C language function: CryptDecrypt sample code

Results of searching the internet for sample code that uses this function.


TITLE : Windows-classic-samples/RSACapiAndCngInterop.cpp at master Microsoft/Windows-classic-samples GitHub
secStatus = NCryptDecrypt(.......
http://github.com/Microsoft/Windows-classic-samples/blob/master/Samples/Security/RSACapiAndCngInterop/cpp/RSACapiAndCngInterop.cpp


TITLE : Windows-classic-samples/RSACapiAndCngInterop.cpp at master Microsoft/Windows-classic-samples GitHub
if(!CryptDecrypt(.......
http://github.com/Microsoft/Windows-classic-samples/blob/master/Samples/Security/RSACapiAndCngInterop/cpp/RSACapiAndCngInterop.cpp
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
I noticed some malware calling RtlDecompressBuffer() and CryptDecrypt() to extract new code to run, and don't forget the classic CreateProcess() / WriteProcessMemory() trick (process hollowing) to run malicious code under the guise of another process. I figured that with WinAppDbg's ability to hook API calls, we could capture the resulting memory data and save it to a file. To do this, we'll take version 2013.02.26 of unpack.py, and add to it........
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
Whilst looking at some of the malware samples from my honeynet, I noticed the RtlDecompressBuffer() and CryptDecrypt() Win32 API calls being used to decompress and decrypt new code to run........
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
* Look for calls to RtlDecompressBuffer() and CryptDecrypt(), and capture the compress/encrypted memory and the decompressed/decrypted memory........
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
The first step in obtaining decrypted and decompressed memory blocks, is to hook the API functions responsible for doing the decryption and decompression, namely CryptDecrypt() and RtlDecompressBuffer(). These hooks are created by adding entries to the apiHooks{} dictionary in section C.1 of unpack.py. Something to add in the future would be detection for other encryption/decryption library calls, such as those found in OpenSSL........
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
pre_CryptDecrypt().......
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
post_CryptDecrypt().......
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
pre_CryptDecrypt() (section C.3) uses WinAppDbg's Process.read_uint() method to dereference the pdwDataLen argument, giving us the size of the buffer........
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
Apart from that difference, both pre_CryptDecrypt() (section C.3) and pre_RtlDecompressBuffer() (section C.4) use WinAppDbg's Process.read() method to read the data buffers (pbData, CompressedBuffer, and UncompressedBuffer) from the process' address space, and write them to disk........
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks | Malware Musings
Both the CryptDecrypt() and RtlDecompressBuffer() hook handlers save the memory buffers to files named after the exe file that unpack.py is running - they simply append .memblk followed by .enc (encrypted), .dec (decrypted), .comp (compressed), .decomp (decompressed). These output file names are also logged in both the human readable log output, and in the JSON log output........
http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/
TITLE : Example C Program: Decrypting a File (Windows)
if(!CryptDecrypt(.......
http://msdn.microsoft.com/en-us/library/windows/desktop/aa382044(v=vs.85).aspx
TITLE : CryptDecrypt function (Windows)
BOOL WINAPI CryptDecrypt(.......
http://msdn.microsoft.com/ja-jp/library/windows/desktop/aa379913(v=vs.85).aspx
TITLE : CryptDecrypt function (Windows)
CryptDecrypt(hDuplicateKey, block).......
http://msdn.microsoft.com/ja-jp/library/windows/desktop/aa379913(v=vs.85).aspx
TITLE : RSA encryption for C++/Delphi (CryptoAPI) and PHP (OpenSSL) [part 2] | Pumka.net
if (!CryptDecrypt(hKey, NULL, final, 0, (System::PByte)chunk->Memory, &dwSize)) {.......
http://pumka.net/2009/12/16/rsa-encryption-cplusplus-delphi-cryptoapi-php-openssl-2/