
kernel etw traces in windows 10

In Windows 10 the good old global `EtwpGuidHashTable` no longer exists as a standalone kernel variable: the registered ETW providers are kept per silo. Let's see how we can extract them.

First, look at the exported function `EtwRegister` (the listing below is from a 32-bit kernel — note the `ebp`-relative arguments and the `@28` stdcall decoration):
  call    _PsGetCurrentServerSiloGlobals@0 ; PsGetCurrentServerSiloGlobals()
  push    [ebp+arg_C]
  mov     edx, [ebp+arg_0]
  push    dword ptr [ebp+4]
  mov     ecx, [eax+1F0h]               ; ESERVERSILO_GLOBALS.EtwSiloState
  push    [ebp+arg_8]
  push    [ebp+arg_4]
  push    3
  call    _EtwpRegisterProvider@28      ; EtwpRegisterProvider(x,x,x,x,x,x,x)


The function `PsGetCurrentServerSiloGlobals` returns the current process's silo globals, or the default host silo `PspHostSiloGlobals` stored in the kernel, of type `ESERVERSILO_GLOBALS`. Its field `EtwSiloState` (read at offset `0x1F0` in the listing above) points to an `ETW_SILODRIVERSTATE`:
/*
 * Per-silo ETW driver state, reached through ESERVERSILO_GLOBALS.EtwSiloState
 * (loaded from [eax+1F0h] in the EtwRegister listing above).
 *
 * Each field is annotated with its offset and size as dumped from the
 * 32-bit build the listing was taken from (4-byte pointers and push locks,
 * 8-byte alignment for LARGE_INTEGER / the embedded ETW_GUID_ENTRY, which is
 * why the entry starts at 0x8 rather than 0x4).  These numbers are
 * build-specific: resolve them per kernel build rather than hard-coding.
 *
 * EtwpGuidHashTable is the per-silo replacement for the former global hash
 * table of the same name; walking its 64 buckets enumerates every GUID
 * registered in this silo.
 */
struct _ETW_SILODRIVERSTATE {
  /*   0x0 */ /*|0x4|*/ struct _ESERVERSILO_GLOBALS* SiloGlobals;        /* back-pointer to the owning silo */
  /*   0x8 */ /*|0x168|*/ struct _ETW_GUID_ENTRY EtwpSecurityProviderGuidEntry;
  /* 0x170 */ /*|0x100|*/ struct _EX_RUNDOWN_REF_CACHE_AWARE* EtwpLoggerRundown[64];
  /* 0x270 */ /*|0x100|*/ struct _WMI_LOGGER_CONTEXT* WmipLoggerContext[64];  /* one slot per logger id */
  /* 0x370 */ /*|0x700|*/ struct _ETW_HASH_BUCKET EtwpGuidHashTable[64];      /* 64 * 0x1c; the table we walk */
  /* 0xa70 */ /*|0x10|*/ unsigned short EtwpSecurityLoggers[8];
  /* 0xa80 */ /*|0x1|*/ unsigned char EtwpSecurityProviderEnableMask;
  /* 0xa84 */ /*|0x4|*/ long EtwpShutdownInProgress;
  /* 0xa88 */ /*|0x4|*/ unsigned long EtwpSecurityProviderPID;
  /* 0xa8c */ /*|0x10|*/ struct _ETW_PRIV_HANDLE_DEMUX_TABLE PrivHandleDemuxTable;
  /* 0xa9c */ /*|0x10|*/ struct _ETW_COUNTERS EtwpCounters;
  /* 0xab0 */ /*|0x8|*/ union _LARGE_INTEGER LogfileBytesWritten;             /* 8-aligned, hence the gap after 0xaac */
  /* 0xab8 */ /*|0x4|*/ struct _ETW_SILO_TRACING_BLOCK* ProcessorBlocks;
};


So we have almost found our hash table: it is the `EtwpGuidHashTable[64]` array, whose elements have type `ETW_HASH_BUCKET`:
/*
 * One bucket of ETW_SILODRIVERSTATE.EtwpGuidHashTable (0x1c bytes on this
 * 32-bit build).  Each bucket carries three independent doubly-linked lists
 * of ETW_GUID_ENTRY (linked through ETW_GUID_ENTRY.GuidList), so a complete
 * enumeration must walk ListHead[0..2]; the sample output below shows list 0
 * and list 2 populated for bucket 18.  Why the lists are split three ways is
 * not established here -- presumably by registration kind; verify against the
 * registration code before relying on it.
 *
 * BucketLock is the EX_PUSH_LOCK guarding the lists; the kernel takes it when
 * it mutates them, so an out-of-band walk that does not is racing against
 * provider registration/unregistration.
 */
struct _ETW_HASH_BUCKET {
  /*  0x0 */ /*|0x18|*/ struct _LIST_ENTRY ListHead[3];
  /* 0x18 */ /*|0x4|*/ struct _EX_PUSH_LOCK BucketLock;
};


I don't know why three lists are used per bucket, but we need to traverse all of them. Each list is made of `ETW_GUID_ENTRY` structures:
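/*
 * One registered GUID (provider) in a silo's EtwpGuidHashTable (0x168 bytes
 * on this 32-bit build; 8-aligned because of the 64-bit MatchId).
 *
 * GuidList sits at offset 0, so the LIST_ENTRY pointer obtained while walking
 * ETW_HASH_BUCKET.ListHead[i] is the entry pointer itself (CONTAINING_RECORD
 * with a zero offset).  Guid at 0xc is the provider GUID printed in the sample
 * output; RegListHead presumably heads the per-GUID list of registrations --
 * confirm against EtwpRegisterProvider before walking it.
 *
 * LastEnable and MatchId were listed as consecutive members, but the dump
 * places both at offset 0x28 with ProviderEnableInfo following at 0x38
 * (= 0x28 + sizeof(LastEnable)).  Two sequential members cannot share an
 * offset, so they are an anonymous union; written as two fields the struct
 * would shift every later member by 8 bytes and silently misread
 * ProviderEnableInfo, EnableInfo, FilterData, SiloState and the lock fields.
 *
 * Lock / LockOwner are the entry's push lock and the ETHREAD holding it;
 * SecurityDescriptor is what the kernel checks against a caller enabling or
 * controlling this provider, so it is worth dumping alongside the GUID.
 */
struct _ETW_GUID_ENTRY {
  /*   0x0 */ /*|0x8|*/ struct _LIST_ENTRY GuidList;
  /*   0x8 */ /*|0x4|*/ long RefCount;
  /*   0xc */ /*|0x10|*/ struct _GUID Guid;
  /*  0x1c */ /*|0x8|*/ struct _LIST_ENTRY RegListHead;
  /*  0x24 */ /*|0x4|*/ void* SecurityDescriptor;
  union {
    /*  0x28 */ /*|0x10|*/ struct _ETW_LAST_ENABLE_INFO LastEnable;
    /*  0x28 */ /*|0x8|*/ unsigned __int64 MatchId;
  };
  /*  0x38 */ /*|0x20|*/ struct _TRACE_ENABLE_INFO ProviderEnableInfo;
  /*  0x58 */ /*|0x100|*/ struct _TRACE_ENABLE_INFO EnableInfo[8];
  /* 0x158 */ /*|0x4|*/ struct _ETW_FILTER_HEADER* FilterData;
  /* 0x15c */ /*|0x4|*/ struct _ETW_SILODRIVERSTATE* SiloState;
  /* 0x160 */ /*|0x4|*/ struct _EX_PUSH_LOCK Lock;
  /* 0x164 */ /*|0x4|*/ struct _ETHREAD* LockOwner;
};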


`ETW_GUID_ENTRY` structures are chained through their `GuidList` field (the `LIST_ENTRY` at offset 0, so the list pointer is the entry pointer). Keep in mind that these offsets are taken from one 32-bit build and shift between kernel versions, so a tool should resolve them per build rather than hard-code them.
Sample output for bucket 18 (entries without a resolved name are printed as `KProvider`):
KEtw10[18] list 0 - 17 items
 KEtw10[18.0]: RefCount 1 (C755EF4D-DE1C-4E7D-A10D-B8D1E26F5035) CTLGUID_EfsWrtCtlGuid
 KEtw10[18.1]: RefCount 1 (C906ED7B-D3D9-435B-97CD-22F4E7445F2A) Microsoft.Windows.WorkFolders
 KEtw10[18.2]: RefCount 2, KProvider - C1A60542-0621-455E-9326-FC12A2437B43
 KEtw10[18.3]: RefCount 2, KProvider - B702D31C-F586-4FC0-BCF5-F929745199A4
 KEtw10[18.4]: RefCount 1 (81F307DB-F5FB-4C3E-9B9D-8B39A9CB6198) CTLGUID_LmhsvcWppGuid
 KEtw10[18.5]: RefCount 4 (6966FE51-E224-4BAA-99BC-897B3ED3B823) Microsoft.Windows.BrokerBase
 KEtw10[18.6]: RefCount 1 (D0B639E0-E650-4D1D-8F39-1580ADE72784) CTLGUID_LsaTraceControlGuid
 KEtw10[18.7]: RefCount 1 (C1661A64-0A98-48E3-847F-70FFEA51C2EB) CTLGUID_COMPOSITE_BUS
 KEtw10[18.8]: RefCount 3 (CE8DEE0B-D539-4000-B0F8-77BED049C590) ControlGuid_UserModePowerService
 KEtw10[18.9]: RefCount 1, KProvider - BAD49E08-45BE-4E45-BECF-29965AA7D967
 KEtw10[18.10]: RefCount 6 (B92D1FF0-92EC-444D-B7EC-C016F971C000) Microsoft.Windows.Notifications.WpnCore.ToastInteractedWith
 KEtw10[18.11]: RefCount 2 (AA6F6A10-8A13-417D-8799-52361684BD76) Microsoft.Windows.ForegroundManager.RequestExtendedExecution
 KEtw10[18.12]: RefCount 1, KProvider - 72D164BF-FD64-4B2B-87A0-62DBCEC9AE2A
 KEtw10[18.13]: RefCount 4 (3DA5AA05-5152-551F-A243-80A4E743C70E) Microsoft.Windows.Skype.App.SkypeHomePageConversationSelected
 KEtw10[18.14]: RefCount 2 (22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716) PsProvGuid
 KEtw10[18.15]: RefCount 3 (0879871C-E412-4C6A-87A6-74581B0AFAC5) MicrosoftWindowsShellNetworkUX.PNILaunchNetworkUI
 KEtw10[18.16]: RefCount 3 (E18D0FC9-9515-4232-98E4-89E456D8551B) Microsoft-Windows-RTWorkQueue-Threading
KEtw10[18] list 2 - 1 items
 KEtw10[18.0]: RefCount 1, KProvider - 0D943590-B235-5BDB-F854-89520F32FC0B
