Trace APDU on Windows - My Smart Logon

To Trace APDU on Windows, most on them (SCardSpy, APDU Play, …) requires the local replacement of Winscard.dll by another one and then forward the SCard* (SCardTransmit) calls to the original dll.

This solution is not easy to maintain because some functions have been added (SCardReadCache / SCardWriteCache) and these functions are not available on each OS. Moreover, you need a x64/x86 version.

1) Using APDUTrace

This program developed internally insert a kernel filter driver in the smart card reader driver stack. It can start a live tracing session or a permanent logging solution (including boot time tracing). Both x86 and x64 are handled in a single program and the operating systems compatible are Windows XP to Windows 10. It can capture the shared VMWare smart card reader.

Download

apdutrace

Because it captures APDU at the lowest level possible, processus names are not included. The traffic captured is the traffic are the reader see it.

apdutrace live tracing

2) Using API Monitor

As an alternative, API Monitor can be used to trace the calls and display the APDU and its result, even on a running lsass.exe ! It is working on x64 and x86.

Note: lsass.exe crashes when API Monitor is disconnected.

For that, the API definition needs to changed.

In scard.h.xml, add the following variable:

      <!– [SCARD_DISPOSITION] –>
      <Variable Name=”[SCARD_DISPOSITION]” Type=”Alias” Base=”LONG”>
        <Display Name=”LONG” />
        <Enum>
          <Set Name=”SCARD_LEAVE_CARD”                    Value=”0″ />
          <Set Name=”SCARD_RESET_CARD”              Value=”1″ />
          <Set Name=”SCARD_UNPOWER_CARD”                   Value=”2″ />
          <Set Name=”SCARD_EJECT_CARD”              Value=”3″ />
        </Enum>
      </Variable>

In winscard.xml, transform the 3 functions:

=> you will be able to track card reset & command sent and received