Decrypting the smart card minidriver auto-installation process
How to capture Microsoft Update traffic?
- Install Fiddler
- Enable HTTPS decryption (Tools -> Fiddler Options -> HTTPS)
- Force the WinHTTP proxy (Windows Update talks through WinHTTP, not through the user's Internet Options proxy, so Fiddler's default per-user proxy is not enough):
  netsh winhttp set proxy 127.0.0.1:8888
  (reverse: netsh winhttp reset proxy)
- Add the Fiddler root CA to the "computer trusted root store":
  Windows+R -> mmc.exe -> Add snap-in -> Certificates -> add "Personal" and "Computer"; locate the "DO NOT TRUST" certificate in Personal -> Trusted Root and copy it to Computer -> Trusted Root
Protocol overview
- call "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/SyncUpdates"
- call "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetExtendedUpdateInfo"
- download the .cab representing the driver
Reference: MS-WUSP: Windows Update Services: Client-Server Protocol Specification
Matching ATR
The SyncUpdates call sends all the information about the installed drivers. However, a new device is included in the SOAP query:
  <Device>
    <HardwareIDs soapenc:arrayType="xsd:string[1]">
      <string>SCFILTER\CID_805100611030</string>
    </HardwareIDs>
    <CompatibleIDs></CompatibleIDs>
    <installedDriver>
      <MatchingID xsi:nil="1"/>
      <DriverVerDate>1950-08-21</DriverVerDate>
      <DriverVerVersion>0</DriverVerVersion>
      <Class xsi:nil="1"/>
      <Manufacturer xsi:nil="1"/>
      <Provider xsi:nil="1"/>
      <Model xsi:nil="1"/>
    </installedDriver>
  </Device>
Please note that CID_805100611030 matches the historical bytes of the smart card's ATR (3bd6180081b1807d1f038051006110308f), as described in the Minidriver specification v7, Appendix D.1.
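To see exactly where those twelve hex digits come from, here is an added example (not code from the original page) that walks the ISO 7816-3 interface bytes of an ATR, extracts the historical bytes and builds the SCFILTER\CID_ hardware ID; the TCK checksum validation and the uppercase-hex convention for the ID are assumptions beyond what the page states.

```python
# Added example: derive the SCFILTER\CID_ hardware ID from a smart card ATR.
# The interface-byte walk follows ISO 7816-3: T0's low nibble is the number of
# historical bytes (K) and each high nibble Y announces which of TA/TB/TC/TD
# follow; TD's low nibble names a protocol (T=0, T=1, ...) and its high nibble
# announces the next group.

PAGE_ATR = "3bd6180081b1807d1f038051006110308f"   # ATR quoted on the page


def parse_atr(atr_hex: str) -> dict:
    """Split an ATR into historical bytes, offered protocols and TCK status."""
    atr = bytes.fromhex(atr_hex)
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("unexpected TS byte 0x%02X" % atr[0])
    t0 = atr[1]
    k = t0 & 0x0F                 # number of historical bytes
    y = t0 >> 4                   # presence bits for TA1/TB1/TC1/TD1
    protocols = set()
    pos = 2
    while True:
        pos += bin(y & 0x7).count("1")   # skip TA, TB, TC when announced
        if not (y & 0x8):                # no TD: interface bytes end here
            break
        td = atr[pos]
        pos += 1
        protocols.add(td & 0x0F)         # protocol type named by this TD
        y = td >> 4                      # next group's presence bits
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("truncated ATR: expected %d historical bytes" % k)
    # TCK (check byte) is present unless only T=0 is offered; when present,
    # XOR of all bytes from T0 through TCK must be zero (assumed check).
    trailing = atr[pos + k:]
    if protocols - {0}:
        x = 0
        for b in atr[1:]:
            x ^= b
        tck_ok = len(trailing) == 1 and x == 0
    else:
        tck_ok = len(trailing) == 0
    return {"historical": historical, "protocols": sorted(protocols), "tck_ok": tck_ok}


def scfilter_hardware_id(atr_hex: str) -> str:
    """Hardware ID Windows reports for the card (uppercase hex is assumed)."""
    return "SCFILTER\\CID_" + parse_atr(atr_hex)["historical"].hex().upper()


if __name__ == "__main__":
    print(parse_atr(PAGE_ATR))
    print(scfilter_hardware_id(PAGE_ATR))   # SCFILTER\CID_805100611030
```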