Ask for the PIN of the card using the Windows PIN dialog

Custom PIN Dialog
Custom PIN dialog invoked by BaseCSP
Reverse engineering

When asking for the PIN, the BaseCSP component calls CredUIPromptForWindowsCredentials with KERB_CERTIFICATE_LOGON and CREDUIWIN_IN_CRED_ONLY.

DWORD WINAPI CredUIPromptForWindowsCredentials(
    __in_opt     PCREDUI_INFO pUiInfo,
    __in         DWORD dwAuthError,
    __inout      ULONG *pulAuthPackage,
    __in_opt     LPCVOID pvInAuthBuffer,
    __in         ULONG ulInAuthBufferSize,
    __out        LPVOID *ppvOutAuthBuffer,
    __out        ULONG *pulOutAuthBufferSize,
    __inout_opt  BOOL *pfSave,
    __in         DWORD dwFlags
);
Arguments (in order)
  • A PCREDUI_INFO for the labels (conforms to the specifications)
  • 0
  • 0xffffeb34 (always the same)
  • See below for KERB_CERTIFICATE_LOGON and the memory dump
  • The size of the KERB_CERTIFICATE_LOGON
  • Output variable
  • Output variable
  • NULL
  • 0x20 (CREDUIWIN_IN_CRED_ONLY)
Structures
KERB_CERTIFICATE_LOGON
KERB_CERTIFICATE_LOGON structure
KERB_CERTIFICATE_LOGON memory layout
KERB_SMARTCARD_CSP_INFO
KERB_SMARTCARD_CSP_INFO structure
KERB_SMARTCARD_CSP_INFO memory layout

The flag changes every time a smart card is inserted. In this example, its value is 0x50001.

Formula: flag = 1 | (dwActivityCount << 16), where dwActivityCount = (dwState >> 16) and dwState is from SCardStatus. First insertion: 0x10001. Second: 0x30001. Third: 0x50001.
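
The formula above as portable C, with a check that a flag still matches the current reader state. This is an added example, not code from the original page or from BaseCSP; the function names and the dwState sample values (low word 0x0022) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Low word of the flag is 1 in every value shown on the page. */
#define FLAG_LOW_WORD 0x0001u

/* dwActivityCount = dwState >> 16 (dwState as returned by SCardStatus). */
static uint16_t activity_count_from_state(uint32_t dwState)
{
    return (uint16_t)(dwState >> 16);
}

/* flag = 1 | (dwActivityCount << 16). Hypothetical helper name. */
static uint32_t pin_dialog_flag_from_state(uint32_t dwState)
{
    return FLAG_LOW_WORD |
           ((uint32_t)activity_count_from_state(dwState) << 16);
}

/* Returns 1 when the flag has the expected low word and its high word
 * equals the activity count of the given state, 0 otherwise. */
static int pin_dialog_flag_matches_state(uint32_t flag, uint32_t dwState)
{
    if ((flag & 0xFFFFu) != FLAG_LOW_WORD)
        return 0;
    return (uint16_t)(flag >> 16) == activity_count_from_state(dwState);
}

int main(void)
{
    /* Constructed dwState values whose high words are 1, 3 and 5,
     * matching the first, second and third insertion on the page. */
    const uint32_t states[] = { 0x00010022u, 0x00030022u, 0x00050022u };
    size_t i;

    for (i = 0; i < sizeof(states) / sizeof(states[0]); i++) {
        uint32_t flag = pin_dialog_flag_from_state(states[i]);
        printf("dwState=0x%08x -> flag=0x%x (matches: %d)\n",
               (unsigned)states[i], (unsigned)flag,
               pin_dialog_flag_matches_state(flag, states[i]));
    }
    return 0;
}
```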

Behaviour
  • If CREDUIWIN_IN_CRED_ONLY is not set, an error about smart card removal is shown when the PIN is validated.
  • The PIN is verified directly within the PIN dialog — only a valid PIN can be returned.
  • The PIN is then retrievable as an ANSI buffer in the Pin field (which is a UNICODE_STRING).
Memory dump & call stack
Memory dump
Memory dump of the KERB_CERTIFICATE_LOGON buffer
Call stack
Call stack at the CredUIPromptForWindowsCredentials invocation