Windows 10 1809 kernel sensors

After reading this article I was curious which info Mocrosoft gather in it`s telemetry. There is some theoretical possibility to ask Microsoft via MVI but link to "apply for membership" gives 404, lol. So as usually run IDA Pro and start with KeInsertQueueApc function

We can see that code checks EtwThreatIntProvRegHandle and somewhere inside function calls etw logger function EtwTiLogInsertQueueUserApc. So lets collect other etw loggers reffered to
EtwThreatIntProvRegHandle (and EtwSecurityMitigationsRegHandle too)

• EtwThreatIntProvRegHandle - called from KeInsertQueueApc and IopfCompleteRequest
• EtwTiLogSetContextThread - called from PspWow64SetContextThread & PspSetContextThreadInternal
• EtwTiLogAllocExecVm - called from MiAllocateVirtualMemory
• EtwTiLogProtectExecVm - called from NtProtectVirtualMemory
• EtwTiLogReadWriteVm - called from MiReadWriteVirtualMemory
• EtwTiLogDeviceObjectLoadUnload - called from IoDeleteDevice & IoCreateDevice
• EtwTiLogDriverObjectLoad - called from IopLoadDriver & IoCreateDriver
• EtwTiLogMapExecView - called from NtMapViewOfSection & MiMapViewOfSectionExCommon
• EtwTiLogSuspendResumeProcess - called from PsThawProcess, PsFreezeProcess, PsResumeProcess & PsSuspendProcess
• EtwTiLogSuspendResumeThread - called from PsSuspendThread & PsResumeThread

etw loggers reffered to EtwSecurityMitigationsRegHandle

• EtwpTimLogMitigationForProcess - called from MiAllowImageMap
• EtwTimLogProhibitDynamicCode - called from MiArbitraryCodeBlocked
• EtwTimLogProhibitWin32kSystemCalls - called from PsConvertToGuiThread
• EtwTimLogProhibitNonMicrosoftBinaries - called from MiValidateSectionSigningPolicy
• EtwTimLogProhibitChildProcessCreation - called from SeSubProcessToken
• EtwTimLogProhibitLowILImageMap - called from MiAllowImageMap

simple way to find PsKernelRangeList

It seems that since est. build 15025 to PsKernelRangeList was added absolute addresses of KUSER_SHARED_DATA.SystemCall and KUSER_SHARED_DATA.ProcessorFeatures
So now it can be trivially found with signature 0xFFFFF78000000308 (0xFFDF0308 for 32bit) in .data section
Lets see what is interesting in this list
Items in PsKernelRangeList can be described something like

struct protected_area
{
 PBYTE addr;
 PBYTE len;
};
Also it seems that new entries always adding in end of this list. On build 18312 this list contains

1. PspPicoProviderRoutines
2. 3 zero entry
3. MmUserProbeAddress (exported)
4. MmSystemRangeStart (exported)
5. MmHighestUserAddress (exported)
6. MmBadPointer (exported)
7. HvcallCodeVa
8. PsWin32NullCallBack
9. PspSystemMitigationOptions (size 0x10)
10. KdpBootedNodebug
11. KUSER_SHARED_DATA.SystemCall
12.  KUSER_SHARED_DATA.ProcessorFeatures
13. KiDynamicTraceEnabled
14. KiDynamicTraceCallouts (size 0x28 on 32bit, 0x50 on 64bit)

WNF IDs from w10 build 18312

ripped from ContentDeliveryManager.Utilities.dll

apisetschema.dll from windows 10 build 1774

new modules was added since 15025

• win-containers-cmclient
• win-core-backgroundtask
• win-core-com-private
• win-core-file-fromapp
• win-core-pcw
• win-core-state-helpers
• win-gaming-deviceinformation
• win-security-isolationapi
• win-security-isolationpolicy
• win-shcore-taskpool
• win-wsl-api
• win-appcompat-aeinv
• win-hostactivitymanager-hostidstore
• win-hyperv-hgs
• win-hyperv-hvemulation
• win-hyperv-hvplatform
• win-hyperv-compute
• win-networking-teredo
• win-rtcore-ntuser-controllernavigation
• win-security-authz-helper
• win-security-catalog-database
• ms-win-security-cfl
• win-security-ngc-local
• win-security-vaultcds
• win-session-candidateaccountmgr

bug in wtsapi32!WTSFreeMemoryExA

prototype

BOOL WTSFreeMemoryExA(
  WTS_TYPE_CLASS WTSTypeClass,
  PVOID          pMemory,
  ULONG          NumberOfEntries
);

WTS_TYPE_CLASS declared in WtsApi32.h as

enum _WTS_TYPE_CLASS {
  WTSTypeProcessInfoLevel0 = 0x0,
  WTSTypeProcessInfoLevel1 = 0x1,
  WTSTypeSessionInfoLevel1 = 0x2,
};

ok, check in disasm what happens:
WTSFreeMemoryExA proc near 

  push    rbx
  sub     rsp, 20h
  xor     ebx, ebx
  cmp     ecx, ebx
  jl      short loc_7FF70582EC2
  cmp     ecx, 1 ; whut ?
  jg      short loc_7FF70582EC2
  call    WTSFreeMemoryExW
  mov     ebx, eax
  jmp     short loc_7FF70582ECD

loc_7FF70582EC2: 

  mov     ecx, 87         ; dwErrCode - ERROR_INVALID_PARAMETER
  call    cs:__imp_SetLastError 

as you can see you cannot pass WTSTypeSessionInfoLevel1 to function WTSFreeMemoryExA - it gives error ERROR_INVALID_PARAMETER. As dirty workaround you can use WTSFreeMemoryExW - it has correct checking of WTSTypeClass. btw this lead to memory leaks and known at least since 2013

WNF IDs from perf_nt_c.dll (adk version 17692)

to compare with

interesting case of memory leak

after three weeks of work service osqueryd.exe consumed about 150 mb of memory. so I made full memory dump with process explorer and run !heap -l in windbg
298991 string in log ! lets write quick and ditry perl script to calculate sizes of leaked blocks:

my $state = 0;
my($str, %dict, $size);
while( $str = <> )
{
  chomp $str;
  last if ( $str eq '' );
  if ( ! $state )
  {
    $state = 1 if ( $str =~ /^-----/ );
    next;
  }
  $str = substr($str, 72, 10);
  $str =~ s/^\s+//g;
  $str =~ s/\s+$//g;
  $size = hex($str);
  next if ( !$size );
  $dict{$size} += 1;
}

# dump results
my $iter;
foreach $iter ( sort { $dict{$b} <=> $dict{$a} } keys %dict )
{
  printf("%X %d\n", $iter, $dict{$iter});
}

results are encouraging: