遍历Windows操作系统的执行体回调

遍历Windows操作系统的执行体回调

前言

回调对象(Callback Objects),这是官方的名字,这个名字有点含糊,容易混淆,我更愿意叫它执行体回调。
因为相关的函数中包含:Ex*Callback。以便和CmRegisterCallback,ObRegisterCallbacks等概念区别。

这个对象的相关的流程是:

  1. 创建/打开:ExCreateCallback(Create 参数决定找不到同名对象时是新建还是直接失败)
  2. 注册:ExRegisterCallback,把自己的函数挂到对象上,返回一个注册句柄
  3. 可选的触发:ExNotifyCallback,依次调用该对象上所有已注册的函数
  4. 注销:ExUnregisterCallback 撤销注册;对象本身靠 ObDereferenceObject 释放引用,带 OBJ_PERMANENT 创建的对象在引用释放后仍会留在对象命名空间里

回调对象,之所以这么笼统大气,是有原因的,因为它是另外一二十种回调/通知的基础。
如:时间改变,电源状态,处理器变更,即插即用,会话变更等等。
具体的可以看看对象目录\Callback\下的内容。
更重要的是,这些对象上的注册是任何内核模块都可以添加的:只要按名字打开对象,就能用ExRegisterCallback挂上自己的函数,也能用ExNotifyCallback触发别人的函数。所以它既是驱动间通讯的手段,也是排查内核回调/钩子时应当枚举的一类对象。

https://learn.microsoft.com/zh-cn/windows-hardware/drivers/kernel/callback-objects
https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/callback-objects

编程示例

这个对象的用法分两种情况

第一个是自己创建对象。

这种情况下,需要自己调用ExNotifyCallback。
这可以用于驱动间的通讯。
简单代码如下:

/*
made by correy
made at 2013.05.01
QQ:112426112
Email:kouleguan at hotmail dot com
*/

#include <ntddk.h>

/* Neutralise the SAL annotation macros so the sample also builds against a
 * WDK whose headers do not define them. They are not actually referenced by
 * this listing (it uses the older __in / IN spellings); if the WDK already
 * defines them, redefining them to nothing only switches off static-analysis
 * hints - harmless for a sample, but drop these lines when building with
 * /analyze. */
#define _In_
#define _Inout_
#define _Inout_opt_

PVOID CbRegistration;   /* handle returned by ExRegisterCallback; non-NULL only while pcallback_function is registered */

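DRIVER_UNLOAD Unload;
/*
 * Driver unload for sample 1: drop our registration on "\Callback\correy".
 *
 * The registration must go before the image does: the CALLBACK_REGISTRATION
 * the kernel keeps for us stores a raw code pointer (pcallback_function), and
 * a later ExNotifyCallback on the object would dereference a pointer into the
 * unloaded image. The callback object itself was created with OBJ_PERMANENT
 * and stays in the namespace after unload (visible with "!object \Callback").
 *
 * DriverObject is unused.
 */
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;

    if (CbRegistration != NULL) {
        ExUnregisterCallback(CbRegistration);
        CbRegistration = NULL;   /* never hand the same registration to ExUnregisterCallback twice */
    }
}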

/*
 * Routine registered on "\Callback\correy" (signature matches PCALLBACK_FUNCTION).
 *
 * CallbackContext is the value we passed to ExRegisterCallback (NULL in this
 * sample); Argument1/Argument2 are whatever the caller of ExNotifyCallback
 * supplied and, since any kernel component can open the object by name, should
 * be treated as untrusted input. It runs at the notifier's IRQL, so it only
 * logs and drops into the debugger.
 */
VOID pcallback_function(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2)
{
    (void)CallbackContext;
    (void)Argument1;
    (void)Argument2;

    DbgPrint("停下来看看吧!\n");   /* "stop and take a look" */
    KdBreakPoint();
}

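DRIVER_INITIALIZE DriverEntry;
/*
 * Sample 1: create our own callback object and register on it.
 *
 * Creates (or opens, if it already exists) the permanent named object
 * "\Callback\correy", registers pcallback_function on it and fires it once via
 * ExNotifyCallback so the breakpoint in the callback is hit. Returns the
 * NTSTATUS of the first failing step, otherwise the success status returned by
 * ExCreateCallback. RegistryPath is unused.
 *
 * Notes for anyone reusing the pattern:
 *  - The object gets a NULL security descriptor and OBJ_PERMANENT; any other
 *    kernel-mode component can open it by name and either register its own
 *    routine or call ExNotifyCallback with arbitrary Argument1/Argument2.
 *  - AllowMultipleCallbacks (4th argument) is FALSE, so ExRegisterCallback
 *    returns NULL for a second registration while one is still in place -
 *    re-registering without ExUnregisterCallback therefore fails.
 *  - ExRegisterCallback takes its own reference on the object, which is why
 *    ours can be released as soon as registration (and the test notify) is done.
 */
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT *DriverObject, __in PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    UNICODE_STRING CallbackName;
    OBJECT_ATTRIBUTES InitializedAttributes;
    PCALLBACK_OBJECT PCallbackObject = NULL;

    (void)RegistryPath;

    KdBreakPoint();   /* KdBreakPoint() == DbgBreakPoint(); debugging aid for the sample */

    DriverObject->DriverUnload = Unload;

    RtlInitUnicodeString(&CallbackName, L"\\Callback\\correy");
    InitializeObjectAttributes(&InitializedAttributes, &CallbackName,
                               OBJ_CASE_INSENSITIVE | OBJ_PERMANENT, NULL, NULL);

    /* Create = TRUE (open if present), AllowMultipleCallbacks = FALSE (0). */
    status = ExCreateCallback(&PCallbackObject, &InitializedAttributes, TRUE, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ExCreateCallback failed 0x%0x\n", status);
        return status;
    }

    CbRegistration = ExRegisterCallback(PCallbackObject, pcallback_function, NULL);
    if (CbRegistration == NULL) {
        DbgPrint("CbRegistration failed\n");
        /* The reference ExCreateCallback handed us is ours to release on every path. */
        ObDereferenceObject(PCallbackObject);
        return STATUS_UNSUCCESSFUL;
    }

    /* Smoke test: notify once while we still hold our own reference. */
    ExNotifyCallback(PCallbackObject, NULL, NULL);

    ObDereferenceObject(PCallbackObject);

    return status;   /* success status from ExCreateCallback */
}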

第二种情况是利用原有的对象。

举例,修改时间这个看似简单的操作,
在恶意代码安全对抗里是少不了的话题,在游戏安全的世界里更是如此。

#include <ntifs.h>

/*
made by correy
made at 2014.05.07
email:kouleguan at hotmail dot com
*/

PVOID CbRegistration;              /* handle from ExRegisterCallback; NULL until registration succeeds */
PCALLBACK_OBJECT  PCallbackObject; /* referenced \Callback\SetSystemTime object from ExCreateCallback; released in Unload */

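DRIVER_UNLOAD Unload;
/*
 * Driver unload for sample 2: detach from "\Callback\SetSystemTime".
 *
 * Order matters: remove the registration first, so the kernel no longer holds
 * a code pointer into this image, then drop the object reference that
 * ExCreateCallback returned to DriverEntry. The object belongs to the system
 * and lives on. Both globals are checked and cleared so an unload after a
 * partially failed initialisation cannot dereference NULL or release twice.
 *
 * DriverObject is unused.
 */
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;

    if (CbRegistration != NULL) {
        ExUnregisterCallback(CbRegistration);
        CbRegistration = NULL;
    }

    if (PCallbackObject != NULL) {
        ObDereferenceObject(PCallbackObject);
        PCallbackObject = NULL;
    }
}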

/*
 * Registered on "\Callback\SetSystemTime": notified when the system time is
 * changed. For this object Argument1 and Argument2 are documented as unused,
 * and CallbackContext is simply the NULL we passed to ExRegisterCallback.
 *
 * Per the original author's note it may run at up to DISPATCH_LEVEL, so
 * anything heavier than a DbgPrint belongs in a work item with its own
 * synchronisation; this sample just logs and breaks into the debugger.
 */
VOID pcallback_function(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2)
{
    (void)CallbackContext;
    (void)Argument1;
    (void)Argument2;

    DbgPrint("时间被修改了。\n");   /* "the time was changed" */
    KdBreakPoint();
}

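DRIVER_INITIALIZE DriverEntry;
/*
 * Sample 2: attach to an existing system callback object.
 *
 * Opens "\Callback\SetSystemTime" (created by the kernel; it shows up in the
 * "!object \Callback" listing) and registers pcallback_function on it.
 * PCallbackObject keeps the returned reference for Unload to release.
 * Returns the status of the first failing step, otherwise the success status
 * from ExCreateCallback. RegistryPath is unused.
 *
 * Create is passed as FALSE: the intent is to *open* the system's object,
 * never to create one. With TRUE a mistyped name would silently create a fresh
 * object that nothing ever notifies, and the "monitoring" would look healthy
 * while observing nothing. AllowMultipleCallbacks only matters when creating;
 * on the open path the existing object's setting applies.
 */
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT *DriverObject, __in PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    UNICODE_STRING CallbackName;
    OBJECT_ATTRIBUTES InitializedAttributes;

    (void)RegistryPath;

    KdBreakPoint();

    DriverObject->DriverUnload = Unload;

    RtlInitUnicodeString(&CallbackName, L"\\Callback\\SetSystemTime");
    InitializeObjectAttributes(&InitializedAttributes, &CallbackName,
                               OBJ_CASE_INSENSITIVE | OBJ_PERMANENT, NULL, NULL);

    /* Create = FALSE: fail loudly if the object does not exist. */
    status = ExCreateCallback(&PCallbackObject, &InitializedAttributes, 0, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ExCreateCallback failed 0x%0x\n", status);
        return status;
    }

    CbRegistration = ExRegisterCallback(PCallbackObject, pcallback_function, NULL);
    if (CbRegistration == NULL) {
        DbgPrint("CbRegistration failed\n");
        ObDereferenceObject(PCallbackObject);
        PCallbackObject = NULL;   /* nothing left for Unload to release */
        return STATUS_UNSUCCESSFUL;
    }

    return status;   /* success status from ExCreateCallback */
}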

以上两个示例代码摘自:https://leguanyuan.blogspot.com/2013/05/exregistercallbackc.html 略有删减

IDA分析

这里主要分析两个函数:ExCreateCallback和ExRegisterCallback

ExCreateCallback的IDA分析

ExCreateCallback的全部伪码这里都不列出了,这里给出简要流程和核心数据。

  1. 如果是打开操作,调用ObOpenObjectByName得到句柄,然后调用ObReferenceObjectByHandle获取对象,最后赋值给第一个参数。
  2. 如果是创建操作,核心伪码如下:
// Creation path of ExCreateCallback (IDA, x64). The open path goes through
// ObOpenObjectByName / ObReferenceObjectByHandle instead and never touches the
// fields initialised below.
if ( Create )
  {
    NtStatus = ObCreateObjectEx(0, ExCallbackObjectType, &ObjectAttributesa, 0, Object, sizeof(_CALLBACK_OBJECT), 0, 0, (PVOID *)&ExCallbackObject, 0i64);
    if ( NtStatus < 0 )
      return NtStatus;

    ExCallbackObject->tag = 'llaC';                                      // signature, 0x6c6c6143 in memory
    ExCallbackObject->AllowMultipleCallbacks = AllowMultipleCallbacks;
    ExCallbackObject->ListEntry.Blink = &ExCallbackObject->ListEntry;    // empty registration list
    ExCallbackObject->ListEntry.Flink = &ExCallbackObject->ListEntry;
    ExCallbackObject->SpinLock = 0i64;

    // Guarded region (special kernel APCs disabled) plus the global push lock
    // held exclusive: this is the discipline a reader of the list must mirror.
    --CurrentThread->Tcb.SpecialApcDisable;
    ExAcquirePushLockExclusiveEx(&ExpCallbackListLock, 0);
    ListHead = ExpCallbackListHead.Blink;
    p_ListEntry2 = &ExCallbackObject->ListEntry2;
    if ( ExpCallbackListHead.Blink->Flink != &ExpCallbackListHead )
      __fastfail(3u);                                                    // FAST_FAIL_CORRUPT_LIST_ENTRY

    // Manual InsertTailList(&ExpCallbackListHead, &ExCallbackObject->ListEntry2).
    ExCallbackObject->ListEntry2.Blink = ExpCallbackListHead.Blink;
    p_ListEntry2->Flink = &ExpCallbackListHead;
    ListHead->Flink = p_ListEntry2;
    ExpCallbackListHead.Blink = &ExCallbackObject->ListEntry2;
    ExpUnlockCallbackListExclusive(CurrentThread);

    // Publish the object under its name. Only the referenced object pointer is
    // handed back to the caller, not this handle.
    NtStatus = ObInsertObjectEx(ExCallbackObject, 0i64, 1u, 0, 0, 0i64, &Handle);
  }

关于这点伪码,有必要说两句,这是本文的重点:

  1. 这个数据结构里有两个链表。
  2. 重点是第二个链表(ListEntry2):它把每个回调对象串到全局变量ExpCallbackListHead上,修改时持有ExpCallbackListLock这把推锁,而且是先关闭特殊内核APC(上面的SpecialApcDisable)再加锁。
  3. 所以要遍历系统里全部的回调对象,从这两个全局变量入手最直接(它们并非导出符号,需要靠符号文件或特征码自行定位);另一条思路是自己调用ExCreateCallback打开对象再顺藤摸瓜,但那只能拿到有名字的对象。
  4. 第一个链表是链接的后面的CALLBACK_REGISTRATION结构,在ExRegisterCallback里看的更清楚。
  5. 当然要插入命名空间了,ObInsertObjectEx。

IDA中这个结构的定义如下:
注意内存对齐:Tag后面有4字节填充,AllowMultipleCallbacks后面有7字节填充,所以总大小是0x38。下面是x64的布局;x86上KSPIN_LOCK只有4字节,偏移会不同,不要直接照搬。

00000000 ; ---------------------------------------------------------------------------
00000000
00000000 ; No symbol information exists for this structure; the member names below are ours.
00000000 ; sizeof=0x38 on x64. The ReactOS definition below has no ListEntry2.
00000000 ; reactos\sdk\include\ndk\extypes.h
00000000 ; typedef struct _CALLBACK_OBJECT
00000000 ; {
00000000 ;     ULONG Signature;
00000000 ;     KSPIN_LOCK Lock;
00000000 ;     LIST_ENTRY RegisteredCallbacks;
00000000 ;     BOOLEAN AllowMultipleCallbacks;
00000000 ;     UCHAR reserved[3];
00000000 ; } CALLBACK_OBJECT;
00000000 _CALLBACK_OBJECT struc ; (sizeof=0x38, mappedto_2659)
00000000 tag             dd ?                    ; 'llaC' (0x6c6c6143), stamped by ExCreateCallback
00000004                 db ? ; padding up to the 8-byte-aligned spin lock
00000005                 db ? ; undefined
00000006                 db ? ; undefined
00000007                 db ? ; undefined
00000008 SpinLock        dq ?                    ; guards ListEntry; taken by ExRegisterCallback
00000010 ListEntry       LIST_ENTRY ?            ; head of this object's CALLBACK_REGISTRATION list
00000020 AllowMultipleCallbacks db ?             ; FALSE: only one registration accepted
00000021                 db ? ; padding up to the 8-byte-aligned ListEntry2
00000022                 db ? ; undefined
00000023                 db ? ; undefined
00000024                 db ? ; undefined
00000025                 db ? ; undefined
00000026                 db ? ; undefined
00000027                 db ? ; undefined
00000028 ListEntry2      _LIST_ENTRY ?           ; node in the global ExpCallbackListHead list (guarded by ExpCallbackListLock)
00000038 _CALLBACK_OBJECT ends

ida中c样式的数据结构:

/// IDA's C view of the callback object. No public symbol carries this type, so
/// the names are the author's. ListEntry (offset 0x10) heads this object's
/// CALLBACK_REGISTRATION list; ListEntry2 (offset 0x28) links the object itself
/// into the kernel-wide ExpCallbackListHead list. x64 layout, sizeof == 0x38.
struct _CALLBACK_OBJECT
{
  ULONG tag;                         ///< 'llaC' (0x6c6c6143), set by ExCreateCallback
  KSPIN_LOCK SpinLock;               ///< guards ListEntry; ExRegisterCallback takes it
  LIST_ENTRY ListEntry;              ///< CALLBACK_REGISTRATION.ListEntry nodes
  BOOLEAN AllowMultipleCallbacks;    ///< FALSE: ExRegisterCallback accepts a single registration
  _LIST_ENTRY ListEntry2;            ///< node in ExpCallbackListHead
};

顺便给出俺编程中定义的数据结构:

typedef struct _CALLBACK_OBJECT {  // natural 8-byte alignment: 4 bytes of padding after Tag, 7 after AllowMultipleCallbacks
    ULONG Tag;                     // 'llaC' (0x6c6c6143) on every object created by ExCreateCallback
    KSPIN_LOCK SpinLock;           // protects ListEntry; ExRegisterCallback takes it with KeAcquireSpinLockRaiseToDpc
    LIST_ENTRY ListEntry;          // head of this object's CALLBACK_REGISTRATION list
    bool AllowMultipleCallbacks;   // FALSE: ExRegisterCallback accepts only one registration
    LIST_ENTRY ListEntry2;         // node in the kernel-wide ExpCallbackListHead list
} CALLBACK_OBJECT, * PCALLBACK_OBJECT;
#if defined(_AMD64_)
// Layout recovered from a 64-bit build (offsets 0x00/0x08/0x10/0x20/0x28); it has
// not been checked on x86, where KSPIN_LOCK is 4 bytes and the offsets shift.
static_assert(sizeof(CALLBACK_OBJECT) == 0x38, "XXX");
#endif

切记Callback是一种类型为ExCallbackObjectType的内核对象。

ExRegisterCallback的IDA分析

ExRegisterCallback相对比较简单,主要是把三个参数放入到一个CALLBACK_REGISTRATION结构里,然后链到CALLBACK_OBJECT的第一个链表(ListEntry)上;注意它还会对回调对象加一次引用,所以示例里注册成功后可以马上ObDereferenceObject。

/*
 * ExRegisterCallback as decompiled by IDA (x64; the "..." marks lines elided in
 * the write-up). It allocates one CALLBACK_REGISTRATION, stores the three
 * arguments in it and appends it to CallbackObject->ListEntry under the
 * object's spin lock. The append is refused when the object was created with
 * AllowMultipleCallbacks == FALSE and already holds a registration; the pool
 * block is then freed and NULL returned.
 */
CALLBACK_REGISTRATION *__stdcall ExRegisterCallback(PCALLBACK_OBJECT CallbackObject, PCALLBACK_FUNCTION CallbackFunction, PVOID CallbackContext)
{
  CALLBACK_REGISTRATION *Callback; // rax MAPDST
  char IsOk; // r14
  unsigned __int64 Irql; // rsi
  _LIST_ENTRY *ListEntry; // rdx
  unsigned __int8 CurrentIrql; // al
  struct _KPRCB *CurrentPrcb; // r10
  SchedulerAssist *SchedulerAssist; // r9
  int v15; // eax
  bool v16; // zf

  // The registration keeps its own reference on the object ('tlfD' = "Dflt",
  // the generic ob tag), which is why a driver may drop its own reference right
  // after registering. Presumably released again by ExUnregisterCallback.
  ObfReferenceObjectWithTag(CallbackObject, 'tlfD');
  Callback = (CALLBACK_REGISTRATION *)ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(CALLBACK_REGISTRATION), 'eRBC');
  if ( Callback )
  {
    Callback->n = 0;   // meaning of n and b not recovered; both read 0 on every live registration in the test log
    Callback->CallbackObject = CallbackObject;
    IsOk = 0;
    Callback->CallbackFunction = CallbackFunction;
    Callback->CallbackContext = CallbackContext;
    Callback->b = 0;

    // The same spin lock an enumerator has to hold while walking ListEntry.
    Irql = KeAcquireSpinLockRaiseToDpc(&CallbackObject->SpinLock);
    // Single-registration objects accept a node only while the list is empty.
    if ( CallbackObject->AllowMultipleCallbacks || CallbackObject->ListEntry.Flink == &CallbackObject->ListEntry )
    {
      IsOk = 1;
      ListEntry = CallbackObject->ListEntry.Blink;
      if ( ListEntry->Flink != &CallbackObject->ListEntry )
        __fastfail(3u);   // FAST_FAIL_CORRUPT_LIST_ENTRY: tail-pointer sanity check before inserting

      // Manual InsertTailList(&CallbackObject->ListEntry, &Callback->ListEntry).
      Callback->ListEntry.Flink = &CallbackObject->ListEntry;
      Callback->ListEntry.Blink = ListEntry;
      ListEntry->Flink = &Callback->ListEntry;
      CallbackObject->ListEntry.Blink = &Callback->ListEntry;
    }

    KxReleaseSpinLock(&CallbackObject->SpinLock);

    // Pseudocode not relevant to this topic (apparently IRQL/DPC bookkeeping,
    // judging by the CurrentPrcb / SchedulerAssist locals) was cut here.
    ...

    __writecr8(Irql);   // restore the pre-acquire IRQL (CR8 is the x64 task-priority register)
    if ( !IsOk )
    {
      ExFreePoolWithTag(Callback, 0);
      ObfDereferenceObjectWithTag(CallbackObject, 'tlfD');
      return NULL;
    }

    return Callback;
  }
  else
  {
    ObfDereferenceObjectWithTag(CallbackObject, 'tlfD');
    return NULL;
  }
}

这里重要的是给出数据结构的定义:

IDA的原始结构定义:

00000000 ; sizeof=0x30; structure name taken from \reactos\ntoskrnl\ex\callback.c
00000000 CALLBACK_REGISTRATION struc ; (sizeof=0x30, mappedto_2893)
00000000 ListEntry       LIST_ENTRY ?            ; node in CALLBACK_OBJECT.ListEntry, the object's FIRST list (see ExRegisterCallback); ListEntry2 links objects, not registrations
00000010 CallbackObject  dq ?                    ; offset; back-pointer to the owning callback object
00000018 CallbackFunction dq ?                   ; offset; code pointer invoked on ExNotifyCallback - the field to check when hunting hooks
00000020 CallbackContext dq ?                    ; offset; opaque value handed back to CallbackFunction
00000028 n               dd ?                    ; zeroed by ExRegisterCallback; meaning not recovered
0000002C b               db ?                    ; zeroed by ExRegisterCallback; meaning not recovered
0000002D field_2D        db ?
0000002E field_2E        db ?
0000002F field_2F        db ?
00000030 CALLBACK_REGISTRATION ends

IDA的c结构定义:

/// sizeof=0x30; structure name taken from \reactos\ntoskrnl\ex\callback.c.
/// One node per ExRegisterCallback call, allocated from NonPagedPoolNx.
struct CALLBACK_REGISTRATION
{
  LIST_ENTRY ListEntry;                 ///< node in CALLBACK_OBJECT.ListEntry (the object's first list), inserted by ExRegisterCallback; ListEntry2 links objects, not registrations
  PCALLBACK_OBJECT CallbackObject;      ///< owning object (ExRegisterCallback referenced it)
  PCALLBACK_FUNCTION CallbackFunction;  ///< routine invoked on ExNotifyCallback
  PVOID CallbackContext;                ///< opaque value passed back to CallbackFunction
  DWORD n;                              ///< zeroed by ExRegisterCallback; purpose not recovered
  bool b;                               ///< zeroed by ExRegisterCallback; purpose not recovered
  char field_2D;
  char field_2E;
  char field_2F;
};

自己编程中的定义:

typedef struct _CALLBACK_REGISTRATION {  // 8-byte alignment pads this to 0x30 (n at 0x28, b at 0x2C, 3 tail bytes)
    LIST_ENTRY ListEntry;       // node in CALLBACK_OBJECT.ListEntry
    PVOID CallbackObject;       // owning CALLBACK_OBJECT
    PVOID CallbackFunction;     // PCALLBACK_FUNCTION stored by ExRegisterCallback
    PVOID CallbackContext;      // third argument of ExRegisterCallback
    ULONG n;                    // zeroed at registration; purpose unknown
    bool b;                     // zeroed at registration; purpose unknown
} CALLBACK_REGISTRATION, * PCALLBACK_REGISTRATION;

WINDBG验证

符号文件里没有这些结构的定义,只能看二进制内存了(或者用自己程序的符号文件里的自定义的结构信息)。

看官有兴趣了,可以跟踪下。

不过,这里可以看看\Callback的内容:
和下文的测试不相干

0: kd> !object \Callback
Object: ffffe4808348cb70  Type: (ffffd482b62a0da0) Directory
    ObjectHeader: ffffe4808348cb40 (new version)
    HandleCount: 0  PointerCount: 23
    Directory Object: ffffe48083402850  Name: Callback

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     01  ffffd482b62d30a0 Callback                  EnlightenmentState
     04  ffffd482b62d3fa0 Callback                  SetSystemState
     08  ffffd482b62d33c0 Callback                  LicensingData
     11  ffffd482b6a02c10 Callback                  TcpConnectionCallbackTemp
     12  ffffd482b62d31e0 Callback                  SetSystemTime
     13  ffffd482b6a034d0 Callback                  NdisBindUnbind
         ffffd482b62d3280 Callback                  ProcessorAdd
         ffffd482b62d3140 Callback                  PowerState
     18  ffffd482ba01dbc0 Callback                  LLTDCallbackMapper0006008001000000
         ffffd482b6a031b0 Callback                  TcpTimerStarvationCallbackTemp
     20  ffffd482ba01de40 Callback                  LLTDCallbackMapper0006008002000000
     22  ffffd482b62d3d20 Callback                  SeImageVerificationDriverInfo
     23  ffffd482b6a040b0 Callback                  AfdTdxCallback
         ffffd482b6a02df0 Callback                  VMCIDetachCB
     27  ffffd482ba01db20 Callback                  LLTDCallbackRspndr0006008001000000
         ffffd482b62d3320 Callback                  Phase1InitComplete
     29  ffffd482ba01d9e0 Callback                  LLTDCallbackRspndr0006008002000000
     30  ffffd482b62d3960 Callback                  IoSessionNotifications
     31  ffffd482b6a02e90 Callback                  WdNriNotificationCallback
     34  ffffd482b62d3c80 Callback                  IoExternalDmaUnblock
     35  ffffd482b6a028f0 Callback                  WdProcessNotificationCallback
         ffffd482b62d3640 Callback                  542875F90F9B47F497B64BA219CACF69

编程实现

无非是一个全局变量加两个结构、两级链表的遍历而已,但锁不能省:外层推锁要在 Guarded Region 内共享获取(和内核自己插入时的做法对称),内层对象自旋锁会把 IRQL 提到 DISPATCH_LEVEL,所以传进来的回调函数里不能碰分页内存、不能阻塞,更不能对同一个对象再调 ExRegisterCallback/ExUnregisterCallback(同一把自旋锁,会自锁死)。另外这些结构都是未公开的,偏移只在分析过的版本上验证过,换系统版本前先核对。

核心遍历代码如下:

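/*
 * Walk every CALLBACK_REGISTRATION hanging off one callback object and hand
 * each one to Callback(CallbackObject, &Name, Registration, Context).
 *
 * CallbackObject  - an ExCallbackObjectType object (undocumented layout, see
 *                   the CALLBACK_OBJECT definition above); NULL is tolerated.
 * Callback        - user routine invoked once per registration; may be NULL.
 * Context         - passed through to Callback untouched.
 *
 * Call at PASSIVE_LEVEL: the name lookup is pageable work and is done before
 * the lock. The registration list is read under the object's own spin lock,
 * the same lock ExRegisterCallback takes, so Callback runs at DISPATCH_LEVEL
 * and must not touch pageable memory, block, or call ExRegisterCallback /
 * ExUnregisterCallback on this object (that would self-deadlock on the spin
 * lock). Copy what is needed out and resolve symbols / module paths afterwards.
 */
void EnumExCallback(PCALLBACK_OBJECT CallbackObject, EnumCallbackObjectCallback Callback, PVOID Context)
{
    if (!CallbackObject) {
        return;
    }

    // ExCreateCallback stamps every object with 'llaC' (0x6c6c6143 in memory,
    // the value printed as Tag in the test log). A pointer without it is not a
    // callback object on the analysed build, and walking its "list" would
    // dereference garbage at DISPATCH_LEVEL. If another build is found not to
    // stamp the tag, relax this check rather than delete it.
    if (CallbackObject->Tag != 0x6c6c6143) {
        return;
    }

    UNICODE_STRING CallbackObjectName = {0};
    GetObjectName(CallbackObject, &CallbackObjectName);   // pageable; before raising IRQL

    PLIST_ENTRY const ListHead = &CallbackObject->ListEntry;   // registrations live here, not on ListEntry2
    KIRQL OldIrql = KeAcquireSpinLockRaiseToDpc(&CallbackObject->SpinLock);

    for (PLIST_ENTRY Iter = ListHead->Flink; Iter != ListHead; Iter = Iter->Flink) {
        PCALLBACK_REGISTRATION Registration = CONTAINING_RECORD(Iter, CALLBACK_REGISTRATION, ListEntry);
        if (Callback) {
            Callback(CallbackObject, &CallbackObjectName, Registration, Context);
        }
    }

    KeReleaseSpinLock(&CallbackObject->SpinLock, OldIrql);
    FreeUnicodeString(&CallbackObjectName);
}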


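/*
 * Enumerate every executive callback object on the system, named or not, by
 * walking the kernel's private ExpCallbackListHead (linked through
 * CALLBACK_OBJECT.ListEntry2) and calling EnumExCallback(object, Callback,
 * Context) for each one. Unlike a walk of the \Callback directory this also
 * reaches the unnamed objects.
 *
 * g_info must already hold the addresses of ExpCallbackListHead and
 * ExpCallbackListLock (not exported; obtained from symbols or a signature
 * scan), and g_HighLevelRoutine a complete acquire/release pair of push-lock
 * routines for the running OS. Nothing is enumerated if any of those is
 * missing - walking the list unlocked is not an option.
 *
 * Runs at PASSIVE_LEVEL. The list is read with ExpCallbackListLock held shared
 * inside a guarded region, mirroring what ExCreateCallback does when it inserts
 * (special kernel APCs disabled, lock held exclusive), so the list cannot
 * change underneath us while we hold it.
 */
void EnumExCallback(EnumCallbackObjectCallback Callback, PVOID Context)
{
    PLIST_ENTRY ExpCallbackListHead = (PLIST_ENTRY)g_info.ExpCallbackListHead;
    PEX_PUSH_LOCK ExpCallbackListLock = (PEX_PUSH_LOCK)g_info.ExpCallbackListLock;

    if (!ExpCallbackListHead || !ExpCallbackListLock) {
        return;
    }

    // Pick the acquire/release pair ONCE, so we can never acquire through the
    // Windows 10 *Ex routine and release through the Windows 7 Exf* one (or
    // vice versa) when only half of a pair was resolved.
    bool UseExRoutines = g_HighLevelRoutine.ExAcquirePushLockSharedEx != NULL &&
                         g_HighLevelRoutine.ExReleasePushLockSharedEx != NULL;
    bool UseExfRoutines = g_HighLevelRoutine.ExfAcquirePushLockShared != NULL &&
                          g_HighLevelRoutine.ExfReleasePushLockShared != NULL;
    if (!UseExRoutines && !UseExfRoutines) {
        return;
    }

    KeEnterGuardedRegion();

    if (UseExRoutines) {
        g_HighLevelRoutine.ExAcquirePushLockSharedEx(ExpCallbackListLock, EX_DEFAULT_PUSH_LOCK_FLAGS);
    } else {
        g_HighLevelRoutine.ExfAcquirePushLockShared(ExpCallbackListLock);
    }

    for (PLIST_ENTRY Iter = ExpCallbackListHead->Flink; Iter != ExpCallbackListHead; Iter = Iter->Flink) {
        PCALLBACK_OBJECT Object = CONTAINING_RECORD(Iter, CALLBACK_OBJECT, ListEntry2);
        EnumExCallback(Object, Callback, Context);
    }

    if (UseExRoutines) {
        g_HighLevelRoutine.ExReleasePushLockSharedEx(ExpCallbackListLock, EX_DEFAULT_PUSH_LOCK_FLAGS);
    } else {
        g_HighLevelRoutine.ExfReleasePushLockShared(ExpCallbackListLock);
    }

    KeLeaveGuardedRegion();
}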

测试效果

这个很重要,有不少的内容,建议每一条都看看:谁注册的、函数落在哪个模块里、CallbackContext 是什么。
有的对象是没有名字的(输出里 CallbackObjectName 为空的那几条),它们不在 \Callback\ 目录里,只遍历对象目录是发现不了的,必须走 ExpCallbackListHead 链表。
对象大多在\Callback\目录下,但第三方驱动(如输出中的 360netmon.sys)同样可以往这些系统对象上注册,排查内核钩子时值得对照模块路径逐条核实。

C:\Users\Administrator>C:\Users\Administrator\Desktop\bin\AntiHook.exe  EnumExCallback
numbers:45

Index:1
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014ACF77A0
CallbackFunction:FFFFF80109D26600, FullPathName:\SystemRoot\System32\drivers\ntosext.sys
CallbackContext:0000000000000000
n:0
b:0

Index:2
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014ACF73A0
CallbackFunction:FFFFF80105217030, SymbolName:EtwpPowerStateCallback, FullPathName:\SystemRoot\system32\ntoskrnl.exe
CallbackContext:0000000000000000
n:0
b:0

Index:3
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B2FBE60
CallbackFunction:FFFFF80104DB4CF0, SymbolName:HalpPowerStateCallback, FullPathName:\SystemRoot\system32\ntoskrnl.exe
CallbackContext:0000000000000000
n:0
b:0

Index:4
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B0FF660
CallbackFunction:FFFFF8010A09EF50, FullPathName:\SystemRoot\System32\drivers\ACPI.sys
CallbackContext:FFFFBF014AC9A020
n:0
b:0

Index:5
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B0FF060
CallbackFunction:FFFFF8010A1BF110, FullPathName:\SystemRoot\System32\drivers\pci.sys
CallbackContext:0000000000000000
n:0
b:0

Index:6
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B2FB9A0
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014B740830
n:0
b:0

Index:7
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B5AD3A0
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014B793A30
n:0
b:0

Index:8
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014AEE9D20
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014B799AB0
n:0
b:0

Index:9
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B68D6D0
CallbackFunction:FFFFF8010AF87E10, FullPathName:\SystemRoot\System32\drivers\tcpip.sys
CallbackContext:0000000000000000
n:0
b:0

Index:10
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014BFFF010
CallbackFunction:FFFFF8010F6E10C0, FullPathName:\SystemRoot\system32\DRIVERS\360netmon.sys
CallbackContext:0000000000000000
n:0
b:0

Index:11
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1EF4D0
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D164A30
n:0
b:0

Index:12
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1EF310
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D1B1770
n:0
b:0

Index:13
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1EF390
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D214770
n:0
b:0

Index:14
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1F0050
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014BF9E020
n:0
b:0

Index:15
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1F0850
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D23FB40
n:0
b:0

Index:16
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1F05D0
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D235A10
n:0
b:0

Index:17
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1F09D0
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D2AE020
n:0
b:0

Index:18
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1F0A90
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D2AE930
n:0
b:0

Index:19
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D1F0B10
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D2B3A00
n:0
b:0

Index:20
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014D2D0450
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014D447770
n:0
b:0

Index:21
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014DB67610
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014DADE370
n:0
b:0

Index:22
CallbackObject:FFFFBF014ACB1AA0
CallbackObjectName:\Callback\PowerState
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014DB68150
CallbackFunction:FFFFF80109EF7480, FullPathName:\SystemRoot\system32\drivers\Wdf01000.sys
CallbackContext:FFFFBF014DC44350
n:0
b:0

Index:23
CallbackObject:FFFFBF014ACB1820
CallbackObjectName:\Callback\ProcessorAdd
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B0FF8E0
CallbackFunction:FFFFF8010A0DCAC0, FullPathName:\SystemRoot\System32\drivers\ACPI.sys
CallbackContext:0000000000000000
n:0
b:0

Index:24
CallbackObject:FFFFBF014ACB1820
CallbackObjectName:\Callback\ProcessorAdd
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B68C790
CallbackFunction:FFFFF8010ACDE960, SymbolName:ndisCpuHotAddHandler, FullPathName:\SystemRoot\system32\drivers\ndis.sys
CallbackContext:0000000000000000
n:0
b:0

Index:25
CallbackObject:FFFFBF014ACB1820
CallbackObjectName:\Callback\ProcessorAdd
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B68C110
CallbackFunction:FFFFF8010B0098B0, FullPathName:\SystemRoot\System32\drivers\tcpip.sys
CallbackContext:0000000000000000
n:0
b:0

Index:26
CallbackObject:FFFFBF014ACB1820
CallbackObjectName:\Callback\ProcessorAdd
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B68DE10
CallbackFunction:FFFFF80105388D80, SymbolName:PopNewProcessorCallback, FullPathName:\SystemRoot\system32\ntoskrnl.exe
CallbackContext:0000000000000000
n:0
b:0

Index:27
CallbackObject:FFFFBF014ACB1820
CallbackObjectName:\Callback\ProcessorAdd
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014FFF7F50
CallbackFunction:FFFFF801191425B0, FullPathName:\SystemRoot\System32\DRIVERS\wanarp.sys
CallbackContext:0000000000000000
n:0
b:0

Index:28
CallbackObject:FFFFBF014ACB1820
CallbackObjectName:\Callback\ProcessorAdd
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014FFF9790
CallbackFunction:FFFFF80108927950, FullPathName:\SystemRoot\system32\drivers\HTTP.sys
CallbackContext:0000000000000000
n:0
b:0

Index:29
CallbackObject:FFFFBF014ACB1F00
CallbackObjectName:\Callback\SeImageVerificationDriverInfo
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B68C810
CallbackFunction:FFFFF8010A8F5D50, FullPathName:\SystemRoot\system32\drivers\wd\WdFilter.sys
CallbackContext:0000000000000000
n:0
b:0

Index:30
CallbackObject:FFFFBF014ACB1500
CallbackObjectName:\Callback\LicensingData
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014BFFF090
CallbackFunction:FFFFF8010E5FD370, FullPathName:\SystemRoot\system32\drivers\csc.sys
CallbackContext:0000000000000000
n:0
b:0

Index:31
CallbackObject:FFFFBF014AC659C0
CallbackObjectName:
Tag:6c6c6143
AllowMultipleCallbacks:false
CallbackRegistration:FFFFBF014ACF76E0
CallbackFunction:FFFFF80105215380, SymbolName:SshpAlpcMessageCallback, FullPathName:\SystemRoot\system32\ntoskrnl.exe
CallbackContext:0000000000000000
n:0
b:0

Index:32
CallbackObject:FFFFBF014AC65640
CallbackObjectName:
Tag:6c6c6143
AllowMultipleCallbacks:false
CallbackRegistration:FFFFBF014ACF7360
CallbackFunction:FFFFF80104D6EF50, SymbolName:PopUmpoMessageCallback, FullPathName:\SystemRoot\system32\ntoskrnl.exe
CallbackContext:0000000000000000
n:0
b:0

Index:33
CallbackObject:FFFFBF014AC655C0
CallbackObjectName:
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014ACF7320
CallbackFunction:FFFFF80105399970, SymbolName:PopMonitorAlpcCallback, FullPathName:\SystemRoot\system32\ntoskrnl.exe
CallbackContext:0000000000000000
n:0
b:0

Index:34
CallbackObject:FFFFBF014ACB13C0
CallbackObjectName:\Callback\IoExternalDmaUnblock
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014ACF7D60
CallbackFunction:FFFFF80105165C90, SymbolName:PipCslStateChangeCallback, FullPathName:\SystemRoot\system32\ntoskrnl.exe
CallbackContext:0000000000000000
n:0
b:0

Index:35
CallbackObject:FFFFBF014ACB13C0
CallbackObjectName:\Callback\IoExternalDmaUnblock
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B0FF560
CallbackFunction:FFFFF8010A1BADF0, FullPathName:\SystemRoot\System32\drivers\pci.sys
CallbackContext:0000000000000000
n:0
b:0

Index:36
CallbackObject:FFFFBF014ACB1D20
CallbackObjectName:\Callback\WdEbNotificationCallback
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B68C690
CallbackFunction:FFFFF8010A916C40, FullPathName:\SystemRoot\system32\drivers\wd\WdFilter.sys
CallbackContext:0000000000000000
n:0
b:0

Index:37
CallbackObject:FFFFBF014AEE8A40
CallbackObjectName:
Tag:6c6c6143
AllowMultipleCallbacks:false
CallbackRegistration:FFFFBF014AEE98A0
CallbackFunction:FFFFF8010A3D8620, FullPathName:\SystemRoot\system32\drivers\pdc.sys
CallbackContext:0000000000000000
n:0
b:0

Index:38
CallbackObject:FFFFBF014B502C40
CallbackObjectName:\Callback\VMCIDetachCB
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF01502F9110
CallbackFunction:FFFFF8010A5E1000, FullPathName:\SystemRoot\system32\DRIVERS\vsock.sys
CallbackContext:0000000000000000
n:0
b:0

Index:39
CallbackObject:FFFFBF014B502C40
CallbackObjectName:\Callback\VMCIDetachCB
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF01509F08D0
CallbackFunction:FFFFF8012FC88C60, FullPathName:\SystemRoot\system32\DRIVERS\vmhgfs.sys
CallbackContext:0000000000000000
n:0
b:0

Index:40
CallbackObject:FFFFBF014B5033C0
CallbackObjectName:\Callback\WdNriNotificationCallback
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014B68C090
CallbackFunction:FFFFF8010A8FC2F0, FullPathName:\SystemRoot\system32\drivers\wd\WdFilter.sys
CallbackContext:FFFFBF014BE43000
n:0
b:0

Index:41
CallbackObject:FFFFBF014B53F6E0
CallbackObjectName:
Tag:6c6c6143
AllowMultipleCallbacks:false
CallbackRegistration:FFFFBF014FC4C350
CallbackFunction:FFFFF2B8EB4996B0, FullPathName:\SystemRoot\System32\win32kbase.sys
CallbackContext:0000000000000000
n:0
b:0

Index:42
CallbackObject:FFFFBF014B4332B0
CallbackObjectName:\Callback\LLTDCallbackRspndr0006008002000000
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014FFF7450
CallbackFunction:FFFFF801191240D0, FullPathName:\SystemRoot\system32\drivers\rspndr.sys
CallbackContext:FFFFBF014ADCF010
n:0
b:0

Index:43
CallbackObject:FFFFBF014B4335D0
CallbackObjectName:\Callback\LLTDCallbackRspndr0006008001000000
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014FFF7BD0
CallbackFunction:FFFFF801191240D0, FullPathName:\SystemRoot\system32\drivers\rspndr.sys
CallbackContext:FFFFBF015003A5D0
n:0
b:0

Index:44
CallbackObject:FFFFBF014B4338F0
CallbackObjectName:\Callback\LLTDCallbackRspndr0006008006000000
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014FFF7D10
CallbackFunction:FFFFF801191240D0, FullPathName:\SystemRoot\system32\drivers\rspndr.sys
CallbackContext:FFFFBF015003C5D0
n:0
b:0

Index:45
CallbackObject:FFFFBF014B433530
CallbackObjectName:\Callback\LLTDCallbackRspndr0006008007000000
Tag:6c6c6143
AllowMultipleCallbacks:true
CallbackRegistration:FFFFBF014FFF8010
CallbackFunction:FFFFF801191240D0, FullPathName:\SystemRoot\system32\drivers\rspndr.sys
CallbackContext:FFFFBF015003E5D0
n:0
b:0


C:\Users\Administrator>

摘自:https://github.com/kouzhudong/AntiHook/blob/main/log/EnumExCallback.txt

作者信息

made by correy
made at 2024-05-13
https://github.com/kouzhudong
