W32pServiceTable from windows 10 build 14316

W32pServiceLimit .eq. 0x471

KiServiceTable from windows 10 build 14316

KiServiceLimit .eq. 0x1c1

KiServiceTable from windows 10 build 14316 64bit

KiServiceLimit .eq. 0x1C1

wincheck rc8.56

download
mirror

changelog:

• add support of windows 10rtm, build 14279 & 14295
• add dumping of g_pAuditingFuncs
• add dumping of hal!InterruptController
• add dumping of PICO. Sample of output:
  PspPicoProviderRoutines at FFFFF803D2F42EA0:
 DispatchSystemCall: FFFFF803B997B4B0 \SystemRoot\system32\drivers\LXCORE.SYS
 ExitThread:         FFFFF803B997B4E0 \SystemRoot\system32\drivers\LXCORE.SYS
 ExitProcess:        FFFFF803B997B450 \SystemRoot\system32\drivers\LXCORE.SYS
 DispatchException:  FFFFF803B997B1E0 \SystemRoot\system32\drivers\LXCORE.SYS
 ProcessTerminate:   FFFFF803B997B480 \SystemRoot\system32\drivers\LXCORE.SYS
 WalkUserStack:      FFFFF803B997B630 \SystemRoot\system32\drivers\LXCORE.SYS
 ProtectedRanges:    FFFFF803B9930400 \SystemRoot\system32\drivers\LXCORE.SYS
 GetAllocatedProcessImageName: FFFFF803B997B650 \SystemRoot\system32\drivers\LXCORE.SYS
• fix wnf identifiers
• fix WFP callouts for w8.1 & w10
• lots of bugs were fixed

xxxSetAuditingInterface

Nice piece of code from lsasrv:
_GetCngAuditFunctions@4 proc near   ; CODE XREF: SrvPrepKeyIso(x)+33p
                                    ; LsapInitCNGAuditing()+Dp
  test  ecx, ecx
  jz    short loc_5095F661
  mov   dword ptr [ecx], offset _AuditFunctionTable
  xor   eax, eax
  retn

_AuditFunctionTable:
_AuditFunctionTable db    1
  db    0
  db    0
  db    0
  dd offset _CngAdtSelfTest@12              ; offset 4
  dd offset _CngAdtKeyFileOperation@32      ; offset 8
  dd offset _CngAdtKeyMigrationOperation@28 ; offset C
  dd offset _CngAdtVerificationFailure@24   ; offset 10
  dd offset _CngAdtCryptOperation@28        ; offset 14
  dd offset _CngAdtPrimitiveFailure@16      ; offset 18

This table used in SrvPrepKeyIso & LsapInitCNGAuditing functions: