Skip to content

Monitoring the WinScard system calls and APDUs in a PC SC application in Windows

Mart Sõmermaa edited this page Apr 22, 2022 · 6 revisions

Introduction

On a Windows computer, all smart card-enabled applications communicate with smart cards via the system's PC/SC library, winscard.dll. winscard.dll internally communicates with the PC/SC service, which in turn communicates with the reader's driver, and finally the reader communicates with the card.

API Monitor is a free tool that lets you monitor and control Windows API calls made by applications and services. Using API Monitor, it is possible to view all WinSCard API function calls made by the application, including the APDUs exchanged with the card within SCardTransmit.

Installing and configuring API Monitor

  1. Download and unzip the portable API Monitor ZIP file from http://www.rohitab.com/apimonitor.
  2. Amend the following API metadata XML files in the extracted API folder (source: MySmartLogon) to make function call dwDisposition parameters symbolic and designate the variables that contain SCardTransmit APDU buffers' length.
    1. In scard.h.xml, add the following variable:
      <!-- [SCARD_DISPOSITION] -->
      <Variable Name="[SCARD_DISPOSITION]" Type="Alias" Base="LONG">
          <Display Name="LONG" />
          <Enum>
              <Set Name="SCARD_LEAVE_CARD"   Value="0" />
              <Set Name="SCARD_RESET_CARD"   Value="1" />
              <Set Name="SCARD_UNPOWER_CARD" Value="2" />
              <Set Name="SCARD_EJECT_CARD"   Value="3" />
          </Enum>
      </Variable>
    2. In winscard.xml, amend the following three functions:
      <Api Name="SCardDisconnect">
          <Param Type="SCARDHANDLE" Name="hCard" />
          <Param Type="[SCARD_DISPOSITION]" Name="dwDisposition" /> <!-- replace type -->
          <Return Type="[SCARD_ERROR]" />
      </Api>
      <Api Name="SCardEndTransaction">
          <Param Type="SCARDHANDLE" Name="hCard" />
          <Param Type="[SCARD_DISPOSITION]" Name="dwDisposition" /> <!-- replace type -->
          <Return Type="[SCARD_ERROR]" />
      </Api>
      
      <Api Name="SCardTransmit">
          <Param Type="SCARDHANDLE" Name="hCard" />
          <Param Type="LPCSCARD_IO_REQUEST" Name="pioSendPci"/>
          <Param Type="LPCBYTE" Name="pbSendBuffer" Count="cbSendLength" /> <!-- add count -->
          <Param Type="DWORD" Name="cbSendLength" />
          <Param Type="LPSCARD_IO_REQUEST" Name="pioRecvPci" />
          <Param Type="LPBYTE" Name="pbRecvBuffer" PostCount="pcbRecvLength" /> <!-- add post count -->
          <Param Type="LPDWORD" Name="pcbRecvLength" />
          <Return Type="[SCARD_ERROR]" />
      </Api>

Inspecting WinSCard API calls using API Monitor

  1. Launch API Monitor, search for WinSCard in the API Filter window and select all function calls:
    image1
  2. Launch the smart card application you want to monitor, find it from the Running Processes window you want to monitor, right-click on it and choose Start Monitoring:
    image2
  3. Now you will see the WinSCard API calls in the monitor log window:
    image5
  4. You can examine the call parameters in the Parameters window, note that the send and receive buffers can be expanded and examined as well:
    image4
  5. When you click on the buffer field, it will be loaded into the Hex buffer window, where you can see the buffer bytes in hexadecimal, copy and save the contents:
    image3
Clone this wiki locally