Last update: 19.11.2012
PC/SC APDU inspection and manipulation tool (APDUPlay)

The project APDUPlay is based on the ApduView tool, which allows you to log communication realized via the PC/SC interface (winscard.dll library). If you are interested only in a log of the transmitted data, you can readily use the APDUView project (although the APDUPlay project provides information about the communication in a more structured way that is more suitable for later post-processing, and adds some additional information).

Note: The APDUPlay tool is available for download including source code, yet the documentation still lags a bit behind :(. Still, it was requested several times and I hope it will be useful.

How to use it?

1. Copy Winscard.dll from your system folder (see the note below to select the correct version) to the folder with the target application and rename it to original.dll
2. Copy Winscard.dll from the APDUPlay project to the folder with the target application (see download below)
3. Run the application and inspect the resulting files winscard_log.txt and winscard_rules_log.txt
4. (Optional) Change the configuration file winscard_rules.txt to modify the default behaviour (see below)

The APDUPlay project provides a winscard.dll library that is a stub used instead of the original winscard.dll provided by Microsoft. For correct usage, you need to find Microsoft's library and copy it to the folder with the application you are trying to control with APDUPlay. If you are using Windows XP or Windows 7 32bit, you can find it at c:\Windows\winscard.dll. If you are using Windows 7 64bit, you can find it at c:\Windows\SysWOW64\winscard.dll.

NOTE: If you (wrongly) use the 64bit version of the winscard.dll library, it will fail with "The procedure entry point original.g_rgSCardT1Pci could not be located in the dynamic link library WinSCard.dll."

Please send any comments or found bugs to the mail written in the footer of this page. I take no responsibility for usage of this software.

Download binaries here: APDUPlay_bin.zip. Download source code here: APDUPlay_sources.zip.
The APDUPlay project provides the following functionality:
Log content and additional information about exchanged PC/SC communication

The APDUPlay tool can be used to log information about APDU commands transmitted between the reader and the smart card. Most applications in the system access the reader and smart card via the PC/SC interface, which is realized by the SCardXxx functions in the Windows API. These functions are available in the winscard.dll library. The logging is based on interception of the PC/SC API calls by inserting a fake winscard.dll library into the system (usually into the working directory of the target application) and redirecting the calls to the original winscard.dll library. The original library should be renamed to original.dll and positioned in the same directory as the fake library. The application will load the fake winscard.dll, which in turn loads the original.dll library. Having control over the fake library, one can log, modify and otherwise control the communication between the smart card and the reader.

WARNING: all data including possible keys, PINs or other sensitive data will be logged to file!

Usage: Copy the fake winscard.dll and the original library (renamed to original.dll) into the actual directory of the application you are targeting. Set the key LOG_EXCHANGED_APDU=1 in the file winscard_rules.txt to enable APDU logging. The resulting log will be written into the winscard_log.txt file.

Usage: Set the key LOG_FUNCTIONS_CALLS=1 in the file winscard_rules.txt to enable PC/SC function call logging. The resulting log will be written into the winscard_rules_log.txt file.

Example: LOG_EXCHANGED_APDU = 1.
The following output will be produced for the GnuPG gpg --card-edit command (edited for length):

[begin]
SCardTransmit (handle 0xEA010000)# apduCounter:0# totalBytesINCounter:1# transmitted:00 a4 04 00 06 d2 76 00 01 24 01 responseTime:15# SCardTransmit result:0x0# received:90 00
SCardTransmit (handle 0xEA010000)# apduCounter:1# totalBytesINCounter:12# transmitted:00 ca 00 4f 00 responseTime:16# SCardTransmit result:0x0# received:d2 76 00 01 24 01 01 01 ff ff 00 00 00 01 00 00 90 00
SCardTransmit (handle 0xEA010000)# apduCounter:2# totalBytesINCounter:17# transmitted:00 ca 00 c4 00 responseTime:15# SCardTransmit result:0x0# received:01 20 20 20 03 03 03 90 00
[end]

Example: LOG_FUNCTIONS_CALLS = 1. The following output will be produced:

#########################################
Rules file found: some_path\winscard_rules.txt
SCardEstablishContext() called -> hContext:0xcd010000
SCardListReadersA called -> Found readers:
SCardListReadersA called -> Found readers: Gemplus USB Key Smart Card Reader 0, Schlumberger e-gate 0,
SCardConnectA(hContext:0xcd010000,Gemplus USB Key Smart Card Reader 0,hCard:0xea010000) called
SCardStatusA called
SCardTransmit called responseTimeLibrary:15# ...............................................
SCardTransmit called responseTimeLibrary:16# ...............................................
...
SCardReleaseContext(hContext:0xcd010000) called

Manipulate communication in real time

The modified library allows selectively modifying the data exchanged between the card and the reader based on a predefined data pattern. Bytes in the APDU header or data section may be changed, a whole APDU can be blocked or replaced with a completely new one, or additional communication can be inserted. A potential usage is to test whether an application is robust against replay, selective forwarding or data modification attacks etc. The following manipulations are currently supported:
Usage: set the key MODIFY_APDU_BY_RULES= to enable/disable real-time packet modification. Create one or more [RULExxx] sections with a description of the modification(s).

[RULE1] ... unique name for the rule, starting with the string RULE followed by a number unique within this file
MATCH= ... key starting with MATCH followed by a number, starting from 1 (there can be more of them: MATCH1, MATCH2, ...). A match pattern consists of the following values, separated by the symbol ';':
  value in= specifies a match on the input (in=1;) vs. the response APDU (in=0;)
  value t= specifies the ordinal number of the APDU packet in the history buffer. E.g. t=0 specifies matching on the APDU currently in transmission, t=1 specifies the APDU transmitted just before the current APDU, t=7 specifies the APDU transmitted 7 packets back
  value cla= specifies the value of the CLA byte in the APDU header (hexadecimal). E.g., cla=88 means CLA == 0x88
  value ins= specifies the value of the INS byte in the APDU header (hexadecimal).
  value p1= specifies the value of the P1 byte in the APDU header (hexadecimal).
  value p2= specifies the value of the P2 byte in the APDU header (hexadecimal).
  value lc= specifies the value of the LC byte in the APDU header (hexadecimal).
  value le= specifies the value of the LE byte in the APDU header (hexadecimal).
  value dataX= specifies the value of one or more bytes in the data section of the APDU command (hexadecimal), starting with the Xth byte. E.g., data0=11 0F 31; will match an APDU packet whose data part starts with the bytes 0x11 0x0F 0x31; data1=11 0F 31; will match an APDU packet with an arbitrary first byte in the data part and the second to fourth data bytes equal to 0x11 0x0F 0x31
ACTION= key specifying the action taken when the incoming APDU matches the pattern specified in the MATCH keys
APDUIN= key specifying when this rule should be evaluated. If true (1), this rule will be evaluated on all incoming APDU packets. If false (0), it will be evaluated on response APDUs.
DELAY= key specifying a delay in milliseconds that will be introduced before the action is taken.
Use this for example when a packet to the smart card is dropped and replaced with a forged response APDU, but the application is monitoring the expected computation time, so a too-quick forged response would be detected.
USAGE= if true (1), this rule will be used; if false (0), it will be skipped. Used as a switch to quickly turn a RULE on or off without inserting/removing the rule description from the script file.

Example:

[RULE4] # rule number 4
MATCH1=in=1;t=0;cla=00;ins=a4;# match is on apdu from reader to smart card (in=1), actual apdu (t=0), cla == 0x00, ins == 0xa4 (any SELECT command)
ACTION=in=0;data0=90 00;le=02; # replace response apdu by status OK 90 00 with 2 bytes length (le=2) (the reader will think that the smart card application was successfully selected)
APDUIN=0 # try to match this rule when response apdu (smart card->reader) is in transmission
DELAY=100 # add 100ms delay
USAGE=1 # this rule is active (default)

Redirect communication via socket to other device/computer

The tool allows you to redirect the communication via a socket to another device/computer. This is quite a special feature and you will probably not need it. You may be interested in this feature if you would like to redirect the PC/SC traffic to another computer. We are working with a power analysis device to monitor the power consumption of a smart card, so the usual redirect was to our measurement device, where the smart card was actually inserted, not to the computer with the application using the smart card.

Usage: set the keys REDIRECT, IP and PORT in section [SCSAT04] of the file winscard_rules_scsat04.txt. REDIRECT=1 enables the redirection, IP=192.168.1.90 specifies the redirection target device and PORT=4001 specifies the socket port where the target device is listening.

Example:

[SCSAT04]
REDIRECT=1
IP=192.168.1.90
PORT=4001

Reorder list of detected smart card readers in system

The APDUPlay tool can reorder the list of readers detected in the system as returned by the API function SCardListReaders().
This feature is handy when dealing with an application which can't handle more than one reader in the system and always connects to the first reader returned by the SCardListReaders() call.

Usage: set the key READER_ORDERED_FIRST in the file winscard_rules.txt to the exact name of the reader you would like to have ordered first.

Example: READER_ORDERED_FIRST = Schlumberger e-gate 0

Visualization of captured data in structured way by GraphViz

APDU data captured by the tool can be visualized to provide a better overview of more complex interactions. For visualizing, the GraphViz package is used.
SEARCH: received:(61.[0-9A-Z][0-9A-Z])# ([a-zA-Z0-9: ()# ]*?)received:
REPLACE: received:

3b) Remove information about handle
SEARCH: (SCardTransmit.*?#)
REPLACE:

3c) Create the main content of the visualization file for Graphviz (www.graphviz.org). It will create connections in the form APDUIN_HEADER->APDUIN_DATA->APDUOUT
SEARCH: apduCounter:(.*?)# transmitted:([0-9A-Z][0-9A-Z] [0-9A-Z][0-9A-Z] [0-9A-Z][0-9A-Z] [0-9A-Z][0-9A-Z]) (.*?)# responseTime:(.*?)# received:(.*?)#
REPLACE: "\2" -> "\3" [label="[ac=\1]"]; "\3" -> "\5" [label="[ac=\1, time=\4]"];

3d) Create header for Graphviz file
SEARCH: \[begin\]
REPLACE: digraph winscard { rankdir=LR; size="6,6"; node [color=lightblue2, style=filled];

3e) End GraphViz file
SEARCH: \[end\]
REPLACE: }

Please report any bugs or suggestions to my mail (see footer of the page). Thank you!
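As an added Python example (not part of the APDUPlay project), the following parses winscard_log.txt records into APDUs, emits the same GraphViz digraph that steps 3c-3e build with search/replace, and evaluates MATCH patterns such as RULE4's MATCH1 against the transmission history described in the rules section. It assumes log fields are terminated by '#' as the step 3 patterns expect, that dataX offsets count from the byte after the 5-byte command header (byte 0 of a response), and that le= is parsed but not matched; the log excerpt is constructed from the page's values.

```python
import re
# Constructed winscard_log.txt excerpt in the tool's "field:value#" layout, reusing the
# APDU values of the page's gpg --card-edit example.
LOG = """[begin]
SCardTransmit (handle 0xEA010000)# apduCounter:0# totalBytesINCounter:1# transmitted:00 a4 04 00 06 d2 76 00 01 24 01# responseTime:15# SCardTransmit result:0x0# received:90 00#
SCardTransmit (handle 0xEA010000)# apduCounter:1# totalBytesINCounter:12# transmitted:00 ca 00 4f 00# responseTime:16# SCardTransmit result:0x0# received:d2 76 00 01 24 01 01 01 ff ff 00 00 00 01 00 00 90 00#
[end]"""

RECORD = re.compile(r"apduCounter:(\d+)#.*?transmitted:([0-9a-f ]+)#.*?responseTime:(\d+)#"
                    r".*?received:([0-9a-f ]+)#", re.S)

def parse_log(text):
    """One (counter, command, response_time_ms, response) tuple per SCardTransmit record."""
    return [(int(c), bytes.fromhex(tx), int(rt), bytes.fromhex(rx))
            for c, tx, rt, rx in RECORD.findall(text)]

def to_graphviz(records):
    """Same digraph as steps 3c-3e: 4-byte header -> data -> response, edges labelled ac/time."""
    out = ['digraph winscard { rankdir=LR; size="6,6"; node [color=lightblue2, style=filled];']
    for c, tx, rt, rx in records:
        head, data = tx[:4].hex(" "), tx[4:].hex(" ")
        out.append(f'"{head}" -> "{data}" [label="[ac={c}]"]; '
                   f'"{data}" -> "{rx.hex(" ")}" [label="[ac={c}, time={rt}]"];')
    return "\n".join(out + ["}"])

HEADER = {"cla": 0, "ins": 1, "p1": 2, "p2": 3, "lc": 4}  # command byte offsets; le= is parsed, not matched

def _value(key, val):
    if key in ("in", "t"):
        return int(val)                                   # decimal flags
    return bytes.fromhex(val) if key.startswith("data") else int(val, 16)  # hex bytes

def parse_match(spec):
    """'in=1;t=0;cla=00;ins=a4;' -> {'in': 1, 't': 0, 'cla': 0x00, 'ins': 0xa4}."""
    return {k: _value(k, v) for k, v in (item.split("=", 1) for item in spec.split(";") if item)}

def rule_matches(match, history):
    """history[0] is the APDU now in transmission, history[t] the one sent t packets earlier."""
    t = match.get("t", 0)
    if t >= len(history):
        return False
    is_cmd = match.get("in", 1) == 1
    apdu = history[t][1] if is_cmd else history[t][3]
    for key, val in match.items():
        if key in HEADER and (len(apdu) <= HEADER[key] or apdu[HEADER[key]] != val):
            return False
        if key.startswith("data"):
            off = (5 if is_cmd else 0) + int(key[4:])  # assumed: data follows the 5-byte command header
            if apdu[off:off + len(val)] != val:
                return False
    return True
```

Feeding the output of to_graphviz(parse_log(LOG)) to dot gives the same picture as the regex pipeline, and rule_matches shows which of the logged exchanges a rule like RULE4 would have fired on.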
OpenPGP key : 0x89CEB31C