среда, 24 мая 2017 г.

wnf kernelmode callbacks

I already described how to enum usermode wnf callbacks
Now it's time to enum WNF callbacks in the kernel
It is not surprising that they are stored in EPROCESS.WnfContext; this struct is undocumented but can be partially recovered from the function ExpWnfCreateProcessContext:
offset 0 - WORD signature 0x906
offset 4 - WORD - size 0x88 (0x44 for x86)
offset 8 - eprocess
offset 0x10 - linked list for WNF contexts
offset 0x28 - push lock
offset 0x40 - linked list
offset 0x58 - linked list
offset 0x70 - linked list

Let's look at this struct in windbg

kd>? nt!PsInitialSystemProcess
Evaluate expression: -8785642524704 = fffff802`6ee5efe0

kd> dp fffff802`6ee5efe0
fffff802`6ee5efe0  ffffb482`fce4f040

kd> dt _EPROCESS ffffb482`fce4f040
...

   +0x6b0 ThreadListLock   : _EX_PUSH_LOCK
   +0x6b8 WnfContext       : 0xffff9e0f`63a60c60 Void
   +0x6c0 ServerSilo       : (null)
kd> dp ffff9e0f`63a60c60
ffff9e0f`63a60c60  00000000`00880906 ffffb482`fce4f040
ffff9e0f`63a60c70  ffff9e0f`65477ea0 fffff802`6f2415b8
ffff9e0f`63a60c80  00000000`00000000 00000000`00000000
ffff9e0f`63a60c90  00000000`00000000 00000000`00000000
ffff9e0f`63a60ca0  ffff9e0f`647eafd8 ffff9e0f`65ecb508
ffff9e0f`63a60cb0  00000000`00000000 ffff9e0f`63a3b518
ffff9e0f`63a60cc0  ffff9e0f`65e97598 00000000`00000000
ffff9e0f`63a60cd0  ffff9e0f`63a60cd0 ffff9e0f`63a60cd0


Let's look at the list at offset 0x58:
kd> dps ffff9e0f`63a3b518
ffff9e0f`63a3b518  ffff9e0f`644358f8
ffff9e0f`63a3b520  ffff9e0f`63a60cb8
ffff9e0f`63a3b528  ffffb482`fce4f040
ffff9e0f`63a3b530  ffff9e0f`63a8e770
ffff9e0f`63a3b538  41504e50`00000801
ffff9e0f`63a3b540  ffff9e0f`69b042d0
ffff9e0f`63a3b548  ffff9e0f`63a8e7e8
ffff9e0f`63a3b550  fffff802`6ef52220 nt!PiUEventMetaNotificationCallback


ffffb482`fce4f040 - address of EPROCESS
41504e50 & 00000801 - the WNF id, but it is stored xor-ed with two constants, so to recover the real id we need:
id1: 801 xor A3BC0074 = A3BC0875
id2: 41504e50 xor 41C64E6D = 96003D
This is WNF_PNPA_DEVNODES_CHANGED
I got constants A3BC0074 and 41C64E6D from function ExpWnfDispatchKernelSubscription
So this struct looks like:

// Kernel-mode WNF subscription entry, recovered by hand from the dps dump of
// the list at EPROCESS.WnfContext + 0x58 (x64 layout; offsets are from the
// start of the entry).
struct WNF_CB
{
  LIST_ENTRY ListEntry;   // 0x00: links this entry into the WnfContext list at offset 0x58
  EPROCESS *eproc;        // 0x10: owning process (matches the EPROCESS address in the dump)
  PVOID unknown;          // 0x18: purpose not established from the dump
  DWORD id1;              // 0x20: low half of the stored WNF id; real value = id1 xor A3BC0074
  DWORD id2;              // 0x24: high half of the stored WNF id; real value = id2 xor 41C64E6D
  LIST_ENTRY ListEntry2;  // 0x28: second list link; which list it belongs to is not shown here
  PVOID cb;               // 0x38: callback pointer (nt!PiUEventMetaNotificationCallback in the dump)
};

And a sample of the output:
 [0]: FFFF9E0F63A3B518 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 96003D (WNF_PNPA_DEVNODES_CHANGED) cb FFFFF8026EF52220 \SystemRoot\system32\ntoskrnl.exe
 [1]: FFFF9E0F644358F8 EPROCESS FFFFB482FCE4F040 id1 A3BC3075 id2 41C6013D (WNF_PO_ENERGY_SAVER_OVERRIDE) cb FFFFF8026F160AE0 \SystemRoot\system32\ntoskrnl.exe
 [2]: FFFF9E0F644F8AC8 EPROCESS FFFFB482FCE4F040 id1 A3BC9075 id2 41C6013D (WNF_PO_BACKGROUND_ACTIVITY_POLICY) cb FFFFF8026F160A50 \SystemRoot\system32\ntoskrnl.exe
 [3]: FFFF9E0F645F21A8 EPROCESS FFFFB482FCE4F040 id1 A3BC6875 id2 41960A28 (WNF_EDP_PURGE_APP_LEARNING_EVT) cb FFFFF801DE665A00 \SystemRoot\System32\drivers\tcpip.sys
 [4]: FFFF9E0F645D84C8 EPROCESS FFFFB482FCE4F040 id1 A3BC9875 id2 41840B3E (WNF_SEB_SYSTEM_LPE) cb FFFFF801DDC51800 \SystemRoot\system32\drivers\CEA.sys
 [5]: FFFF9E0F6461C4D8 EPROCESS FFFFB482FCE4F040 id1 A3BD0075 id2 41840B3E (WNF_SEB_FULL_SCREEN_VIDEO_PLAYBACK) cb FFFFF801DDC51800 \SystemRoot\system32\drivers\CEA.sys
 [6]: FFFF9E0F6461C438 EPROCESS FFFFB482FCE4F040 id1 A3BC6075 id2 28F0222 cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
 [7]: FFFF9E0F6457F4F8 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 418B1E39 (WNF_TPM_OWNERSHIP_TAKEN) cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
 [8]: FFFF9E0F6460F338 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 41921C3E (WNF_SRT_WINRE_CONFIGURATION_CHANGE) cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
 [9]: FFFF9E0F64552748 EPROCESS FFFFB482FCE4F040 id1 A3BCB875 id2 41C6013D (WNF_PO_MODERN_STANDBY_EXIT_INITIATED) cb FFFFF801DFD69D80 \SystemRoot\System32\drivers\dxgkrnl.sys
 [10]: FFFF9E0F63A87DA8 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 41C6013D (WNF_PO_SCENARIO_CHANGE) cb FFFFF801DFC449E0 \SystemRoot\System32\drivers\dxgkrnl.sys
 [11]: FFFF9E0F64549EE8 EPROCESS FFFFB482FCE4F040 id1 A3BC1875 id2 12821A3F (WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED) cb FFFFF801DF7E7540 \SystemRoot\System32\drivers\npsvctrig.sys
 [12]: FFFF9E0F647E9F08 EPROCESS FFFFB482FCE4F040 id1 A3BDB075 id2 41840B3E (WNF_SEB_AUDIO_ACTIVITY) cb FFFFF8026EF51FE0 \SystemRoot\system32\ntoskrnl.exe
 [13]: FFFF9E0F647D51B8 EPROCESS FFFFB482FCE4F040 id1 A3BD0075 id2 41840B3E (WNF_SEB_FULL_SCREEN_VIDEO_PLAYBACK) cb FFFFF8026F157790 \SystemRoot\system32\ntoskrnl.exe
 [14]: FFFF9E0F647E9A38 EPROCESS FFFFB482FCE4F040 id1 A3BC7075 id2 41C6013D (WNF_PO_USER_AWAY_PREDICTION) cb FFFFF8026F157830 \SystemRoot\system32\ntoskrnl.exe
 [15]: FFFF9E0F64785B38 EPROCESS FFFFB482FCE4F040 id1 A3BC0945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [16]: FFFF9E0F647F37C8 EPROCESS FFFFB482FCE4F040 id1 A3BC1075 id2 41950828 cb FFFFF801DE9312E0 \SystemRoot\System32\Drivers\NTFS.sys
 [17]: FFFF9E0F64532728 EPROCESS FFFFB482FCE4F040 id1 A3BC5875 id2 41960A28 (WNF_EDP_DPL_KEYS_DROPPING) cb FFFFF801DE9A1850 \SystemRoot\System32\Drivers\NTFS.sys
 [18]: FFFF9E0F64A02F88 EPROCESS FFFFB482FCE4F040 id1 A3BC1875 id2 41960A28 (WNF_EDP_DPL_KEYS_STATE) cb FFFFF801DE9A1850 \SystemRoot\System32\Drivers\NTFS.sys
 [19]: FFFF9E0F68D8EC88 EPROCESS FFFFB482FCE4F040 id1 A3BD5C75 id2 13920028 (WNF_ENTR_EDPENFORCEMENTLEVEL_CACHED_POLICY_VALUE_CHANGED) cb FFFFF801DE9312E0 \SystemRoot\System32\Drivers\NTFS.sys
 [20]: FFFF9E0F68D8B1F8 EPROCESS FFFFB482FCE4F040 id1 A3BC2145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [21]: FFFF9E0F65595528 EPROCESS FFFFB482FCE4F040 id1 A3BC3145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [22]: FFFF9E0F6C391948 EPROCESS FFFFB482FCE4F040 id1 A3BC3945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [23]: FFFF9E0F6540A768 EPROCESS FFFFB482FCE4F040 id1 A3BC0875 id2 41C6013D (WNF_PO_SCENARIO_CHANGE) cb FFFFF801DFCAF930 \SystemRoot\System32\drivers\dxgkrnl.sys
 [24]: FFFF9E0F64B6B648 EPROCESS FFFFB482FCE4F040 id1 A3BC4145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [25]: FFFF9E0F68F30698 EPROCESS FFFFB482FCE4F040 id1 A3BC4945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [26]: FFFF9E0F65215558 EPROCESS FFFFB482FCE4F040 id1 A3BC5145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [27]: FFFF9E0F6531A3A8 EPROCESS FFFFB482FCE4F040 id1 A3BC6145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [28]: FFFF9E0F652E8548 EPROCESS FFFFB482FCE4F040 id1 A3BC6945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [29]: FFFF9E0F652A4338 EPROCESS FFFFB482FCE4F040 id1 A3BC7145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [30]: FFFF9E0F65301D78 EPROCESS FFFFB482FCE4F040 id1 A3BCE945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [31]: FFFF9E0F65254448 EPROCESS FFFFB482FCE4F040 id1 A3BD1945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [32]: FFFF9E0F6524ADF8 EPROCESS FFFFB482FCE4F040 id1 A3B02945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [33]: FFFF9E0F6C894A98 EPROCESS FFFFB482FCE4F040 id1 A3B03945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [34]: FFFF9E0F6C8B0348 EPROCESS FFFFB482FCE4F040 id1 A3B04145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [35]: FFFF9E0F64E0C7D8 EPROCESS FFFFB482FCE4F040 id1 A3B09945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [36]: FFFF9E0F64E285D8 EPROCESS FFFFB482FCE4F040 id1 A3B0E945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [37]: FFFF9E0F64ECD268 EPROCESS FFFFB482FCE4F040 id1 A3B33945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [38]: FFFF9E0F64EC37C8 EPROCESS FFFFB482FCE4F040 id1 A3BC0C75 id2 41960B29 (WNF_DEP_OOBE_COMPLETE) cb FFFFF801E07D0030 \SystemRoot\system32\drivers\cldflt.sys
 [39]: FFFF9E0F64EAF8D8 EPROCESS FFFFB482FCE4F040 id1 A3B36945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [40]: FFFF9E0F650B7C28 EPROCESS FFFFB482FCE4F040 id1 A3AE0145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [41]: FFFF9E0F650FBD68 EPROCESS FFFFB482FCE4F040 id1 A3AEF945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [42]: FFFF9E0F650AB1A8 EPROCESS FFFFB482FCE4F040 id1 A3AF0145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [43]: FFFF9E0F65109CC8 EPROCESS FFFFB482FCE4F040 id1 A3AF2145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [44]: FFFF9E0F6518C598 EPROCESS FFFFB482FCE4F040 id1 A3A8B145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [45]: FFFF9E0F6524DD68 EPROCESS FFFFB482FCE4F040 id1 A3BD5C75 id2 13920028 (WNF_ENTR_EDPENFORCEMENTLEVEL_CACHED_POLICY_VALUE_CHANGED) cb FFFFF801E0A25A70 \SystemRoot\system32\DRIVERS\mrxsmb.sys
 [46]: FFFF9E0F650B0A38 EPROCESS FFFFB482FCE4F040 id1 A39FF945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [47]: FFFF9E0F651DAC28 EPROCESS FFFFB482FCE4F040 id1 A3980145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [48]: FFFF9E0F63A1F8B8 EPROCESS FFFFB482FCE4F040 id1 A3980945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [49]: FFFF9E0F65C7F878 EPROCESS FFFFB482FCE4F040 id1 A398C145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [50]: FFFF9E0F65E97598 EPROCESS FFFFB482FCE4F040 id1 A3993145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [51]: FFFF9E0F65BEF028 EPROCESS FFFFB482FCE4F040 id1 A39A3145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [52]: FFFF9E0F664DFA38 EPROCESS FFFFB482FCE4F040 id1 A39A4945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [53]: FFFF9E0F66D69CE8 EPROCESS FFFFB482FCE4F040 id1 A39A6945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [54]: FFFF9E0F66DB2DE8 EPROCESS FFFFB482FCE4F040 id1 A3BC2475 id2 D83063E (WNF_SHEL_OOBE_USER_LOGON_COMPLETE) cb FFFFF801DE017380 \SystemRoot\System32\DRIVERS\fvevol.sys
 [55]: FFFF9E0F66D42438 EPROCESS FFFFB482FCE4F040 id1 A39B3945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [56]: FFFF9E0F66DD8C58 EPROCESS FFFFB482FCE4F040 id1 A39B6945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [57]: FFFF9E0F66B457F8 EPROCESS FFFFB482FCE4F040 id1 A39B9945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [58]: FFFF9E0F664C02C8 EPROCESS FFFFB482FCE4F040 id1 A3942145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [59]: FFFF9E0F67135DC8 EPROCESS FFFFB482FCE4F040 id1 A3944145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [60]: FFFF9E0F671DC898 EPROCESS FFFFB482FCE4F040 id1 A3951945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [61]: FFFF9E0F673464F8 EPROCESS FFFFB482FCE4F040 id1 A395B145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [62]: FFFF9E0F67721AA8 EPROCESS FFFFB482FCE4F040 id1 A3913945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [63]: FFFF9E0F67279F88 EPROCESS FFFFB482FCE4F040 id1 A3915945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [64]: FFFF9E0F6788A028 EPROCESS FFFFB482FCE4F040 id1 A3917145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [65]: FFFF9E0F675802B8 EPROCESS FFFFB482FCE4F040 id1 A391D945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [66]: FFFF9E0F67D34EE8 EPROCESS FFFFB482FCE4F040 id1 A388E945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [67]: FFFF9E0F67E7E448 EPROCESS FFFFB482FCE4F040 id1 A388F145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [68]: FFFF9E0F677834D8 EPROCESS FFFFB482FCE4F040 id1 A38B7145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [69]: FFFF9E0F67809738 EPROCESS FFFFB482FCE4F040 id1 A380A145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [70]: FFFF9E0F6753D5B8 EPROCESS FFFFB482FCE4F040 id1 A380B945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [71]: FFFF9E0F673BD758 EPROCESS FFFFB482FCE4F040 id1 A381F145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [72]: FFFF9E0F68A23398 EPROCESS FFFFB482FCE4F040 id1 A3821145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [73]: FFFF9E0F67E14448 EPROCESS FFFFB482FCE4F040 id1 A3823945 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
 [74]: FFFF9E0F676EA8B8 EPROCESS FFFFB482FCE4F040 id1 A3824145 id2 41C64E6D cb FFFFF801DF86A640 \SystemRoot\system32\drivers\bam.sys
