Thursday, April 16, 2020

KiTpExcludedRoutines

As you can guess from the name, this is an array of functions for which you can't set a kernel tracepoint. Curiously, this list differs between x64 and arm64.
x64

Sunday, April 12, 2020

bug in ida pro arm64 module

Let's look in IDA Pro at some arm64 Windows kernel, for example the good old function PspSetCreateThreadNotifyRoutine:
 ADRP            X8, #PspNotifyEnableMask@PAGE
 ADD             X11, X8, #PspNotifyEnableMask@PAGEOFF
 TBNZ            W20, #0, loc_140690960
 ADD             X10, X11, #0x33C


Register x11 contains the address of PspNotifyEnableMask (in my case this is 0x1408AE6B0), and then x10 is loaded with the address PspNotifyEnableMask + 0x33c = 0x1408AE9EC, which is actually PspCreateThreadNotifyRoutineCount. And no, you cannot fix the last instruction by pressing O or Ctrl+O.
Given that cross-references on arm64 are highly dependent on correct code analysis, this is very annoying.
Tested in IDA Pro 6.9 and 7.2.

Thursday, April 9, 2020

armpatched

Several days ago I started a new pet project on GitHub, because
  • quarantine is boring
  • reading the book "ARM 64-Bit Assembly Language" without practice is useless
So I just forked the arm64 disassembler armadillo, ported it to Windows, added a naïve PE loader (btw, an attempt to use the MapViewOfFile function failed with GetLastError 1132), and today added some practical use of static code analysis: extracting the lists and lock of lookaside lists from the arm64 Windows kernel.

The main magic happens in the ntoskrnl_hack::find_lock_list function.
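As an added example (my own code, not from armadillo, armpatched or the IDA post above), here is a minimal ADRP + ADD-immediate tracker for AArch64 in C. It decodes only those two encodings from raw instruction words, propagates known register values, and reports the absolute address each ADD forms, which is exactly the step IDA gets wrong on the PspSetCreateThreadNotifyRoutine listing above and the kind of building block a function like find_lock_list needs. The instruction words, the load address 0x140690940 and the TBNZ target are constructed; the PspNotifyEnableMask value 0x1408AE6B0 and the 0x33C offset are taken from the post.

```c
/* Added example: ADRP + ADD immediate tracking for AArch64.
 * Not code from the posts or from armadillo/armpatched. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct ref {
    uint64_t pc;    /* address of the ADD that formed the pointer */
    unsigned reg;   /* destination Xn */
    uint64_t addr;  /* resolved absolute address */
};

/* Known value of each X register plus a bitmask of which ones are known. */
struct regstate { uint64_t val[32]; uint32_t known; };

/* Sign-extend the low `bits` bits of v. */
static int64_t sext(uint64_t v, unsigned bits) {
    uint64_t m = 1ULL << (bits - 1);
    return (int64_t)((v ^ m) - m);
}

/* Decode one instruction word at `pc`; returns 1 if an address was resolved. */
static size_t step(uint64_t pc, uint32_t insn, struct regstate *st, struct ref *out)
{
    unsigned rd = insn & 0x1f;
    if ((insn & 0x9f000000u) == 0x90000000u) {            /* ADRP Xd, page */
        uint64_t immlo = (insn >> 29) & 3;
        uint64_t immhi = (insn >> 5) & 0x7ffff;
        uint64_t off = (uint64_t)sext((immhi << 2) | immlo, 21) << 12;
        st->val[rd] = (pc & ~0xfffULL) + off;             /* page of pc + imm */
        st->known |= 1u << rd;
        return 0;
    }
    if ((insn & 0xff800000u) == 0x91000000u) {            /* ADD Xd, Xn, #imm12{, lsl 12} */
        unsigned rn = (insn >> 5) & 0x1f;
        uint64_t imm = (insn >> 10) & 0xfff;
        if (insn & (1u << 22)) imm <<= 12;
        if (rn != 31 && (st->known & (1u << rn))) {       /* rn == 31 is SP here */
            st->val[rd] = st->val[rn] + imm;
            st->known |= 1u << rd;
            out->pc = pc; out->reg = rd; out->addr = st->val[rd];
            return 1;
        }
        st->known &= ~(1u << rd);
        return 0;
    }
    /* Anything else: conservatively forget the register in bits[4:0], the
     * destination field of data-processing encodings. For branches/stores this
     * drops a source register instead, losing precision but never yielding a
     * wrong address. */
    st->known &= ~(1u << rd);
    return 0;
}

/* Walk `n` words loaded at `base`; fill `out` with every resolved address. */
size_t resolve_refs(const uint32_t *code, size_t n, uint64_t base,
                    struct ref *out, size_t max)
{
    struct regstate st = {{0}, 0};
    size_t cnt = 0;
    for (size_t i = 0; i < n && cnt < max; i++)
        cnt += step(base + 4 * i, code[i], &st, &out[cnt]);
    return cnt;
}

/* Constructed encodings of the four instructions quoted in the IDA post, placed
 * at a made-up address so that the ADRP page reaches the post's
 * PspNotifyEnableMask value 0x1408AE6B0. */
static const uint32_t sample[] = {
    0xD00010E8, /* ADRP X8, #0x1408AE000  (PspNotifyEnableMask@PAGE)    */
    0x911AC10B, /* ADD  X11, X8, #0x6B0   (PspNotifyEnableMask@PAGEOFF) */
    0x37000114, /* TBNZ W20, #0, +0x20    (target is an assumption)     */
    0x910CF16A, /* ADD  X10, X11, #0x33C  (PspCreateThreadNotifyRoutineCount) */
};
#define SAMPLE_BASE 0x140690940ULL   /* assumed address of the ADRP */

int main(void) {
    struct ref refs[8];
    size_t n = resolve_refs(sample, sizeof sample / sizeof sample[0], SAMPLE_BASE, refs, 8);
    for (size_t i = 0; i < n; i++)
        printf("%#llx: X%u = %#llx\n", (unsigned long long)refs[i].pc, refs[i].reg,
               (unsigned long long)refs[i].addr);
    return 0;
}
```

Unknown instructions only invalidate the register in bits[4:0], so the tracker loses information rather than inventing an address; a real tool would model the full write set, including pre/post-indexed LDR/STR base updates and calls clobbering the caller-saved registers.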

Sunday, April 5, 2020

static code analysis

This cool article is a good case for showing how you can employ static code analysis to extract some unexported symbols from binary code; in this case we need ExNPagedLookasideLock & ExNPagedLookasideListHead.

Sure, the first thing you need is a disassembler. If you search GitHub for "x86 disasm" you will get about 20 repositories, but we need one that satisfies some requirements:
  • disassembles to some intermediate representation rather than string output
  • can be used in kernel mode (just in case you want to do that), which means it must be written in C

So just choose the one with the most comprehensible code, because they all contain bugs, and you will fix them and/or add missing instructions anyway.

Let's start with the exported function ExInitializeNPagedLookasideList. Simplest case, XP 64-bit:

Thursday, April 2, 2020

VfDifThunks

It seems that in Windows 10 build 19569 a new verifier table has appeared: VfDifThunks, along with a new exported function DifRegisterPlugin (which is used only in VerifierExt.sys for now). List of intercepted functions:

Thursday, March 26, 2020

fltmgr.GLOBALS!PerfTraceRoutines

In Windows 8, fltmgr introduced a feature for ETW logging of filter operations: the structure WMI_FLTIO_NOTIFY_ROUTINES in GLOBALS:
 void (*TimeStampRoutine)(struct _ETW_KERNEL_TRACE_TIMESTAMP*, unsigned long);
 void (*FailureNotifyRoutine)(void*, unsigned long, unsigned long, unsigned short);
 void (*InitiationNotifyRoutine)(void*, unsigned long, unsigned long, unsigned short);
 void (*CompletionNotifyRoutine)(void*, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP*);
 void (*FastCompletionNotifyRoutine)(void*, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP*);

In Windows 10 a new entry was added:
 void (*IoRedirectionNotifyRoutine)(struct _IRP*, struct _FILE_OBJECT*);

This structure is initialized in DriverEntry: PerfTraceRoutines is assigned the address of GLOBALS.DummyPerfTraceRoutines, and then the function WmiQueryTraceInformation is called with class FltIoNotifyRoutinesClass (where this structure is filled with the contents of EtwpFltIoNotifyRoutines).
So by patching these function pointers you can get real-time info about operations in file filters (or perhaps disable ETW logging for them).
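Since these six pointers are a patch target, the check a forensic or integrity tool wants is the inverse: read the structure from a memory image and flag any non-NULL entry that does not point into a trusted kernel image. The following C is an added example of that check, not code from the post or from fltmgr; the member order follows the post, while the image ranges, the pointer values and the "patched" slot are constructed.

```c
/* Added example: integrity check over the WMI_FLTIO_NOTIFY_ROUTINES pointers
 * as read from a memory image. Not code from the post or from fltmgr. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Member order of WMI_FLTIO_NOTIFY_ROUTINES as listed in the post. */
static const char *const slot_names[6] = {
    "TimeStampRoutine", "FailureNotifyRoutine", "InitiationNotifyRoutine",
    "CompletionNotifyRoutine", "FastCompletionNotifyRoutine",
    "IoRedirectionNotifyRoutine",
};

/* The structure viewed as six raw QWORD pointer values. */
struct notify_routines_raw { uint64_t slot[6]; };

/* A loaded image, [start, end). */
struct image_range { const char *name; uint64_t start, end; };

static const struct image_range *find_image(uint64_t p, const struct image_range *imgs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p >= imgs[i].start && p < imgs[i].end) return &imgs[i];
    return NULL;
}

/* Writes the indices of suspicious slots to `bad` and returns their count.
 * NULL slots are fine (the post notes most are unset on a fresh system);
 * anything else must land inside one of the trusted images. */
size_t check_notify_routines(const struct notify_routines_raw *r,
                             const struct image_range *imgs, size_t nimgs,
                             size_t *bad, size_t max_bad)
{
    size_t cnt = 0;
    for (size_t i = 0; i < 6 && cnt < max_bad; i++) {
        if (r->slot[i] == 0) continue;
        if (find_image(r->slot[i], imgs, nimgs) == NULL) bad[cnt++] = i;
    }
    return cnt;
}

/* Constructed data: made-up image ranges, two slots pointing into ntoskrnl
 * and one slot (FastCompletionNotifyRoutine) redirected to an unbacked address. */
static const struct image_range sample_images[] = {
    { "ntoskrnl.exe", 0xFFFFF80000200000ULL, 0xFFFFF80000C00000ULL },
    { "fltmgr.sys",   0xFFFFF88001000000ULL, 0xFFFFF88001060000ULL },
};
static const struct notify_routines_raw sample_routines = {{
    0xFFFFF800004A1230ULL, /* TimeStampRoutine, inside ntoskrnl         */
    0,
    0,
    0xFFFFF800004A2F80ULL, /* CompletionNotifyRoutine, inside ntoskrnl  */
    0xFFFFF8A012340000ULL, /* patched: outside every trusted image      */
    0,
}};

int main(void)
{
    size_t bad[6];
    size_t n = check_notify_routines(&sample_routines, sample_images, 2, bad, 6);
    for (size_t i = 0; i < n; i++)
        printf("suspicious: %s = %#llx\n", slot_names[bad[i]],
               (unsigned long long)sample_routines.slot[bad[i]]);
    return 0;
}
```

In a live tool the image list comes from the loaded-module list of the same snapshot, and a pointer that lands inside a trusted image but not on the routine the symbols say it should be is still worth reporting; the range check is only the first filter.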

On a freshly installed system only two pfns are initialized: