Enumerating kernel notification callback routines, x64

Post by EP_X0FF » Mon Dec 03, 2018 8:32 am

This document covers kernel notification callback routines up to 19H1, released as part of WinObjEx64 v1.7.

https://github.com/hfiref0x/WinObjEx64/ ... lbacks.pdf

Notification callbacks mentioned:
  • ObRegisterCallbacks
  • CmRegisterCallbacks
  • CmRegisterCallbacksEx
  • PsSetCreateProcessNotifyRoutine
  • PsSetCreateProcessNotifyRoutineEx
  • PsSetCreateProcessNotifyRoutineEx2
  • PsSetCreateThreadNotifyRoutine
  • PsSetCreateThreadNotifyRoutineEx
  • PsSetLoadImageNotifyRoutine
  • PsSetLoadImageNotifyRoutineEx
  • KeRegisterBugCheckCallback
  • KeRegisterBugCheckReasonCallback
  • IoRegisterShutdownNotification
  • IoRegisterLastChanceShutdownNotification
  • SeRegisterLogonSessionTerminatedRoutine
  • SeRegisterLogonSessionTerminatedRoutineEx
  • PoRegisterPowerSettingCallback
  • DbgSetDebugPrintCallback
  • IoRegisterFsRegistrationChange