Wednesday, 10 October 2012

PoRegisterPowerSettingCallback callbacks

This documented function was introduced in Vista. Let's check how we can enumerate all registered callbacks.
It seems that all callbacks are stored in the linked list PopRegisteredPowerSettingCallbacks, synchronized with the fast mutex PopSettingLock.
The structure of a callback record can easily be recovered from this code (ripped from Vista):
  push  34h                             ; size_t
  push  0                               ; int
  push  ebx                             ; void *
  call  _memset
  mov   eax, [ebp+Callback]
  mov   [ebx+8], esi
  mov   esi, [ebp+SettingGuid]
  lea   edi, [ebx+14h]                  ; 0x14 IID
  movsd
  movsd
  movsd
  movsd
  mov   esi, [ebp+SettingGuid]
  mov   [ebx+28h], eax                  ; 0x28 Callback
  mov   eax, [ebp+Context]
  add   esp, 0Ch
  mov   [ebx+2Ch], eax                  ; 0x2C Context
  mov   eax, [ebp+DeviceObject]
  push  esi
  mov   [ebx+30h], eax                  ; 0x30 DeviceObject

So the structure of a callback record looks like:
struct power_cbs_item
{
/* win32 win64 offsets */
/* NB: the win64 offsets only hold with 4-byte packing (e.g. #pragma pack(4));
   with default alignment the compiler would place unk1 at 0x18, not 0x14 */
/*     0     0 */ LIST_ENTRY ListEntry;
/*     8    10 */ ULONG tag;
/*     C    14 */ PVOID unk1;
/*    10    1C */ PVOID unk2;
/*    14    24 */ IID iid;
/*    24    34 */ PVOID unk3;
#ifdef _WIN64
/*          3C */ ULONG pad;
#endif /* _WIN64 */
/*    28    40 */ unsigned char *Callback;
/*    2C    48 */ PVOID Context;
/*    30    50 */ PVOID DevObj;
};
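As an added example (not the post's own code), here is a user-mode C model of the recovered record, a check that it reproduces the offsets above for the current pointer size, and a list walk of the kind an enumerator would do over PopRegisteredPowerSettingCallbacks. The list head, the three records and the 0x1000/0x2000/0x3000 callback values are constructed here, and `#pragma pack(4)` is my assumption about how the win64 offsets arise.

```c
#include <stddef.h>
#include <stdint.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))
/* Assumption: the win64 offsets in the post (unk1 at 0x14, Callback at 0x40) need 4-byte packing. */
#pragma pack(4)
struct power_cbs_item {          /* win32 / win64 offsets as in the post */
    LIST_ENTRY ListEntry;        /* 0x00 / 0x00 */
    uint32_t   tag;              /* 0x08 / 0x10 */
    void      *unk1, *unk2;      /* 0x0C / 0x14, 0x10 / 0x1C */
    GUID       iid;              /* 0x14 / 0x24 */
    void      *unk3;             /* 0x24 / 0x34 */
#if UINTPTR_MAX > 0xFFFFFFFFu
    uint32_t   pad;              /*      / 0x3C */
#endif
    void      *Callback;         /* 0x28 / 0x40 */
    void      *Context;          /* 0x2C / 0x48 */
    void      *DevObj;           /* 0x30 / 0x50 */
};
/* 1 if the model reproduces the post's offsets (and, on win32, the 0x34 size the memset zeroes). */
int offsets_match(void) {
    int x64 = sizeof(void *) == 8;
    return offsetof(struct power_cbs_item, iid) == (x64 ? 0x24 : 0x14)
        && offsetof(struct power_cbs_item, Callback) == (x64 ? 0x40 : 0x28)
        && offsetof(struct power_cbs_item, DevObj) == (x64 ? 0x50 : 0x30)
        && (x64 || sizeof(struct power_cbs_item) == 0x34);
}
/* Walk the list as the kernel links it (CONTAINING_RECORD on ListEntry until Flink returns to the head). */
size_t enum_power_callbacks(LIST_ENTRY *head, void **out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink, n++) {
        struct power_cbs_item *it = CONTAINING_RECORD(e, struct power_cbs_item, ListEntry);
        if (n < max) out[n] = it->Callback;   /* only copy what fits; still count the rest */
    }
    return n;
}
/* Constructed stand-in list: three zeroed records with fake Callback values, inserted at the tail. */
static LIST_ENTRY fake_head; static struct power_cbs_item fake_rec[3]; static void *demo_cbs[4];
size_t demo_enum(void) {
    fake_head.Flink = fake_head.Blink = &fake_head;
    for (int i = 0; i < 3; i++) {
        fake_rec[i].Callback = (void *)(uintptr_t)(0x1000u * (i + 1));
        fake_rec[i].ListEntry.Flink = &fake_head;          /* InsertTailList() by hand */
        fake_rec[i].ListEntry.Blink = fake_head.Blink;
        fake_head.Blink->Flink = &fake_rec[i].ListEntry;
        fake_head.Blink = &fake_rec[i].ListEntry;
    }
    return enum_power_callbacks(&fake_head, demo_cbs, 4);
}
```

On a live system the same walk must be done while holding PopSettingLock, which the post names as the fast mutex guarding the list.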

Sample output from Windows Server 2012:
PowerSettingCallbacks: 10
 cb[0]: 99FF10E7-23B1-4C07-A9D1-5C3206D741B4 (GUID_LIDOPEN_POWERSTATE): devobj 0000000000000000 FFFFF8020957BAD0 \SystemRoot\system32\ntoskrnl.exe
 cb[1]: 1D077298-E31C-4F03-9DE9-7473B61B1D29 (GUID_VIDEO_BRIGHTNESS_CAPABLE): devobj 0000000000000000 FFFFF802092065F4 \SystemRoot\system32\ntoskrnl.exe
 cb[2]: 5DBB7C9F-38E9-40D2-9749-4F8A0E9F640F (GUID_BATTERY_DISCHARGE_FLAGS_0): devobj 0000000000000000 FFFFF802091BBD30 \SystemRoot\system32\ntoskrnl.exe
 cb[3]: 421CBA38-1A8E-4881-AC89-E33A8B04ECE4 (GUID_BATTERY_DISCHARGE_ACTION_2): devobj 0000000000000000 FFFFF802091BBD30 \SystemRoot\system32\ntoskrnl.exe
 cb[4]: 07A07CA2-ADAF-40D7-B077-533AADED1BFA (GUID_BATTERY_DISCHARGE_LEVEL_2): devobj 0000000000000000 FFFFF802091BBD30 \SystemRoot\system32\ntoskrnl.exe
 cb[5]: 7FD2F0C4-FEB7-4DA3-8117-E3FBEDC46582 (GUID_BATTERY_DISCHARGE_FLAGS_2): devobj 0000000000000000 FFFFF802091BBD30 \SystemRoot\system32\ntoskrnl.exe
 cb[6]: 80472613-9780-455E-B308-72D3003CF2F8 (GUID_BATTERY_DISCHARGE_ACTION_3): devobj 0000000000000000 FFFFF802091BBD30 \SystemRoot\system32\ntoskrnl.exe
 cb[7]: 58AFD5A6-C2DD-47D2-9FBF-EF70CC5C5965 (GUID_BATTERY_DISCHARGE_LEVEL_3): devobj 0000000000000000 FFFFF802091BBD30 \SystemRoot\system32\ntoskrnl.exe
 cb[8]: 73613CCF-DBFA-4279-8356-4935F6BF62F3 (GUID_BATTERY_DISCHARGE_FLAGS_3): devobj 0000000000000000 FFFFF802091BBD30 \SystemRoot\system32\ntoskrnl.exe
 cb[9]: 99FF10E7-23B1-4C07-A9D1-5C3206D741B4 (GUID_LIDOPEN_POWERSTATE): devobj 0000000000000000 FFFFF88000A1BE08 \SystemRoot\system32\drivers\pdc.sys
