I need to log CNG (BCrypt/NCrypt) function calls. I've managed to find the respective channels in Windows Event Log, but they don't provide the complete information - some calls aren't logged, and the function argument values aren't logged. What I want to do now is to write a proxy which would substitute bcrypt.dll and ncrypt.dll for the purpose of external programs calling their functions, log function argument values and then call the necessary functions from BCrypt/NCrypt with GetProcAddress. Can I do it, and are there any other ways to log CNG function calls?

I wrote the proxy in question, replacing ncryptprov.dll and bcryptprimitives.dll in \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Primitive Provider\UM\Image and \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Software Key Storage Provider\UM\Image. The proxy didn't work as these DLLs don't export BCrypt/NCrypt API functions.
