Channel: windows deep internals

Windows 10 1809 kernel sensors

After reading this article I was curious which information Microsoft gathers in its telemetry. There is a theoretical possibility to ask Microsoft via MVI, but the link to "apply for membership" gives a 404, lol. So, as usual, run IDA Pro and start with the KeInsertQueueApc function

We can see that the code checks EtwThreatIntProvRegHandle and somewhere inside the function calls the ETW logger function EtwTiLogInsertQueueUserApc. So let's collect the other ETW loggers that refer to EtwThreatIntProvRegHandle (and EtwSecurityMitigationsRegHandle too)


  • EtwThreatIntProvRegHandle - called from KeInsertQueueApc and IopfCompleteRequest
  • EtwTiLogSetContextThread - called from PspWow64SetContextThread & PspSetContextThreadInternal
  • EtwTiLogAllocExecVm - called from MiAllocateVirtualMemory
  • EtwTiLogProtectExecVm - called from NtProtectVirtualMemory
  • EtwTiLogReadWriteVm - called from MiReadWriteVirtualMemory
  • EtwTiLogDeviceObjectLoadUnload - called from IoDeleteDevice & IoCreateDevice
  • EtwTiLogDriverObjectLoad - called from IopLoadDriver & IoCreateDriver
  • EtwTiLogMapExecView - called from NtMapViewOfSection & MiMapViewOfSectionExCommon
  • EtwTiLogSuspendResumeProcess - called from PsThawProcess, PsFreezeProcess, PsResumeProcess & PsSuspendProcess
  • EtwTiLogSuspendResumeThread - called from PsSuspendThread & PsResumeThread
ETW loggers referring to EtwSecurityMitigationsRegHandle
  • EtwpTimLogMitigationForProcess - called from MiAllowImageMap
  • EtwTimLogProhibitDynamicCode - called from MiArbitraryCodeBlocked
  • EtwTimLogProhibitWin32kSystemCalls - called from PsConvertToGuiThread
  • EtwTimLogProhibitNonMicrosoftBinaries - called from MiValidateSectionSigningPolicy
  • EtwTimLogProhibitChildProcessCreation - called from SeSubProcessToken
  • EtwTimLogProhibitLowILImageMap - called from MiAllowImageMap

CfgMgr32.dll!CM_Register_Notification registered callbacks

Declaration of CM_Register_Notification:

CMAPI CONFIGRET CM_Register_Notification(
    PCM_NOTIFY_FILTER   pFilter,
    PVOID               pContext,
    PCM_NOTIFY_CALLBACK pCallback,
    PHCMNOTIFICATION    pNotifyContext
);
 
It's easy to recover the structures stored in EventSystemClientList:

field                    32-bit offset   64-bit offset
WORD signature 0xF097    0x0             0x0
LIST_ENTRY               0xC             0x18
CM_NOTIFY_FILTER         0x24            0x40
pCallback                0x1c4           0x1e0

Sample output on Windows 10 build 18898:

cfgmgr32.dll!EventSystemClientList at 00007FFA577A6810: 000001A570E25718
 client[0] callback 00007FFA564F95B0 C:\Windows\SYSTEM32\umpoext.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {4D1E55B2-F16F-11CF-88CB-001111000030} (DEVINTERFACE_HID)
 client[1] callback 00007FFA564FEDE0 C:\Windows\SYSTEM32\umpoext.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {45BD8344-7ED6-49CF-A440-C276C933B053} (DEVICE_ENERGY_METER)
 client[2] callback 00007FFA564FEDE0 C:\Windows\SYSTEM32\umpoext.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {E849804E-C719-43D8-AC88-96B894C191E2} (DEVICE_POWER_METER)
 client[3] callback 00007FFA58906710 C:\Windows\System32\sechost.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {1CA05180-A699-450A-9A0C-DE4FBE3DDD89} (DISPLAY_DEVICE_ARVIVAL)
 client[4] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {0850302A-B344-4FDA-9BE9-90576B8D46F0} (BTHPORT_DEVICE_INTERFACE)
 client[5] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {0850302A-B344-4FDA-9BE9-90576B8D46F0} (BTHPORT_DEVICE_INTERFACE)
 client[6] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {0850302A-B344-4FDA-9BE9-90576B8D46F0} (BTHPORT_DEVICE_INTERFACE)
 client[7] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {50DD5230-BA8A-11D1-BF5D-0000F805F530} (DEVINTERFACE_SMARTCARD_READER)
 client[8] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {121D8161-866D-4A24-BA58-9058940C0D47}
 client[9] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {97F115C8-599A-4153-8894-D2D12899918A} (SENSOR_TYPE_AMBIENT_LIGHT)
 client[10] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {A7029AAC-77DD-4DDD-959B-054F5574F4FB}
 client[11] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {DB524086-BA90-4E1E-BE42-894E94ECF289}
 client[12] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {E5323777-F976-4F5B-9B55-B94699C46E44} (KSCATEGORY_VIDEO_CAMERA)
 client[13] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {24E552D7-6523-47F7-A647-D3465BF1F5CA} (KSCATEGORY_SENSOR_CAMERA)
 client[14] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {4D1E55B2-F16F-11CF-88CB-001111000030} (DEVINTERFACE_HID)
 client[15] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {3336E5E4-018A-4669-84C5-BD05F3BD368B} (DEVINTERFACE_GNSS)
 client[16] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {00F40965-E89D-4487-9890-87C3ABB211F4} (BTH_DEVICE_INTERFACE)
 client[17] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {50DD5230-BA8A-11D1-BF5D-0000F805F530} (DEVINTERFACE_SMARTCARD_READER)
 client[18] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {121D8161-866D-4A24-BA58-9058940C0D47}
 client[19] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {C2FB0F5F-E2D2-4C78-BCD0-352A9582819D} (SENSOR_TYPE_ACCELEROMETER_3D)
 client[20] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {17A665C0-9063-4216-B202-5C7A255E18CE} (SENSOR_CATEGORY_LIGHT)
 client[21] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {CA19690F-A2C7-477D-A99E-99EC6E2B5648} (SENSOR_CATEGORY_BIOMETRIC)
 client[22] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {CD09DAF1-3B2E-4C3D-B598-B5E5FF93FD46} (SENSOR_CATEGORY_MOTION)
 client[23] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {C2FB0F5F-E2D2-4C78-BCD0-352A9582819D} (SENSOR_TYPE_ACCELEROMETER_3D)
 client[24] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {4F40006F-B933-4550-B532-2B58CEE614D3}
 client[25] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {34D14BE3-DEE4-41C8-9AE7-6B174977C192} (HV_FCOPY_GUID)
 client[26] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {57164F39-9115-4E78-AB55-382F3BD5422D}
 client[27] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {A9A0F4E7-5A45-4D96-B827-8A841E8C03E6}
 client[28] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {276AACF4-AC15-426C-98DD-7521AD3F01FE}
 client[29] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {0E0B6031-5213-4934-818B-38D90CED39DB} (HV_SHUTDOWN_GUID)
 client[30] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {9527E630-D0AE-497B-ADCE-E80AB0175CAF}
 client[31] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {999E53D4-3D5C-4C3E-8779-BED06EC056E1} (HV_GUID_VM_SESSION_SERVICE_ID)
 client[32] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {35FA2E29-EA23-4236-96AE-3A6EBACBA440}
 client[33] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {53F56307-B6BF-11D0-94F2-00A0C91EFB8B} (DEVINTERFACE_DISK)
 client[34] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {C1E9BC6D-1DAE-421A-9369-CC7FF0D6E359} (DEVINTERFACE_BUSENUM_MTPBTH)
 client[35] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {0850302A-B344-4FDA-9BE9-90576B8D46F0} (BTHPORT_DEVICE_INTERFACE)
 client[36] callback 00007FFA53AF7F00 c:\windows\system32\systemeventsbrokerserver.dll
  CM_NOTIFY_FILTER.FilterType: 0
  CM_NOTIFY_FILTER.Flags:      0
  DeviceInterface: {4D1E55B2-F16F-11CF-88CB-001111000030} (DEVINTERFACE_HID)
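As an added illustration of the layout above (my example code, not wincheck's or Microsoft's): a Python walker over a constructed 64-bit image of EventSystemClientList. The signature, LIST_ENTRY, CM_NOTIFY_FILTER and pCallback offsets are the 64-bit column of the table; the CM_NOTIFY_FILTER field order (cbSize, Flags, FilterType, Reserved, then the union holding the class GUID) comes from cfgmgr32.h, where the structure is 0x1A0 bytes on x64, which is why pCallback lands at 0x40 + 0x1A0 = 0x1E0. The total entry size 0x1E8, the entry addresses and the two sample clients are constructed; the list head address is the one printed in the dump.

```python
import struct
import uuid

# 64-bit offsets from the table in the post
SIG_OFFSET = 0x00           # WORD signature 0xF097
LIST_ENTRY_OFFSET = 0x18    # LIST_ENTRY {Flink, Blink}
FILTER_OFFSET = 0x40        # CM_NOTIFY_FILTER, 0x1A0 bytes on x64 (cfgmgr32.h)
CALLBACK_OFFSET = 0x1E0     # PCM_NOTIFY_CALLBACK, directly after the filter
CLIENT_SIGNATURE = 0xF097
CM_NOTIFY_FILTER_SIZE = 0x1A0
ENTRY_SIZE = 0x1E8          # assumption: nothing follows pCallback

# Interface GUIDs and names as they appear in the dump above
KNOWN_INTERFACES = {
    "4D1E55B2-F16F-11CF-88CB-001111000030": "DEVINTERFACE_HID",
    "53F56307-B6BF-11D0-94F2-00A0C91EFB8B": "DEVINTERFACE_DISK",
    "0850302A-B344-4FDA-9BE9-90576B8D46F0": "BTHPORT_DEVICE_INTERFACE",
}


class FakeMemory:
    """Sparse address -> bytes map standing in for ReadProcessMemory."""

    def __init__(self):
        self.regions = {}

    def write(self, addr, data):
        self.regions[addr] = bytes(data)

    def read(self, addr, size):
        for base, data in self.regions.items():
            if base <= addr and addr + size <= base + len(data):
                return data[addr - base:addr - base + size]
        raise ValueError(f"unmapped read at {addr:#x}")


def build_client(flink, blink, filter_type, flags, class_guid, callback):
    """Serialize one constructed client entry at the offsets above."""
    buf = bytearray(ENTRY_SIZE)
    struct.pack_into("<H", buf, SIG_OFFSET, CLIENT_SIGNATURE)
    struct.pack_into("<QQ", buf, LIST_ENTRY_OFFSET, flink, blink)
    # CM_NOTIFY_FILTER: cbSize, Flags, FilterType, Reserved, u.DeviceInterface.ClassGuid
    struct.pack_into("<IIII", buf, FILTER_OFFSET,
                     CM_NOTIFY_FILTER_SIZE, flags, filter_type, 0)
    buf[FILTER_OFFSET + 16:FILTER_OFFSET + 32] = uuid.UUID(class_guid).bytes_le
    struct.pack_into("<Q", buf, CALLBACK_OFFSET, callback)
    return bytes(buf)


def parse_client(mem, addr):
    """Read one client entry; signature and cbSize serve as sanity checks."""
    sig, = struct.unpack("<H", mem.read(addr + SIG_OFFSET, 2))
    if sig != CLIENT_SIGNATURE:
        raise ValueError(f"bad client signature {sig:#x} at {addr:#x}")
    cb_size, flags, ftype, _ = struct.unpack("<IIII", mem.read(addr + FILTER_OFFSET, 16))
    if cb_size != CM_NOTIFY_FILTER_SIZE:
        raise ValueError(f"unexpected CM_NOTIFY_FILTER.cbSize {cb_size:#x}")
    guid = str(uuid.UUID(bytes_le=mem.read(addr + FILTER_OFFSET + 16, 16))).upper()
    callback, = struct.unpack("<Q", mem.read(addr + CALLBACK_OFFSET, 8))
    return {"address": addr, "filter_type": ftype, "flags": flags, "guid": guid,
            "interface": KNOWN_INTERFACES.get(guid), "callback": callback}


def walk_client_list(mem, head_addr):
    """Follow LIST_ENTRY.Flink from the list head until it points back to the head."""
    clients = []
    flink, = struct.unpack("<Q", mem.read(head_addr, 8))
    while flink != head_addr:
        entry = flink - LIST_ENTRY_OFFSET  # CONTAINING_RECORD
        clients.append(parse_client(mem, entry))
        flink, = struct.unpack("<Q", mem.read(entry + LIST_ENTRY_OFFSET, 8))
        if len(clients) > 4096:
            raise ValueError("client list does not terminate")
    return clients


def format_client(idx, client):
    """Render one entry in the same shape as the wincheck dump above."""
    name = f" ({client['interface']})" if client["interface"] else ""
    return (f" client[{idx}] callback {client['callback']:016X}\n"
            f"  CM_NOTIFY_FILTER.FilterType: {client['filter_type']}\n"
            f"  CM_NOTIFY_FILTER.Flags:      {client['flags']}\n"
            f"  DeviceInterface: {{{client['guid']}}}{name}")


def build_sample_memory():
    """Two-entry list: head address as in the dump above, entry addresses constructed."""
    head, e0, e1 = 0x00007FFA577A6810, 0x000001A570E25700, 0x000001A570E25900
    mem = FakeMemory()
    mem.write(head, struct.pack("<QQ", e0 + LIST_ENTRY_OFFSET, e1 + LIST_ENTRY_OFFSET))
    mem.write(e0, build_client(e1 + LIST_ENTRY_OFFSET, head, 0, 0,
                               "4D1E55B2-F16F-11CF-88CB-001111000030", 0x00007FFA564F95B0))
    mem.write(e1, build_client(head, e0 + LIST_ENTRY_OFFSET, 0, 0,
                               "53F56307-B6BF-11D0-94F2-00A0C91EFB8B", 0x00007FFA53AF7F00))
    return mem, head


if __name__ == "__main__":
    mem, head = build_sample_memory()
    for i, c in enumerate(walk_client_list(mem, head)):
        print(format_client(i, c))
```

Against a live process the only piece to swap is FakeMemory.read for a real memory reader; the signature and cbSize checks are what stop a corrupted or mis-resolved list head from being walked as if it were valid.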

wincheck rc8.61

download
mirror
Changelog:
  • add support of Windows 10 RS4, 1809 & 1903
  • add support of Windows 10 build 18922, but seems that this build hangs on RPC interfaces enumeration
  • add dumping of AlpcpLogCallbackListHead (with -alpc option)
  • add dumping of CfgMgr32.dll!CM_Register_Notification registered callbacks
  • add dumping of providers from mpr.dll
  • add new command line options:
    • -denc - dump ntdll registered enclaves
    • -dynf - dump registered dynamic functions from RtlpDynamicFunctionTable
    • -dkt - dump kernel tracepoints
    • -vf - dump kernel verifier tables
    • -fs - dump DRIVER_OBJECTs registered with IoRegisterFsRegistrationChangeMountAware function
  • lots of bugs were fixed (and added, as usual)

new RFG reloc types

It seems that since approximately build 18922 Microsoft has turned on retpoline.
This is implemented as RFG relocations with 3 new types:

Type 3
typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
    DWORD       PageRelativeOffset : 12;
    DWORD       IndirectCall       : 1;
    DWORD       IATIndex           : 19;
} IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION;


Looks like IAT function calling patch:
     call    cs:__imp_PshedFreeMemory
     nop     dword ptr [rax+rax+00h]


Type 4
typedef struct _IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION {
    WORD        PageRelativeOffset : 12;
    WORD        IndirectCall       : 1;
    WORD        RexWPrefix         : 1;
    WORD        CfgCheck           : 1;
    WORD        Reserved           : 1;
} IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION;


Looks like call reg patch:
    call    rax
    nop     dword ptr [rax]


Type 5
typedef struct _IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION {
    WORD        PageRelativeOffset : 12;
    WORD        RegisterNumber     : 4;
} IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION;


Looks like call reg in switch patch:
   mov     ecx, ds:rva off_14000DEBC[rdx+rdi*4]
   add     rcx, rdx
   jmp     rcx             ; switch jump
   db 4 dup(0CCh)


Today I patched my RFG plugin for IDA Pro to support these new types
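As an added example (my code, not the author's IDA plugin), a decoder for the three record types above, run over a constructed table. The outer layout, an IMAGE_DYNAMIC_RELOCATION64 header {Symbol, BaseRelocSize} followed by ordinary IMAGE_BASE_RELOCATION pages {VirtualAddress, SizeOfBlock}, is the winnt.h layout, and the symbol values 3, 4 and 5 are the type numbers above; the bitfields are exactly the three structs above. The page RVAs and record values are made up, and padding of odd-length pages is not modelled.

```python
import struct

# Symbol values of IMAGE_DYNAMIC_RELOCATION64 for the three record types above
IMPORT_CONTROL_TRANSFER = 3   # IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION, 4 bytes
INDIR_CONTROL_TRANSFER = 4    # IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION, 2 bytes
SWITCHTABLE_BRANCH = 5        # IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION, 2 bytes
RECORD_FORMAT = {IMPORT_CONTROL_TRANSFER: "<I", INDIR_CONTROL_TRANSFER: "<H",
                 SWITCHTABLE_BRANCH: "<H"}
X64_REGISTERS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
                 "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_record(symbol, value):
    """Split one record into the bitfields of the matching struct."""
    rec = {"type": symbol, "page_offset": value & 0xFFF}
    if symbol == IMPORT_CONTROL_TRANSFER:
        rec.update(indirect_call=(value >> 12) & 1, iat_index=value >> 13)
    elif symbol == INDIR_CONTROL_TRANSFER:
        rec.update(indirect_call=(value >> 12) & 1, rex_w_prefix=(value >> 13) & 1,
                   cfg_check=(value >> 14) & 1, reserved=(value >> 15) & 1)
    elif symbol == SWITCHTABLE_BRANCH:
        rec.update(register=value >> 12, register_name=X64_REGISTERS[value >> 12])
    else:
        raise ValueError(f"unsupported dynamic relocation symbol {symbol}")
    return rec


def decode_dynamic_relocations(blob):
    """Walk consecutive IMAGE_DYNAMIC_RELOCATION64 entries and their
    IMAGE_BASE_RELOCATION pages; return one dict per record with its RVA."""
    records, offset = [], 0
    while offset < len(blob):
        symbol, base_reloc_size = struct.unpack_from("<QI", blob, offset)
        offset += 12
        end = offset + base_reloc_size
        if end > len(blob):
            raise ValueError("BaseRelocSize runs past the end of the table")
        fmt = RECORD_FORMAT.get(symbol)
        if fmt is None:
            raise ValueError(f"unsupported dynamic relocation symbol {symbol}")
        rec_size = struct.calcsize(fmt)
        while offset < end:
            page_rva, size_of_block = struct.unpack_from("<II", blob, offset)
            if size_of_block < 8 or offset + size_of_block > end:
                raise ValueError(f"malformed IMAGE_BASE_RELOCATION at {offset:#x}")
            for rec_off in range(offset + 8, offset + size_of_block, rec_size):
                value, = struct.unpack_from(fmt, blob, rec_off)
                rec = decode_record(symbol, value)
                rec["rva"] = page_rva + rec["page_offset"]
                records.append(rec)
            offset += size_of_block
    return records


def build_dynamic_relocation(symbol, pages):
    """Serialize one IMAGE_DYNAMIC_RELOCATION64 entry; pages = [(page_rva, [values])]."""
    fmt = RECORD_FORMAT[symbol]
    body = b""
    for page_rva, values in pages:
        body += struct.pack("<II", page_rva, 8 + struct.calcsize(fmt) * len(values))
        body += b"".join(struct.pack(fmt, v) for v in values)
    return struct.pack("<QI", symbol, len(body)) + body


def build_sample_table():
    """Constructed table with one entry of each type (RVAs and values are made up)."""
    # page 0x1000: a 'call cs:__imp_X' site at +0x3A0, IndirectCall=1, IATIndex=0x25
    t3 = build_dynamic_relocation(IMPORT_CONTROL_TRANSFER,
                                  [(0x1000, [0x3A0 | (1 << 12) | (0x25 << 13)])])
    # page 0x2000: a 'call reg' site at +0x120 with CfgCheck=1, and a plain site at +0x4C8
    t4 = build_dynamic_relocation(INDIR_CONTROL_TRANSFER,
                                  [(0x2000, [0x120 | (1 << 12) | (1 << 14), 0x4C8])])
    # page 0x3000: switch jumps through rcx (register 1) at +0x7F4 and rax at +0x9C0
    t5 = build_dynamic_relocation(SWITCHTABLE_BRANCH,
                                  [(0x3000, [0x7F4 | (1 << 12), 0x9C0])])
    return t3 + t4 + t5


if __name__ == "__main__":
    for rec in decode_dynamic_relocations(build_sample_table()):
        print(rec)
```

Locating the table itself (the IMAGE_DYNAMIC_RELOCATION_TABLE {Version, Size} header reached through the load config directory) is not shown; the decoder refuses unknown symbols rather than guessing a record size, which is the behaviour you want when a table contains an unexpected type.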

there will be no more new versions of wincheck

because all the source code belongs to my former employer,
and I do not have the time and motivation to rewrite it for free.
Sorry

kernel resource FUNCTIONEXTENTLIST

Today I committed a plugin for processing the 64-bit kernel resource named "FUNCTIONEXTENTLIST" (located in RCDATA)

It seems that processing of this resource happens in a huge unnamed sub called from the famous KiFilterFiberContext, so this is apparently part of PatchGuard. The format of this resource is relatively simple.
At the start we have the signature CTXE for compressed data (LTXE for non-compressed data, but I have never seen this). The data is unpacked with the RtlDecompressBufferEx function. In the unpacked data we have a table of offset pairs: the first points to a RUNTIME_FUNCTION recognised by IDA and the second to some additional RUNTIME_FUNCTION (which IDA Pro usually skips for an unknown reason)

And even after running this plugin there are still lots of apparently valid RUNTIME_FUNCTION entries in the .pdata section that are not picked up - I don't know why

last version of wincheck

It's the last version because of the reason given in the previous post.
My former employer was so nice that he allowed me to publish this build. Btw, I am looking for a new job

Download
Mirror

Changelog: 
  • add support of Windows 1909
  • add support of new RFG relocs. As usual, the kernel itself has a bad IMAGE_DYNAMIC_RELOCATION_TABLE - it contains a zero type somewhere inside IMAGE_DYNAMIC_RELOCATION
  • add dumping of WMI_LOGGER_CONTEXTs for InfinityHook detection (with -wmi option)
  • add dumping of PsAltSystemCallHandlers
  • add dumping of PoPdcCallbacks (with -pofx option)
  • add dumping of PpmPlatformStates (with -ppm option)
  • add dumping of callbacks registered with the RtlRegisterFeatureConfigurationChangeNotification function

typos in "Linux Device Drivers Development"

I decided in retirement to fill the gaps in my education, so now I am reading the book "Linux Device Drivers Development" and noticed lots of annoying typos in the code samples

page 65:
/* some where */
spinlock_t my_spinlock;
spin_lock_init(my_spinlock);
static irqreturn_t my_irq_handler(int irq, void *data)
{
 unsigned long status, flags;
 spin_lock_irqsave(&my_spinlock, flags);
 status = access_shared_resources();
 spin_unlock_irqrestore(&gpio->slock, flags); // wut? &my_spinlock
 return IRQ_HANDLED;
}


page 103-104:
struct my_data {
 int my_int_var;
 struct tasklet_struct the_tasklet;
 int dma_request;
};


static irqreturn_t my_irq_handler(int irq, void *dev_id)
{
  struct my_data *md = dev_id;
  /* Let's schedule our tasklet */
  tasklet_schedule(&md.dma_tasklet); // wut? &md->the_tasklet
  return IRQ_HANDLED;
}

And so on. It seems the code samples look like a Frankenstein ripped from random kernel places

using devm_kzalloc unchecked result in linux kernel 4.18

Managed Device Resources (described in Documentation/driver-model/devres.txt) are a witty technique for lazy developers. Unfortunately it does not exempt you from the need to check results. I decided to see if there are such places in the linux kernel (which can lead to a null pointer dereference). The right way to do it is to use a static analyzer like clang, coverity or PVS Studio. But I am too lazy, so I wrote a simple and naive perl script and ran it on the linux kernel 4.18 source tree. It found 56 cases (out of a total of 4173 where devm_kzalloc was used) - not too many for manual checking. So let's see what we have

impd1_probe in arch/arm/mach-integrator/impd1.c:
            lookup = devm_kzalloc(&dev->dev,
                          sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup),
                          GFP_KERNEL);
            chipname = devm_kstrdup(&dev->dev, devname, GFP_KERNEL);
            mmciname = kasprintf(GFP_KERNEL, "lm%x:00700", dev->id);
            lookup->dev_id = mmciname;



st_sensors_of_probe in drivers/iio/common/st_sensors/st_sensors_core.c:
    pdata = devm_kzalloc(dev, sizeof(*pdata), GFP_KERNEL);
    if (!of_property_read_u32(np, "st,drdy-int-pin", &val) && (val <= 2))
        pdata->drdy_int_pin = (u8) val;
    else
        pdata->drdy_int_pin = defdata ? defdata->drdy_int_pin : 0;

    pdata->open_drain = of_property_read_bool(np, "drive-open-drain");



sm501_register_gpio_i2c_instance in drivers/mfd/sm501.c:
    lookup = devm_kzalloc(&pdev->dev,
                  sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup),
                  GFP_KERNEL);
    lookup->dev_id = "i2c-gpio";
    if (iic->pin_sda < 32)
        lookup->table[0].chip_label = "SM501-LOW";
    else
        lookup->table[0].chip_label = "SM501-HIGH";
    lookup->table[0].chip_hwnum = iic->pin_sda % 32;
    lookup->table[0].con_id = NULL;
    lookup->table[0].idx = 0;
    lookup->table[0].flags = GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN;


rt2880_pinmux_index in drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c:
            f[c]->groups = devm_kzalloc(p->dev, sizeof(int), GFP_KERNEL);
            f[c]->groups[0] = i;


rt2880_pinmux_probe in drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c

        range = devm_kzalloc(p->dev, sizeof(struct pinctrl_gpio_range) + 4, GFP_KERNEL);
        range->name = name = (char *) &range[1];
        sprintf(name, "pio");
        range->npins = __be32_to_cpu(*ngpio);
        range->base = __be32_to_cpu(*gpiobase);
        range->pin_base = range->base;





rt5514_spi_pcm_probe in sound/soc/codecs/rt5514-spi.c:
    rt5514_dsp = devm_kzalloc(component->dev, sizeof(*rt5514_dsp),
            GFP_KERNEL);

    rt5514_dsp->dev = &rt5514_spi->dev;
    mutex_init(&rt5514_dsp->dma_lock);



rt5663_parse_dp in sound/soc/codecs/rt5663.c:
        rt5663->imp_table = devm_kzalloc(dev, table_size, GFP_KERNEL);
        device_property_read_u32_array(dev,
            "realtek,impedance_sensing_table",
            (u32 *)rt5663->imp_table, table_size);



Perl script used to find these bugs:

#!perl -w
use strict;
use warnings;
use File::Find;

my $kz_count = 0;   # total "var = devm_kzalloc(" assignments seen
my $bad_kz   = 0;   # assignments whose result is not checked on the next line

sub wanted
{
  my $fname = $_;
  return if ( ! -f $fname );
  return if ( $fname !~ /\.c$/i );
  my($fh, $str);
  open($fh, '<', $fname) or die("Cannot open file $fname, error $!\n");
  # state 0 - looking for "var = devm_kzalloc("
  # state 1 - the next non-empty line must check var
  # state 2 - inside a multi-line devm_kzalloc call, waiting for ';'
  my $state = 0;
  my @vars;
  while($str = <$fh>)
  {
    chomp $str;
    $str =~ s/\s*$//;
    if ( !$state )
    {
      next if ( $str !~ /^\s*(\S+) = devm_kzalloc\(/ );
      $kz_count++;
      push(@vars, $1);
      $state = 1;
      $state = 2 if ( $str !~ /;$/ );
      next;
    }
    $str =~ s/^\s*//;
    next if $str eq '';
    if ( $state == 1 )
    {
      my $var;
      foreach $var ( @vars )
      {
        # \Q...\E quotes names like f[c]->groups so [ and -> match literally
        if ( $str !~ /\!\Q$var\E/ &&
             $str !~ /\Q$var\E == NULL/ &&
             $str !~ /NULL == \Q$var\E/ )
        {
          $bad_kz++;
          printf("%s: %s\n", $var, $File::Find::name);
        }
      }
      @vars = ();
      $state = 0;
      next;
    }
    if ( 2 == $state )
    {
      $state = 1 if ( $str =~ /;$/ );
    }
  }
  close $fh;
}

# main
my @dirs;
push @dirs, ".";
find(\&wanted, @dirs);
printf("total: %d bad %d\n", $kz_count, $bad_kz);

using devm_kcalloc unchecked result in linux kernel

Part I
This time I add references to the linux kernel on github - although I ran my naive code analyzer on version 4.18, all the bugs found have a long and happy life in the current source tree

gb_generate_enum_strings in drivers/staging/greybus/audio_topology.c:
strings = devm_kcalloc(gb->dev, items, sizeof(char *), GFP_KERNEL);
data = gbenum->names;

for (i = 0; i < items; i++) {
  strings[i] = (const char *)data;


rt2880_pinmux_pins in drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c:  
p->func[i]->pins = devm_kcalloc(p->dev,
                p->func[i]->pin_count,
                sizeof(int),
                GFP_KERNEL);
for (j = 0; j < p->func[i]->pin_count; j++)
  p->func[i]->pins[j] = p->func[i]->pin_first + j;


Using unchecked result from devm_kmalloc_array:
ti_sci_scan_clocks_from_fw in drivers/clk/keystone/sci-clk.c:
tmp_clks = devm_kmalloc_array(dev, max_clks + 64,
                  sizeof(sci_clk),
                  GFP_KERNEL);
memcpy(tmp_clks, clks, max_clks * sizeof(sci_clk));


Doubtful case (I think it has delayed effects because there are no checks for the ports field) - function mscc_ocelot_probe in drivers/net/ethernet/mscc/ocelot_board.c
ocelot->ports = devm_kcalloc(&pdev->dev, ocelot->num_phys_ports,
                     sizeof(struct ocelot_port *), GFP_KERNEL);
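As an added example serving both this post and the devm_kzalloc one above (my code, not the author's perl script), the same naive state machine reimplemented in Python and extended to the three allocators the two posts show: devm_kzalloc, devm_kcalloc and devm_kmalloc_array. It is run over three constructed snippets, two adapted from the impd1_probe and rt2880_pinmux_pins fragments above and one with the NULL check in place; the file path drivers/example/checked.c is made up.

```python
import re

# devm_* allocators whose NULL result the posts show being used unchecked
ALLOCATORS = ("devm_kzalloc", "devm_kcalloc", "devm_kmalloc_array")
ASSIGN_RE = re.compile(r"^\s*(\S+)\s*=\s*(" + "|".join(ALLOCATORS) + r")\(")


def find_unchecked_devm_allocs(source, filename="<input>"):
    """Return (total_allocations, findings).

    Same state machine as the perl script: after 'var = devm_xxx(' the next
    non-empty line (once a multi-line call has reached its ';') must test var
    with !var, var == NULL or NULL == var, otherwise the allocation is reported.
    """
    findings, total = [], 0
    pending = None       # (var, allocator, line number) awaiting its NULL check
    in_call = False      # still inside a call that spans several lines
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if pending is None:
            m = ASSIGN_RE.match(raw)
            if not m:
                continue
            total += 1
            pending = (m.group(1), m.group(2), lineno)
            in_call = not line.endswith(";")
            continue
        if not line:
            continue
        if in_call:
            in_call = not line.endswith(";")
            continue
        var = re.escape(pending[0])   # names like f[c]->groups must match literally
        checked = re.search(rf"!\s*{var}|{var}\s*==\s*NULL|NULL\s*==\s*{var}", line)
        if not checked:
            findings.append({"file": filename, "var": pending[0],
                             "allocator": pending[1], "line": pending[2],
                             "next": line})
        pending = None
    return total, findings


# Constructed inputs: two snippets adapted from the posts plus one checked case.
SAMPLE_SOURCES = {
    "arch/arm/mach-integrator/impd1.c": """
        lookup = devm_kzalloc(&dev->dev,
                              sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup),
                              GFP_KERNEL);
        chipname = devm_kstrdup(&dev->dev, devname, GFP_KERNEL);
        lookup->dev_id = mmciname;
""",
    "drivers/example/checked.c": """
        pdata = devm_kzalloc(dev, sizeof(*pdata), GFP_KERNEL);
        if (!pdata)
                return -ENOMEM;
        pdata->open_drain = true;
""",
    "drivers/staging/mt7621-pinctrl/pinctrl-rt2880.c": """
        p->func[i]->pins = devm_kcalloc(p->dev,
                                        p->func[i]->pin_count,
                                        sizeof(int),
                                        GFP_KERNEL);
        for (j = 0; j < p->func[i]->pin_count; j++)
                p->func[i]->pins[j] = p->func[i]->pin_first + j;
""",
}


def scan_sources(sources):
    """Run the checker over a {filename: text} map, like File::Find over a tree."""
    total, findings = 0, []
    for filename, text in sources.items():
        n, found = find_unchecked_devm_allocs(text, filename)
        total += n
        findings.extend(found)
    return total, findings


if __name__ == "__main__":
    total, findings = scan_sources(SAMPLE_SOURCES)
    for f in findings:
        print(f"{f['var']}: {f['file']}:{f['line']} ({f['allocator']})")
    print(f"total: {total} bad {len(findings)}")
```

The checker only looks at the one line after the allocation, so a check placed a few lines later is reported as a false positive and a dereference hidden behind an unrelated `if` on the next line is missed; it is a triage aid, not a replacement for the static analyzers the post names.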

PiPnpRtlCtx

Since Windows 8 Microsoft has introduced a new structure for PnP device management with lots of function pointers - PiPnpRtlCtx

It's referenced from lots of exported functions, but I think the most comfortable ones for RE are IoOpenDeviceRegistryKey and IoOpenDeviceInterfaceRegistryKey. You can gather the address of PiPnpRtlCtx with one pass of disassembling - it will be the first address loaded from the .data section after the call to ExAcquireResourceExclusiveLite

This structure is allocated and partially initialized in the function PnpCtxOpenMachine. There are at least 3 versions with different sizes:
  • 0xac for 32 bit/0x158 for x64 - used in w8, w8.1 and in w10 up to est.build 14279
  • 0xb0 for 32 bit/0x160 for x64 - used in w10 up to est. build 16299
  • 0x10c for 32 bit/0x210 for x64 - used in w10 since est. build 17134
This struct has lots of pointers to functions (see also PiPnpRtlInit):

Size (32-bit/x64)                    0xac/0x156    0xb0/0x160    0x10c/0x210
PiRtlObjectActionCallback offset     0x98/0x130    0x9c/0x138    0xf8/0x1e8
PiRtlCmActionCallback offset         0xa0/0x140    0xa4/0x148    0x100/0x1f8
PiRtlObjectEventCallback offset      0x9c/0x138    0xa0/0x140    0xfc/0x1f0
PnpDispatchDevice offset             0x44/0x88     0x48/0x90     0x9c/0x130
PnpDispatchInstallerClass offset     0x48/0x90     0x4c/0x98     0xa0/0x138
PnpDispatchDeviceInterface offset    0x4c/0x98     0x50/0xa0     0xa4/0x140
PnpDispatchInterfaceClass offset     0x50/0xa0     0x54/0xa8     0xa8/0x148
PnpDispatchInterfaceClass offset     0x54/0xa8     0x58/0xb0     0xac/0x150
PnpDispatchDevicePanel offset        -             -             0xb0/0x158

There is also the function PnpCtxSetNtPlugPlayRoutine which sets up to 6 pfns:
  1. PiPnpRtlGetDeviceNtPropertyRoutine
  2. PiPnpRtlGetDeviceStatus
  3. PiPnpRtlGetDeviceRelatedDeviceRoutine
  4. PiPnpRtlGetDeviceRelationsList
  5. PiPnpRtlGetDeviceInterfaceEnabled
As you can guess from the names of these functions, by patching the struct PiPnpRtlCtx one can monitor PnP devices: their connection, property queries, etc.
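Since patching these pointers is the concern, the defender's counterpart is to read them back and confirm each one still points into a known module. The following is an added example (my code, not wincheck's): it picks the x64 layout by structure size using the offsets from the table above (keyed by the x64 sizes 0x158, 0x160 and 0x210 from the list; the second PnpDispatchInterfaceClass row is left out because its name is ambiguous) and reports any pointer outside the supplied module ranges. The structure image, the ntoskrnl.exe base and size and the stray pointer value are all constructed.

```python
import struct

# x64 offsets from the table above, keyed by the x64 size of each layout
PNP_RTL_CTX_LAYOUTS = {
    0x158: {"PnpDispatchDevice": 0x88, "PnpDispatchInstallerClass": 0x90,
            "PnpDispatchDeviceInterface": 0x98, "PnpDispatchInterfaceClass": 0xA0,
            "PiRtlObjectActionCallback": 0x130, "PiRtlObjectEventCallback": 0x138,
            "PiRtlCmActionCallback": 0x140},
    0x160: {"PnpDispatchDevice": 0x90, "PnpDispatchInstallerClass": 0x98,
            "PnpDispatchDeviceInterface": 0xA0, "PnpDispatchInterfaceClass": 0xA8,
            "PiRtlObjectActionCallback": 0x138, "PiRtlObjectEventCallback": 0x140,
            "PiRtlCmActionCallback": 0x148},
    0x210: {"PnpDispatchDevice": 0x130, "PnpDispatchInstallerClass": 0x138,
            "PnpDispatchDeviceInterface": 0x140, "PnpDispatchInterfaceClass": 0x148,
            "PnpDispatchDevicePanel": 0x158, "PiRtlObjectActionCallback": 0x1E8,
            "PiRtlObjectEventCallback": 0x1F0, "PiRtlCmActionCallback": 0x1F8},
}


def owner_of(address, modules):
    """Name of the module whose [base, base+size) contains address, or None."""
    for name, (base, size) in modules.items():
        if base <= address < base + size:
            return name
    return None


def check_pnp_rtl_ctx(image, modules):
    """Read every known function pointer from a PiPnpRtlCtx image (layout chosen
    by its size) and pair it with the module it points into, if any."""
    layout = PNP_RTL_CTX_LAYOUTS.get(len(image))
    if layout is None:
        raise ValueError(f"unknown PiPnpRtlCtx size {len(image):#x}")
    report = []
    for field, offset in sorted(layout.items(), key=lambda kv: kv[1]):
        value, = struct.unpack_from("<Q", image, offset)
        report.append((field, value, owner_of(value, modules)))
    return report


def suspicious_fields(image, modules):
    """Non-NULL pointers that land outside every known module."""
    return [field for field, value, owner in check_pnp_rtl_ctx(image, modules)
            if value and owner is None]


def build_sample():
    """Constructed 0x210-byte image: every pointer inside a made-up ntoskrnl.exe
    range except PiRtlCmActionCallback, which points somewhere unknown."""
    modules = {"ntoskrnl.exe": (0xFFFFF80000400000, 0x00A00000)}
    image = bytearray(0x210)
    for i, (field, offset) in enumerate(PNP_RTL_CTX_LAYOUTS[0x210].items()):
        target = 0xFFFFF80000400000 + 0x1000 * (i + 1)
        if field == "PiRtlCmActionCallback":
            target = 0xFFFFAB0012345678  # outside every known module
        struct.pack_into("<Q", image, offset, target)
    return bytes(image), modules


if __name__ == "__main__":
    image, modules = build_sample()
    for field, value, owner in check_pnp_rtl_ctx(image, modules):
        print(f"{field:28s} {value:016X} {owner or '<unknown>'}")
```

On a real system the module list comes from the loaded-module enumeration and the image from a kernel read at the address resolved as described above; a pointer into a third-party driver is not necessarily hostile, but it is exactly the thing that deserves a look.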

W32pServiceTable from windows 10 build 19577 64bit

W32pServiceLimit .eq. 0x5AD
Btw what does prefix NtModerncore mean?

NtUserGetThreadState
NtUserPeekMessage
NtUserCallOneParam
NtUserGetKeyState
NtUserInvalidateRect
NtUserCallNoParam
NtUserGetMessage
NtUserMessageCall
NtGdiBitBlt
NtGdiGetCharSet
NtUserGetDC
NtGdiSelectBitmap
NtUserWaitMessage
NtUserTranslateMessage
NtUserGetProp
NtUserPostMessage
NtUserQueryWindow
NtUserTranslateAccelerator
NtGdiFlush
NtUserRedrawWindow
NtUserWindowFromPoint
NtUserCallMsgFilter
NtUserValidateTimerCallback
NtUserBeginPaint
NtUserSetTimer
NtUserEndPaint
NtUserSetCursor
NtUserKillTimer
NtUserBuildHwndList
NtUserSelectPalette
NtUserCallNextHookEx
NtUserHideCaret
NtGdiIntersectClipRect
NtUserCallHwndLock
NtUserGetProcessWindowStation
NtGdiDeleteObjectApp
NtUserSetWindowPos
NtUserShowCaret
NtUserEndDeferWindowPosEx
NtUserCallHwndParamLock
NtUserVkKeyScanEx
NtGdiSetDIBitsToDeviceInternal
NtUserCallTwoParam
NtGdiGetRandomRgn
NtUserCopyAcceleratorTable
NtUserNotifyWinEvent
NtGdiExtSelectClipRgn
NtUserIsClipboardFormatAvailable
NtUserSetScrollInfo
NtGdiStretchBlt
NtUserCreateCaret
NtGdiRectVisible
NtGdiCombineRgn
NtGdiGetDCObject
NtUserDispatchMessage
NtUserRegisterWindowMessage
NtGdiExtTextOutW
NtGdiSelectFont
NtGdiRestoreDC
NtGdiSaveDC
NtUserGetForegroundWindow
NtUserShowScrollBar
NtUserFindExistingCursorIcon
NtGdiGetDCDword
NtGdiGetRegionData
NtGdiLineTo
NtUserSystemParametersInfo
NtGdiGetAppClipBox
NtUserGetAsyncKeyState
NtUserGetCPD
NtUserRemoveProp
NtGdiDoPalette
NtGdiPolyPolyDraw
NtUserSetCapture
NtUserEnumDisplayMonitors
NtGdiCreateCompatibleBitmap
NtUserSetProp
NtGdiGetTextCharsetInfo
NtUserSBGetParms
NtUserGetIconInfo
NtUserExcludeUpdateRgn
NtUserSetFocus
NtGdiExtGetObjectW
NtUserGetUpdateRect
NtGdiCreateCompatibleDC
NtUserGetClipboardSequenceNumber
NtGdiCreatePen
NtUserShowWindow
NtUserGetKeyboardLayoutList
NtGdiPatBlt
NtUserMapVirtualKeyEx
NtUserSetWindowLong
NtGdiHfontCreate
NtUserMoveWindow
NtUserPostThreadMessage
NtUserDrawIconEx
NtUserGetSystemMenu
NtGdiDrawStream
NtUserInternalGetWindowText
NtUserGetWindowDC
NtGdiInvertRgn
NtGdiGetRgnBox
NtGdiGetAndSetDCDword
NtGdiMaskBlt
NtGdiGetWidthTable
NtUserScrollDC
NtUserGetObjectInformation
NtGdiCreateBitmap
NtUserFindWindowEx
NtGdiPolyPatBlt
NtUserUnhookWindowsHookEx
NtGdiGetNearestColor
NtGdiTransformPoints
NtGdiGetDCPoint
NtGdiCreateDIBBrush
NtGdiGetTextMetricsW
NtUserCreateWindowEx
NtUserSetParent
NtUserGetKeyboardState
NtUserToUnicodeEx
NtUserGetControlBrush
NtUserGetClassName
NtGdiAlphaBlend
NtGdiOffsetRgn
NtUserDefSetText
NtGdiGetTextFaceW
NtGdiStretchDIBitsInternal
NtUserSendInput
NtUserGetThreadDesktop
NtGdiCreateRectRgn
NtGdiGetDIBitsInternal
NtUserGetUpdateRgn
NtGdiDeleteClientObj
NtUserGetIconSize
NtUserFillWindow
NtGdiExtCreateRegion
NtGdiComputeXformCoefficients
NtUserSetWindowsHookEx
NtUserNotifyProcessCreate
NtGdiUnrealizeObject
NtUserGetTitleBarInfo
NtGdiRectangle
NtUserSetThreadDesktop
NtUserGetDCEx
NtUserGetScrollBarInfo
NtGdiGetTextExtent
NtUserSetWindowFNID
NtGdiSetLayout
NtUserCalcMenuBar
NtUserThunkedMenuItemInfo
NtGdiExcludeClipRect
NtGdiCreateDIBSection
NtGdiGetDCforBitmap
NtUserDestroyCursor
NtUserDestroyWindow
NtUserCallHwndParam
NtGdiCreateDIBitmapInternal
NtUserOpenWindowStation
NtUserSetCursorIconData
NtUserCloseDesktop
NtUserOpenDesktop
NtUserSetProcessWindowStation
NtUserGetAtomName
NtGdiExtCreatePen
NtGdiCreatePaletteInternal
NtGdiSetBrushOrg
NtUserBuildNameList
NtGdiSetPixel
NtUserRegisterClassExWOW
NtGdiCreatePatternBrushInternal
NtUserGetAncestor
NtGdiGetOutlineTextMetricsInternalW
NtGdiSetBitmapBits
NtUserCloseWindowStation
NtUserGetDoubleClickTime
NtUserEnableScrollBar
NtGdiCreateSolidBrush
NtUserGetClassInfoEx
NtGdiCreateClientObj
NtUserUnregisterClass
NtUserDeleteMenu
NtGdiRectInRegion
NtUserScrollWindowEx
NtGdiGetPixel
NtUserSetClassLong
NtUserGetMenuBarInfo
NtGdiGetNearestPaletteIndex
NtGdiGetCharWidthW
NtUserInvalidateRgn
NtUserGetClipboardOwner
NtUserSetWindowRgn
NtUserBitBltSysBmp
NtGdiGetCharWidthInfo
NtUserValidateRect
NtUserCloseClipboard
NtUserOpenClipboard
NtUserSetClipboardData
NtUserEnableMenuItem
NtUserAlterWindowStyle
NtGdiFillRgn
NtUserGetWindowPlacement
NtGdiModifyWorldTransform
NtGdiGetFontData
NtUserGetOpenClipboardWindow
NtUserSetThreadState
NtGdiOpenDCW
NtUserTrackMouseEvent
NtGdiGetTransform
NtUserDestroyMenu
NtGdiGetBitmapBits
NtUserConsoleControl
NtUserSetActiveWindow
NtUserSetInformationThread
NtUserSetWindowPlacement
NtUserGetControlColor
NtGdiSetMetaRgn
NtGdiSetMiterLimit
NtGdiSetVirtualResolution
NtGdiGetRasterizerCaps
NtUserSetWindowWord
NtUserGetClipboardFormatName
NtUserRealInternalGetMessage
NtUserCreateLocalMemHandle
NtUserAttachThreadInput
NtGdiCreateHalftonePalette
NtUserPaintMenuBar
NtUserSetKeyboardState
NtGdiCombineTransform
NtUserCreateAcceleratorTable
NtUserGetCursorFrameInfo
NtUserGetAltTabInfo
NtUserGetCaretBlinkTime
NtGdiQueryFontAssocInfo
NtUserProcessConnect
NtUserEnumDisplayDevices
NtUserEmptyClipboard
NtUserGetClipboardData
NtUserRemoveMenu
NtGdiSetBoundsRect
NtGdiGetBitmapDimension
NtUserConvertMemHandle
NtUserDestroyAcceleratorTable
NtUserGetGUIThreadInfo
NtGdiCloseFigure
NtUserSetWindowsHookAW
NtUserSetMenuDefaultItem
NtUserCheckMenuItem
NtUserSetWinEventHook
NtUserUnhookWinEvent
NtUserLockWindowUpdate
NtUserSetSystemMenu
NtUserThunkedMenuInfo
NtGdiBeginPath
NtGdiEndPath
NtGdiFillPath
NtUserCallHwnd
NtUserDdeInitialize
NtUserModifyUserStartupInfoFlags
NtUserCountClipboardFormats
NtGdiAddFontMemResourceEx
NtGdiEqualRgn
NtGdiGetSystemPaletteUse
NtGdiRemoveFontMemResourceEx
NtUserEnumDisplaySettings
NtUserPaintDesktop
NtGdiExtEscape
NtGdiSetBitmapDimension
NtGdiSetFontEnumeration
NtUserChangeClipboardChain
NtUserSetClipboardViewer
NtUserShowWindowAsync
NtGdiCreateColorSpace
NtGdiDeleteColorSpace
NtUserActivateKeyboardLayout
NtBindCompositionSurface
NtCloseCompositionInputSink
NtCompositionInputThread
NtCompositionSetDropTarget
NtCompositorNotifyExitWindows
NtConfigureInputSpace
NtCreateCompositionInputSink
NtCreateCompositionSurfaceHandle
NtCreateImplicitCompositionInputSink
NtDCompositionAddCrossDeviceVisualChild
NtDCompositionBeginFrame
NtDCompositionCommitChannel
NtDCompositionCommitSynchronizationObject
NtDCompositionConfirmFrame
NtDCompositionConnectPipe
NtDCompositionCreateAndBindSharedSection
NtDCompositionCreateChannel
NtDCompositionCreateConnection
NtDCompositionCreateDwmChannel
NtDCompositionCreateSharedResourceHandle
NtDCompositionCreateSynchronizationObject
NtDCompositionDestroyChannel
NtDCompositionDestroyConnection
NtDCompositionDiscardFrame
NtDCompositionDuplicateHandleToProcess
NtDCompositionDuplicateSwapchainHandleToDwm
NtDCompositionEnableMMCSS
NtDCompositionGetBatchId
NtDCompositionGetChannels
NtDCompositionGetConnectionBatch
NtDCompositionGetDeletedResources
NtDCompositionGetFrameLegacyTokens
NtDCompositionGetFrameStatistics
NtDCompositionGetFrameSurfaceUpdates
NtDCompositionGetMaterialProperty
NtDCompositionProcessChannelBatchBuffer
NtDCompositionReferenceSharedResourceOnDwmChannel
NtDCompositionRegisterThumbnailVisual
NtDCompositionRegisterVirtualDesktopVisual
NtDCompositionReleaseAllResources
NtDCompositionRemoveCrossDeviceVisualChild
NtDCompositionRetireFrame
NtDCompositionSetChannelCommitCompletionEvent
NtDCompositionSetChannelConnectionId
NtDCompositionSetChildRootVisual
NtDCompositionSetDebugCounter
NtDCompositionSetMaterialProperty
NtDCompositionSubmitDWMBatch
NtDCompositionSuspendAnimations
NtDCompositionSynchronize
NtDCompositionTelemetryAnimationScenarioBegin
NtDCompositionTelemetryAnimationScenarioReference
NtDCompositionTelemetryAnimationScenarioUnreference
NtDCompositionTelemetrySetApplicationId
NtDCompositionTelemetryTouchInteractionBegin
NtDCompositionTelemetryTouchInteractionEnd
NtDCompositionTelemetryTouchInteractionUpdate
NtDCompositionUpdatePointerCapture
NtDCompositionWaitForChannel
NtDesktopCaptureBits
NtDuplicateCompositionInputSink
NtDxgkCreateTrackedWorkload
NtDxgkDestroyTrackedWorkload
NtDxgkDispMgrOperation
NtDxgkDisplayPortOperation
NtDxgkDuplicateHandle
NtDxgkEnumAdapters3
NtDxgkGetAvailableTrackedWorkloadIndex
NtDxgkGetProcessList
NtDxgkGetTrackedWorkloadStatistics
NtDxgkOutputDuplPresentToHwQueue
NtDxgkPinResources
NtDxgkRegisterVailProcess
NtDxgkResetTrackedWorkloadStatistics
NtDxgkSubmitPresentBltToHwQueue
NtDxgkSubmitPresentToHwQueue
NtDxgkUnpinResources
NtDxgkUpdateTrackedWorkload
NtDxgkVailConnect
NtDxgkVailDisconnect
NtDxgkVailPromoteCompositionSurface
NtEnableOneCoreTransformMode
NtFlipObjectAddContent
NtFlipObjectAddPoolBuffer
NtFlipObjectConsumerAcquirePresent
NtFlipObjectConsumerAdjustUsageReference
NtFlipObjectConsumerBeginProcessPresent
NtFlipObjectConsumerEndProcessPresent
NtFlipObjectConsumerPostMessage
NtFlipObjectConsumerQueryBufferInfo
NtFlipObjectCreate
NtFlipObjectDisconnectEndpoint
NtFlipObjectEnablePresentStatisticsType
NtFlipObjectOpen
NtFlipObjectPresentCancel
NtFlipObjectQueryBufferAvailableEvent
NtFlipObjectQueryEndpointConnected
NtFlipObjectQueryNextMessageToProducer
NtFlipObjectReadNextMessageToProducer
NtFlipObjectRemoveContent
NtFlipObjectRemovePoolBuffer
NtFlipObjectSetContent
NtFlipObjectSetMaximumBackchannelQueueDepth
NtGdiAbortDoc
NtGdiAbortPath
NtGdiAddEmbFontToDC
NtGdiAddFontResourceW
NtGdiAddInitialFonts
NtGdiAddRemoteFontToDC
NtGdiAddRemoteMMInstanceToDC
NtGdiAngleArc
NtGdiAnyLinkedFonts
NtGdiArcInternal
NtGdiBRUSHOBJ_DeleteRbrush
NtGdiBRUSHOBJ_hGetColorTransform
NtGdiBRUSHOBJ_pvAllocRbrush
NtGdiBRUSHOBJ_pvGetRbrush
NtGdiBRUSHOBJ_ulGetBrushColor
NtGdiBeginGdiRendering
NtGdiCLIPOBJ_bEnum
NtGdiCLIPOBJ_cEnumStart
NtGdiCLIPOBJ_ppoGetPath
NtGdiCancelDC
NtGdiChangeGhostFont
NtGdiCheckBitmapBits
NtGdiClearBitmapAttributes
NtGdiClearBrushAttributes
NtGdiColorCorrectPalette
NtGdiConfigureOPMProtectedOutput
NtGdiConvertMetafileRect
NtGdiCreateBitmapFromDxSurface
NtGdiCreateBitmapFromDxSurface2
NtGdiCreateColorTransform
NtGdiCreateEllipticRgn
NtGdiCreateHatchBrushInternal
NtGdiCreateMetafileDC
NtGdiCreateOPMProtectedOutput
NtGdiCreateOPMProtectedOutputs
NtGdiCreateRoundRectRgn
NtGdiCreateServerMetaFile
NtGdiCreateSessionMappedDIBSection
NtGdiDDCCIGetCapabilitiesString
NtGdiDDCCIGetCapabilitiesStringLength
NtGdiDDCCIGetTimingReport
NtGdiDDCCIGetVCPFeature
NtGdiDDCCISaveCurrentSettings
NtGdiDDCCISetVCPFeature
NtGdiDdCreateFullscreenSprite
NtGdiDdDDIAbandonSwapChain
NtGdiDdDDIAcquireKeyedMutex
NtGdiDdDDIAcquireKeyedMutex2
NtGdiDdDDIAcquireSwapChain
NtGdiDdDDIAddSurfaceToSwapChain
NtGdiDdDDIAdjustFullscreenGamma
NtGdiDdDDICacheHybridQueryValue
NtGdiDdDDIChangeVideoMemoryReservation
NtGdiDdDDICheckExclusiveOwnership
NtGdiDdDDICheckMonitorPowerState
NtGdiDdDDICheckMultiPlaneOverlaySupport
NtGdiDdDDICheckMultiPlaneOverlaySupport2
NtGdiDdDDICheckMultiPlaneOverlaySupport3
NtGdiDdDDICheckOcclusion
NtGdiDdDDICheckSharedResourceAccess
NtGdiDdDDICheckVidPnExclusiveOwnership
NtGdiDdDDICloseAdapter
NtGdiDdDDIConfigureSharedResource
NtGdiDdDDICreateAllocation
NtGdiDdDDICreateBundleObject
NtGdiDdDDICreateContext
NtGdiDdDDICreateContextVirtual
NtGdiDdDDICreateDCFromMemory
NtGdiDdDDICreateDevice
NtGdiDdDDICreateHwContext
NtGdiDdDDICreateHwQueue
NtGdiDdDDICreateKeyedMutex
NtGdiDdDDICreateKeyedMutex2
NtGdiDdDDICreateOutputDupl
NtGdiDdDDICreateOverlay
NtGdiDdDDICreatePagingQueue
NtGdiDdDDICreateProtectedSession
NtGdiDdDDICreateSwapChain
NtGdiDdDDICreateSynchronizationObject
NtGdiDdDDIDDisplayEnum
NtGdiDdDDIDestroyAllocation
NtGdiDdDDIDestroyAllocation2
NtGdiDdDDIDestroyContext
NtGdiDdDDIDestroyDCFromMemory
NtGdiDdDDIDestroyDevice
NtGdiDdDDIDestroyHwContext
NtGdiDdDDIDestroyHwQueue
NtGdiDdDDIDestroyKeyedMutex
NtGdiDdDDIDestroyOutputDupl
NtGdiDdDDIDestroyOverlay
NtGdiDdDDIDestroyPagingQueue
NtGdiDdDDIDestroyProtectedSession
NtGdiDdDDIDestroySynchronizationObject
NtGdiDdDDIDispMgrCreate
NtGdiDdDDIDispMgrSourceOperation
NtGdiDdDDIDispMgrTargetOperation
NtGdiDdDDIEnumAdapters
NtGdiDdDDIEnumAdapters2
NtGdiDdDDIEscape
NtGdiDdDDIEvict
NtGdiDdDDIExtractBundleObject
NtGdiDdDDIFlipOverlay
NtGdiDdDDIFlushHeapTransitions
NtGdiDdDDIFreeGpuVirtualAddress
NtGdiDdDDIGetAllocationPriority
NtGdiDdDDIGetCachedHybridQueryValue
NtGdiDdDDIGetContextInProcessSchedulingPriority
NtGdiDdDDIGetContextSchedulingPriority
NtGdiDdDDIGetDWMVerticalBlankEvent
NtGdiDdDDIGetDeviceState
NtGdiDdDDIGetDisplayModeList
NtGdiDdDDIGetMemoryBudgetTarget
NtGdiDdDDIGetMultiPlaneOverlayCaps
NtGdiDdDDIGetMultisampleMethodList
NtGdiDdDDIGetOverlayState
NtGdiDdDDIGetPostCompositionCaps
NtGdiDdDDIGetPresentHistory
NtGdiDdDDIGetPresentQueueEvent
NtGdiDdDDIGetProcessDeviceRemovalSupport
NtGdiDdDDIGetProcessSchedulingPriorityBand
NtGdiDdDDIGetProcessSchedulingPriorityClass
NtGdiDdDDIGetResourcePresentPrivateDriverData
NtGdiDdDDIGetRuntimeData
NtGdiDdDDIGetScanLine
NtGdiDdDDIGetSetSwapChainMetadata
NtGdiDdDDIGetSharedPrimaryHandle
NtGdiDdDDIGetSharedResourceAdapterLuid
NtGdiDdDDIGetSharedResourceAdapterLuidFlipManager
NtGdiDdDDIGetYieldPercentage
NtGdiDdDDIInvalidateActiveVidPn
NtGdiDdDDIInvalidateCache
NtGdiDdDDILock
NtGdiDdDDILock2
NtGdiDdDDIMakeResident
NtGdiDdDDIMapGpuVirtualAddress
NtGdiDdDDIMarkDeviceAsError
NtGdiDdDDINetDispGetNextChunkInfo
NtGdiDdDDINetDispQueryMiracastDisplayDeviceStatus
NtGdiDdDDINetDispQueryMiracastDisplayDeviceSupport
NtGdiDdDDINetDispStartMiracastDisplayDevice
NtGdiDdDDINetDispStopMiracastDisplayDevice
NtGdiDdDDIOfferAllocations
NtGdiDdDDIOpenAdapterFromDeviceName
NtGdiDdDDIOpenAdapterFromHdc
NtGdiDdDDIOpenAdapterFromLuid
NtGdiDdDDIOpenBundleObjectNtHandleFromName
NtGdiDdDDIOpenKeyedMutex
NtGdiDdDDIOpenKeyedMutex2
NtGdiDdDDIOpenKeyedMutexFromNtHandle
NtGdiDdDDIOpenNtHandleFromName
NtGdiDdDDIOpenProtectedSessionFromNtHandle
NtGdiDdDDIOpenResource
NtGdiDdDDIOpenResourceFromNtHandle
NtGdiDdDDIOpenSwapChain
NtGdiDdDDIOpenSyncObjectFromNtHandle
NtGdiDdDDIOpenSyncObjectFromNtHandle2
NtGdiDdDDIOpenSyncObjectNtHandleFromName
NtGdiDdDDIOpenSynchronizationObject
NtGdiDdDDIOutputDuplGetFrameInfo
NtGdiDdDDIOutputDuplGetMetaData
NtGdiDdDDIOutputDuplGetPointerShapeData
NtGdiDdDDIOutputDuplPresent
NtGdiDdDDIOutputDuplReleaseFrame
NtGdiDdDDIPollDisplayChildren
NtGdiDdDDIPresent
NtGdiDdDDIPresentMultiPlaneOverlay
NtGdiDdDDIPresentMultiPlaneOverlay2
NtGdiDdDDIPresentMultiPlaneOverlay3
NtGdiDdDDIPresentRedirected
NtGdiDdDDIQueryAdapterInfo
NtGdiDdDDIQueryAllocationResidency
NtGdiDdDDIQueryClockCalibration
NtGdiDdDDIQueryFSEBlock
NtGdiDdDDIQueryProcessOfferInfo
NtGdiDdDDIQueryProtectedSessionInfoFromNtHandle
NtGdiDdDDIQueryProtectedSessionStatus
NtGdiDdDDIQueryRemoteVidPnSourceFromGdiDisplayName
NtGdiDdDDIQueryResourceInfo
NtGdiDdDDIQueryResourceInfoFromNtHandle
NtGdiDdDDIQueryStatistics
NtGdiDdDDIQueryVidPnExclusiveOwnership
NtGdiDdDDIQueryVideoMemoryInfo
NtGdiDdDDIReclaimAllocations
NtGdiDdDDIReclaimAllocations2
NtGdiDdDDIReleaseKeyedMutex
NtGdiDdDDIReleaseKeyedMutex2
NtGdiDdDDIReleaseProcessVidPnSourceOwners
NtGdiDdDDIReleaseSwapChain
NtGdiDdDDIRemoveSurfaceFromSwapChain
NtGdiDdDDIRender
NtGdiDdDDIReserveGpuVirtualAddress
NtGdiDdDDISetAllocationPriority
NtGdiDdDDISetContextInProcessSchedulingPriority
NtGdiDdDDISetContextSchedulingPriority
NtGdiDdDDISetDisplayMode
NtGdiDdDDISetDodIndirectSwapchain
NtGdiDdDDISetFSEBlock
NtGdiDdDDISetGammaRamp
NtGdiDdDDISetHwProtectionTeardownRecovery
NtGdiDdDDISetMemoryBudgetTarget
NtGdiDdDDISetMonitorColorSpaceTransform
NtGdiDdDDISetProcessDeviceRemovalSupport
NtGdiDdDDISetProcessSchedulingPriorityBand
NtGdiDdDDISetProcessSchedulingPriorityClass
NtGdiDdDDISetQueuedLimit
NtGdiDdDDISetStablePowerState
NtGdiDdDDISetStereoEnabled
NtGdiDdDDISetSyncRefreshCountWaitTarget
NtGdiDdDDISetVidPnSourceHwProtection
NtGdiDdDDISetVidPnSourceOwner
NtGdiDdDDISetYieldPercentage
NtGdiDdDDIShareObjects
NtGdiDdDDISharedPrimaryLockNotification
NtGdiDdDDISharedPrimaryUnLockNotification
NtGdiDdDDISignalSynchronizationObject
NtGdiDdDDISignalSynchronizationObjectFromCpu
NtGdiDdDDISignalSynchronizationObjectFromGpu
NtGdiDdDDISignalSynchronizationObjectFromGpu2
NtGdiDdDDISubmitCommand
NtGdiDdDDISubmitCommandToHwQueue
NtGdiDdDDISubmitSignalSyncObjectsToHwQueue
NtGdiDdDDISubmitWaitForSyncObjectsToHwQueue
NtGdiDdDDITrimProcessCommitment
NtGdiDdDDIUnOrderedPresentSwapChain
NtGdiDdDDIUnlock
NtGdiDdDDIUnlock2
NtGdiDdDDIUpdateAllocationProperty
NtGdiDdDDIUpdateGpuVirtualAddress
NtGdiDdDDIUpdateOverlay
NtGdiDdDDIWaitForIdle
NtGdiDdDDIWaitForSynchronizationObject
NtGdiDdDDIWaitForSynchronizationObjectFromCpu
NtGdiDdDDIWaitForSynchronizationObjectFromGpu
NtGdiDdDDIWaitForVerticalBlankEvent
NtGdiDdDDIWaitForVerticalBlankEvent2
NtGdiDdDestroyFullscreenSprite
NtGdiDdNotifyFullscreenSpriteUpdate
NtGdiDdQueryVisRgnUniqueness
NtGdiDeleteColorTransform
NtGdiDescribePixelFormat
NtGdiDestroyOPMProtectedOutput
NtGdiDestroyPhysicalMonitor
NtGdiDoBanding
NtGdiDrawEscape
NtGdiDwmCreatedBitmapRemotingOutput
NtGdiEllipse
NtGdiEnableEudc
NtGdiEndDoc
NtGdiEndGdiRendering
NtGdiEndPage
NtGdiEngAlphaBlend
NtGdiEngAssociateSurface
NtGdiEngBitBlt
NtGdiEngCheckAbort
NtGdiEngComputeGlyphSet
NtGdiEngCopyBits
NtGdiEngCreateBitmap
NtGdiEngCreateClip
NtGdiEngCreateDeviceBitmap
NtGdiEngCreateDeviceSurface
NtGdiEngCreatePalette
NtGdiEngDeleteClip
NtGdiEngDeletePalette
NtGdiEngDeletePath
NtGdiEngDeleteSurface
NtGdiEngEraseSurface
NtGdiEngFillPath
NtGdiEngGradientFill
NtGdiEngLineTo
NtGdiEngLockSurface
NtGdiEngMarkBandingSurface
NtGdiEngPaint
NtGdiEngPlgBlt
NtGdiEngStretchBlt
NtGdiEngStretchBltROP
NtGdiEngStrokeAndFillPath
NtGdiEngStrokePath
NtGdiEngTextOut
NtGdiEngTransparentBlt
NtGdiEngUnlockSurface
NtGdiEnsureDpiDepDefaultGuiFontForPlateau
NtGdiEnumFonts
NtGdiEnumObjects
NtGdiEudcLoadUnloadLink
NtGdiExtFloodFill
NtGdiFONTOBJ_cGetAllGlyphHandles
NtGdiFONTOBJ_cGetGlyphs
NtGdiFONTOBJ_pQueryGlyphAttrs
NtGdiFONTOBJ_pfdg
NtGdiFONTOBJ_pifi
NtGdiFONTOBJ_pvTrueTypeFontFile
NtGdiFONTOBJ_pxoGetXform
NtGdiFONTOBJ_vGetInfo
NtGdiFlattenPath
NtGdiFontIsLinked
NtGdiForceUFIMapping
NtGdiFrameRgn
NtGdiFullscreenControl
NtGdiGetBitmapDpiScaleValue
NtGdiGetBoundsRect
NtGdiGetCOPPCompatibleOPMInformation
NtGdiGetCertificate
NtGdiGetCertificateByHandle
NtGdiGetCertificateSize
NtGdiGetCertificateSizeByHandle
NtGdiGetCharABCWidthsW
NtGdiGetCharacterPlacementW
NtGdiGetColorAdjustment
NtGdiGetColorSpaceforBitmap
NtGdiGetCurrentDpiInfo
NtGdiGetDCDpiScaleValue
NtGdiGetDeviceCaps
NtGdiGetDeviceCapsAll
NtGdiGetDeviceWidth
NtGdiGetDhpdev
NtGdiGetETM
NtGdiGetEmbUFI
NtGdiGetEmbedFonts
NtGdiGetEntry
NtGdiGetEudcTimeStampEx
NtGdiGetFontFileData
NtGdiGetFontFileInfo
NtGdiGetFontResourceInfoInternalW
NtGdiGetFontUnicodeRanges
NtGdiGetGlyphIndicesW
NtGdiGetGlyphIndicesWInternal
NtGdiGetGlyphOutline
NtGdiGetKerningPairs
NtGdiGetLinkedUFIs
NtGdiGetMiterLimit
NtGdiGetMonitorID
NtGdiGetNumberOfPhysicalMonitors
NtGdiGetOPMInformation
NtGdiGetOPMRandomNumber
NtGdiGetObjectBitmapHandle
NtGdiGetPath
NtGdiGetPerBandInfo
NtGdiGetPhysicalMonitorDescription
NtGdiGetPhysicalMonitors
NtGdiGetProcessSessionFonts
NtGdiGetPublicFontTableChangeCookie
NtGdiGetRealizationInfo
NtGdiGetServerMetaFileBits
NtGdiGetSpoolMessage
NtGdiGetStats
NtGdiGetStringBitmapW
NtGdiGetSuggestedOPMProtectedOutputArraySize
NtGdiGetTextExtentExW
NtGdiGetUFI
NtGdiGetUFIPathname
NtGdiGradientFill
NtGdiHLSurfGetInformation
NtGdiHLSurfSetInformation
NtGdiHT_Get8BPPFormatPalette
NtGdiHT_Get8BPPMaskPalette
NtGdiIcmBrushInfo
NtGdiInit
NtGdiInitSpool
NtGdiMakeFontDir
NtGdiMakeInfoDC
NtGdiMakeObjectUnXferable
NtGdiMakeObjectXferable
NtGdiMirrorWindowOrg
NtGdiMonoBitmap
NtGdiMoveTo
NtGdiOffsetClipRgn
NtGdiPATHOBJ_bEnum
NtGdiPATHOBJ_bEnumClipLines
NtGdiPATHOBJ_vEnumStart
NtGdiPATHOBJ_vEnumStartClipLines
NtGdiPATHOBJ_vGetBounds
NtGdiPathToRegion
NtGdiPlgBlt
NtGdiPolyDraw
NtGdiPolyTextOutW
NtGdiPtInRegion
NtGdiPtVisible
NtGdiQueryFonts
NtGdiRemoveFontResourceW
NtGdiRemoveMergeFont
NtGdiResetDC
NtGdiResizePalette
NtGdiRoundRect
NtGdiSTROBJ_bEnum
NtGdiSTROBJ_bEnumPositionsOnly
NtGdiSTROBJ_bGetAdvanceWidths
NtGdiSTROBJ_dwGetCodePage
NtGdiSTROBJ_vEnumStart
NtGdiScaleRgn
NtGdiScaleValues
NtGdiScaleViewportExtEx
NtGdiScaleWindowExtEx
NtGdiSelectBrush
NtGdiSelectClipPath
NtGdiSelectPen
NtGdiSetBitmapAttributes
NtGdiSetBrushAttributes
NtGdiSetColorAdjustment
NtGdiSetColorSpace
NtGdiSetFontXform
NtGdiSetIcmMode
NtGdiSetLinkedUFIs
NtGdiSetMagicColors
NtGdiSetOPMSigningKeyAndSequenceNumbers
NtGdiSetPUMPDOBJ
NtGdiSetPixelFormat
NtGdiSetRectRgn
NtGdiSetSizeDevice
NtGdiSetSystemPaletteUse
NtGdiSetTextJustification
NtGdiSetUMPDSandboxState
NtGdiStartDoc
NtGdiStartPage
NtGdiStrokeAndFillPath
NtGdiStrokePath
NtGdiSwapBuffers
NtGdiTransparentBlt
NtGdiUMPDEngFreeUserMem
NtGdiUnloadPrinterDriver
NtGdiUnmapMemFont
NtGdiUpdateColors
NtGdiUpdateTransform
NtGdiWidenPath
NtGdiXFORMOBJ_bApplyXform
NtGdiXFORMOBJ_iGetXform
NtGdiXLATEOBJ_cGetPalette
NtGdiXLATEOBJ_hGetColorTransform
NtGdiXLATEOBJ_iXlate
NtHWCursorUpdatePointer
NtInputSpaceRegionFromPoint
NtIsOneCoreTransformMode
NtMITAccessibilityTimerNotification
NtMITActivateInputProcessing
NtMITCoreMsgKOpenConnectionTo
NtMITDeactivateInputProcessing
NtMITDisableMouseIntercept
NtUserGetOwnerTransformedMonitorRect
NtMITDispatchCompletion
NtMITEnableMouseIntercept
NtMITGetCursorUpdateHandle
NtMITInitMinuserThread
NtMITMinuserSetInputTransformOffset
NtMITMinuserWindowDestroyed
NtMITPostMouseInputMessage
NtMITPostThreadEventMessage
NtMITPostWindowEventMessage
NtMITPrepareReceiveInputMessage
NtMITPrepareSendInputMessage
NtMITProcessDelegateCapturedPointers
NtMITSetInputCallbacks
NtMITSetInputDelegationMode
NtMITSetInputObservationState
NtMITSetKeyboardInputRoutingPolicy
NtMITSetKeyboardOverriderState
NtMITSetLastInputRecipient
NtMITSynthesizeKeyboardInput
NtMITSynthesizeMouseInput
NtMITSynthesizeTouchInput
NtMITUninitMinuserThread
NtMITUpdateInputGlobals
NtMapVisualRelativePoints
NtMinGetInputTransform
NtMinInteropCoreMessagingWithInput
NtMinQPeekForInput
NtMinQSuspendInputProcessing
NtMinQUpdateWakeMask
NtModerncoreBeginLayoutUpdate
NtModerncoreCreateDCompositionHwndTarget
NtModerncoreCreateGDIHwndTarget
NtModerncoreDestroyDCompositionHwndTarget
NtModerncoreDestroyGDIHwndTarget
NtModerncoreEnableResizeLayoutSynchronization
NtModerncoreGetNavigationWindowVisual
NtModerncoreGetResizeDCompositionSynchronizationObject
NtModerncoreGetWindowContentVisual
NtModerncoreIdleTimerThread
NtModerncoreIsResizeLayoutSynchronizationEnabled
NtModerncoreProcessConnect
NtModerncoreRegisterEnhancedNavigationWindowHandle
NtModerncoreRegisterNavigationWindowHandle
NtModerncoreSetNavigationServiceSid
NtModerncoreUnregisterNavigationWindowHandle
NtNotifyPresentToCompositionSurface
NtOpenCompositionSurfaceDirtyRegion
NtOpenCompositionSurfaceSectionInfo
NtOpenCompositionSurfaceSwapChainHandleInfo
NtQueryCompositionInputIsImplicit
NtQueryCompositionInputQueueAndTransform
NtQueryCompositionInputSink
NtQueryCompositionInputSinkLuid
NtQueryCompositionInputSinkViewId
NtQueryCompositionSurfaceBinding
NtQueryCompositionSurfaceHDRMetaData
NtQueryCompositionSurfaceRenderingRealization
NtQueryCompositionSurfaceStatistics
NtRIMAddInputObserver
NtRIMAreSiblingDevices
NtRIMDeviceIoControl
NtRIMEnableMonitorMappingForDevice
NtRIMFreeInputBuffer
NtRIMGetDevicePreparsedData
NtRIMGetDevicePreparsedDataLockfree
NtRIMGetDeviceProperties
NtRIMGetDevicePropertiesLockfree
NtRIMGetPhysicalDeviceRect
NtRIMGetSourceProcessId
NtRIMObserveNextInput
NtRIMOnPnpNotification
NtRIMOnTimerNotification
NtRIMQueryDevicePath
NtRIMReadInput
NtRIMRegisterForInput
NtRIMRemoveInputObserver
NtRIMSetExtendedDeviceProperty
NtRIMSetTestModeStatus
NtRIMUnregisterForInput
NtRIMUpdateInputObserverRegistration
NtSetCompositionSurfaceAnalogExclusive
NtSetCompositionSurfaceBufferUsage
NtSetCompositionSurfaceDirectFlipState
NtSetCompositionSurfaceIndependentFlipInfo
NtSetCompositionSurfaceStatistics
NtSetCursorInputSpace
NtSetPointerDeviceInputSpace
NtSetShellCursorState
NtTokenManagerConfirmOutstandingAnalogToken
NtTokenManagerCreateCompositionTokenHandle
NtTokenManagerCreateFlipObjectReturnTokenHandle
NtTokenManagerCreateFlipObjectTokenHandle
NtTokenManagerGetAnalogExclusiveSurfaceUpdates
NtTokenManagerGetAnalogExclusiveTokenEvent
NtTokenManagerOpenSectionAndEvents
NtTokenManagerThread
NtUnBindCompositionSurface
NtUpdateInputSinkTransforms
NtUserAcquireIAMKey
NtUserAcquireInteractiveControlBackgroundAccess
NtUserAddClipboardFormatListener
NtUserAddVisualIdentifier
NtUserAllowForegroundActivation
NtUserAllowSetForegroundWindow
NtUserArrangeIconicWindows
NtUserAssociateInputContext
NtUserAutoPromoteMouseInPointer
NtUserAutoRotateScreen
NtUserBeginDeferWindowPos
NtUserBeginLayoutUpdate
NtUserBlockInput
NtUserBroadcastImeShowStatusChange
NtUserBroadcastThemeChangeEvent
NtUserBuildHimcList
NtUserBuildPropList
NtUserCalculatePopupWindowPosition
NtUserCallHwndLockSafe
NtUserCallHwndOpt
NtUserCallHwndParamLockSafe
NtUserCallHwndSafe
NtUserCanBrokerForceForeground
NtUserCancelQueueEventCompletionPacket
NtUserChangeDisplaySettings
NtUserChangeWindowMessageFilter
NtUserChangeWindowMessageFilterEx
NtUserCheckAccessForIntegrityLevel
NtUserCheckImeShowStatusInThread
NtUserCheckProcessForClipboardAccess
NtUserCheckProcessSession
NtUserCheckWindowThreadDesktop
NtUserChildWindowFromPointEx
NtUserCitSetInfo
NtUserClearForeground
NtUserClearWakeMask
NtUserClearWindowState
NtUserClipCursor
NtUserCompositionInputSinkLuidFromPoint
NtUserCompositionInputSinkViewInstanceIdFromPoint
NtUserConfigureActivationObject
NtUserConfirmResizeCommit
NtUserCreateActivationObject
NtUserCreateBaseWindow
NtUserCreateDCompositionHwndTarget
NtUserCreateDesktopEx
NtUserCreateEmptyCursorObject
NtUserCreateInputContext
NtUserCreateMenu
NtUserCreatePalmRejectionDelayZone
NtUserCreatePopupMenu
NtUserCreateSystemThreads
NtUserCreateWindowGroup
NtUserCreateWindowStation
NtUserCsDdeUninitialize
NtUserCtxDisplayIOCtl
NtUserDWP_GetEnabledPopupOffset
NtUserDeferWindowDpiChanges
NtUserDeferWindowPosAndBand
NtUserDeferredDesktopRotation
NtUserDelegateCapturePointers
NtUserDelegateInput
NtUserDeleteWindowGroup
NtUserDeregisterShellHookWindow
NtUserDestroyActivationObject
NtUserDestroyCaret
NtUserDestroyDCompositionHwndTarget
NtUserDestroyInputContext
NtUserDestroyPalmRejectionDelayZone
NtUserDirectedYield
NtUserDisableImmersiveOwner
NtUserDisableProcessWindowFiltering
NtUserDisableProcessWindowsGhosting
NtUserDisableThreadIme
NtUserDiscardPointerFrameMessages
NtUserDisplayConfigGetDeviceInfo
NtUserDisplayConfigSetDeviceInfo
NtUserDoInitMessagePumpHook
NtUserDoSoundConnect
NtUserDoSoundDisconnect
NtUserDoUninitMessagePumpHook
NtUserDownlevelTouchpad
NtUserDragDetect
NtUserDragObject
NtUserDrainThreadCoreMessagingCompletions
NtUserDrawAnimatedRects
NtUserDrawCaption
NtUserDrawCaptionTemp
NtUserDrawMenuBar
NtUserDrawMenuBarTemp
NtUserDwmGetRemoteSessionOcclusionEvent
NtUserDwmGetRemoteSessionOcclusionState
NtUserDwmKernelShutdown
NtUserDwmKernelStartup
NtUserDwmLockScreenUpdates
NtUserDwmValidateWindow
NtUserEnableChildWindowDpiMessage
NtUserEnableIAMAccess
NtUserEnableModernAppWindowKeyboardIntercept
NtUserEnableMouseInPointer
NtUserEnableMouseInPointerForThread
NtUserEnableMouseInPointerForWindow
NtUserEnableMouseInputForCursorSuppression
NtUserEnableNonClientDpiScaling
NtUserEnablePerMonitorMenuScaling
NtUserEnableResizeLayoutSynchronization
NtUserEnableSessionForMMCSS
NtUserEnableShellWindowManagementBehavior
NtUserEnableSoftwareCursorForScreenCapture
NtUserEnableTouchPad
NtUserEnableWindow
NtUserEnableWindowGDIScaledDpiMessage
NtUserEnableWindowGroupPolicy
NtUserEnableWindowResizeOptimization
NtUserEndMenu
NtUserEnsureDpiDepSysMetCacheForPlateau
NtUserEnumClipboardFormats
NtUserEvent
NtUserFlashWindowEx
NtUserForceEnableNumpadTranslation
NtUserForceWindowToDpiForTest
NtUserFrostCrashedWindow
NtUserFunctionalizeDisplayConfig
NtUserGetActiveProcessesDpis
NtUserGetAppImeLevel
NtUserGetAutoRotationState
NtUserGetCIMSSM
NtUserGetCaretPos
NtUserGetClassIcoCur
NtUserGetClipCursor
NtUserGetClipboardAccessToken
NtUserGetClipboardViewer
NtUserGetComboBoxInfo
NtUserSetSensorPresence
NtUserGetCurrentDpiInfoForWindow
NtUserGetCurrentInputMessageSource
NtUserGetCursor
NtUserGetCursorInfo
NtUserGetCursorPos
NtUserGetDManipHookInitFunction
NtUserGetDesktopID
NtUserGetDesktopVisualTransform
NtUserGetDeviceChangeInfo
NtUserGetDisplayAutoRotationPreferences
NtUserGetDisplayAutoRotationPreferencesByProcessId
NtUserGetDisplayConfigBufferSizes
NtUserGetDpiForCurrentProcess
NtUserGetDpiForMonitor
NtUserGetExtendedPointerDeviceProperty
NtUserGetGestureConfig
NtUserGetGestureExtArgs
NtUserGetGestureInfo
NtUserGetGuiResources
NtUserGetHDevName
NtUserGetHimetricScaleFactorFromPixelLocation
NtUserGetIMEShowStatus
NtUserGetImeHotKey
NtUserGetImeInfoEx
NtUserGetInputContainerId
NtUserGetInputDesktop
NtUserGetInputEvent
NtUserGetInputLocaleInfo
NtUserGetInteractiveControlDeviceInfo
NtUserGetInteractiveControlInfo
NtUserGetInteractiveCtrlSupportedWaveforms
NtUserGetInternalWindowPos
NtUserGetKeyNameText
NtUserGetKeyboardLayout
NtUserGetKeyboardLayoutName
NtUserGetKeyboardType
NtUserGetLayeredWindowAttributes
NtUserGetListBoxInfo
NtUserGetMenuIndex
NtUserGetMenuItemRect
NtUserGetMessagePos
NtUserGetMinuserIdForBaseWindow
NtUserGetModernAppWindow
NtUserGetMouseMovePointsEx
NtUserGetOemBitmapSize
NtUserGetPhysicalDeviceRect
NtUserGetPointerCursorId
NtUserGetPointerDevice
NtUserGetPointerDeviceCursors
NtUserGetPointerDeviceInputSpace
NtUserGetPointerDeviceOrientation
NtUserGetPointerDeviceProperties
NtUserGetPointerDeviceRects
NtUserGetPointerDevices
NtUserGetPointerFrameTimes
NtUserGetPointerInfoList
NtUserGetPointerInputTransform
NtUserGetPointerProprietaryId
NtUserGetPointerType
NtUserGetPrecisionTouchPadConfiguration
NtUserGetPriorityClipboardFormat
NtUserGetProcessDefaultLayout
NtUserGetProcessDpiAwarenessContext
NtUserGetProcessUIContextInformation
NtUserGetQueueIocp
NtUserGetQueueStatus
NtUserGetQueueStatusReadonly
NtUserGetRawInputBuffer
NtUserGetRawInputData
NtUserGetRawInputDeviceInfo
NtUserGetRawInputDeviceList
NtUserGetRawPointerDeviceData
NtUserGetRegisteredRawInputDevices
NtUserGetRequiredCursorSizes
NtUserGetResizeDCompositionSynchronizationObject
NtUserGetSendMessageReceiver
NtUserGetSharedWindowData
NtUserGetSysMenuOffset
NtUserGetSystemContentRects
NtUserGetSystemDpiForProcess
NtUserGetTopLevelWindow
NtUserGetTouchInputInfo
NtUserGetTouchValidationStatus
NtUserGetUniformSpaceMapping
NtUserGetUnpredictedMessagePos
NtUserGetUpdatedClipboardFormats
NtUserGetWOWClass
NtUserGetWinStationInfo
NtUserGetWindowBand
NtUserYieldTask
NtUserGetWindowCompositionAttribute
NtUserGetWindowCompositionInfo
NtUserGetWindowContextHelpId
NtUserGetWindowDisplayAffinity
NtUserGetWindowFeedbackSetting
NtUserGetWindowGroupId
NtUserGetWindowMinimizeRect
NtUserGetWindowProcessHandle
NtUserGetWindowRgnEx
NtUserGetWindowThreadProcessId
NtUserGetWindowTrackInfoAsync
NtUserGhostWindowFromHungWindow
NtUserHandleDelegatedInput
NtUserHandleSystemThreadCreationFailure
NtUserHardErrorControl
NtUserHideCursorNoCapture
NtUserHidePointerContactVisualization
NtUserHiliteMenuItem
NtUserHungWindowFromGhostWindow
NtUserHwndQueryRedirectionInfo
NtUserHwndSetRedirectionInfo
NtUserImpersonateDdeClientWindow
NtUserInheritWindowMonitor
NtUserInitAnsiOem
NtUserInitTask
NtUserInitThreadCoreMessagingIocp
NtUserInitialize
NtUserInitializeClientPfnArrays
NtUserInitializeGenericHidInjection
NtUserInitializeInputDeviceInjection
NtUserInitializePointerDeviceInjection
NtUserInitializePointerDeviceInjectionEx
NtUserInitializeTouchInjection
NtUserInjectDeviceInput
NtUserInjectGenericHidInput
NtUserInjectGesture
NtUserInjectKeyboardInput
NtUserInjectMouseInput
NtUserInjectPointerInput
NtUserInjectTouchInput
NtUserInteractiveControlQueryUsage
NtUserInternalGetWindowIcon
NtUserInternalToUnicode
NtUserIsChildWindowDpiMessageEnabled
NtUserIsMouseInPointerEnabled
NtUserIsMouseInputEnabled
NtUserIsNonClientDpiScalingEnabled
NtUserIsQueueAttached
NtUserIsResizeLayoutSynchronizationEnabled
NtUserIsTopLevelWindow
NtUserIsTouchWindow
NtUserIsWindowBroadcastingDpiToChildren
NtUserIsWindowGDIScaledDpiMessageEnabled
NtUserKillSystemTimer
NtUserLW_LoadFonts
NtUserLayoutCompleted
NtUserLinkDpiCursor
NtUserLoadCursorsAndIcons
NtUserLoadKeyboardLayoutEx
NtUserLoadUserApiHook
NtUserLockCursor
NtUserLockSetForegroundWindow
NtUserLockWindowStation
NtUserLockWorkStation
NtUserLogicalToPerMonitorDPIPhysicalPoint
NtUserLogicalToPhysicalDpiPointForWindow
NtUserLogicalToPhysicalPoint
NtUserMNDragLeave
NtUserMNDragOver
NtUserMagControl
NtUserMagGetContextInformation
NtUserMagSetContextInformation
NtUserMapDesktopObject
NtUserMapPointsByVisualIdentifier
NtUserMarkWindowForRawMouse
NtUserMenuItemFromPoint
NtUserMessageBeep
NtUserMinInitialize
NtUserMinMaximize
NtUserModifyWindowTouchCapability
NtUserMsgWaitForMultipleObjectsEx
NtUserNavigateFocus
NtUserNlsKbdSendIMENotification
NtUserNotifyIMEStatus
NtUserNotifyOverlayWindow
NtUserOpenInputDesktop
NtUserOpenThreadDesktop
NtUserPaintMonitor
NtUserPerMonitorDPIPhysicalToLogicalPoint
NtUserPhysicalToLogicalDpiPointForWindow
NtUserPhysicalToLogicalPoint
NtUserPlayEventSound
NtUserPostKeyboardInputMessage
NtUserPostQuitMessage
NtUserPostUIActions
NtUserPrepareForLogoff
NtUserPrintWindow
NtUserProcessInkFeedbackCommand
NtUserPromoteMouseInPointer
NtUserPromotePointer
NtUserQueryActivationObject
NtUserQueryBSDRWindow
NtUserQueryDisplayConfig
NtUserQueryInformationThread
NtUserQueryInputContext
NtUserQuerySendMessage
NtUserRealChildWindowFromPoint
NtUserRealWaitMessageEx
NtUserRealizePalette
NtUserReassociateQueueEventCompletionPacket
NtUserRedrawFrame
NtUserRedrawFrameAndHook
NtUserRedrawTitle
NtUserRegisterBSDRWindow
NtUserRegisterDManipHook
NtUserRegisterEdgy
NtUserRegisterErrorReportingDialog
NtUserRegisterGhostWindow
NtUserRegisterHotKey
NtUserRegisterKeyboardCorrectionCallout
NtUserRegisterLPK
NtUserRegisterLogonProcess
NtUserRegisterManipulationThread
NtUserRegisterPointerDeviceNotifications
NtUserRegisterPointerInputTarget
NtUserRegisterRawInputDevices
NtUserRegisterServicesProcess
NtUserRegisterSessionPort
NtUserRegisterShellHookWindow
NtUserRegisterShellPTPListener
NtUserRegisterSiblingFrostWindow
NtUserRegisterSystemThread
NtUserRegisterTasklist
NtUserRegisterTouchHitTestingWindow
NtUserRegisterTouchPadCapable
NtUserRegisterUserApiHook
NtUserRegisterUserHungAppHandlers
NtUserRegisterWindowArrangementCallout
NtUserReleaseCapture
NtUserReleaseDC
NtUserReleaseDwmHitTestWaiters
NtUserRemoteConnect
NtUserRemoteConnectState
NtUserRemoteConsoleShadowStop
NtUserRemoteDisconnect
NtUserRemoteNotify
NtUserRemotePassthruDisable
NtUserRemotePassthruEnable
NtUserRemoteReconnect
NtUserRemoteRedrawRectangle
NtUserRemoteRedrawScreen
NtUserRemoteShadowCleanup
NtUserRemoteShadowSetup
NtUserRemoteShadowStart
NtUserRemoteShadowStop
NtUserRemoteStopScreenUpdates
NtUserRemoteThinwireStats
NtUserRemoveClipboardFormatListener
NtUserRemoveInjectionDevice
NtUserRemoveQueueCompletion
NtUserRemoveVisualIdentifier
NtUserReplyMessage
NtUserReportInertia
NtUserRequestMoveSizeOperation
NtUserResetDblClk
NtUserResolveDesktopForWOW
NtUserRestoreWindowDpiChanges
NtUserScaleSystemMetricForDPIWithoutCache
NtUserScheduleDispatchNotification
NtUserSendEventMessage
NtUserSendInteractiveControlHapticsReport
NtUserSetActivationFilter
NtUserSetActiveProcessForMonitor
NtUserSetAppImeLevel
NtUserSetAutoRotation
NtUserSetBridgeWindowChild
NtUserSetBrokeredForeground
NtUserSetCalibrationData
NtUserSetCancelRotationDelayHintWindow
NtUserSetCaretBlinkTime
NtUserSetCaretPos
NtUserSetChildWindowNoActivate
NtUserSetClassWord
NtUserSetCoreWindow
NtUserSetCoreWindowPartner
NtUserSetCursorContents
NtUserSetCursorPos
NtUserSetDesktopColorTransform
NtUserSetDesktopVisualInputSink
NtUserSetDialogControlDpiChangeBehavior
NtUserSetDialogPointer
NtUserSetDialogSystemMenu
NtUserSetDisplayAutoRotationPreferences
NtUserSetDisplayConfig
NtUserSetDisplayMapping
NtUserSetDoubleClickTime
NtUserSetFallbackForeground
NtUserSetFeatureReportResponse
NtUserSetForegroundRedirectionForActivationObject
NtUserSetForegroundWindow
NtUserSetForegroundWindowForApplication
NtUserSetFullscreenMagnifierOffsetsDWMUpdated
NtUserSetGestureConfig
NtUserSetImeHotKey
NtUserSetImeInfoEx
NtUserSetImeOwnerWindow
NtUserSetInputServiceState
NtUserSetInteractiveControlFocus
NtUserSetInteractiveCtrlRotationAngle
NtUserSetInternalWindowPos
NtUserSetLayeredWindowAttributes
NtUserSetMagnificationDesktopMagnifierOffsetsDWMUpdated
NtUserSetManipulationInputTarget
NtUserSetMenu
NtUserSetMenuContextHelpId
NtUserSetMenuFlagRtoL
NtUserSetMessageExtraInfo
NtUserSetMirrorRendering
NtUserSetModernAppWindow
NtUserSetMonitorWorkArea
NtUserSetMouseInputRateLimitingTimer
NtUserSetMsgBox
NtUserSetObjectInformation
NtUserSetPrecisionTouchPadConfiguration
NtUserSetProcessDefaultLayout
NtUserSetProcessDpiAwarenessContext
NtUserSetProcessInteractionFlags
NtUserSetProcessLaunchForegroundPolicy
NtUserSetProcessMousewheelRoutingMode
NtUserSetProcessRestrictionExemption
NtUserSetProcessUIAccessZorder
NtUserSetProgmanWindow
NtUserSetSharedWindowData
NtUserSetShellChangeNotifyHWND
NtUserSetShellWindowEx
NtUserSetSysColors
NtUserSetSysMenu
NtUserSetSystemContentRects
NtUserSetSystemCursor
NtUserSetSystemTimer
NtUserSetTSFEventState
NtUserSetTargetForResourceBrokering
NtUserSetTaskmanWindow
NtUserSetThreadInputBlocked
NtUserSetThreadLayoutHandles
NtUserSetThreadQueueMergeSetting
NtUserSetVisible
NtUserSetWaitForQueueAttach
NtUserSetWatermarkStrings
NtUserSetWindowArrangement
NtUserSetWindowBand
NtUserSetWindowCompositionAttribute
NtUserSetWindowCompositionTransition
NtUserSetWindowContextHelpId
NtUserSetWindowDisplayAffinity
NtUserSetWindowFeedbackSetting
NtUserSetWindowGroup
NtUserSetWindowRgnEx
NtUserSetWindowShowState
NtUserSetWindowState
NtUserSetWindowStationUser
NtUserShowCursor
NtUserShowOwnedPopups
NtUserShowStartGlass
NtUserShowSystemCursor
NtUserShutdownBlockReasonCreate
NtUserShutdownBlockReasonQuery
NtUserShutdownReasonDestroy
NtUserSignalRedirectionStartComplete
NtUserSlicerControl
NtUserSoundSentry
NtUserStopAndEndInertia
NtUserSwapMouseButton
NtUserSwitchDesktop
NtUserSwitchToThisWindow
NtUserSystemParametersInfoForDpi
NtUserTestForInteractiveUser
NtUserThreadMessageQueueAttached
NtUserTraceLoggingSendMixedModeTelemetry
NtUserTrackPopupMenuEx
NtUserTransformPoint
NtUserTransformRect
NtUserUndelegateInput
NtUserUnhookWindowsHook
NtUserUnloadKeyboardLayout
NtUserUnlockWindowStation
NtUserUnregisterHotKey
NtUserUnregisterSessionPort
NtUserUnregisterUserApiHook
NtUserUpdateClientRect
NtUserUpdateDefaultDesktopThumbnail
NtUserUpdateInputContext
NtUserUpdateInstance
NtUserUpdateLayeredWindow
NtUserUpdatePerUserImmEnabling
NtUserUpdatePerUserSystemParameters
NtUserUpdateWindow
NtUserUpdateWindowInputSinkHints
NtUserUpdateWindowTrackingInfo
NtUserUpdateWindows
NtUserUserHandleGrantAccess
NtUserUserPowerCalloutWorker
NtUserValidateRgn
NtUserWOWCleanup
NtUserWOWModuleUnload
NtUserWaitAvailableMessageEx
NtUserWaitForInputIdle
NtUserWaitForMsgAndEvent
NtUserWaitForRedirectionStartComplete
NtUserWakeRITForShutdown
NtUserWindowFromDC
NtUserWindowFromPhysicalPoint
NtUserZapActiveAndFocus
NtValidateCompositionSurfaceHandle
NtVisualCaptureBits
NtUserSetClassLongPtr
NtUserSetWindowLongPtr

fltmgr.GLOBALS!PerfTraceRoutines

In Windows 8 fltmgr gained ETW logging of filter operations, driven by the structure WMI_FLTIO_NOTIFY_ROUTINES referenced from GLOBALS. Its members are all function pointers:
 struct WMI_FLTIO_NOTIFY_ROUTINES {
   void (*TimeStampRoutine)(struct _ETW_KERNEL_TRACE_TIMESTAMP *, unsigned long);
   void (*FailureNotifyRoutine)(void *, unsigned long, unsigned long, unsigned short);
   void (*InitiationNotifyRoutine)(void *, unsigned long, unsigned long, unsigned short);
   void (*CompletionNotifyRoutine)(void *, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP *);
   void (*FastCompletionNotifyRoutine)(void *, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP *);
 };

Windows 10 appended one more entry (index 5 in the dump below):
   void (*IoRedirectionNotifyRoutine)(struct _IRP *, struct _FILE_OBJECT *);

The structure is initialized in DriverEntry: PerfTraceRoutines is first pointed at GLOBALS.DummyPerfTraceRoutines, then WmiQueryTraceInformation is called with class FltIoNotifyRoutinesClass, which fills the table with the contents of ntoskrnl's EtwpFltIoNotifyRoutines.
So by patching these function pointers you can get real-time information about operations in file system filters (or, perhaps, disable ETW logging for them). Note that this is a plain writable pointer table in fltmgr's data, which also makes it an obvious place to check for hooks.

On a freshly installed system only two of the pointers are initialized:

[0] TimeStampRoutine: FFFFF80753B2BAC0 \SystemRoot\system32\ntoskrnl.exe
[5] IoRedirectionNotifyRoutine: FFFFF80753E04570 \SystemRoot\system32\ntoskrnl.exe

You can locate GLOBALS!PerfTraceRoutines by disassembling the exported function FltCompletePendedPostOperation, which references it.
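As an added example (my own code, not from the post and not fltmgr's), here is the defensive counterpart of the hooking described above: a small C audit that takes the six PerfTraceRoutines slots as you would dump them from a kernel debugger, plus the loaded-module ranges, and flags every non-zero slot that does not resolve into ntoskrnl.exe. The rule that ntoskrnl.exe is the only legitimate target is an assumption derived from the clean-system dump above; the module bases and sizes and the planted pool address are made up for the sample, while the two routine addresses are the ones from that dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slot layout of the table fltmgr!GLOBALS.PerfTraceRoutines points at: the five
 * WMI_FLTIO_NOTIFY_ROUTINES members from Windows 8 followed by the
 * IoRedirectionNotifyRoutine slot Windows 10 appended (index 5). Entries are
 * raw 64-bit values because this runs against a dump, not inside the kernel. */
typedef struct {
    uint64_t routine[6];
} fltio_notify_table;

static const char *const slot_name[6] = {
    "TimeStampRoutine", "FailureNotifyRoutine", "InitiationNotifyRoutine",
    "CompletionNotifyRoutine", "FastCompletionNotifyRoutine", "IoRedirectionNotifyRoutine",
};

/* Image range of a loaded kernel module, as copied from `lm` in WinDbg. */
typedef struct {
    const char *name;
    uint64_t base;
    uint64_t size;
} module_range;

enum { SLOT_UNSET = 0, SLOT_NTOSKRNL = 1, SLOT_SUSPICIOUS = 2 };

/* Returns the module whose image contains va, or NULL if none does. */
static const module_range *module_for(uint64_t va, const module_range *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (va >= mods[i].base && va - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* Audit rule (assumption based on the clean-system dump): an unset slot is 0 and a
 * set slot must resolve into ntoskrnl.exe, where EtwpFltIoNotifyRoutines lives.
 * Any other non-zero value is a candidate hook. Fills verdict[] with SLOT_* codes
 * and returns the number of suspicious slots. */
int audit_fltio_table(const fltio_notify_table *t, const module_range *mods,
                      size_t nmods, int verdict[6])
{
    int suspicious = 0;
    for (int i = 0; i < 6; i++) {
        uint64_t va = t->routine[i];
        if (va == 0) { verdict[i] = SLOT_UNSET; continue; }
        const module_range *m = module_for(va, mods, nmods);
        if (m != NULL && strcmp(m->name, "ntoskrnl.exe") == 0) {
            verdict[i] = SLOT_NTOSKRNL;
        } else {
            verdict[i] = SLOT_SUSPICIOUS;
            suspicious++;
        }
    }
    return suspicious;
}

/* Constructed sample data, not from a real machine: the module bases/sizes are
 * invented so that the two routine addresses quoted in the post fall inside
 * ntoskrnl.exe. */
static const module_range sample_modules[] = {
    { "ntoskrnl.exe", 0xFFFFF80753800000ULL, 0x00A00000ULL },
    { "fltmgr.sys",   0xFFFFF80754C00000ULL, 0x00070000ULL },
};
#define SAMPLE_MODULE_COUNT (sizeof(sample_modules) / sizeof(sample_modules[0]))

static const fltio_notify_table sample_clean = {
    { 0xFFFFF80753B2BAC0ULL, 0, 0, 0, 0, 0xFFFFF80753E04570ULL }
};

/* Same table after someone planted a CompletionNotifyRoutine in pool memory,
 * i.e. at an (invented) address no loaded image covers. */
static const fltio_notify_table sample_hooked = {
    { 0xFFFFF80753B2BAC0ULL, 0, 0, 0xFFFFE3A1B0421000ULL, 0, 0xFFFFF80753E04570ULL }
};

/* Wrappers over the samples: suspicious-slot count, and the verdict for one slot. */
int sample_suspicious_count(int hooked)
{
    int verdict[6];
    return audit_fltio_table(hooked ? &sample_hooked : &sample_clean,
                             sample_modules, SAMPLE_MODULE_COUNT, verdict);
}

int sample_slot_verdict(int hooked, int slot)
{
    int verdict[6];
    audit_fltio_table(hooked ? &sample_hooked : &sample_clean,
                      sample_modules, SAMPLE_MODULE_COUNT, verdict);
    return (slot >= 0 && slot < 6) ? verdict[slot] : -1;
}

/* Prints the table in the same "[idx] Name: address module" shape as the dump above. */
static void print_report(const char *title, const fltio_notify_table *t)
{
    int verdict[6];
    int n = audit_fltio_table(t, sample_modules, SAMPLE_MODULE_COUNT, verdict);
    printf("%s (%d suspicious)\n", title, n);
    for (int i = 0; i < 6; i++) {
        if (verdict[i] == SLOT_UNSET) continue;
        const module_range *m = module_for(t->routine[i], sample_modules, SAMPLE_MODULE_COUNT);
        printf("[%d] %s: %016llX %s%s\n", i, slot_name[i], (unsigned long long)t->routine[i],
               m ? m->name : "<no image>", verdict[i] == SLOT_SUSPICIOUS ? "  <-- HOOK?" : "");
    }
}

int main(void)
{
    print_report("clean system", &sample_clean);
    print_report("hooked system", &sample_hooked);
    return 0;
}
```

On a real machine you would fill the table from a kernel-debugger dump of the six qwords at the address recovered from FltCompletePendedPostOperation and the module list from lm; the point of the rule is that on a clean box the unset slots stay zero and the set ones point into ntoskrnl, so any populated slot that lands in pool or in a third-party driver deserves a look.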

VfDifThunks

It seems that in Windows 10 build 19569 a new verifier table has appeared, VfDifThunks, along with a new exported function DifRegisterPlugin (which for now is used only in VerifierExt.sys). List of intercepted functions:

[0] CcCopyWrite
[1] CcCopyWriteEx
[2] CcDeferWrite
[3] CcFastCopyWrite
[4] CcWaitForCurrentLazyWriterActivity
[5] CmRegisterCallback
[6] CmUnRegisterCallback
[7] CmRegisterCallbackEx
[8] DbgBreakPointWithStatus
[9] ExAcquireRundownProtection
[A] ExAcquireRundownProtectionCacheAware
[B] ExAcquireRundownProtectionCacheAwareEx
[C] ExAcquireRundownProtectionEx
[D] ExConvertExclusiveToSharedLite
[E] ExCreateCallback
[F] ExEnterCriticalRegionAndAcquireSharedWaitForExclusive
[10] ExGetExclusiveWaiterCount
[11] ExGetSharedWaiterCount
[12] ExInterlockedAddLargeInteger
[13] ExInterlockedInsertHeadList
[14] ExInterlockedInsertTailList
[15] ExInterlockedPopEntryList
[16] ExInterlockedPushEntryList
[17] ExInterlockedRemoveHeadList
[18] ExIsProcessorFeaturePresent
[19] ExIsResourceAcquiredExclusiveLite
[1A] ExIsResourceAcquiredSharedLite
[1B] ExpInterlockedFlushSList
[1C] ExpInterlockedPopEntrySList
[1D] ExpInterlockedPushEntrySList
[1E] ExRaiseAccessViolation
[1F] ExRaiseDatatypeMisalignment
[20] ExRaiseStatus
[21] ExRegisterCallback
[22] ExReinitializeResourceLite
[23] ExReleaseRundownProtection
[24] ExReleaseRundownProtectionCacheAware
[25] ExReleaseRundownProtectionEx
[26] ExSetResourceOwnerPointer
[27] ExSetResourceOwnerPointerEx
[28] ExSetTimerResolution
[29] ExUnregisterCallback
[2A] ExUuidCreate
[2B] ExWaitForRundownProtectionRelease
[2C] ExWaitForRundownProtectionReleaseCacheAware
[2D] FsRtlAllocateFileLock
[2E] FsRtlAreNamesEqual
[2F] FsRtlBalanceReads
[30] FsRtlCancellableWaitForMultipleObjects
[31] FsRtlCancellableWaitForSingleObject
[32] FsRtlCheckLockForReadAccess
[33] FsRtlCheckLockForWriteAccess
[34] FsRtlCopyWrite
[35] FsRtlDeregisterUncProvider
[36] FsRtlDissectName
[37] FsRtlDoesNameContainWildCards
[38] FsRtlFastCheckLockForRead
[39] FsRtlFastCheckLockForWrite
[3A] FsRtlFastUnlockAll
[3B] FsRtlFastUnlockAllByKey
[3C] FsRtlFastUnlockSingle
[3D] FsRtlFreeFileLock
[3E] FsRtlGetFileSize
[3F] FsRtlGetNextFileLock
[40] FsRtlIncrementCcFastReadNoWait
[41] FsRtlIncrementCcFastReadWait
[42] FsRtlInitializeFileLock
[43] FsRtlIsNameInExpression
[44] FsRtlMdlReadCompleteDev
[45] FsRtlMdlWriteCompleteDev
[46] FsRtlNotifyFilterChangeDirectory
[47] FsRtlNotifyFilterReportChange
[48] FsRtlNotifyFullChangeDirectory
[49] FsRtlNotifyFullReportChange
[4A] FsRtlPrivateLock
[4B] FsRtlProcessFileLock
[4C] FsRtlRegisterUncProvider
[4D] FsRtlRegisterUncProviderEx
[4E] FsRtlRemoveDotsFromPath
[4F] FsRtlUninitializeFileLock
[50] FsRtlValidateReparsePointBuffer
[51] HalExamineMBR
[52] IoAcquireCancelSpinLock
[53] IoAcquireVpbSpinLock
[54] IoAllocateController
[55] IoAttachDevice
[56] IoAttachDeviceToDeviceStack
[57] IoAttachDeviceToDeviceStackSafe
[58] IoCancelIrp
[59] IoCheckShareAccess
[5A] IoCreateController
[5B] IoCreateFile
[5C] IoCreateFileEx
[5D] IoCreateFileSpecifyDeviceObjectHint
[5E] IoCreateNotificationEvent
[5F] IoCreateSymbolicLink
[60] IoCreateSynchronizationEvent
[61] IoCreateUnprotectedSymbolicLink
[62] IoDeleteController
[63] IoDeleteDevice
[64] IoDeleteSymbolicLink
[65] IoDetachDevice
[66] IoFreeController
[67] IoGetAttachedDeviceReference
[68] IoGetConfigurationInformation
[69] IoGetDeviceDirectory
[6A] IoGetDriverDirectory
[6B] IoGetDeviceInterfaceAlias
[6C] IoGetDeviceInterfaces
[6D] IoGetDeviceNumaNode
[6E] IoGetDeviceObjectPointer
[6F] IoGetDeviceProperty
[70] IoGetDevicePropertyData
[71] IoGetDeviceToVerify
[72] IoSetDeviceToVerify
[73] IoGetFileObjectGenericMapping
[74] IoGetInitialStack
[75] IoInitializeIrp
[76] IoInvalidateDeviceRelations
[77] IoIsWdmVersionAvailable
[78] IoOpenDeviceInterfaceRegistryKey
[79] IoOpenDeviceRegistryKey
[7A] IoOpenDriverRegistryKey
[7B] IoRaiseHardError
[7C] IoRaiseInformationalHardError
[7D] IoReadPartitionTable
[7E] IoReadPartitionTableEx
[7F] IoRegisterBootDriverReinitialization
[80] IoRegisterDeviceInterface
[81] IoRegisterDriverReinitialization
[82] IoRegisterLastChanceShutdownNotification
[83] IoRegisterPlugPlayNotification
[84] IoRegisterShutdownNotification
[85] IoReleaseCancelSpinLock
[86] IoReleaseVpbSpinLock
[87] IoRemoveShareAccess
[88] IoReplacePartitionUnit
[89] IoReportDetectedDevice
[8A] IoReportTargetDeviceChange
[8B] IoReportTargetDeviceChangeAsynchronous
[8C] IoReuseIrp
[8D] IoSetDeviceInterfaceState
[8E] IoSetDevicePropertyData
[8F] IoSetPartitionInformation
[90] IoSetPartitionInformationEx
[91] IoSetShareAccess
[92] IoSetStartIoAttributes
[93] IoStartNextPacket
[94] IoUnregisterPlugPlayNotification
[95] IoUnregisterPlugPlayNotificationEx
[96] IoUnregisterShutdownNotification
[97] IoUpdateShareAccess
[98] IoWMIAllocateInstanceIds
[99] IoWritePartitionTable
[9A] IoWritePartitionTableEx
[9B] KeAcquireGuardedMutex
[9C] KeAcquireGuardedMutexUnsafe
[9D] KeAcquireInterruptSpinLock
[9E] KeAcquireQueuedSpinLock
[9F] KeAcquireSpinLockForDpc
[A0] KeAreAllApcsDisabled
[A1] KeAreApcsDisabled
[A2] KeCancelTimer
[A3] KeClearEvent
[A4] KeDeregisterNmiCallback
[A5] KeEnterGuardedRegion
[A6] KeFlushQueuedDpcs
[A7] KeInitializeDeviceQueue
[A8] KeInitializeGuardedMutex
[A9] KeInsertByKeyDeviceQueue
[AA] KeInsertDeviceQueue
[AB] KeInsertHeadQueue
[AC] KeInsertQueue
[AD] KeLeaveGuardedRegion
[AE] KePulseEvent
[AF] KeQueryPriorityThread
[B0] KeQueryRuntimeThread
[B1] KeReadStateEvent
[B2] KeReadStateMutex
[B3] KeReadStateSemaphore
[B4] KeReadStateTimer
[B5] KeRegisterNmiCallback
[B6] KeReleaseGuardedMutex
[B7] KeReleaseGuardedMutexUnsafe
[B8] KeReleaseInterruptSpinLock
[B9] KeReleaseQueuedSpinLock
[BA] KeReleaseSemaphore
[BB] KeReleaseSpinLockForDpc
[BC] KeRemoveByKeyDeviceQueue
[BD] KeRemoveDeviceQueue
[BE] KeRemoveEntryDeviceQueue
[BF] KeRemoveQueue
[C0] KeResetEvent
[C1] KeSetSystemGroupAffinityThread
[C2] KeSetTimer
[C3] KeSetTimerEx
[C4] KeTestSpinLock
[C5] KeTryToAcquireGuardedMutex
[C6] MmAddPhysicalMemory
[C7] MmCreateMirror
[C8] MmDoesFileHaveUserWritableReferences
[C9] MmGetPhysicalMemoryRanges
[CA] MmLockPagableDataSection
[CB] MmLockPagableSectionByHandle
[CC] MmMapLockedPagesWithReservedMapping
[CD] MmPageEntireDriver
[CE] MmPrefetchPages
[CF] MmRemovePhysicalMemory
[D0] MmResetDriverPaging
[D1] MmSecureVirtualMemory
[D2] MmUnlockPagableImageSection
[D3] MmUnsecureVirtualMemory
[D4] NtLockFile
[D5] NtSetInformationFile
[D6] NtUnlockFile
[D7] ObfDereferenceObject
[D8] ObfDereferenceObjectWithTag
[D9] ObfReferenceObjectWithTag
[DA] ObGetObjectSecurity
[DB] ObReferenceObjectByHandleWithTag
[DC] ObReferenceObjectByPointerWithTag
[DD] ObReleaseObjectSecurity
[DE] PoCallDriver
[DF] PoFxActivateComponent
[E0] PoFxCompleteDevicePowerNotRequired
[E1] PoFxCompleteIdleCondition
[E2] PoFxCompleteIdleState
[E3] PoFxIdleComponent
[E4] PoFxNotifySurprisePowerOn
[E5] PoFxPowerControl
[E6] PoFxRegisterDevice
[E7] PoFxReportDevicePoweredOn
[E8] PoFxSetComponentLatency
[E9] PoFxSetComponentResidency
[EA] PoFxSetComponentWake
[EB] PoFxSetDeviceIdleTimeout
[EC] PoFxStartDevicePowerManagement
[ED] PoFxUnregisterDevice
[EE] PoRequestPowerIrp
[EF] ProbeForRead
[F0] ProbeForWrite
[F1] PsAssignImpersonationToken
[F2] PsCreateSystemThread
[F3] PsDereferenceImpersonationToken
[F4] PsDereferencePrimaryToken
[F5] PsDisableImpersonation
[F6] PsGetVersion
[F7] PsImpersonateClient
[F8] PsReferenceImpersonationToken
[F9] PsReferencePrimaryToken
[FA] PsRemoveLoadImageNotifyRoutine
[FB] PsRestoreImpersonation
[FC] PsRevertToSelf
[FD] PsSetCreateProcessNotifyRoutine
[FE] PsSetCreateProcessNotifyRoutineEx
[FF] PsSetCreateThreadNotifyRoutine
[100] PsSetLoadImageNotifyRoutine
[101] PsTerminateSystemThread
[102] RtlCompareUnicodeString
[103] RtlDeleteRegistryValue
[104] RtlWriteRegistryValue
[105] RtlCheckRegistryKey
[106] RtlQueryRegistryValues
[107] RtlQueryRegistryValuesEx
[108] RtlQueryRegistryValueWithFallback
[109] RtlCreateRegistryKey
[10A] RtlCreateSystemVolumeInformationFolder
[10B] RtlDowncaseUnicodeChar
[10C] RtlEqualUnicodeString
[10D] RtlFreeUnicodeString
[10E] RtlGenerateClass5Guid
[10F] RtlGUIDFromString
[110] RtlHashUnicodeString
[111] RtlStringFromGUID
[112] RtlUnicodeToUTF8N
[113] RtlUpcaseUnicodeChar
[114] RtlUTF8ToUnicodeN
[115] RtlxAnsiStringToUnicodeSize
[116] RtlxUnicodeStringToAnsiSize
[117] SeAccessCheck
[118] SeAssignSecurity
[119] SeAssignSecurityEx
[11A] SeDeassignSecurity
[11B] SeLockSubjectContext
[11C] SeReleaseSubjectContext
[11D] SeSinglePrivilegeCheck
[11E] SeUnlockSubjectContext
[11F] SeValidSecurityDescriptor
[120] ZwAllocateLocallyUniqueId
[121] ZwClose
[122] ZwCommitComplete
[123] ZwCommitTransaction
[124] ZwCreateKeyTransacted
[125] ZwCreateResourceManager
[126] ZwDeleteKey
[127] ZwEnumerateTransactionObject
[128] ZwFlushBuffersFile
[129] ZwFlushBuffersFileEx
[12A] ZwFlushKey
[12B] ZwGetNotificationResourceManager
[12C] ZwLockFile
[12D] ZwMakeTemporaryObject
[12E] ZwOpenKeyEx
[12F] ZwOpenKeyTransacted
[130] ZwOpenKeyTransactedEx
[131] ZwOpenResourceManager
[132] ZwPrePrepareComplete
[133] ZwQueryInformationResourceManager
[134] ZwQueryQuotaInformationFile
[135] ZwReadOnlyEnlistment
[136] ZwRecoverEnlistment
[137] ZwRecoverTransactionManager
[138] ZwRenameKey
[139] ZwSetInformationKey
[13A] ZwRollbackComplete
[13B] ZwRollbackTransaction
[13C] ZwSetInformationResourceManager
[13D] ZwSetInformationToken
[13E] ZwSetQuotaInformationFile
[13F] ZwSetTimerEx
[140] ZwTerminateProcess
[141] ZwUnlockFile
[142] ZwUnmapViewOfSection

static code analysis

This cool article is a good case to show how you can employ static code analysis to extract some unexported symbols from binary code - in this case we need ExNPagedLookasideLock & ExNPagedLookasideListHead

Sure, the first thing you need is a disassembler. If you search GitHub for "x86 disasm" you get about 20 repositories, but we need one that satisfies some requirements:
  • disassembles into some intermediate representation rather than string output
  • can be used in kernel mode (just in case you want to do that), which means it must be written in C

So just choose the one with the most comprehensible code - because they all contain bugs, and you will fix them and/or add missing instructions anyway

Let's start with the exported function ExInitializeNPagedLookasideList. The simplest case - XP 64-bit:


...
 mov     [rcx+54h], r10d
 lea     rdx, [rcx+40h]
 lea     r8, ExNPagedLookasideLock
 lea     rcx, ExNPagedLookasideListHead
 add     rsp, 28h
 jmp     ExInterlockedInsertTailList


You can just collect all lea instructions that load addresses from the .data section: r8 will hold the address of the lock and rcx the list. OK, this was simple, so let's see a more complex case - w2k3 64-bit:
 sub     rsp, 28h
 test    cl, 0Fh
 jz      short loc_52A748
 mov     r8, [rsp+28h]
 mov     rdx, rcx
 lea     rcx, aInitializeslis
 call    DbgPrint
 mov     ecx, 80000002h
 call    ExRaiseStatus
 int     3                              ; Trap to Debugger


Oops, a Bad Thing happened - you can't disassemble past an int 3 instruction, because it is something that should not happen during normal execution. This is where you need a code-flow graph. The obvious choice is to treat code blocks as nodes and jumps to other code blocks as edges. Each node can have lots of directed edges (and some of these edges can even point back to the same node, so we have a directed graph with loops). The good news is that you don't need to build the whole graph, because you discover all your nodes and edges dynamically anyway. It's like Lee's algorithm for pathfinding in a maze: you just need a set of code blocks you are currently processing, another set of edges to process in the next cycle, and some storage for already processed blocks. So the algorithm is simple:
  1. add your initial address (in this case the address of ExInitializeNPagedLookasideList) to the current set
  2. process all code blocks in the current set and extract links to other code blocks into the next set
  3. when you are finished with the current set, add all processed blocks to some "storage of processed" - it can be something simple like std::list<std::pair< PBYTE, DWORD >> or some heavy weapon like the Boost interval container library (or some interval tree written in plain C). The main idea is that this storage can tell you whether an address was already processed
  4. now you have a set of newly discovered addresses; filter out the already processed ones and put the rest into your current set
  5. if this set is empty, the algorithm ends
  6. goto step 2

So in our sample from w2k3 the disassembly will stop at the address of int 3, but the set of newly discovered addresses will contain the new address 52A748:
loc_52A748:  
 ...
 lea     r8, ExNPagedLookasideLock
 lea     rcx, ExNPagedLookasideListHead
 add     rsp, 28h
 jmp     ExInterlockedInsertTailList


exactly like in the previous case. Let's see a more complex case - w7 64-bit:

ExInitializeNPagedLookasideList:
 sub     rsp, 48h
 and     [rsp+48h+var_10], 0
 movzx   eax, [rsp+48h+Depth]
 mov     [rsp+48h+var_18], ax
 mov     eax, [rsp+48h+Tag]
 mov     [rsp+48h+var_20], eax
 mov     rax, [rsp+48h+Size]
 mov     [rsp+48h+var_28], rax
 call    ExInitializeNPagedLookasideListInternal
 add     rsp, 48h
 retn


Oops again, there is nothing like loading some addresses here. But you can collect calls and also add them to the edge storage. Function ExInitializeNPagedLookasideListInternal is very big and complex, so let's look at something interesting at address 140166277:
loc_140166277:
 add     [rbx+4B00h], edi
 lock bts cs:ExNPagedLookasideLock, 0
 jnb     short loc_1401662A6
 lea     rcx, ExNPagedLookasideLock
 call    KxWaitForSpinLockAndAcquire
 add     [rbx+4B04h], edi
 add     [rbx+4B08h], eax
 mov     r9d, eax
 jmp     short loc_1401662A9


Function KxWaitForSpinLockAndAcquire is not exported, but you can recognize the lock by the instruction lock bts [address in .data section]. Now you know the lock address, and in one of the two blocks after this the list will be accessed safely - so you need to associate some State with all of your edges. Let's say for this simple case that state 0 means we are still searching for the lock and state 1 means we got the lock and now expect the list address. So you can mark addresses 1401662A6 and 1401662A9 as having state 1 and then process them in some other way

There is one important question - how safely can you skip processing of nodes with state 0 when you already have some edges with state 1? Answer - it depends on your state machine. Draw all your states on paper; if this graph has no branches, you can skip, in the current cycle, all blocks with a lower state:

But let's see another state graph (branches can occur when we try to find several addresses, or when there are several ways to find the same address. And you are clearly doing something wrong if your state graph has loops):

In this case you can safely skip only edges with state 0 when you are in state 1. But you can't skip edges with state 1 or 2 when you are processing a block with state 3
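
The worklist from steps 1-6 above, combined with the per-edge state from the lock bts discussion, as an added example that is not the author's code: it runs over a constructed instruction model (Lea/LockBts/Jz/Jmp/Call/Int3/Ret, hypothetical, standing in for a real disassembler) that mimics the w2k3 int 3 path and the w7 lock sequence, with hypothetical .data addresses and an interval-map "storage of processed" kept per state.

```cpp
#include <cstdint>
#include <map>
#include <set>

// Hypothetical instruction model standing in for a real x86 disassembler: each
// "instruction" occupies one address unit and carries a single operand.
enum class Op { Lea, LockBts, Jz, Jmp, Call, Int3, Ret };
struct Insn { Op op; uint64_t arg; };             // arg: .data address or branch target
using Code = std::map<uint64_t, Insn>;

// Constructed .data section bounds (hypothetical layout)
constexpr uint64_t DATA_LO = 0x600000, DATA_HI = 0x700000;
static bool InData(uint64_t a) { return a >= DATA_LO && a < DATA_HI; }
struct Found { uint64_t lock = 0, list = 0; };

// An edge is a block start plus the search state it was discovered in:
// 0 = still looking for the lock, 1 = lock seen, the next .data lea is the list.
struct Edge { uint64_t addr; int state;
  bool operator<(const Edge& o) const { return addr != o.addr ? addr < o.addr : state < o.state; } };

// "Storage of processed" blocks: one interval map (start -> end) per state.
struct Processed {
  std::map<int, std::map<uint64_t, uint64_t>> byState;
  bool contains(const Edge& e) const {
    auto s = byState.find(e.state); if (s == byState.end()) return false;
    auto it = s->second.upper_bound(e.addr);
    return it != s->second.begin() && e.addr < (--it)->second;
  }
  void add(const Edge& e, uint64_t end) { byState[e.state][e.addr] = end > e.addr ? end : e.addr + 1; }
};

// Walk one basic block linearly. Stops at int 3 / ret / jmp, or at an address with
// no instruction (an external call target). Returns the end address of the block.
static uint64_t WalkBlock(const Code& code, Edge e, Found& f, std::set<Edge>& next) {
  int state = e.state;
  for (uint64_t a = e.addr;; ++a) {
    auto it = code.find(a);
    if (it == code.end()) return a;
    const Insn& in = it->second;
    switch (in.op) {
      case Op::LockBts:                         // lock bts [.data], 0 = spin lock acquire
        if (state == 0 && InData(in.arg)) { f.lock = in.arg; state = 1; }
        break;
      case Op::Lea:                             // the lock is lea'd too (as a call argument)
        if (state == 1 && InData(in.arg) && in.arg != f.lock) { f.list = in.arg; return a + 1; }
        break;
      case Op::Jz:   next.insert({in.arg, state}); break;   // both paths are edges
      case Op::Call: next.insert({in.arg, state}); break;   // the callee is an edge as well
      case Op::Jmp:  next.insert({in.arg, state}); return a + 1;
      case Op::Int3: case Op::Ret: return a + 1;            // cannot disasm past these
    }
  }
}

// Steps 1-6 from the text: a worklist of (address, state) edges; stop when the set
// is empty or the list has been found.
Found FindLockList(const Code& code, uint64_t entry) {
  Found f; Processed done;
  std::set<Edge> current{Edge{entry, 0}};
  while (!current.empty() && !f.list) {
    std::set<Edge> next;
    for (const Edge& e : current) done.add(e, WalkBlock(code, e, f, next));
    current.clear();
    for (const Edge& e : next)                // filter out already processed blocks
      if (!done.contains(e)) current.insert(e);
  }
  return f;
}

// Constructed sample mimicking the w2k3 prologue (int 3 path) and the w7 lock sequence.
constexpr uint64_t LOCK = 0x600010, LIST = 0x600020;        // hypothetical .data addresses
Code SampleKernel() {
  return {
    {0x1000, {Op::Jz,      0x1010}},   // test cl, 0Fh / jz loc_1010
    {0x1001, {Op::Call,    0x2000}},   // call DbgPrint (external, absent from the map)
    {0x1002, {Op::Int3,    0}},        // int 3: the linear walk must stop here
    {0x1010, {Op::Call,    0x1100}},   // call ExInitializeNPagedLookasideListInternal
    {0x1011, {Op::Ret,     0}},
    {0x1100, {Op::LockBts, LOCK}},     // lock bts cs:ExNPagedLookasideLock, 0
    {0x1101, {Op::Jz,      0x1110}},   // jnb short loc_1110 (lock taken at once)
    {0x1102, {Op::Lea,     LOCK}},     // lea rcx, ExNPagedLookasideLock (argument, not the list)
    {0x1103, {Op::Call,    0x2002}},   // call KxWaitForSpinLockAndAcquire
    {0x1104, {Op::Jmp,     0x1110}},
    {0x1110, {Op::Lea,     LIST}},     // lea rcx, ExNPagedLookasideListHead
    {0x1111, {Op::Ret,     0}},
  };
}
```

Note that the lea of the lock itself at 0x1102 is skipped in state 1, otherwise the lock address would be reported as the list.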

armpatched

Several days ago I started my new pet project on GitHub, because
  • quarantine is boring
  • reading the book "ARM 64-Bit Assembly Language" without practice is useless
So I just forked the arm64 disassembler called armadillo, ported it to Windows, added a naïve PE loader (btw an attempt to use the MapViewOfFile function was unsuccessful with GetLastError 1132) and today added some practical usage of static code analysis to extract the lists and locks of lookaside lists from the arm64 Windows kernel

The main magic happens in the ntoskrnl_hack::find_lock_list function

As you can notice, the code does not emulate every instruction. I just check whether, after an ADRP/ADD pair, the target register holds some address in the .data section. If we encounter a call to (exported) KeAcquireSpinLockRaiseToDpc we change state to 1 and assign the value of the x0 register to the lock, and then the next address loaded from the .data section must be the list

bug in ida pro arm64 module

Let's look in IDA Pro at some arm64 Windows kernel, for example the good old function PspSetCreateThreadNotifyRoutine:
 ADRP            X8, #PspNotifyEnableMask@PAGE
 ADD             X11, X8, #PspNotifyEnableMask@PAGEOFF
 TBNZ            W20, #0, loc_140690960
 ADD             X10, X11, #0x33C


Register x11 contains the address of PspNotifyEnableMask - in my case this is 0x1408AE6B0 - and then x10 loads the address PspNotifyEnableMask + 0x33c = 0x1408AE9EC, which is actually PspCreateThreadNotifyRoutineCount. And no - you cannot fix the last instruction by pressing O or Ctrl + O
Given that cross-refs on arm64 are highly dependent on correct code analysis, this is very annoying
Tested in IDA Pro 6.9 and 7.2
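
As an added example of the ADRP/ADD register tracking the armpatched post describes, applied to the PspSetCreateThreadNotifyRoutine sequence above (example code, not armpatched's own): a hypothetical arm64 instruction model in which the PC, page delta, PAGEOFF and .data range are constructed so that x11 and x10 resolve to the 0x1408AE6B0 and 0x1408AE9EC addresses from the text.

```cpp
#include <cstdint>
#include <map>
#include <vector>

// Hypothetical arm64 instruction model: only what is needed to follow ADRP/ADD
// address materialization. rd == -1 means the instruction writes no register.
enum class A64 { Adrp, AddImm, Other };
struct A64Insn { A64 op; int rd; int rn; int64_t imm; };  // imm: ADRP in pages, ADD in bytes

// Constructed .data range (hypothetical) for the "is it a .data address?" check
constexpr uint64_t DATA_LO = 0x1408A0000, DATA_HI = 0x1408C0000;

// Follow a straight-line sequence starting at pc and return register -> address for
// every register that ends up holding a .data address. A write we cannot model
// forgets that register, so a stale base never feeds a later ADD.
std::map<int, uint64_t> TrackAdrpAdd(const std::vector<A64Insn>& code, uint64_t pc) {
  std::map<int, uint64_t> regs;           // registers whose value is currently known
  for (const A64Insn& in : code) {
    switch (in.op) {
      case A64::Adrp:                     // Xd = page(PC) + imm21 * 4 KiB
        regs[in.rd] = (pc & ~uint64_t(0xFFF)) + (uint64_t(in.imm) << 12);
        break;
      case A64::AddImm: {                 // Xd = Xn + imm, only when Xn is known
        auto src = regs.find(in.rn);
        if (src != regs.end()) regs[in.rd] = src->second + uint64_t(in.imm);
        else regs.erase(in.rd);
        break;
      }
      case A64::Other:                    // anything else: destination becomes unknown
        regs.erase(in.rd);
        break;
    }
    pc += 4;                              // fixed 4-byte arm64 encoding
  }
  std::map<int, uint64_t> inData;
  for (const auto& r : regs)
    if (r.second >= DATA_LO && r.second < DATA_HI) inData[r.first] = r.second;
  return inData;
}

// Constructed sequence from PspSetCreateThreadNotifyRoutine. The PC, the page delta,
// PAGEOFF and the trailing LDR/ADD are made up; PC is chosen so that x11 resolves to
// 0x1408AE6B0 as in the text.
constexpr uint64_t SAMPLE_PC = 0x140690940;
std::vector<A64Insn> PspSample() {
  return {
    {A64::Adrp,    8, -1, 0x21E},   // ADRP X8, #PspNotifyEnableMask@PAGE
    {A64::AddImm, 11,  8, 0x6B0},   // ADD  X11, X8, #PspNotifyEnableMask@PAGEOFF
    {A64::Other,  -1, -1, 0},       // TBNZ W20, #0, loc_140690960 (writes no register)
    {A64::AddImm, 10, 11, 0x33C},   // ADD  X10, X11, #0x33C -> PspCreateThreadNotifyRoutineCount
    {A64::Other,   9, -1, 0},       // LDR  X9, [X11]: X9 now holds an unknown value
    {A64::AddImm, 12,  9, 8},       // ADD  X12, X9, #8: unknown base, must not be reported
  };
}
```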

KiTpExcludedRoutines

As you can guess from the name, this is an array of functions for which you can't set a kernel tracepoint. Curiously, this list differs between x64 and arm64
x64
memmove
memset
memcmp
_alloca_probe
_guard_dispatch_icall
_guard_dispatch_icall_nop
__security_check_cookie
ReadNoFence8
ReadNoFence8
memcpy_s
KiDispatchException
PsGetCurrentProcess
KeGetCurrentThread
PsGetCurrentProcessByThread
KeGetCurrentThread
KeGetCurrentPrcb
KeGetPcr
KeGetCurrentProcessorIndex
KeQueryCurrentStackInformationEx
RtlGetExtendedContextLength
RtlpGetLegacyContextLength
RtlGetExtendedContextLength2
RtlpGetEntireXStateAreaLength
RtlInitializeExtendedContext
RtlInitializeExtendedContext2
RtlLocateExtendedFeature
RtlLocateExtendedFeature2
RtlpValidateContextFlags
RtlCaptureContext
RtlRestoreContext
RtlpGetStackLimits
RtlpGetStackLimitsEx
ExtEnvZeroMemory
KeContextFromKframes
KeContextToKframes
KiGetTrapFrameMode
SANITIZE_VA
KeGetCurrentIrql
ObGetCurrentIrql
KeAreAllApcsDisabled
KeAreInterruptsEnabled
KeThawExecution
KeFreezeExecution
KiSendThawExecution
KeStallExecutionProcessor
KiTpHandleTrap
KiTpCompletion
KeInvalidAccessAllowed
KiIsTraceMemoryAccess
KiBugCheckDebugBreak
DbgBreakPoint
DbgBreakPointWithStatus
RtlCaptureStackBackTrace
RtlpSearchFunctionTable
RtlWalkFrameChain
RtlpWalkFrameChain
RtlVirtualUnwind
RtlpVirtualUnwind
RtlpxVirtualUnwind
RtlLookupFunctionEntry
RtlpLookupFunctionEntryForStackWalks
RtlpIsFrameInBounds
RtlpLogExceptionHandler
RtlpLogExceptionDisposition
RtlpExecuteHandlerForException
HalpTimerClockIpiRoutine
HalpHvCounterQueryCounter
HalpTimerClockInterrupt
PsGetProcessImageFileName
IoThreadToProcess
PsGetCurrentThreadId
PsGetProcessId
PsGetProcessInheritedFromUniqueProcessId
PsGetBaseTrapFrame
PspGetBaseTrapFrame
PsIsSystemThread
KeIsAttachedProcess
KiGetTrapFrameRegister
KiFreezeTargetExecution
KiCheckStall
EtwpLogKernelEvent
EtwpReserveTraceBuffer
PpmIdleUpdateConcurrency
KdPollBreakIn
KeAccumulateTicks
KiBeginThreadAccountingPeriod
KiEndThreadAccountingPeriod
KiAbThreadRemoveBoosts
KeAbPostRelease
KiGetNextTimerExpirationDueTime
KiCheckForTimerExpiration
KiQuantumEnd
HvcallInitInputControl
HvlpAcquireHypercallPage
HvcallInitiateHypercall
HvlpReleaseHypercallPage
HvlpGetRegister64
HvlpSetRegister64
HvlpGetRegister128
HvlGetReferenceTimeUsingTscPage
RtlUnsignedMultiplyHigh
KeZeroPages
KeZeroSinglePage
SymCryptWipeAsm
KeQueryPerformanceCounter
PoIdle
KiIdleLoop
PfpLogPageAccess
HalpGetPteAddress
KiBeginCounterAccumulation
KiEndDebugAccumulation
KiAccumulateProcessorCycleStats
MiAgePte
MiAgePteWorker
MiWalkPageTables
MiAgeWorkingSet
MiAgeWorkingSetTail
MiWalkPageTablesRecursively
MiTrimOrAgeWorkingSet
MiProcessWorkingSets
MiWorkingSetManager
MiComputePxeWalkAction
MiFastLockLeafPageTable
MiLockNestedPageAtDpcInline
MiIsPfn
MiIdentifyPfnWrapper
MiIdentifyPfn
MiGetPfnPageSizeIndex
MiGetBaseResidentPage
MI_PFN_IS_PROTO
MI_READ_PTE_LOCK_FREE
MiDeleteVa
MiSetVaAgeList
MiGetNextPageTablePte
MiLockPageTableInternal
MiUnlockPageTableInternal
MiLogPageAccess
MiClearPteAccessed
MiGetSystemRegionIndex
MiGetSystemRegionType
MmIsSessionAddress
KeIdleSpecCtrl
KiGeneralProtectionFault
KeCopyLastBranchInformation
KiExceptionDispatch
KiExceptionDispatchOnExceptionStack
KxExceptionDispatchOnExceptionStack
KiInterruptDispatchNoLockNoEtw
KiInterruptSubDispatchNoLockNoEtw
KiInterruptSubDispatch
KiBreakpointTrap
KiBreakpointTrapShadow
KiDoubleFaultAbort
KxContextToKframes
KzRaiseIrql
KzLowerIrql
SANITIZE_EFLAGS
SANITIZE_DRADDR
KiGetAllocatedXSaveArea
KiCopyXStateArea
RtlXSave
KiUmsExceptionEntry
RtlpConvertFunctionEntry
RtlCaptureContext2
KiNmiInterruptStart
KxNmiInterrupt
KiProcessNMI
KiCheckForFreezeExecution
HalPerformEndOfInterrupt
HvlEndSystemInterrupt
HalpTscQueryCounterOrdered
KiDpcInterruptBypass
HvlWriteApicCommandRegister
HvlPerformEndOfInterrupt
KeRestoreSupervisorState
KiIpiInterruptSubDispatch
KiIpiInterrupt
KiRaiseAssertion
MiPteInShadowRange
VfIsVerifierEnabled
HalpApicRequestInterrupt
HvlWriteApicCommandRegister
KeShouldYieldProcessor


arm64
memmove
memset
memcmp
_alloca_probe
_guard_dispatch_icall
_guard_dispatch_icall_nop
__security_check_cookie
ReadNoFence8
ReadBooleanNoFence
memcpy_s
KiDispatchException
PsGetCurrentProcess
KeGetCurrentThread
PsGetCurrentProcessByThread
KeGetCurrentThread
KeGetCurrentPrcb
KeGetPcr
KeGetCurrentProcessorIndex
KeQueryCurrentStackInformationEx
RtlGetExtendedContextLength
RtlpGetLegacyContextLength
RtlGetExtendedContextLength2
RtlpGetEntireXStateAreaLength
RtlInitializeExtendedContext
RtlInitializeExtendedContext2
RtlLocateExtendedFeature
RtlLocateExtendedFeature2
RtlpValidateContextFlags
RtlCaptureContext
RtlRestoreContext
RtlpGetStackLimits
RtlpGetStackLimitsEx
RtlZeroMemory
KeContextFromKframes
KeContextToKframes
KiGetTrapFrameMode
SANITIZE_VA
KeGetCurrentIrql
KeGetEffectiveIrql
KeAreAllApcsDisabled
KeAreInterruptsEnabled
KeThawExecution
KeFreezeExecution
KiSendThawExecution
KeStallExecutionProcessor
KiTpHandleTrap
KiTpCompletion
KeInvalidAccessAllowed
KiIsTraceMemoryAccess
KiBugCheckDebugBreak
DbgBreakPoint
DbgBreakPointWithStatus
RtlCaptureStackBackTrace
RtlpSearchFunctionTable
RtlWalkFrameChain
RtlpWalkFrameChain
RtlVirtualUnwind
RtlpVirtualUnwind
RtlpxVirtualUnwind
RtlLookupFunctionEntry
RtlpLookupFunctionEntryForStackWalks
RtlpIsFrameInBounds
RtlpLogExceptionHandler
RtlpLogExceptionDisposition
RtlpExecuteHandlerForException
HalpTimerClockIpiRoutine
HalpHvCounterQueryCounter
HalpTimerClockInterrupt
PsGetProcessImageFileName
IoThreadToProcess
PsGetCurrentThreadId
PsGetProcessId
PsGetProcessInheritedFromUniqueProcessId
PsGetBaseTrapFrame
PspGetBaseTrapFrame
PsIsSystemThread
KeIsAttachedProcess
KiGetTrapFrameRegister
KiFreezeTargetExecution
KiCheckStall
EtwpLogKernelEvent
EtwpReserveTraceBuffer
PpmIdleUpdateConcurrency
KdPollBreakIn
KeAccumulateTicks
KiBeginThreadAccountingPeriod
KiEndThreadAccountingPeriod
KiAbThreadRemoveBoosts
KeAbPostRelease
KiGetNextTimerExpirationDueTime
KiCheckForTimerExpiration
KiQuantumEnd
HvcallInitInputControl
HvlpAcquireHypercallPage
HvcallInitiateHypercall
HvlpReleaseHypercallPage
HvlpGetRegister64
HvlpSetRegister64
HvlpGetRegister128
HvlGetReferenceTimeUsingTscPage
RtlUnsignedMultiplyHigh
KeZeroPages
KeZeroSinglePage
SymCryptWipeAsm
KeQueryPerformanceCounter
PoIdle
KiIdleLoop
PfpLogPageAccess
HalpGetPteAddress
KiBeginCounterAccumulation
KiEndDebugAccumulation
KiAccumulateProcessorCycleStats
MiAgePte
MiAgePteWorker
MiWalkPageTables
MiAgeWorkingSet
MiAgeWorkingSetTail
MiWalkPageTablesRecursively
MiTrimOrAgeWorkingSet
MiProcessWorkingSets
MiWorkingSetManager
MiComputePxeWalkAction
MiFastLockLeafPageTable
MiLockNestedPageAtDpcInline
MiIsPfn
MiIdentifyPfnWrapper
MiIdentifyPfn
MiGetPfnPageSizeIndex
MiGetBaseResidentPage
MI_PFN_IS_PROTO
MiGetPfnLink
MiDeleteVa
MiSetVaAgeList
MiGetNextPageTablePte
MiLockPageTableInternal
MiUnlockPageTableInternal
MiLogPageAccess
MiClearPteAccessed
MiGetSystemRegionIndex
MiGetSystemRegionType
MmIsSessionAddress

IDA Pro plugin for arm64 switch tables processing

IDA Pro supports arm64 very poorly - it also cannot parse switch tables. Let's see how they look on arm64 - for example in function NtQueryInformationThread:
 CMP             W1, #0x2D           ; check index
 B.HI            loc_140673294
 ADR             X9, dword_14066E9EC ; switch tab address
 LDRSW           X8, [X9,W1,UXTW#2]  ; index in W1 << 2
 ADR             X9, loc_14066E358   ; base address
 ADD             X8, X9, X8,LSL#2    ; base address + offset << 2
 BR              X8

What happens here? The first "ADR x9, addr" loads the address of the switch table.
Next, LDRSW is like "mov x8, [x9 + 4 * w1]" on Intel - load the DWORD at x9 + index w1 shifted left by 2 (and sign-extend it to 64 bits).
Then the second ADR loads the base address for this switch table.
ADD x8, x9, x8 << 2 puts in x8 the address of the actual jump target,
and finally BR jumps to this address

So I just wrote a quick and dirty plugin arm64sw.p64 based on armpatched for switch table processing
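
An added example, not the arm64sw.p64 plugin's own code, that decodes such a table from a constructed in-memory image: the table address, base address and CMP immediate come from the listing above, while the three table words and the image layout are made up.

```cpp
#include <cstdint>
#include <map>
#include <vector>

// Constructed memory image (address -> bytes, little-endian), standing in for the
// loaded PE sections; hypothetical, not the plugin's own loader.
struct Image {
  std::map<uint64_t, std::vector<uint8_t>> chunks;
  bool read32(uint64_t addr, int32_t& out) const {
    for (const auto& c : chunks) {
      if (addr < c.first || addr + 4 > c.first + c.second.size()) continue;
      const uint8_t* p = c.second.data() + (addr - c.first);
      uint32_t u = uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
      out = int32_t(u);
      return true;
    }
    return false;
  }
};

// Decode the switch pattern from the listing:
//   CMP Wn,#imm ; B.HI default ; ADR X9,table ; LDRSW X8,[X9,Wn,UXTW#2] ;
//   ADR X9,base ; ADD X8,X9,X8,LSL#2 ; BR X8
// Cases 0..imm are valid (B.HI sends everything above imm to the default); each
// table word is a signed 32-bit offset in instructions, so target = base + word * 4.
std::vector<uint64_t> DecodeSwitch(const Image& img, uint64_t table, uint64_t base, uint32_t cmpImm) {
  std::vector<uint64_t> targets;
  for (uint32_t i = 0; i <= cmpImm; ++i) {
    int32_t word;
    if (!img.read32(table + uint64_t(i) * 4, word)) break;   // table runs past the image
    // LDRSW sign-extends: handlers located before `base` appear as negative words
    targets.push_back(base + uint64_t(int64_t(word)) * 4);
  }
  return targets;
}

// Constructed table at the address from NtQueryInformationThread; the words are made up.
constexpr uint64_t SW_TABLE = 0x14066E9EC, SW_BASE = 0x14066E358;
Image SampleImage() {
  Image img;
  const int32_t words[] = { 0, 0x10, -4 };   // case0 -> base, case1 -> base+0x40, case2 -> base-0x10
  std::vector<uint8_t>& tab = img.chunks[SW_TABLE];
  for (int32_t w : words)
    for (int k = 0; k < 4; ++k) tab.push_back(uint8_t(uint32_t(w) >> (8 * k)));
  return img;
}
```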

PsKernelRangeList on arm64 kernel

It can be found using the same old trick.
Sure, the constants are now different: KUSER_SHARED_DATA.SystemCall is 0xFFFFF78000000308 and KUSER_SHARED_DATA.ProcessorFeatures is 0xFFFFF78000000274

Today I committed simple logic to find and parse it in my armpatched