void (TimeStampRoutine*)(struct _ETW_KERNEL_TRACE_TIMESTAMP*, unsigned long);
void (FailureNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short);
void (InitiationNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short);
void (CompletionNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP*); void (FastCompletionNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP*);in windows 10 new entry was added:
void (IoRedirectionNotifyRoutine*)(struct _IRP*, struct _FILE_OBJECT*);
This structure initialized in DriverEntry - PerfTraceRoutines assigned address of GLOBALS.DummyPerfTraceRoutines and then called function WmiQueryTraceInformation with class FltIoNotifyRoutinesClass (where this structure filled with content of EtwpFltIoNotifyRoutines)
So patching this functions pointers you can have real-time info about operations in file filters (or perhaps disable Etw logging for them)
On freshly installed system only two pfns are initialized:
[0] TimeStampRoutine: FFFFF80753B2BAC0 \SystemRoot\system32\ntoskrnl.exe
[5] IoRedirectionNotifyRoutine: FFFFF80753E04570 \SystemRoot\system32\ntoskrnl.exe
You can find GLOBALS!PerfTraceRoutines with disasm of exported function FltCompletePendedPostOperation
Комментариев нет:
Отправить комментарий