CryptoAPI Tracer script

Article
10/31/2007
Hi, welcome back,
As I promised in my previous post, How to trace CryptoAPI calls, I'm posting the complete script I'm developing to trace all CryptoAPI calls being made by an application. This script shows the In & Out parameters being passed to the API, the result of calling the API, and in case of error, the error number and message that the API returned.
This script is a Beta version. I'm missing many APIs, and what I call in the script "DEFAULT TRACERS" are there to catch any API starting by Crypt* and Cert* and remind me which ones I'm missing in case I need them. Currently those default tracers are disabled. Additionally, when flags are passed to an API I try to show those flags in clear text, but I'm still missing many of them. MSDN and Platform SDK will help me complete the script. I just need time. A lot of time. There are many APIs, many parameters, many flags.
But with current version of the script I've solved many, many cases related to CryptoAPI issues very, very easily. The APIs I have already included are the most commonly used by my customers, .NET and CAPICOM.
 ************************************************************************
* CRYPTO API TRACER by ALEJANDRO CAMPOS MAGENCIO (BETA)
************************************************************************
*
* DISCLAIMER
*
* This sample script is not supported under any Microsoft standard 
* support program or service. 
* The sample script is provided as it is without warranty of any kind.
* Microsoft further disclaims all implied warranties including, without 
* limitation, any implied warranties of merchantability or of fitness 
* for a particular purpose.
* The entire risk arising out of the use or performance of the sample 
* script remains with you. In no event shall Microsoft, its authors, or 
* anyone else involved in the creation, production, or delivery of the 
* script be liable for any damages whatsoever (including, without 
* limitation, damages for loss of business profits, business 
* interruption, loss of business information, or other pecuniary loss) 
* arising out of the use of or inability to use the sample script, even 
* if Microsoft has been advised of the possibility of such damages.
*
* PREREQUISITES:
*
* 1) Download the latest version of "Debugging Tools for Windows"
*    https://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
*
* 2) Install the tools in any machine, and copy the directory with the 
*    tools to the target machine (they don't need to be installed in the 
*    target machine). We will use "cdb.exe" to run the script.
*
* HOW TO TRACE an already running application:
*
* -  Run the following command to attach the "cdb.exe" debugger to the 
*    application and run the script:
*    "
*    cdb.exe -pn application.exe -cf "PathToScript\script.txt"
*    "
*
*    Note: You may target the application by PID by using "-p PID" 
*          instead of "-pn application.exe".
*    Note: All traces will be written to log.txt in the current 
*          directory. You may change the path to the log file at the end 
*          of the script.
*
* HOW TO FINISH the tracing:
*
* A) If the application has finished execution, enter the "q" command on 
*    "cdb.exe" to quit the debugger.
*
* B) If the application is still running, press "Ctrl+Break" to break
*    into "cdb.exe" and pause the application. Enter the "qd" command to
*    detach and quit the debugger (it won't kill the target app which 
*    will resume execution) or "q" to just quit (it will kill the target 
*    app).
*
************************************************************************

************************************************************************
* DEFAULT TRACERS 
************************************************************************

* Remove * to enable 
*bm Advapi32!Crypt* ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\n(%#x)\\n\\n\", @$tid;    .echo CALL;kb 1;    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; !gle;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* Remove * to enable 
*bm Crypt32!Crypt* ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\n(%#x)\\n\\n\", @$tid;    .echo CALL;kb 1;    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; !gle;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

* Remove * to enable 
*bm Crypt32!Cert* ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\n(%#x)\\n\\n\", @$tid;    .echo CALL;kb 1;    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; !gle;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

************************************************************************
* ADVAPI32!CRYPT* TRACERS
************************************************************************

bm Advapi32!CryptAcquireContextW ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptAcquireContextW (%#x)\\n\", @$tid;    .echo;.echo IN;    .echo pszContainer; .if(poi(@esp+8)=0) {.echo NULL} .else {du poi(@esp+8)};    .echo;.echo pszProvider; .if(poi(@esp+c)=0) {.echo NULL} .else {du poi(@esp+c)};    .echo;.echo dwProvType; .if(poi(@esp+10)=1) {.echo PROV_RSA_FULL} .elsif(poi(@esp+10)=0x18) {.echo PROV_RSA_AES} .else {.printf \"%d\\n\", poi(@esp+10)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14); .if((poi(@esp+14)&0x0`F0000000)=0x0`F0000000) {.echo CRYPT_VERIFYCONTEXT(0xf0000000)}; .if((poi(@esp+14)&0x0`00000008)=0x0`00000008){.echo CRYPT_NEWKEYSET(0x8)}; .if((poi(@esp+14)&0x0`00000010)=0x0`00000010) {.echo CRYPT_DELETEKEYSET(0x10)}; .if((poi(@esp+14)&0x0`00000020)=0x0`00000020) {.echo CRYPT_MACHINE_KEYSET(0x20)}; .if((poi(@esp+14)&0x0`00000040)=0x0`00000040) {.echo CRYPT_SILENT(0x40)};     bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if(poi(@esp-14)=0) {.echo phProv;.echo NULL} .else {.echo hProv; .if(poi(poi(@esp-14))=0) {.echo NULL} .else {.printf \\\"%#x\\\\n\\\", poi(poi(@esp-14))} };    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptAcquireContextW (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptAcquireContextW (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptAcquireContextA ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptAcquireContextA (%#x)\\n\", @$tid;    .echo;.echo IN;    .echo pszContainer; .if(poi(@esp+8)=0) {.echo NULL} .else {da poi(@esp+8)};    .echo;.echo pszProvider; .if(poi(@esp+c)=0) {.echo NULL} .else {da poi(@esp+c)};    .echo;.echo dwProvType; .if(poi(@esp+10)=1) {.echo PROV_RSA_FULL} .elsif(poi(@esp+10)=24) {.echo PROV_RSA_AES} .else {.printf \"%d\\n\", poi(@esp+10)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14); .if((poi(@esp+14)&0x0`F0000000)=0x0`F0000000){.echo CRYPT_VERIFYCONTEXT(0xf0000000)}; .if((poi(@esp+14)&0x0`00000008)=0x0`00000008){.echo CRYPT_NEWKEYSET(0x8)}; .if((poi(@esp+14)&0x0`00000010)=0x0`00000010) {.echo CRYPT_DELETEKEYSET(0x10)}; .if((poi(@esp+14)&0x0`00000020)=0x0`00000020) {.echo CRYPT_MACHINE_KEYSET(0x20)}; .if((poi(@esp+14)&0x0`00000040)=0x0`00000040) {.echo CRYPT_SILENT(0x40)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if(poi(@esp-14)=0) {.echo phProv;.echo NULL} .else {.echo hProv; .if(poi(poi(@esp-14))=0) {.echo NULL} .else {.printf \\\"%#x\\\\n\\\", poi(poi(@esp-14))} };    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptAcquireContextA (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptAcquireContextA (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptGetProvParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetProvParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo dwParam; .if(poi(@esp+8)=0x16) {.echo PP_ENUMALGS_EX} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo pbData; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+10));        .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14);    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetProvParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetProvParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptGenRandom ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGenRandom (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .printf \"dwLen\\n%d\\n\", poi(@esp+8);    r $t0=(poi(@esp+8)+3)/4; .echo;.echo bBuffer; dd poi(@esp+c) l@$t0;    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    r $t0=(poi(@esp-8)+3)/4; .echo bBuffer; dd poi(@esp-4) l@$t0;    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGenRandom (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGenRandom (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptReleaseContext ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptReleaseContext (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+8);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptReleaseContext (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptReleaseContext (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptCreateHash ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptCreateHash (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo Algid; .if(poi(@esp+8)=0x00008004) {.echo CALG_SHA} .elsif(poi(@esp+8)=0x00008003) {.echo CALG_MD5} .else {.printf \"%#x\\n\", poi(@esp+8)};    .printf \"\\nhKey\\n%#x\\n\\n\", poi(@esp+c);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+10);    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .printf \\\"hHash\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptCreateHash (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptCreateHash (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";


bm Advapi32!CryptHashData ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptHashData (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+4);    r $t0=(poi(@esp+c)+3)/4; .echo bData;dd poi(@esp+8) l@$t0;    .printf \"\\ndwDataLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+10);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptHashData (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptHashData (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptDestroyHash ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptDestroyHash (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptDestroyHash (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptDestroyHash (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptGetHashParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetHashParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwParam; .if(poi(@esp+8)=0x1) {.echo HP_ALGID} .elsif(poi(@esp+8)=0x2) {.echo HP_HASHVAL} .elsif(poi(@esp+8)=0x4) {.echo HP_HASHSIZE} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo pbData; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+10));    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14);    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetHashParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetHashParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptGetUserKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetUserKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo dwKeySpec; .if(poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif(poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .else {.printf \"%#x\\n\", poi(@esp+8)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .printf \\\"hUserKey\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetUserKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetUserKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptGenKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGenKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .echo Algid; .if(poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif(poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .elsif(poi(@esp+8)=0x00008004) {.echo CALG_SHA} .else {.printf \"%#x\\n\", poi(@esp+8)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+c); r $t0=(poi(@esp+c))>>10; .printf \"Key Size(%d)\\n\", @$t0; .if((poi(@esp+c)&0x0`00000001)=0x0`00000001) {.echo CRYPT_EXPORTABLE(0x1)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .printf \\\"hKey\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGenKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGenKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptGetKeyParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptGetKeyParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .echo dwParam; .if(poi(@esp+8)=0x7) {.echo KP_ALGID} .elsif(poi(@esp+8)=0x9) {.echo KP_KEYLEN} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo pbData; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+10));    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+14);    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptGetKeyParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptGetKeyParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptDestroyKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptDestroyKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\", poi(@esp+4);   bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptDestroyKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptDestroyKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptEncrypt ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptEncrypt (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+8);    .echo Final; .if(poi(@esp+c)=0) {.echo FALSE} .else {.echo TRUE};    .echo;.echo dwFlags; .if(poi(@esp+10)=0x40) {.echo CRYPT_OAEP} .else {.printf \"%#x\\n\", poi(@esp+10)}; .echo;    .if((poi(@esp+14)!=0) & (poi(poi(@esp+18))!=0)) {r $t0=(poi(poi(@esp+18))+3)/4; .echo bData; dd poi(@esp+14) l@$t0} .elsif(poi(@esp+14)=0) {.echo pbData;.echo NULL} .else {.printf \"pbData\\n%#x\\n\", poi(@esp+14)}; .echo;    .printf \"dwDataLen\\n%d\\n\\n\", poi(poi(@esp+18));    .printf \"dwBufLen\\n%d\\n\", poi(@esp+1c);    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-c)!=0) & (poi(poi(@esp-8))!=0)) {r $t0=(poi(poi(@esp-8))+3)/4; .echo bData; dd poi(@esp-c) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-8));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptEncrypt (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptEncrypt (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptDecrypt ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptDecrypt (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+8);   .echo Final; .if(poi(@esp+c)=0) {.echo FALSE} .else {.echo TRUE};    .echo;.echo dwFlags; .if(poi(@esp+10)=0x40) {.echo CRYPT_OAEP} .else {.printf \"%#x\\n\", poi(@esp+10)}; .echo;    .if((poi(@esp+14)!=0) & (poi(poi(@esp+18))!=0)) {r $t0=(poi(poi(@esp+18))+3)/4; .echo bData; dd poi(@esp+14) l@$t0; .echo} .elsif(poi(@esp+14)=0) {.echo pbData;.echo NULL;.echo};    .printf \"dwDataLen\\n%d\\n\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"   .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bData; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptDecrypt (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptDecrypt (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptSetHashParam ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptSetHashParam (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwParam; .if(poi(@esp+8)=0x2) {.echo HP_HASHVAL} .elsif(poi(@esp+8)=0x5) {.echo HP_HMAC_INFO} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo; .if(poi(@esp+c)=0) {.echo pbData;.echo NULL} .else {.echo bData;dd poi(@esp+c)};     .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+10);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptSetHashParam (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptSetHashParam (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptSignHashW ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\CryptSignHashW (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwKeySpec; .if (poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif (poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo sDescription; .if (poi(@esp+c)=0) {.echo NULL} .else {du poi(@esp+c)};    .printf \"dwFlags\\n%#x\\n\", poi(@esp+10);        .echo;.echo pbSignature; .if (poi(@esp+14)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+14)};    .printf \"\\ndwSigLen\\n%d\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bSignature; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwSigLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptSignHashW (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptSignHashW (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;"; 

bm Advapi32!CryptSignHashA ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptSignHashA (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\", poi(@esp+4);    .echo;.echo dwKeySpec; .if (poi(@esp+8)=0x1) {.echo AT_KEYEXCHANGE} .elsif (poi(@esp+8)=0x2) {.echo AT_SIGNATURE} .else {.printf \"%#x\\n\", poi(@esp+8)};    .echo;.echo sDescription; .if (poi(@esp+c)=0) {.echo NULL} .else {da poi(@esp+c)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+10);        .echo;.echo pbSignature; .if (poi(@esp+14)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+14)};    .printf \"\\ndwSigLen\\n%d\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bSignature; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwSigLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptSignHashA (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptSignHashA (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;"; 

bm Advapi32!CryptVerifySignatureW ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptVerifySignatureW (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+4);    .if((poi(@esp+8)!=0) & (poi(@esp+c)!=0)) {r $t0=(poi(@esp+c)+3)/4; .echo bSignature; dd poi(@esp+8) l@$t0;} .elsif(poi(@esp+8)=0) {.echo pbSignature;.echo NULL;} .else {.printf \"pbSignature\\n%#x\\n\", poi(@esp+8)};    .printf \"\\ndwSigLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"hPubKey\\n%#x\\n\", poi(@esp+10);    .echo;.echo sDescription; .if (poi(@esp+14)=0) {.echo NULL} .else {du poi(@esp+14)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+18);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptVerifySignatureW (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptVerifySignatureW (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptVerifySignatureA ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptVerifySignatureA (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hHash\\n%#x\\n\\n\", poi(@esp+4);    .if((poi(@esp+8)!=0) & (poi(@esp+c)!=0)) {r $t0=(poi(@esp+c)+3)/4; .echo bSignature; dd poi(@esp+8) l@$t0;} .elsif(poi(@esp+8)=0) {.echo pbSignature;.echo NULL;} .else {.printf \"pbSignature\\n%#x\\n\", poi(@esp+8)};    .printf \"\\ndwSigLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"hPubKey\\n%#x\\n\", poi(@esp+10);    .echo;.echo sDescription; .if (poi(@esp+14)=0) {.echo NULL} .else {da poi(@esp+14)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+18);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptVerifySignatureA (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptVerifySignatureA (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptImportKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptImportKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hProv\\n%#x\\n\\n\", poi(@esp+4);    .if((poi(@esp+8)!=0) & (poi(@esp+c)!=0)) {r $t0=(poi(@esp+c)+3)/4; .echo bData; dd poi(@esp+8) l@$t0;} .elsif(poi(@esp+8)=0) {.echo pbData;.echo NULL;} .else {.printf \"pbData\\n%#x\\n\", poi(@esp+8)};    .printf \"\\ndwDataLen\\n%d\\n\\n\", poi(@esp+c);    .printf \"hPubKey\\n%#x\\n\\n\", poi(@esp+10);    .printf \"dwFlags\\n%#x\\n\", poi(@esp+14); .if((poi(@esp+14)&0x0`00000001)=0x0`00000001) {.echo CRYPT_EXPORTABLE(0x1)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT; .printf \\\"hKey\\\\n%#x\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptImportKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptImportKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Advapi32!CryptExportKey ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptExportKey (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"hKey\\n%#x\\n\\n\", poi(@esp+4);    .printf \"hExpKey\\n%#x\\n\\n\", poi(@esp+8);    .echo dwBlobType; .if(poi(@esp+c)=0x7) {.echo PRIVATEKEYBLOB} .else {.printf \"%#x\\n\", poi(@esp+c)};    .printf \"\\ndwFlags\\n%#x\\n\", poi(@esp+10); .if((poi(@esp+10)&0x0`00000040)=0x0`00000040) {.echo CRYPT_OAEP(0x40)};    .echo;.echo pbData; .if(poi(@esp+14)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+14)};    .printf \"\\ndwDataLen\\n%d\\n\", poi(poi(@esp+18));    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if((poi(@esp-8)!=0) & (poi(poi(@esp-4))!=0)) {r $t0=(poi(poi(@esp-4))+3)/4; .echo bData; dd poi(@esp-8) l@$t0; .echo};    .printf \\\"dwDataLen\\\\n%d\\\\n\\\", poi(poi(@esp-4));    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptExportKey (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptExportKey (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

************************************************************************
* CRYPT32!CRYPT* TRACERS
************************************************************************

bm Crypt32!CryptProtectData ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptProtectData (%#x)\\n\", @$tid;    .echo;.echo IN;    .if (poi(@esp+4)=0) {.echo pDataIn;.echo NULL} .else {.printf \"pDataIn->cbData\\n%d\\n\\n\", poi(poi(@esp+4)); r $t0=(poi(poi(@esp+4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo pDataIn->pbData;dd poi(poi(@esp+4)+4) l@$t0};    .echo;.echo szDataDescr; .if(poi(@esp+8)=0) {.echo NULL} .else {du poi(@esp+8)};    .echo; .if (poi(@esp+c)=0) {.echo pOptionalEntropy;.echo NULL} .else { .printf \"pOptionalEntropy->cbData\\n%d\\n\", poi(poi(@esp+c)); r $t0=(poi(poi(@esp+c))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pOptionalEntropy->pbData;dd poi(poi(@esp+c)+4) l@$t0};    .echo;.echo vReserved; .if (poi(@esp+10)=0) {.echo NULL} .else {.printf\"%#x\\n\", poi(@esp+10)};    .echo; .if (poi(@esp+14)=0) {.echo pPromptStruct;.echo NULL} .else {.printf \"pPromptStruct->cbSize\\n%d\\n\\n\", poi(poi(@esp+14)); .printf \"pPromptStruct->dwPromptFlags\\n%#x\\n\", poi(poi(@esp+14)+4); .if((poi(poi(@esp+14)+4)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_PROMPT_ON_UNPROTECT(0x1)}; .if((poi(poi(@esp+14)+4)&0x0`00000002)=0x0`00000002) {.echo CRYPTPROTECT_PROMPT_ON_PROTECT(0x2)}; .printf \"\\npPromptStruct->hwndApp\\n%#x\\n\\n\", poi(poi(@esp+14)+8); .echo pPromptStruct->szPrompt; .if(poi(poi(@esp+14)+c)=0) {.echo NULL} .else {du poi(poi(@esp+14)+c)} };    .echo; .printf \"dwFlags\\n%#x\\n\", poi(@esp+18); .if((poi(@esp+18)&0x0`00000004)=0x0`00000004) {.echo CRYPTPROTECT_LOCAL_MACHINE(0x4)}; .if((poi(@esp+18)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_UI_FORBIDDEN(0x1)}; .if((poi(@esp+18)&0x0`00000010)=0x0`00000010) {.echo CRYPTPROTECT_AUDIT(0x10)}; .if((poi(@esp+18)&0x0`00000040)=0x0`00000040) {.echo CRYPTPROTECT_VERIFY_PROTECTION(0x40)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if (poi(@esp-4)=0) {.echo pDataOut;.echo NULL} .else {.printf \\\"pDataOut->cbData\\\\n%d\\\\n\\\", poi(poi(@esp-4)); r $t0=(poi(poi(@esp-4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pDataOut->pbData;dd poi(poi(@esp-4)+4) l@$t0};    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptProtectData (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptProtectData (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Crypt32!CryptUnprotectData ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptUnprotectData (%#x)\\n\", @$tid;    .echo;.echo IN;    .if (poi(@esp+4)=0) {.echo pDataIn;.echo NULL} .else {.printf \"pDataIn->cbData\\n%d\\n\\n\", poi(poi(@esp+4)); r $t0=(poi(poi(@esp+4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo pDataIn->pbData;dd poi(poi(@esp+4)+4) l@$t0};    .echo; .if (poi(@esp+c)=0) {.echo pOptionalEntropy;.echo NULL} .else { .printf \"pOptionalEntropy->cbData\\n%d\\n\", poi(poi(@esp+c)); r $t0=(poi(poi(@esp+c))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pOptionalEntropy->pbData;dd poi(poi(@esp+c)+4) l@$t0};    .echo;.echo vReserved; .if (poi(@esp+10)=0) {.echo NULL} .else {.printf\"%#x\\n\", poi(@esp+10)};    .echo; .if (poi(@esp+14)=0) {.echo pPromptStruct;.echo NULL} .else {.printf \"pPromptStruct->cbSize\\n%d\\n\\n\", poi(poi(@esp+14)); .printf \"pPromptStruct->dwPromptFlags\\n%#x\\n\", poi(poi(@esp+14)+4); .if((poi(poi(@esp+14)+4)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_PROMPT_ON_UNPROTECT(0x1)}; .if((poi(poi(@esp+14)+4)&0x0`00000002)=0x0`00000002) {.echo CRYPTPROTECT_PROMPT_ON_PROTECT(0x2)}; .printf \"\\npPromptStruct->hwndApp\\n%#x\\n\\n\", poi(poi(@esp+14)+8); .echo pPromptStruct->szPrompt; .if(poi(poi(@esp+14)+c)=0) {.echo NULL} .else {du poi(poi(@esp+14)+c)} };    .echo; .printf \"dwFlags\\n%#x\\n\", poi(@esp+18); .if((poi(@esp+18)&0x0`00000001)=0x0`00000001) {.echo CRYPTPROTECT_UI_FORBIDDEN(0x1)};    bp /t @$thread poi(@esp) \"    .echo;.echo OUT;    .if(poi(@esp-18)=0) {.echo ppszDataDescr;.echo NULL} .else {.echo szDataDescr; .if(poi(poi(@esp-18))=0) {.echo NULL} .else {du poi(poi(@esp-18))} };    .echo; .if (poi(@esp-4)=0) {.echo pDataOut;.echo NULL} .else {.printf \\\"pDataOut->cbData\\\\n%d\\\\n\\\", poi(poi(@esp-4)); r $t0=(poi(poi(@esp-4))+3)/4;.if(@$t0 > 40){r $t0=40}; .echo;.echo pDataOut->pbData;dd poi(poi(@esp-4)+4) l@$t0};    .echo;.echo RESULT;    .if(@eax=1) {.printf \\\"CryptUnprotectData (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptUnprotectData (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Crypt32!CryptMemAlloc ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptMemAlloc (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"cbSize\\n%d\\n\", poi(@esp+4);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .printf \\\"%#x\\\\n\\\\n\\\", @eax; .if(@eax!=0) {.printf \\\"CryptMemAlloc (%#x) SUCCEEDED\\\\n\\\", @$tid} .else {.printf \\\"CryptMemAlloc (%#x) FAILED\\\\n\\\", @$tid;!gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

bm Crypt32!CryptMemFree ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCryptMemFree (%#x)\\n\", @$tid;    .echo;.echo IN;    .printf \"pv\\n%#x\\n\", poi(@esp+4);    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT;    .printf \\\"CryptMemFree (%#x) SUCCEEDED\\\\n\\\", @$tid;    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";

************************************************************************
* CRYPT32!CERT* TRACERS
************************************************************************

bm Crypt32!CertOpenStore ".printf \"\\n>>>>>>>>>>>>>>>>>>>>>>\\n\\nCertOpenStore (%#x)\\n\", @$tid;    .echo;.echo IN;    .echo lpszStoreProvider; .if(poi(@esp+4)=0) {.echo NULL} .elsif(poi(@esp+4)=0x1) {.echo CERT_STORE_PROV_MSG} .elsif(poi(@esp+4)=0x2) {.echo CERT_STORE_PROV_MEMORY} .elsif(poi(@esp+4)=0xa) {.echo CERT_STORE_PROV_SYSTEM_W} .elsif(poi(@esp+4)=0xb) {.echo CERT_STORE_PROV_COLLECTION} .elsif(poi(@esp+4)=0xd) {.echo CERT_STORE_PROV_SYSTEM_REGISTRYW} .else {da poi(@esp+4)}; .echo;    .printf \"dwMsgAndCertEncodingType\\n%#x\\n\", poi(@esp+8); .if((poi(@esp+8)&0x0`00000001)=0x0`00000001) {.echo X509_ASN_ENCODING(0x1)}; .if((poi(@esp+8)&0x0`00010000)=0x0`00010000) {.echo PKCS_7_ASN_ENCODING(0x10000)}; .echo;    .echo hCryptProv; .if(poi(@esp+c)=0) {.echo NULL} .else {.printf \"%#x\\n\", poi(@esp+c)}; .echo;    .printf \"dwFlags\\n%#x\\n\", poi(@esp+10); .if((poi(@esp+10)&0x0`00000001)=0x0`00000001) {.echo CERT_STORE_NO_CRYPT_RELEASE_FLAG(0x1)}; .if((poi(@esp+10)&0x0`00000004)=0x0`00000004) {.echo CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG(0x4)}; .if((poi(@esp+10)&0x0`00000080)=0x0`00000080) {.echo CERT_STORE_SHARE_CONTEXT_FLAG(0x80)}; .if((poi(@esp+10)&0x0`00000400)=0x0`00000400) {.echo CERT_STORE_UPDATE_KEYID_FLAG(0x400)}; .if((poi(@esp+10)&0x0`00001000)=0x0`00001000) {.echo CERT_STORE_MAXIMUM_ALLOWED_FLAG(0x1000)}; .if((poi(@esp+10)&0x0`FFFF0000)=0x0`00010000) {.echo CERT_SYSTEM_STORE_CURRENT_USER(0x10000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00020000) {.echo CERT_SYSTEM_STORE_LOCAL_MACHINE(0x20000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00040000) {.echo CERT_SYSTEM_STORE_CURRENT_SERVICE(0x40000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00050000) {.echo CERT_SYSTEM_STORE_SERVICES(0x50000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00060000) {.echo CERT_SYSTEM_STORE_USERS(0x60000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00070000) {.echo CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY(0x70000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00080000) {.echo CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY(0x80000)} .elsif((poi(@esp+10)&0x0`FFFF0000)=0x0`00090000) {.echo CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE(0x90000)};    .echo; .if(poi(@esp+14)=0) {.echo pvPara; .echo NULL} .else {.echo vPara; dd poi(@esp+14)};    bp /t @$thread poi(@esp) \"    .echo;.echo RESULT; .if(@eax!=0) {.printf \\\"%#x\\\\n\\\\nCertOpenStore (%#x) SUCCEEDED\\\\n\\\", @eax, @$tid;} .else {.printf \\\"NULL\\\\n\\\\nCertOpenStore (%#x) FAILED\\\\n\\\", @$tid; !gle};    .echo;.echo <<<<<<<<<<<<<<<<<<<<<<;    G;\";    G;";
 
************************************************************************
* LET'S GO AND TRACE!!!
************************************************************************

* Don't want any output but my own
*
!sym quiet;
.srcnoisy 0;
sxi ld
.outmask- 0xFFFFFFEE  $$ .outmask /d restores the output mask to default

* Create the log and begin
*
.logopen "log.txt";
G
I hope it helps you as much as it helps me every day.
Cheers,
Alex (Alejandro Campos Magencio)
PS: If you find any issue with the script, please let me know so I can improve it. Obviously I couldn't test it in all possible scenarios. For instance, if the debugger breaks on an exception (i.e. Access Violation), the tracing will break, too. We will have to make the tracer to continue with the "g" command in the debugger.
PS: More explanations on this script can be found in my next post How to trace CryptoAPI calls (2).
CryptoAPI Tracer script

Additional resources
