANDLE_PROP_ID
+.. autodata:: CERT_SET_KEY_CONTEXT_PROP_ID
+.. autodata:: CERT_NCRYPT_KEY_SPEC
+.. autodata:: CERT_REQUEST_V1
 .. autodata:: WSADESCRIPTION_LEN
 .. autodata:: WSASYS_STATUS_LEN
 .. autodata:: WSAPROTOCOL_LEN
 
@@ -326,6 +326,10 @@ Functions
 
 .. function:: CertCloseStore(hCertStore, dwFlags)
 
+.. function:: CryptSignAndEncodeCertificate(hBCryptKey, dwKeySpec, dwCertEncodingType, lpszStructType, pvStructInfo, pSignatureAlgorithm, pvHashAuxInfo, pbEncoded, pcbEncoded)
+
+.. function:: CryptSignCertificate(hBCryptKey, dwKeySpec, dwCertEncodingType, pbEncodedToBeSigned, cbEncodedToBeSigned, pSignatureAlgorithm, pvHashAuxInfo, pbSignature, pcbSignature)
+
 .. function:: OpenVirtualDisk(VirtualStorageType, Path, VirtualDiskAccessMask, Flags, Parameters, Handle)
 
 .. function:: AttachVirtualDisk(VirtualDiskHandle, SecurityDescriptor, Flags, ProviderSpecificFlags, Parameters, Overlapped)
@@ -592,6 +596,10 @@ Functions
 
 .. function:: UnmapViewOfFile(lpBaseAddress)
 
+.. function:: NCryptOpenKey(hProvider, phKey, pszKeyName, dwLegacyKeySpec, dwFlags)
+
+.. function:: NCryptOpenStorageProvider(phProvider, pszProviderName, dwFlags)
+
 .. function:: NetQueryDisplayInformation(ServerName, Level, Index, EntriesRequested, PreferredMaximumLength, ReturnedEntryCount, SortedBuffer)
 
 .. function:: NetUserEnum(servername, level, filter, bufptr, prefmaxlen, entriesread, totalentries, resume_handle)
 
@@ -247,6 +247,8 @@ Simple types
 
 .. autoclass:: NET_API_STATUS
 
+.. autoclass:: SECURITY_STATUS
+
 .. autoclass:: PVOID32
 
 .. autoclass:: PVOID64
@@ -255,6 +257,8 @@ Simple types
 
 .. autoclass:: NCRYPT_PROV_HANDLE
 
+.. autoclass:: BCRYPT_KEY_HANDLE
+
 .. autoclass:: NCRYPT_KEY_HANDLE
 
 .. autoclass:: NCRYPT_HASH_HANDLE
@@ -21113,6 +21117,42 @@ _STRUCT_PLAINTEXTKEYBLOB
 
         :class:`BYTE` ``[0]``
 
+_CERT_REQUEST_INFO
+''''''''''''''''''
+.. class:: CERT_REQUEST_INFO
+
+    Alias for :class:`_CERT_REQUEST_INFO`
+
+.. class:: PCERT_REQUEST_INFO
+
+    Pointer to :class:`_CERT_REQUEST_INFO`
+
+.. class:: _CERT_REQUEST_INFO
+
+    .. attribute:: dwVersion
+
+        :class:`DWORD`
+
+
+    .. attribute:: Subject
+
+        :class:`CERT_NAME_BLOB`
+
+
+    .. attribute:: SubjectPublicKeyInfo
+
+        :class:`CERT_PUBLIC_KEY_INFO`
+
+
+    .. attribute:: cAttribute
+
+        :class:`DWORD`
+
+
+    .. attribute:: rgAttribute
+
+        :class:`PCRYPT_ATTRIBUTE`
+
 _EXCEPTION_DEBUG_INFO
 '''''''''''''''''''''
 .. class:: EXCEPTION_DEBUG_INFO
 
@@ -157,3 +157,42 @@ def test_rpc_response_as_view():
     # Flags = 7 ?
     resp2 = client.call(iid, Proc9_RPC_FWEnumFirewallRules, params=rawpolstore + b"\x00\x00\x03\x00\xff\xff\xff\x7f\x07\x00")
     assert client.last_response_was_view
+
+# This cannot work as is: as juste calling NtAlpcDeleteSectionView does not works.
+# We need to disconnect from the port or (guess) reuse the message (based on ID ?) so that the serv known we are done with the message and can suppress it.
+# More alpc client/serer test need to be done
+
+# def test_rpc_response_as_view_is_unmapped():
+#     """Test that when a RCP client response as a view, it is unmapped and does not take place in memory ater the call
+#     It's not private memory, but it take some place in the AS : which can be problematic in 32b python"""
+#     # The logic we use : make a LOT of call to an API known to send response as a view. And monitor the evolution of WorkingSetSize
+#     client = windows.rpc.find_alpc_endpoint_and_connect(FIREWALL_RPC_IID, sid=gdef.WinLocalSid)
+#     client.__class__ = DbgRpcClient
+#     iid = client.bind(FIREWALL_RPC_IID)
+#
+#     # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fasp/230d1ae7-b42e-4d9c-b997-b1463aaa0ded
+#     # !\x02\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00
+#     # Binaryversion : 0x022f
+#     # FW_STORE_TYPE_LOCAL
+#     # FW_POLICY_ACCESS_RIGHT_READ
+#     # Flags = 0
+#     resp1 = client.call(iid, Proc0_RPC_FWOpenPolicyStore, params=b"!\x02\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00")
+#     rawpolstore = resp1[:20]
+#     assert not client.last_response_was_view
+#     initial_ws_size = windows.current_process.memory_info.WorkingSetSize
+#     ws_sizes = []
+#
+#     for i in range(100):
+#         # Proc9_RPC_FWEnumFirewallRules
+#         # \x00\x00\x03\x00\xff\xff\xff\x7f\x07\x00
+#         # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fasp/36cddff4-c427-4863-a58d-3d913a12b221
+#         # FW_PROFILE_TYPE_ALL : 0x7FFFFFFF
+#         # FW_RULE_STATUS_CLASS_OK +  FW_RULE_STATUS_PARTIALLY_IGNORED = 0x00010000 + 0x00020000
+#         # Flags = 7 ?
+#         resp2 = client.call(iid, Proc9_RPC_FWEnumFirewallRules, params=rawpolstore + b"\x00\x00\x03\x00\xff\xff\xff\x7f\x07\x00")
+#         assert client.last_response_was_view
+#         ws_sizes.append(windows.current_process.memory_info.WorkingSetSize - initial_ws_size)
+#         print("WorkingSetSize: {0}".format(windows.current_process.memory_info.WorkingSetSize))
+#     assert max(ws_sizes) - min(ws_sizes) < (1024 ** 2) # We should not vary more than 1 MO ?
+#     # Check if not all ws_size is not 4k bigger that the last one
+#     assert not all((ws_sizes[i+1] - ws_sizes[i] > 0x1000) for i in range(len(ws_sizes) - 1))