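void WDbgArk::InitCallbackCommands() {
    // Builds m_system_cb_commands, the table behind the "systemcb" command: one entry per
    // kernel callback list/array the extension knows how to walk. Per entry:
    //   list_count_name    symbol holding the element count ("" for LIST_ENTRY-linked lists
    //                      and for commands that have no list at all, e.g. callbackdir/pnp)
    //   list_head_name     symbol holding the list head / array base
    //   offset_to_routine  byte offset of the routine pointer inside one element (0 when the
    //                      element itself is the pointer)
    //   list_count_address / list_head_address  resolved below from the symbol cache
    //
    // Every offset here is derived from symbols. A failed lookup does not abort the table —
    // it only warns — so a degraded symbol load shows up as wrong or empty walks (i.e. missed
    // callbacks) rather than as an error. The warnings emitted here are the operator's only
    // signal that the results cannot be trusted.

    // Offset of _IO_TIMER.TimerRoutine for the "ioptimer" list. Stays 0 if the lookup fails;
    // the walker would then presumably read the wrong field of each timer — TODO confirm how
    // offset_to_routine is consumed by the list walkers.
    uint32_t timer_routine_offset = 0;

    if ( GetFieldOffset("nt!_IO_TIMER", "TimerRoutine", reinterpret_cast<PULONG>(&timer_routine_offset)) != 0 )
        warn << wa::showqmark << __FUNCTION__ << ": GetFieldOffset failed with nt!_IO_TIMER.TimerRoutine" << endlwarn;

    // sizeof(nt!_LIST_ENTRY): most list-based entries below keep the routine pointer right
    // after the LIST_ENTRY header. A failed type lookup yields 0 and would silently collapse
    // every one of those offsets onto Flink, so warn and fall back to the structural size
    // (two pointers, Flink + Blink) instead of continuing with 0.
    uint32_t le_size = GetTypeSize("nt!_LIST_ENTRY");

    if ( le_size == 0 ) {
        warn << wa::showqmark << __FUNCTION__ << ": GetTypeSize failed with nt!_LIST_ENTRY" << endlwarn;
        le_size = 2 * m_PtrSize;
    }

    // sizeof(nt!_GUID) for the EMP callback list, whose elements apparently start with a GUID
    // followed by the routine pointer. Same policy: warn and use the fixed 16-byte GUID size.
    uint32_t guid_size = GetTypeSize("nt!_GUID");

    if ( guid_size == 0 ) {
        warn << wa::showqmark << __FUNCTION__ << ": GetTypeSize failed with nt!_GUID" << endlwarn;
        guid_size = 16;
    }

    m_system_cb_commands = { {
        { "image", { "nt!PspLoadImageNotifyRoutineCount", "nt!PspLoadImageNotifyRoutine", 0, 0, 0 } },
        { "process", { "nt!PspCreateProcessNotifyRoutineCount", "nt!PspCreateProcessNotifyRoutine", 0, 0, 0 } },
        { "thread", { "nt!PspCreateThreadNotifyRoutineCount", "nt!PspCreateThreadNotifyRoutine", 0, 0, 0 } },
        { "registry", { "nt!CmpCallBackCount", "nt!CmpCallBackVector", GetCmCallbackItemFunctionOffset(), 0, 0 } },
        { "bugcheck", { "", "nt!KeBugCheckCallbackListHead", le_size, 0, 0 } },
        { "bugcheckreason", { "", "nt!KeBugCheckReasonCallbackListHead", le_size, 0, 0 } },
        { "bugcheckaddpages", { "", "nt!KeBugCheckAddPagesCallbackListHead", le_size, 0, 0 } },
        { "bugcheckaddremovepages", { "", "nt!KeBugCheckAddRemovePagesCallbackListHead", le_size, 0, 0 } },
        { "powersetting", { "", "nt!PopRegisteredPowerSettingCallbacks", GetPowerCallbackItemFunctionOffset(), 0, 0 } },
        { "kdppower", { "", "nt!KdpPowerListHead", le_size, 0, 0 } },
        { "callbackdir", {} },
        { "shutdown", { "", "nt!IopNotifyShutdownQueueHead", 0, 0, 0 } },
        { "shutdownlast", { "", "nt!IopNotifyLastChanceShutdownQueueHead", 0, 0, 0 } },
        // reinit / fs-change queue entries: LIST_ENTRY, then one pointer, then the routine
        { "drvreinit", { "", "nt!IopDriverReinitializeQueueHead", le_size + m_PtrSize, 0, 0 } },
        { "bootdrvreinit", { "", "nt!IopBootDriverReinitializeQueueHead", le_size + m_PtrSize, 0, 0 } },
        { "fschange", { "", "nt!IopFsNotifyChangeQueueHead", le_size + m_PtrSize, 0, 0 } },
        { "nmi", { "", "nt!KiNmiCallbackListHead", m_PtrSize, 0, 0 } },
        { "logonsessionroutine", { "", "nt!SeFileSystemNotifyRoutinesHead", m_PtrSize, 0, 0 } },
        { "prioritycallback", { "nt!IopUpdatePriorityCallbackRoutineCount", "nt!IopUpdatePriorityCallbackRoutine", 0, 0, 0 } },
        { "pnp", {} },
        { "lego", { "", "nt!PspLegoNotifyRoutine", 0, 0, 0 } },    // a single pointer, not a list
        { "debugprint", { "", "nt!RtlpDebugPrintCallbackList", le_size, 0, 0 } },
        { "alpcplog", { "", "nt!AlpcpLogCallbackListHead", le_size, 0, 0 } },
        { "empcb", { "", "nt!EmpCallbackListHead", guid_size, 0, 0 } },
        { "ioperf", { "", "nt!IopPerfIoTrackingListHead", le_size, 0, 0 } },
        { "dbgklkmd", { "", "nt!DbgkLkmdCallbackArray", 0, 0, 0 } },
        { "ioptimer", { "", "nt!IopTimerQueueHead", timer_routine_offset, 0, 0 } } } };

    // Resolve the count/head symbols to addresses. A symbol that cannot be resolved leaves the
    // address at 0 and nothing is reported here; the per-command handlers are presumably where
    // "this list does not exist on this build" is handled — TODO confirm they check for 0.
    for ( auto &cb_pair : m_system_cb_commands ) {
        auto &command = cb_pair.second;

        uint64_t resolved = 0ULL;

        if ( !command.list_count_name.empty() && m_sym_cache->GetSymbolOffset(command.list_count_name, true, &resolved) )
            command.list_count_address = resolved;

        resolved = 0ULL;

        if ( !command.list_head_name.empty() && m_sym_cache->GetSymbolOffset(command.list_head_name, true, &resolved) )
            command.list_head_address = resolved;
    }
}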
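void WDbgArk::InitCallbackCommands(void) {
    // TODO(swwwolf): optimize by calculating offsets in constructor only once
    //
    // Builds system_cb_commands, the table behind the "systemcb" command: one entry per kernel
    // callback list/array the extension knows how to walk. Per entry:
    //   list_count_name    symbol holding the element count ("" for LIST_ENTRY-linked lists and
    //                      for commands that have no list at all, e.g. callbackdir/pnp)
    //   list_head_name     symbol holding the list head / array base
    //   offset_to_routine  byte offset of the routine pointer inside one element (0 when the
    //                      element itself is the pointer)
    //
    // sizeof(nt!_LIST_ENTRY) is resolved once and reused instead of being looked up for every
    // entry. NOTE(review): a failed type lookup yields 0 here, which would silently point every
    // list-based command at the Flink field and make the walk miss real callbacks; there is no
    // warning facility in scope in this version, so consumers should not trust a 0 here.
    const auto le_size = GetTypeSize("nt!_LIST_ENTRY");

    // Each entry is spelled out in full. The previous form reused one mutable SystemCbCommand and
    // relied on fields "carrying over" between entries, so inserting or reordering a command could
    // silently inherit a stale count symbol or offset from its neighbour.
    using OffsetType = decltype(SystemCbCommand::offset_to_routine);

    auto add = [this](const char* command, const char* count_symbol, const char* head_symbol, OffsetType routine_offset) {
        SystemCbCommand info = {};
        info.list_count_name = count_symbol;
        info.list_head_name = head_symbol;
        info.offset_to_routine = routine_offset;
        system_cb_commands[command] = info;
    };

    // counted arrays of routine pointers
    add("image", "nt!PspLoadImageNotifyRoutineCount", "nt!PspLoadImageNotifyRoutine", 0);
    add("process", "nt!PspCreateProcessNotifyRoutineCount", "nt!PspCreateProcessNotifyRoutine", 0);
    add("thread", "nt!PspCreateThreadNotifyRoutineCount", "nt!PspCreateThreadNotifyRoutine", 0);
    add("registry", "nt!CmpCallBackCount", "nt!CmpCallBackVector", GetCmCallbackItemFunctionOffset());

    // LIST_ENTRY-linked lists with the routine right after the list header
    add("bugcheck", "", "nt!KeBugCheckCallbackListHead", le_size);
    add("bugcheckreason", "", "nt!KeBugCheckReasonCallbackListHead", le_size);
    add("bugcheckaddpages", "", "nt!KeBugCheckAddPagesCallbackListHead", le_size);
    add("powersetting", "", "nt!PopRegisteredPowerSettingCallbacks", GetPowerCallbackItemFunctionOffset());

    // commands that do not walk a symbol-addressed list at all
    add("callbackdir", "", "", 0);

    add("shutdown", "", "nt!IopNotifyShutdownQueueHead", 0);
    add("shutdownlast", "", "nt!IopNotifyLastChanceShutdownQueueHead", 0);

    // LIST_ENTRY, then one pointer, then the routine
    add("drvreinit", "", "nt!IopDriverReinitializeQueueHead", le_size + m_PtrSize);
    add("bootdrvreinit", "", "nt!IopBootDriverReinitializeQueueHead", le_size + m_PtrSize);
    add("fschange", "", "nt!IopFsNotifyChangeQueueHead", le_size + m_PtrSize);

    // single-linked: one pointer, then the routine
    add("nmi", "", "nt!KiNmiCallbackListHead", m_PtrSize);
    add("logonsessionroutine", "", "nt!SeFileSystemNotifyRoutinesHead", m_PtrSize);

    add("prioritycallback", "nt!IopUpdatePriorityCallbackRoutineCount", "nt!IopUpdatePriorityCallbackRoutine", 0);

    add("pnp", "", "", 0);

    add("lego", "", "nt!PspLegoNotifyRoutine", 0);    // actually just a pointer

    add("debugprint", "", "nt!RtlpDebugPrintCallbackList", le_size);
    add("alpcplog", "", "nt!AlpcpLogCallbackListHead", le_size);

    // EMP elements apparently start with a GUID followed by the routine pointer
    add("empcb", "", "nt!EmpCallbackListHead", GetTypeSize("nt!_GUID"));

    add("ioperf", "", "nt!IopPerfIoTrackingListHead", le_size);
    add("dbgklkmd", "", "nt!DbgkLkmdCallbackArray", 0);
}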