Microsoft Security Catalog Format Documentation and API Samples

I'm looking for any documentation on the API for working with Microsoft Security Catalogs, or in lieu of that, information on the file format so that I may write my own parser.

In short, I have some .cat f开发者_Go百科iles that I need to be able to work with. Looking at the file in a hex editor, they obviously have different regions, which are delimited somehow (looks like typical binary saved structs). I need to get certain information out of them, and ignore other information.

I could probably reverse engineer the format and parse out what I need, but I'd prefer to do that either through the Win32 API, or at least write my parser to be correct for the format, instead of just "able to do what I need it to do".

MSCAT32.DLL seems to be the signficant one, but I'm not sure it has exports to do what I need... It's a bit cryptic (no pun intended).

Any information at all would be helpful.

Just to toss a few more keywords in here...

The MIME type is: application/vnd.ms-pki.seccat The magic header bytes are: 30 80 09 06 The field delimiters in the file seem to be: EOT (04) and € (80) A program that generates them is: MakeCat.exe

Microsoft Security Catalogs are nothing more than binary files, coded in ASN.1 DER format. Inside the file is PKCS#7 signed data with additional fields for Microsoft specific stuff (coded with Microsoft OIDs). A list of these OIDs can be found here: https://support.microsoft.com/en-us/kb/287547

If you want to decode ASN.1 DER, use for example this JavaScript based encoder: http://lapo.it/asn1js/

By the way: 30 80 09 06 is not the file magic, but means there is a constructive SEQUENCE with unknown length starting there. ASN.1 DER Files do not have any magic, but start with a SEQUENCE (which is coded in DER as 0x30 in many cases.

Here is a definition of the wintrust calls that are used by makecat Look under Catalog Definition Functions Catalog Functions which are made up of certificate trust list (CTL) A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.

which in turn are composed on pkcs#7 blobs