Decrypting the smart card minidriver auto-installation process
How to capture Microsoft Update traffic
- Install Fiddler
- Enable HTTPS decryption: Tools → Fiddler Options → HTTPS
- Force the WinHttp proxy: netsh winhttp set proxy 127.0.0.1:8888 (reverse: netsh winhttp reset proxy)
- Add the Fiddler root CA to the computer trusted root store:
  Win+R → mmc.exe → Add snap-in → Certificates → add "Personal" and "Computer"
  Locate the "DO NOT TRUST" certificate in Personal → Trusted Root and copy it to Computer → Trusted Root.
Protocol overview
Reference: MS-WUSP: Windows Update Services: Client-Server Protocol Specification
- Call SyncUpdates — https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wusp/6b654980-ae63-4b0d-9fae-2abb516af894
- Call GetExtendedUpdateInfo — https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wusp/862adc30-a9be-4ef7-954c-13934d8c1c77
- Download the .cab representing the driver
Matching ATR
The SyncUpdates function sends information about all installed drivers. For unrecognized smart cards, a new <Device> element is included in the SOAP query:
<Device>
  <HardwareIDs soapenc:arrayType="xsd:string[1]">
    <string>SCFILTER\CID_805100611030</string>
  </HardwareIDs>
  <CompatibleIDs></CompatibleIDs>
  <installedDriver>
    <MatchingID xsi:nil="1"/>
    <DriverVerDate>1950-08-21</DriverVerDate>
    <DriverVerVersion>0</DriverVerVersion>
    <Class xsi:nil="1"/>
    <Manufacturer xsi:nil="1"/>
    <Provider xsi:nil="1"/>
    <Model xsi:nil="1"/>
  </installedDriver>
</Device>
Note that CID_805100611030 matches the historical bytes of the ATR (3bd6180081b1807d1f038051006110308f), as described in the Minidriver specifications v7, Appendix D.1.
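
To predict the hardware ID that will appear in a captured SyncUpdates request, the historical bytes can be extracted from the ATR by walking its ISO/IEC 7816-3 layout. The following is an added example, not code from the original page or from Microsoft; the function names are hypothetical, and building the ID directly from the historical bytes is an assumption generalized from the single ATR shown above.

```python
from functools import reduce

def historical_bytes(atr_hex: str) -> bytes:
    """Walk the ISO/IEC 7816-3 ATR layout and return its historical bytes."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B or 0x3F")
    k = atr[1] & 0x0F   # T0 low nibble: number of historical bytes
    y = atr[1] >> 4     # T0 high nibble: which of TA1, TB1, TC1, TD1 follow
    pos = 2
    has_tck = False     # TCK is sent only when a protocol other than T=0 is announced
    while True:
        pos += bin(y & 0x07).count("1")   # skip TAi, TBi, TCi if flagged
        if not y & 0x08:                  # no TDi: interface bytes end here
            break
        if pos >= len(atr):
            raise ValueError("truncated ATR: TD byte missing")
        td = atr[pos]
        pos += 1
        has_tck = has_tck or (td & 0x0F) != 0
        y = td >> 4
    if len(atr) != pos + k + (1 if has_tck else 0):
        raise ValueError("ATR length does not match its T0/TD bytes")
    # TCK makes the XOR of every byte from T0 onwards equal to zero.
    if has_tck and reduce(lambda a, b: a ^ b, atr[1:]) != 0:
        raise ValueError("bad TCK checksum")
    return atr[pos:pos + k]

def hardware_id(atr_hex: str) -> str:
    # Assumption: hex digits are upper-cased; the page's sample has no letters.
    return "SCFILTER\\CID_" + historical_bytes(atr_hex).hex().upper()

if __name__ == "__main__":
    # ATR quoted on the page
    print(hardware_id("3bd6180081b1807d1f038051006110308f"))
```
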