Now it`s time to enum WNF callbacks in kernel
It is not surprising that they stored in EPROCESS.WnfContext, this struct is undocumented but can be partially recovered from function ExpWnfCreateProcessContext:
offset 0 - WORD signature 0x906
offset 4 - WORD - size 0x88 (0x44 for x86)
offset 8 - eprocess
offset 0x10 - linked list for WNF contexts
offset 0x28 - push lock
offset 0x40 - linked list
offset 0x58 - linked list
offset 0x70 - linked list
Lets see at this struct in windbg
kd>? nt!PsInitialSystemProcess
Evaluate expression: -8785642524704 = fffff802`6ee5efe0
kd> dp fffff802`6ee5efe0
fffff802`6ee5efe0 ffffb482`fce4f040
kd> dt _EPROCESS ffffb482`fce4f040
...
+0x6b0 ThreadListLock : _EX_PUSH_LOCK
+0x6b8 WnfContext : 0xffff9e0f`63a60c60 Void
+0x6c0 ServerSilo : (null)
kd> dp ffff9e0f`63a60c60
ffff9e0f`63a60c60 00000000`00880906 ffffb482`fce4f040
ffff9e0f`63a60c70 ffff9e0f`65477ea0 fffff802`6f2415b8
ffff9e0f`63a60c80 00000000`00000000 00000000`00000000
ffff9e0f`63a60c90 00000000`00000000 00000000`00000000
ffff9e0f`63a60ca0 ffff9e0f`647eafd8 ffff9e0f`65ecb508
ffff9e0f`63a60cb0 00000000`00000000 ffff9e0f`63a3b518
ffff9e0f`63a60cc0 ffff9e0f`65e97598 00000000`00000000
ffff9e0f`63a60cd0 ffff9e0f`63a60cd0 ffff9e0f`63a60cd0
Lets look at list on offset 0x58:
kd> dps ffff9e0f`63a3b518
ffff9e0f`63a3b518 ffff9e0f`644358f8
ffff9e0f`63a3b520 ffff9e0f`63a60cb8
ffff9e0f`63a3b528 ffffb482`fce4f040
ffff9e0f`63a3b530 ffff9e0f`63a8e770
ffff9e0f`63a3b538 41504e50`00000801
ffff9e0f`63a3b540 ffff9e0f`69b042d0
ffff9e0f`63a3b548 ffff9e0f`63a8e7e8
ffff9e0f`63a3b550 fffff802`6ef52220 nt!PiUEventMetaNotificationCallback
ffffb482`fce4f040 - address of EPROCESS
41504e50 & 00000801 - WNF id, but we need
id1: 801 xor A3BC0074 = A3BC0875
id2: 41504e50 xor 41C64E6D = 96003D
This is WNF_PNPA_DEVNODES_CHANGED
I got constants A3BC0074 and 41C64E6D from function ExpWnfDispatchKernelSubscription
So this struct looks like
struct WNF_CB
{
LIST_ENTRY ListEntry;
EPROCESS *eproc;
PVOID unknown;
DWORD id1;
DWORD id2;
LIST_ENTRY ListEntry2;
PVOID cb;
};
And sample of output:
[0]: FFFF9E0F63A3B518 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 96003D (WNF_PNPA_DEVNODES_CHANGED) cb FFFFF8026EF52220 \SystemRoot\system32\ntoskrnl.exe
[1]: FFFF9E0F644358F8 EPROCESS FFFFB482FCE4F040 id1 A3BC3075 id2 41C6013D (WNF_PO_ENERGY_SAVER_OVERRIDE) cb FFFFF8026F160AE0 \SystemRoot\system32\ntoskrnl.exe
[2]: FFFF9E0F644F8AC8 EPROCESS FFFFB482FCE4F040 id1 A3BC9075 id2 41C6013D (WNF_PO_BACKGROUND_ACTIVITY_POLICY) cb FFFFF8026F160A50 \SystemRoot\system32\ntoskrnl.exe
[3]: FFFF9E0F645F21A8 EPROCESS FFFFB482FCE4F040 id1 A3BC6875 id2 41960A28 (WNF_EDP_PURGE_APP_LEARNING_EVT) cb FFFFF801DE665A00 \SystemRoot\System32\drivers\tcpip.sys
[4]: FFFF9E0F645D84C8 EPROCESS FFFFB482FCE4F040 id1 A3BC9875 id2 41840B3E (WNF_SEB_SYSTEM_LPE) cb FFFFF801DDC51800 \SystemRoot\system32\drivers\CEA.sys
[5]: FFFF9E0F6461C4D8 EPROCESS FFFFB482FCE4F040 id1 A3BD0075 id2 41840B3E (WNF_SEB_FULL_SCREEN_VIDEO_PLAYBACK) cb FFFFF801DDC51800 \SystemRoot\system32\drivers\CEA.sys
[6]: FFFF9E0F6461C438 EPROCESS FFFFB482FCE4F040 id1 A3BC6075 id2 28F0222 cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
[7]: FFFF9E0F6457F4F8 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 418B1E39 (WNF_TPM_OWNERSHIP_TAKEN) cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
[8]: FFFF9E0F6460F338 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 41921C3E (WNF_SRT_WINRE_CONFIGURATION_CHANGE) cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
[9]: FFFF9E0F64552748 EPROCESS FFFFB482FCE4F040 id1 A3BCB875 id2 41C6013D (WNF_PO_MODERN_STANDBY_EXIT_INITIATED) cb FFFFF801DFD69D80 \SystemRoot\System32\drivers\dxgkrnl.sys
[10]: FFFF9E0F63A87DA8 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 41C6013D (WNF_PO_SCENARIO_CHANGE) cb FFFFF801DFC449E0 \SystemRoot\System32\drivers\dxgkrnl.sys
[11]: FFFF9E0F64549EE8 EPROCESS FFFFB482FCE4F040 id1 A3BC1875 id2 12821A3F (WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED) cb FFFFF801DF7E7540 \SystemRoot\System32\drivers\npsvctrig.sys
[12]: FFFF9E0F647E9F08 EPROCESS FFFFB482FCE4F040 id1 A3BDB075 id2 41840B3E (WNF_SEB_AUDIO_ACTIVITY) cb FFFFF8026EF51FE0 \SystemRoot\system32\ntoskrnl.exe
[13]: FFFF9E0F647D51B8 EPROCESS FFFFB482FCE4F040 id1 A3BD0075 id2 41840B3E (WNF_SEB_FULL_SCREEN_VIDEO_PLAYBACK) cb FFFFF8026F157790 \SystemRoot\system32\ntoskrnl.exe
[14]: FFFF9E0F647E9A38 EPROCESS FFFFB482FCE4F040 id1 A3BC7075 id2 41C6013D (WNF_PO_USER_AWAY_PREDICTION) cb FFFFF8026F157830 \SystemRoot\system32\ntoskrnl.exe
[15]: FFFF9E0F64785B38 EPROCESS FFFFB482FCE4F040 id1 A3BC0945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[16]: FFFF9E0F647F37C8 EPROCESS FFFFB482FCE4F040 id1 A3BC1075 id2 41950828 cb FFFFF801DE9312E0 \SystemRoot\System32\Drivers\NTFS.sys
[17]: FFFF9E0F64532728 EPROCESS FFFFB482FCE4F040 id1 A3BC5875 id2 41960A28 (WNF_EDP_DPL_KEYS_DROPPING) cb FFFFF801DE9A1850 \SystemRoot\System32\Drivers\NTFS.sys
[18]: FFFF9E0F64A02F88 EPROCESS FFFFB482FCE4F040 id1 A3BC1875 id2 41960A28 (WNF_EDP_DPL_KEYS_STATE) cb FFFFF801DE9A1850 \SystemRoot\System32\Drivers\NTFS.sys
[19]: FFFF9E0F68D8EC88 EPROCESS FFFFB482FCE4F040 id1 A3BD5C75 id2 13920028 (WNF_ENTR_EDPENFORCEMENTLEVEL_CACHED_POLICY_VALUE_CHANGED) cb FFFFF801DE9312E0 \SystemRoot\System32\Drivers\NTFS.sys
[20]: FFFF9E0F68D8B1F8 EPROCESS FFFFB482FCE4F040 id1 A3BC2145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[21]: FFFF9E0F65595528 EPROCESS FFFFB482FCE4F040 id1 A3BC3145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[22]: FFFF9E0F6C391948 EPROCESS FFFFB482FCE4F040 id1 A3BC3945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[23]: FFFF9E0F6540A768 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 41C6013D (WNF_PO_SCENARIO_CHANGE) cb FFFFF801DFCAF930 \SystemRoot\System32\drivers\dxgkrnl.sys
[24]: FFFF9E0F64B6B648 EPROCESS FFFFB482FCE4F040 id1 A3BC4145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[25]: FFFF9E0F68F30698 EPROCESS FFFFB482FCE4F040 id1 A3BC4945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[26]: FFFF9E0F65215558 EPROCESS FFFFB482FCE4F040 id1 A3BC5145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[27]: FFFF9E0F6531A3A8 EPROCESS FFFFB482FCE4F040 id1 A3BC6145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[28]: FFFF9E0F652E8548 EPROCESS FFFFB482FCE4F040 id1 A3BC6945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[29]: FFFF9E0F652A4338 EPROCESS FFFFB482FCE4F040 id1 A3BC7145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[30]: FFFF9E0F65301D78 EPROCESS FFFFB482FCE4F040 id1 A3BCE945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[31]: FFFF9E0F65254448 EPROCESS FFFFB482FCE4F040 id1 A3BD1945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[32]: FFFF9E0F6524ADF8 EPROCESS FFFFB482FCE4F040 id1 A3B02945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[33]: FFFF9E0F6C894A98 EPROCESS FFFFB482FCE4F040 id1 A3B03945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[34]: FFFF9E0F6C8B0348 EPROCESS FFFFB482FCE4F040 id1 A3B04145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[35]: FFFF9E0F64E0C7D8 EPROCESS FFFFB482FCE4F040 id1 A3B09945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[36]: FFFF9E0F64E285D8 EPROCESS FFFFB482FCE4F040 id1 A3B0E945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[37]: FFFF9E0F64ECD268 EPROCESS FFFFB482FCE4F040 id1 A3B33945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[38]: FFFF9E0F64EC37C8 EPROCESS FFFFB482FCE4F040 id1 A3BC0C75 id2 41960B29 (WNF_DEP_OOBE_COMPLETE) cb FFFFF801E07D0030 \SystemRoot\system32\drivers\cldflt.sys
[39]: FFFF9E0F64EAF8D8 EPROCESS FFFFB482FCE4F040 id1 A3B36945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[40]: FFFF9E0F650B7C28 EPROCESS FFFFB482FCE4F040 id1 A3AE0145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[41]: FFFF9E0F650FBD68 EPROCESS FFFFB482FCE4F040 id1 A3AEF945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[42]: FFFF9E0F650AB1A8 EPROCESS FFFFB482FCE4F040 id1 A3AF0145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[43]: FFFF9E0F65109CC8 EPROCESS FFFFB482FCE4F040 id1 A3AF2145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[44]: FFFF9E0F6518C598 EPROCESS FFFFB482FCE4F040 id1 A3A8B145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[45]: FFFF9E0F6524DD68 EPROCESS FFFFB482FCE4F040 id1 A3BD5C75 id2 13920028 (WNF_ENTR_EDPENFORCEMENTLEVEL_CACHED_POLICY_VALUE_CHANGED) cb FFFFF801E0A25A70 \SystemRoot\system32\DRIVERS\mrxsmb.sys
[46]: FFFF9E0F650B0A38 EPROCESS FFFFB482FCE4F040 id1 A39FF945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[47]: FFFF9E0F651DAC28 EPROCESS FFFFB482FCE4F040 id1 A3980145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[48]: FFFF9E0F63A1F8B8 EPROCESS FFFFB482FCE4F040 id1 A3980945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[49]: FFFF9E0F65C7F878 EPROCESS FFFFB482FCE4F040 id1 A398C145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[50]: FFFF9E0F65E97598 EPROCESS FFFFB482FCE4F040 id1 A3993145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[51]: FFFF9E0F65BEF028 EPROCESS FFFFB482FCE4F040 id1 A39A3145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[52]: FFFF9E0F664DFA38 EPROCESS FFFFB482FCE4F040 id1 A39A4945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[53]: FFFF9E0F66D69CE8 EPROCESS FFFFB482FCE4F040 id1 A39A6945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[54]: FFFF9E0F66DB2DE8 EPROCESS FFFFB482FCE4F040 id1 A3BC2475 id2 D83063E (WNF_SHEL_OOBE_USER_LOGON_COMPLETE) cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
[55]: FFFF9E0F66D42438 EPROCESS FFFFB482FCE4F040 id1 A39B3945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[56]: FFFF9E0F66DD8C58 EPROCESS FFFFB482FCE4F040 id1 A39B6945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[57]: FFFF9E0F66B457F8 EPROCESS FFFFB482FCE4F040 id1 A39B9945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[58]: FFFF9E0F664C02C8 EPROCESS FFFFB482FCE4F040 id1 A3942145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[59]: FFFF9E0F67135DC8 EPROCESS FFFFB482FCE4F040 id1 A3944145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[60]: FFFF9E0F671DC898 EPROCESS FFFFB482FCE4F040 id1 A3951945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[61]: FFFF9E0F673464F8 EPROCESS FFFFB482FCE4F040 id1 A395B145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[62]: FFFF9E0F67721AA8 EPROCESS FFFFB482FCE4F040 id1 A3913945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[63]: FFFF9E0F67279F88 EPROCESS FFFFB482FCE4F040 id1 A3915945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[64]: FFFF9E0F6788A028 EPROCESS FFFFB482FCE4F040 id1 A3917145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[65]: FFFF9E0F675802B8 EPROCESS FFFFB482FCE4F040 id1 A391D945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[66]: FFFF9E0F67D34EE8 EPROCESS FFFFB482FCE4F040 id1 A388E945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[67]: FFFF9E0F67E7E448 EPROCESS FFFFB482FCE4F040 id1 A388F145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[68]: FFFF9E0F677834D8 EPROCESS FFFFB482FCE4F040 id1 A38B7145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[69]: FFFF9E0F67809738 EPROCESS FFFFB482FCE4F040 id1 A380A145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[70]: FFFF9E0F6753D5B8 EPROCESS FFFFB482FCE4F040 id1 A380B945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[71]: FFFF9E0F673BD758 EPROCESS FFFFB482FCE4F040 id1 A381F145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[72]: FFFF9E0F68A23398 EPROCESS FFFFB482FCE4F040 id1 A3821145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[73]: FFFF9E0F67E14448 EPROCESS FFFFB482FCE4F040 id1 A3823945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
[74]: FFFF9E0F676EA8B8 EPROCESS FFFFB482FCE4F040 id1 A3824145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
Комментариев нет:
Отправить комментарий