Hello all.
I have the following situation: there is a USB token that contains security information to connect to a bank service (two-way authentication, I think). The problem is that it is not visible if I connect to a PC within an RDP session. The customer wants to overcome this problem no matter the cost (meaning dirty patch hacking and so on). I dug into some libraries with IDA to understand how they work. So, what I have now:
- It looks like scardsvr.exe monitors card insertion in a special thread that sends an IOCTL to some unnamed PnP device and sleeps waiting for a response. When the response is received it powers up the card and sets the internal object's status.
- To interact with scardsvr.exe a client must use winscard.dll, which sends requests to the scardsvr.exe service using COM. The first function that a client must call is SCardEstablishContext, which may redirect the request to scredir.dll if we are running in RDP.
- Some drivers connected to smart cards.
I'm not sure that the scheme is correct, but this is what I have. I have the bank's client program, which is written in Java, so I patched SCardEstablishContext's 'retn 0x10' instruction to int3 and set Olly as the JIT debugger. Then I ran the client both in an RDP and a local session with Process Monitor turned on. When I ran it in the RDP session I noticed that SCardEstablishContext redirects the request to scredir.dll, which in turn calls CreateFile("\Device\RdpDr\TSCLIENT\SCARD", ...); and DeviceIoControl("\Device\RdpDr\TSCLIENT\SCARD", FSCTL_OPLOCK_BREAK_NOTIFY);. The token doesn't appear in the client's token list, so the client still doesn't see it in the RDP session. When running the client in a local session I don't see any redirection or CreateFile/DeviceIoControl calls, and the token is visible to the client. I also noticed that when I run the client in a local session, the smclib.sys library calls some registry-related function that reads parameters of the driver called 'token' (file eps2kt.sys). It looks like smclib.sys makes this registry read from the SmartcardDeviceControl function. I disassembled eps2kt1.sys and didn't find anything connected to smclib.sys. It doesn't import it at all. So I don't understand why smclib.sys tried to read eps2kt1.sys's parameters. I also failed to reproduce this situation (but will try to reproduce it later), so I can't give more details.
The problem is that I don't understand the general direction of the 'excavations'. What should I read to understand the problem? To which mode (user or kernel) do I have to pay attention? Which drivers/libraries do I have to disassemble? At which level does the redirection happen, and what should I patch to make the token visible from the RDP session? I would appreciate any advice and details of the subsystems in question.
Sorry for the muddled description; I just don't have more information yet to describe it more consistently.
–
Thanking In Advance,
Mikae.
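An added example (not from the post above) for observing the behaviour described there without a debugger: it calls the same winscard.dll entry point, SCardEstablishContext, then SCardListReaders, and reports whether the session is an RDP session, so the reader list seen from the console can be compared with the list seen over RDP (where the post shows scredir.dll handing the request to \Device\RdpDr\TSCLIENT\SCARD, i.e. the connecting client's readers). The P/Invoke declarations and the constants are standard Windows API values; the class name Pcsc is my own.

```powershell
# Added example: compare the PC/SC reader view of a local vs an RDP session.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class Pcsc {
    [DllImport("winscard.dll")]
    public static extern int SCardEstablishContext(uint scope, IntPtr r1, IntPtr r2, out IntPtr ctx);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode)]
    public static extern int SCardListReadersW(IntPtr ctx, string groups, byte[] readers, ref uint len);
    [DllImport("winscard.dll")]
    public static extern int SCardReleaseContext(IntPtr ctx);
    [DllImport("user32.dll")]
    public static extern int GetSystemMetrics(int index);
}
'@
Add-Type -TypeDefinition $src

$SCARD_SCOPE_USER = 0
$SM_REMOTESESSION = 0x1000   # GetSystemMetrics index; nonzero when the session is RDP

if ([Pcsc]::GetSystemMetrics($SM_REMOTESESSION) -ne 0) {
    Write-Host "Session: RDP (winscard.dll hands reader calls to scredir.dll / the client's readers)"
} else {
    Write-Host "Session: local console (readers come from the local scardsvr service)"
}

$ctx = [IntPtr]::Zero
$rc = [Pcsc]::SCardEstablishContext($SCARD_SCOPE_USER, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)
if ($rc -ne 0) { throw ("SCardEstablishContext failed: 0x{0:X8}" -f $rc) }
try {
    # First call returns the required length in WCHARs, second call fills the multi-string.
    [uint32]$len = 0
    $rc = [Pcsc]::SCardListReadersW($ctx, $null, $null, [ref]$len)
    if ($rc -ne 0) {
        # 0x8010002E is SCARD_E_NO_READERS_AVAILABLE: no reader is visible to this session.
        Write-Host ("SCardListReaders returned 0x{0:X8}" -f $rc)
        return
    }
    $buf = New-Object byte[] ($len * 2)
    $rc = [Pcsc]::SCardListReadersW($ctx, $null, $buf, [ref]$len)
    if ($rc -ne 0) { throw ("SCardListReaders failed: 0x{0:X8}" -f $rc) }
    $names = [Text.Encoding]::Unicode.GetString($buf, 0, $len * 2).Split([char]0) | Where-Object { $_ }
    foreach ($n in $names) { Write-Host ("Reader: {0}" -f $n) }
} finally {
    [void][Pcsc]::SCardReleaseContext($ctx)
}
```

Run it once on the console and once inside the RDP session: a token plugged into the remote host shows up in the first list but not in the second, which is the redirection the post traced into scredir.dll.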