Page 1 of 1

Enumerating kernel notification callback routines, x64

Posted: Mon Dec 03, 2018 8:32 am
by EP_X0FF
This document covers kernel notification callback routines up to 19H1, released as part of WinObjEx64 v1.7

https://github.com/hfiref0x/WinObjEx64/ ... lbacks.pdf

Notification callbacks mentioned
  • ObRegisterCallbacks
  • CmRegisterCallbacks
  • CmRegisterCallbacksEx
  • PsSetCreateProcessNotifyRoutine
  • PsSetCreateProcessNotifyRoutineEx
  • PsSetCreateProcessNotifyRoutineEx2
  • PsSetCreateThreadNotifyRoutine
  • PsSetCreateThreadNotifyRoutineEx
  • PsSetLoadImageNotifyRoutine
  • PsSetLoadImageNotifyRoutineEx
  • KeRegisterBugCheckCallback
  • KeRegisterBugCheckReasonCallback
  • IoRegisterShutdownNotification
  • IoRegisterLastChanceShutdownNotification
  • SeRegisterLogonSessionTerminatedRoutine
  • SeRegisterLogonSessionTerminatedRoutineEx
  • PoRegisterPowerSettingCallback
  • DbgSetDebugPrintCallback
  • IoRegisterFsRegistrationChange