Wednesday, 26 September 2012

EmProviderRegister/EmpProviderRegister callbacks

These two exported functions were introduced in Vista and are totally undocumented. I'll show here how to dump all installed Emp callbacks.

Check first how they are used, for example in acpi.sys:

    push offset _AcpiEmProviderHandle
    push 2 ; arg4
    push offset _CallbackReg ; arg3
    push 2 ; arg2
    push offset _EntryReg ; arg1
    push [ebp+arg_0]
    call _EmProviderRegister


Clear enough: arg1 is a pointer to some EmpEntries, arg2 is the size of EmpEntries, arg3 is a pointer to EmpCallbacks and arg4 is the size of EmpCallbacks. The last arg returns the registered HANDLE. Let's check how EmpEntries and EmpCallbacks look:

    _EntryReg dd offset _GUID_EM_ACPI_NSOBJ_TYPE ; 9AD56063-6B5D-4378-92A6-B4A8CA5B2616
    dd 0
    dd 0
    dd offset _GUID_EM_ACPI_DEVICE_TYPE ; EB1A2D2A-DF53-42D9-A5AA-7B25D0B5712B
    dd 0
    dd 0
    _CallbackReg dd offset _GUID_EM_ACPI_NSOBJ_MATCH_CALLBACK ; C2569BEF-5980-4120-8582-9D0774DCF86D
    dd offset _ACPINsObjMatchCallback@28 ; wow, this is a ptr to a function!
    dd 0
    dd offset _GUID_EM_ACPI_DEVICE_MATCH_CALLBACK ; 33204598-9949-4AD1-B41E-A4A0F705DC12
    dd offset _ACPIDeviceMatchCallback@28 ; and yet another function!
    dd 0

It seems that both functions allow registering callbacks in kernel mode. The code inside EmpProviderRegister is very lengthy, so I omit all the boring stuff. This function uses the PUSH_LOCK EmpDatabaseLock for synchronization and two linked lists:
  • EmpEntryListHead (in EmpSearchEntryDatabase) for storing EMP Entries
  • EmpCallbackListHead (in EmpSearchCallbackDatabase) for storing EMP Callbacks.
EmpCallbackListHead holds structures like:

    typedef struct _Emp_Callback
    {
    /* win32 win64 offsets */
    /*     0     0 */ IID iid;
    /*    10    10 */ unsigned char *CallbackFunction;
    /*    14    18 */ PVOID unk1;
    /*    18    20 */ PVOID unk2;
    /*    1C    28 */ LIST_ENTRY ListEntry;
    } EMP_CALLBACK, *PEMP_CALLBACK;

From this structure it's obvious how to walk the EmpCallbackListHead list.
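As an added example (not code from the original post), here is the list walk in C, done in user mode over a constructed stand-in list laid out exactly like EMP_CALLBACK above; `emp_dump`, `emp_demo` and the sample entries are my own names, and the addresses are opaque values copied from the post's dump, never dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _GUID { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;

/* EMP_CALLBACK with the offsets from the post; the layout check below fails to compile on a mismatch. */
typedef struct _EMP_CALLBACK {
    GUID iid;                                   /* 0x00 */
    void *CallbackFunction, *unk1, *unk2;       /* 0x10, 0x14/0x18, 0x18/0x20 (x86/x64) */
    LIST_ENTRY ListEntry;                       /* 0x1C / 0x28 */
} EMP_CALLBACK;
typedef char emp_layout_check[(offsetof(EMP_CALLBACK, CallbackFunction) == 0x10 &&
    offsetof(EMP_CALLBACK, ListEntry) == (sizeof(void *) == 8 ? 0x28 : 0x1C)) ? 1 : -1];
#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))
static void emp_insert_tail(LIST_ENTRY *head, EMP_CALLBACK *e) {   /* InsertTailList */
    e->ListEntry.Flink = head; e->ListEntry.Blink = head->Blink;
    head->Blink->Flink = &e->ListEntry; head->Blink = &e->ListEntry;
}
/* Walk the circular list from head->Flink back to head, recover each EMP_CALLBACK via
 * CONTAINING_RECORD, print GUID + callback address, store it in out[] and return the count. */
size_t emp_dump(const LIST_ENTRY *head, void **out, size_t max) {
    size_t n = 0;
    for (const LIST_ENTRY *p = head->Flink; p != head && n < max; p = p->Flink) {
        const EMP_CALLBACK *cb = CONTAINING_RECORD(p, EMP_CALLBACK, ListEntry);
        const GUID *g = &cb->iid;
        printf(" Emp[%zu] %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X: %p\n", n, g->Data1,
               g->Data2, g->Data3, g->Data4[0], g->Data4[1], g->Data4[2], g->Data4[3],
               g->Data4[4], g->Data4[5], g->Data4[6], g->Data4[7], cb->CallbackFunction);
        out[n++] = cb->CallbackFunction;
    }
    return n;
}
/* Constructed sample: GUIDs and addresses copied from the post's Windows 7 dump.
 * The addresses are opaque stand-ins for driver code and are never dereferenced. */
#define ADDR(x) ((void *)(uintptr_t)(x))
static EMP_CALLBACK g_sample[3] = {
    { {0xC2569BEF, 0x5980, 0x4120, {0x85,0x82,0x9D,0x07,0x74,0xDC,0xF8,0x6D}}, ADDR(0x86A8F2FC) },
    { {0xF79DE8DC, 0xF3D1, 0x4802, {0x9C,0x4B,0x6B,0xF7,0x42,0xD6,0x5F,0xBD}}, ADDR(0x86AE0ACC) },
    { {0xD2E7862C, 0xB8FA, 0x4274, {0x9B,0xD1,0x59,0xBA,0x8D,0xA0,0xA7,0xC2}}, ADDR(0x82979EF7) },
};
static void *g_out[8];
size_t emp_demo(void) {                         /* build the stand-in list, then dump it */
    LIST_ENTRY head = { &head, &head };         /* InitializeListHead */
    for (size_t i = 0; i < 3; i++) emp_insert_tail(&head, &g_sample[i]);
    return emp_dump(&head, g_out, 8);
}
uintptr_t emp_demo_addr(size_t i) { return (uintptr_t)g_out[i]; }
```

Against a live kernel the same walk runs over EmpCallbackListHead, and a callback address that does not fall inside a loaded driver image is the thing worth flagging.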

Sample output from my Windows 7 32-bit:
Emp count: 11
 Emp[0] C2569BEF-5980-4120-8582-9D0774DCF86D (EM_ACPI_NSOBJ_MATCH_CALLBACK): 86A8F2FC \SystemRoot\system32\DRIVERS\ACPI.sys
 Emp[1] F79DE8DC-F3D1-4802-9C4B-6BF742D65FBD (EM_PCI_DEVICE_SET_HACKFLAGS_CALLBACK): 86AE0ACC \SystemRoot\system32\DRIVERS\pci.sys
 Emp[2] DFBFD6FE-435A-419E-8F2C-9B13A3C04C9E (EM_PCI_DEVICE_MATCH_CALLBACK): 86AE0A48 \SystemRoot\system32\DRIVERS\pci.sys
 Emp[3] D2E7862C-B8FA-4274-9BD1-59BA8DA0A7C2 (EM_CPU_MATCH_CALLBACK): 82979EF7 \SystemRoot\system32\ntkrnlpa.exe
 Emp[4] 24453286-BDE8-46BC-85D1-1982EDF3E212 (EM_SYSTEM_ARCHITECTURE_CALLBACK): 82AC02B6 \SystemRoot\system32\ntkrnlpa.exe
 Emp[5] 9D991181-C86A-4517-9FE7-32290377B564 (EM_ALWAYS_FALSE_CALLBACK): 82AC02A7 \SystemRoot\system32\ntkrnlpa.exe
 Emp[6] 8026FF68-3BD0-4BA4-A1D4-DE724F781B78 (EM_ALWAYS_TRUE_CALLBACK): 82AC02EB \SystemRoot\system32\ntkrnlpa.exe
 Emp[7] A380467C-D907-4716-8B9B-17584E34256C (EM_CALLBACK_DISABLE_FASTS4_GUID): 8BC4C0E3 \SystemRoot\System32\drivers\VIDEOPRT.SYS
 Emp[8] 182A2B31-D5B8-45EF-BB6D-646EBAEDD8F1 (EM_CALLBACK_BIOS_DATE): 82AC00F3 \SystemRoot\system32\ntkrnlpa.exe
 Emp[9] 6F8D0C6D-B6FB-4584-8B34-F39422CFA61A
 Emp[10] 78BC9E89-552A-4AB8-9231-132E09E235B2
 Emp[11] 7CD2B230-6CEA-4957-B5D7-CFA977C22B18 (HAL_CALLBACK_ACPI_FADT_BOOTARCH): 82C24BB2 \SystemRoot\system32\halmacpi.dll
 Emp[12] BF51DEF4-AC9C-44F3-ADE7-26DD13E756D3 (HAL_CALLBACK_ACPI_REVISION): 82C24BF4 \SystemRoot\system32\halmacpi.dll
 Emp[13] BEAE4D5F-2203-4856-94BB-C772A2C7624A (HAL_CALLBACK_ACPI_OEM_ID): 82C24B54 \SystemRoot\system32\halmacpi.dll
 Emp[14] 7E8FAE0F-7591-4EB6-9554-1D0699873111 (HAL_CALLBACK_ACPI_OEM_REVISION): 82C24AF6 \SystemRoot\system32\halmacpi.dll
 Emp[15] E0E45284-F266-4048-9A5E-7D4007C9C5AB (HAL_CALLBACK_ACPI_OEM_TABLE_ID): 82C24A44 \SystemRoot\system32\halmacpi.dll
 Emp[16] 2960716F-B0D8-41C9-9BB4-EE8BA248F86E (HAL_CALLBACK_ACPI_OEM_ID): 82C249AA \SystemRoot\system32\halmacpi.dll
