// Populate m_system_cb_commands, the table behind the "systemcb" sub-commands,
// and resolve every symbol name in it to an address through the symbol cache.
//
// Each entry is initialised positionally as
//   { list_count_name, list_head_name, <offset>, 0, 0 }
// The first two fields are the kernel symbols for the callback count (empty
// when the list is not counted) and for the list head / routine array; the
// third is presumably the offset from a list item to its routine pointer
// (named offset_to_routine in the older revision of this function); the two
// trailing zeros are the addresses the loop at the bottom fills in
// (list_count_address / list_head_address) — confirm against the
// SystemCbCommand definition.
void WDbgArk::InitCallbackCommands() {
    uint32_t timer_routine_offset = 0;

    // NOTE(review): on failure only a warning is emitted; timer_routine_offset
    // stays 0 and the "ioptimer" entry below is still registered with that
    // offset, so a later walk of nt!IopTimerQueueHead would read the wrong
    // field of each item. Consider leaving the entry out (or marking it
    // unusable) when the field offset cannot be resolved.
    if ( GetFieldOffset("nt!_IO_TIMER", "TimerRoutine", reinterpret_cast<PULONG>(&timer_routine_offset)) != 0 )
        warn << wa::showqmark << __FUNCTION__ << ": GetFieldOffset failed with nt!_IO_TIMER.TimerRoutine" << endlwarn;

    // sizeof(nt!_LIST_ENTRY) as seen by the symbol engine; reused by the
    // entries whose routine pointer follows the list link. The result is not
    // validated here — TODO confirm what GetTypeSize returns when the type
    // cannot be resolved, since a 0 would silently become offset 0 below.
    uint32_t le_size = GetTypeSize("nt!_LIST_ENTRY");

    // Entries with an empty symbol name ("callbackdir", "pnp" are fully empty)
    // are skipped by the resolution loop and keep address 0.
    m_system_cb_commands = { {
        { "image", { "nt!PspLoadImageNotifyRoutineCount", "nt!PspLoadImageNotifyRoutine", 0, 0, 0 } },
        { "process", { "nt!PspCreateProcessNotifyRoutineCount", "nt!PspCreateProcessNotifyRoutine", 0, 0, 0 } },
        { "thread", { "nt!PspCreateThreadNotifyRoutineCount", "nt!PspCreateThreadNotifyRoutine", 0, 0, 0 } },
        { "registry", { "nt!CmpCallBackCount", "nt!CmpCallBackVector", GetCmCallbackItemFunctionOffset(), 0, 0 } },
        { "bugcheck", { "", "nt!KeBugCheckCallbackListHead", le_size, 0, 0 } },
        { "bugcheckreason", { "", "nt!KeBugCheckReasonCallbackListHead", le_size, 0, 0 } },
        { "bugcheckaddpages", { "", "nt!KeBugCheckAddPagesCallbackListHead", le_size, 0, 0 } },
        { "bugcheckaddremovepages", { "", "nt!KeBugCheckAddRemovePagesCallbackListHead", le_size, 0, 0 } },
        { "powersetting", { "", "nt!PopRegisteredPowerSettingCallbacks", GetPowerCallbackItemFunctionOffset(), 0, 0 } },
        { "kdppower", { "", "nt!KdpPowerListHead", le_size, 0, 0 } },
        { "callbackdir", {} },
        { "shutdown", { "", "nt!IopNotifyShutdownQueueHead", 0, 0, 0 } },
        { "shutdownlast", { "", "nt!IopNotifyLastChanceShutdownQueueHead", 0, 0, 0 } },
        { "drvreinit", { "", "nt!IopDriverReinitializeQueueHead", le_size + m_PtrSize, 0, 0 } },
        { "bootdrvreinit", { "", "nt!IopBootDriverReinitializeQueueHead", le_size + m_PtrSize, 0, 0 } },
        { "fschange", { "", "nt!IopFsNotifyChangeQueueHead", le_size + m_PtrSize, 0, 0 } },
        { "nmi", { "", "nt!KiNmiCallbackListHead", m_PtrSize, 0, 0 } },
        { "logonsessionroutine", { "", "nt!SeFileSystemNotifyRoutinesHead", m_PtrSize, 0, 0 } },
        { "prioritycallback", { "nt!IopUpdatePriorityCallbackRoutineCount", "nt!IopUpdatePriorityCallbackRoutine", 0, 0, 0 } },
        { "pnp", {} },
        { "lego", { "", "nt!PspLegoNotifyRoutine", 0, 0, 0 } },
        { "debugprint", { "", "nt!RtlpDebugPrintCallbackList", le_size, 0, 0 } },
        { "alpcplog", { "", "nt!AlpcpLogCallbackListHead", le_size, 0, 0 } },
        { "empcb", { "", "nt!EmpCallbackListHead", GetTypeSize("nt!_GUID"), 0, 0 } },
        { "ioperf", { "", "nt!IopPerfIoTrackingListHead", le_size, 0, 0 } },
        { "dbgklkmd", { "", "nt!DbgkLkmdCallbackArray", 0, 0, 0 } },
        { "ioptimer", { "", "nt!IopTimerQueueHead", timer_routine_offset, 0, 0 } }
    } };

    // Resolve the symbol names to addresses. A name that the cache cannot
    // resolve leaves its address field at the 0 it was initialised with;
    // consumers of the table must therefore treat address 0 as "unavailable".
    for ( auto &cb_pair : m_system_cb_commands ) {
        uint64_t offset_count = 0ULL;
        uint64_t offset_head = 0ULL;

        if ( !cb_pair.second.list_count_name.empty() ) {
            if ( m_sym_cache->GetSymbolOffset(cb_pair.second.list_count_name, true, &offset_count) )
                cb_pair.second.list_count_address = offset_count;
        }

        if ( !cb_pair.second.list_head_name.empty() ) {
            if ( m_sym_cache->GetSymbolOffset(cb_pair.second.list_head_name, true, &offset_head) )
                cb_pair.second.list_head_address = offset_head;
        }
    }
}
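// Build the system_cb_commands table used by the "systemcb" sub-commands.
// Each entry carries the kernel symbol naming the callback count (empty when
// the list is not counted), the symbol naming the list head / routine array,
// and offset_to_routine (interpreted by the consumer of the table).
//
// Every field of every entry is set explicitly. The previous revision reused
// one scratch object and only overwrote the fields that changed, so the value
// of offset_to_routine for e.g. "shutdown" depended on what the entry before
// it had left behind; that ordering dependency is gone. The size of
// nt!_LIST_ENTRY is also queried once instead of once per entry.
//
// TODO(swwwolf): optimize by calculating offsets in constructor only once
void WDbgArk::InitCallbackCommands(void) {
    // Needed by many entries; ask the symbol engine once.
    const auto le_size = GetTypeSize("nt!_LIST_ENTRY");

    // Store one fully specified entry. The offset parameter takes the type of
    // m_PtrSize because most offsets are derived from it; the assignment to
    // offset_to_routine performs the same conversion the old per-field
    // assignments did.
    auto set_command = [this](const char* key,
                              const char* list_count_name,
                              const char* list_head_name,
                              const decltype(m_PtrSize) offset_to_routine) {
        SystemCbCommand command_info = { list_count_name, list_head_name, 0 };
        command_info.offset_to_routine = offset_to_routine;
        system_cb_commands[key] = command_info;
    };

    // Counted routine arrays: both a count symbol and an array symbol.
    set_command("image", "nt!PspLoadImageNotifyRoutineCount", "nt!PspLoadImageNotifyRoutine", 0);
    set_command("process", "nt!PspCreateProcessNotifyRoutineCount", "nt!PspCreateProcessNotifyRoutine", 0);
    set_command("thread", "nt!PspCreateThreadNotifyRoutineCount", "nt!PspCreateThreadNotifyRoutine", 0);
    set_command("registry", "nt!CmpCallBackCount", "nt!CmpCallBackVector", GetCmCallbackItemFunctionOffset());
    set_command("prioritycallback", "nt!IopUpdatePriorityCallbackRoutineCount", "nt!IopUpdatePriorityCallbackRoutine", 0);

    // Uncounted lists: only a head symbol.
    set_command("bugcheck", "", "nt!KeBugCheckCallbackListHead", le_size);
    set_command("bugcheckreason", "", "nt!KeBugCheckReasonCallbackListHead", le_size);
    set_command("bugcheckaddpages", "", "nt!KeBugCheckAddPagesCallbackListHead", le_size);
    set_command("powersetting", "", "nt!PopRegisteredPowerSettingCallbacks", GetPowerCallbackItemFunctionOffset());
    set_command("shutdown", "", "nt!IopNotifyShutdownQueueHead", 0);
    set_command("shutdownlast", "", "nt!IopNotifyLastChanceShutdownQueueHead", 0);
    set_command("drvreinit", "", "nt!IopDriverReinitializeQueueHead", le_size + m_PtrSize);
    set_command("bootdrvreinit", "", "nt!IopBootDriverReinitializeQueueHead", le_size + m_PtrSize);
    set_command("fschange", "", "nt!IopFsNotifyChangeQueueHead", le_size + m_PtrSize);
    set_command("nmi", "", "nt!KiNmiCallbackListHead", m_PtrSize);
    set_command("logonsessionroutine", "", "nt!SeFileSystemNotifyRoutinesHead", m_PtrSize);
    set_command("lego", "", "nt!PspLegoNotifyRoutine", 0);  // actually just a pointer
    set_command("debugprint", "", "nt!RtlpDebugPrintCallbackList", le_size);
    set_command("alpcplog", "", "nt!AlpcpLogCallbackListHead", le_size);
    set_command("empcb", "", "nt!EmpCallbackListHead", GetTypeSize("nt!_GUID"));
    set_command("ioperf", "", "nt!IopPerfIoTrackingListHead", le_size);
    set_command("dbgklkmd", "", "nt!DbgkLkmdCallbackArray", 0);

    // Sub-commands that do not walk a symbol-named list; the entry exists so
    // the command name is known, with no symbols attached.
    set_command("callbackdir", "", "", 0);
    set_command("pnp", "", "", 0);
}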