Tuesday, March 7, 2017

Reversing A File:

We saw a lot of interesting strings in this file. Most of them relate to cryptography, a user-agent, SOCKS, etc. We then continued our analysis at the code level:
[Image: 2.png]
It calls the LoadLibrary subroutine to load the socket API, then binds a socket and gets ready to transmit data.
Once that is done, it looks for GetProcAddress.
[Image: 3.png]
It then looks up the active window and the last active popup (that is, which pop-up window owned by the specified window was most recently active), retrieves information about the specified window station or desktop object, and calls GetProcessWindowStation, which retrieves a handle to the current window station for the calling process.
[Image: proceswindows.png]


This particular piece of code makes extensive use of cryptography functions.
The CryptAcquireContext function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). The returned handle is used in calls to CryptoAPI functions that use the selected CSP.
This function first attempts to find a CSP with the characteristics described in the dwProvType and pszProvider parameters. If the CSP is found, the function attempts to find a key container within the CSP that matches the name specified by the pszContainer parameter. To acquire the context and the key container of a private key associated with the public key of a certificate, use CryptAcquireCertificatePrivateKey.
With the appropriate setting of dwFlags, this function can also create and destroy key containers and can provide access to a CSP with a temporary key container if access to a private key is not required.
CSP stands for cryptographic service provider; in this case it is the Microsoft Base Cryptographic Provider.
 
Microsoft base cryptor key:
00000005911C   00000045A51C      0   LibTomMath
000000059204   00000045A604      0   /dev/random
000000059210   00000045A610      0   /dev/urandom
000000059220   00000045A620      0   Microsoft Base Cryptographic Provider v1.0
000000059250   00000045A650      0   11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
0000000592D8   00000045A6D8      0   C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
000000059360   00000045A760      0   1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
0000000593E8   00000045A7E8      0   51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
000000059470   00000045A870      0   1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
0000000594F4   00000045A8F4      0   ECC-521
0000000594FC   00000045A8FC      0   ECC-384
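As an added illustration (my own code, not from the original post or from the sample under analysis), here is a small Python strings triage that produces an offset-tagged table like the dump above and flags the cryptography and network indicators the post points out. The SAMPLE buffer is constructed for the example and the CATEGORIES keyword lists are my own choice.

```python
import re

# Constructed sample buffer standing in for a slice of the analysed binary:
# printable runs separated by arbitrary bytes, mirroring the strings table above.
SAMPLE = (
    b"\x00\x10LibTomMath\x00\x00/dev/urandom\x00\xff\x01"
    b"Microsoft Base Cryptographic Provider v1.0\x00\x90\x90"
    b"ECC-521\x00ECC-384\x00\x05libcurl/7.49.1\x00\x00socks5\x00ab\x00"
)

# Indicator keywords an analyst would flag during strings triage (my own lists).
CATEGORIES = {
    "crypto": ("Cryptographic Provider", "LibTomMath", "ECC-",
               "/dev/random", "/dev/urandom"),
    "network": ("libcurl/", "socks", "Mozilla/", "User-Agent"),
}


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) for every printable ASCII run of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def categorise(text: str) -> str:
    """Name the first category whose keyword occurs in text (case-insensitive), else 'other'."""
    lowered = text.lower()
    for name, needles in CATEGORIES.items():
        if any(needle.lower() in lowered for needle in needles):
            return name
    return "other"


def triage(data: bytes, min_len: int = 4):
    """Strings table as (offset, category, text), the form an analyst reads through."""
    return [(off, categorise(s), s) for off, s in extract_strings(data, min_len)]


if __name__ == "__main__":
    for off, cat, s in triage(SAMPLE):
        print(f"{off:08X}  {cat:8}  {s}")
```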


[Image: cryptencrypt.png]
It also uses functions such as CryptEncrypt, CryptDestroyKey, and CryptReleaseContext:
  • The CryptEncrypt function encrypts data. The algorithm used to encrypt the data is designated by the key held by the CSP module and is referenced by the hKey parameter.
  • The CryptDestroyKey function releases the handle referenced by the hKey parameter. After a key handle has been released, it is no longer valid and cannot be used again. If the handle refers to a session key, or to a public key that has been imported into the cryptographic service provider (CSP) through CryptImportKey, this function destroys the key and frees the memory that the key used. Many CSPs overwrite the memory where the key was held before freeing it. However, the underlying public/private key pair is not destroyed by this function. Only the handle is destroyed.
  • The CryptReleaseContext function releases the handle of a cryptographic service provider (CSP) and a key container. At each call to this function, the reference count on the CSP is reduced by one. When the reference count reaches zero, the context is fully released and it can no longer be used by any function in the application. An application calls this function after finishing the use of the CSP. After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.

[Image: 741.png]
This concerns the curl version: the sample is actually using curl 7.49.1.

[Image: curl.png]
The hex value 6362696C2F6C727539342E37312E6F72705F7978 decodes to the ASCII text cbil/lru94.71.orp_yx, which is the byte-swapped form in which little-endian immediates appear in the disassembly.
This is nothing but the curl library version string, libcurl 7.49.1.

[Image: port.png]
Interestingly, it uses port numbers 1023 and 4999. We need to check whether curl is running on the machine in order to see what data this code transfers; capturing traffic to those two ports while the sample runs in an isolated analysis VM is the straightforward way to confirm this.


