While reversing a certain executable, I needed to figure out what data it sends over SSL/TLS. It's not using the standard WinHttp functions but a custom Schannel/SSPI implementation similar to the one in CURL.
One of the steps in the process is to obtain the SecurityFunctionTable using code like this:
```c
// g_hSecurity is the handle of the loaded security provider DLL (secur32.dll / security.dll)
pInitSecurityInterface = (INIT_SECURITY_INTERFACE)GetProcAddress( g_hSecurity, "InitSecurityInterfaceA" );
if(pInitSecurityInterface == NULL)
{
    printf( "Error 0x%x reading InitSecurityInterface entry point.\n", GetLastError() );
    return FALSE;
}

// InitSecurityInterfaceA(void) returns a pointer to the provider's function table
g_pSSPI = pInitSecurityInterface();
if(g_pSSPI == NULL)
{
    printf("Error 0x%x reading security interface.\n", GetLastError());
    return FALSE;
}
```
And then you can use the obtained SECURITY_FUNCTION_TABLE to call different SSPI functions.
Sure, InitSecurityInterface and the SECURITY_FUNCTION_TABLE structure are described on MSDN (just the start of the structure is shown for brevity):
So, I added the corresponding structure definition to IDA and tried to analyze the calls. It made no sense whatsoever.
What's happening here?
After some head scratching, I searched the WDK for the SECURITY_FUNCTION_TABLE definition. And here it is:
I wonder where the Reserved1 field has gone... 😉
Fix the structure definition in IDA, and all the calls magically make perfect sense:
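To make the symptom concrete, here is an added example (not code from this post, and not the real sspi.h layout): a hypothetical function-pointer table in which the header has a reserved slot that the abridged documentation omits. Casting the provider's table to the documentation-derived definition shifts every member after the gap by one slot, so the "QueryCreds" call actually dispatches to Enumerate, which is exactly why the calls looked like nonsense in IDA. The struct names, member names and the position of Reserved1 are all assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>

typedef int (*table_fn)(void);

/* Stand-in implementations; each returns its slot number so mis-dispatch is visible. */
static int fn_enumerate(void)     { return 1; }
static int fn_query_creds(void)   { return 2; }
static int fn_acquire_creds(void) { return 3; }
static int fn_free_creds(void)    { return 4; }

/* Layout as the header actually defines it (hypothetical stand-in for the WDK's
 * SECURITY_FUNCTION_TABLE): a reserved pointer sits before the first function pointer. */
struct table_real {
    unsigned long dwVersion;
    void         *Reserved1;      /* the slot the abridged docs leave out */
    table_fn      Enumerate;
    table_fn      QueryCreds;
    table_fn      AcquireCreds;
    table_fn      FreeCreds;
};

/* Layout an analyst would type into IDA from the abridged documentation. */
struct table_documented {
    unsigned long dwVersion;
    table_fn      Enumerate;
    table_fn      QueryCreds;
    table_fn      AcquireCreds;
    table_fn      FreeCreds;
};

/* What the provider (InitSecurityInterface in the real world) hands back. */
static struct table_real g_real = {
    1, NULL, fn_enumerate, fn_query_creds, fn_acquire_creds, fn_free_creds
};

/* Call QueryCreds through the correct definition: returns 2. */
int call_query_creds_correct(void) {
    const struct table_real *t = &g_real;
    return t->QueryCreds();
}

/* Call "QueryCreds" through the definition that is missing Reserved1.
 * Every member after the omission is one slot early, so this dispatches
 * to Enumerate and returns 1. */
int call_query_creds_wrong(void) {
    const struct table_documented *t = (const struct table_documented *)&g_real;
    return t->QueryCreds();
}

/* Number of bytes by which the two definitions disagree for members after the gap. */
size_t layout_skew(void) {
    return offsetof(struct table_real, QueryCreds)
         - offsetof(struct table_documented, QueryCreds);
}

/* A cheap sanity check while reversing: under the wrong layout the first
 * "function pointer" reads as NULL instead of a code address. Returns 1 if so. */
int first_slot_is_null_under_wrong_layout(void) {
    const struct table_documented *t = (const struct table_documented *)&g_real;
    return t->Enumerate == NULL;
}

int main(void) {
    printf("QueryCreds via correct layout -> %d\n", call_query_creds_correct());
    printf("QueryCreds via wrong layout   -> %d\n", call_query_creds_wrong());
    printf("layout skew: %zu bytes\n", layout_skew());
    return 0;
}
```

The NULL check is the practical takeaway: when a decompiled call goes through a slot that the runtime table leaves empty, or a function whose arguments do not match its supposed prototype, suspect a missing or extra member in the structure definition before suspecting the binary.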
Moral of the story - MSDN is great for quick reference, but having a full Windows SDK/WDK installed is priceless.
Moral #2 - always carefully check IDA's standard structures. Apparently, IDA doesn't have SECURITY_FUNCTION_TABLE defined - but it does have a proper definition for SecurityFunctionTable.