hfiref0x · March 19, 2024 23:18
diff --git a/pnp.c b/pnp.c
 IoRegisterPlugPlayNotification, always PAGE 
 7601 

 F7 E1 
 mul ecx 

 48 8D 05 lea rcx, PnpDeviceClassNotifyList 

 C1 EA 02 6B D2 0D 

 9200 

 C1 EA 02 6B D2 0D 

 48 8D 0D lea rcx, PnpDeviceClassNotifyList 

 case 9600: 
 case 10240: 
 case 10586: 
 case 14393: 
 case 15063: 
 case 16299: 
 case 17134: 
 case 17763: 
 case 18362: 
 case 18363: 
 case 19041: 
 ... 
 case 19045: 
 case 22000: 
 case 22621: 
 case 22631: 
 case 23601: 
 case 26080: 

 C1 EA 02 6B C2 0D 
 shr edx, 2 
 imul eax, edx, 0Dh 

 48 8D 0D lea rcx, PnpDeviceClassNotifyList 

 typedef enum _IO_NOTIFICATION_EVENT_CATEGORY { 
 EventCategoryReserved, 
 EventCategoryHardwareProfileChange, 
 EventCategoryDeviceInterfaceChange, 
 EventCategoryTargetDeviceChange 
 } IO_NOTIFICATION_EVENT_CATEGORY; 

 typedef 
 NTSTATUS 
 (*PDRIVER_NOTIFICATION_CALLBACK_ROUTINE) ( 
 IN PVOID NotificationStructure, 
 IN PVOID Context 
 ); 

 typedef struct _KGUARDED_MUTEX { 
 LONG Count; 
 PKTHREAD Owner; 
 ULONG Contention; 
 KEVENT Event; 
 union { 
 struct { 
 SHORT KernelApcDisable; 
 SHORT SpecialApcDisable; 
 }; 

 ULONG CombinedApcDisable; 
 }; 

 } KGUARDED_MUTEX, *PKGUARDED_MUTEX; 

 typedef struct _DEVICE_CLASS_NOTIFY_ENTRY { 

 // 
 // Header entries 
 // 

 LIST_ENTRY ListEntry; 
 IO_NOTIFICATION_EVENT_CATEGORY EventCategory; 
 ULONG SessionId; 
 PVOID OpaqueSession; 
 PDRIVER_NOTIFICATION_CALLBACK_ROUTINE CallbackRoutine; 
 PVOID Context; 
 PDRIVER_OBJECT DriverObject; 
 USHORT RefCount; 
 BOOLEAN Unregistered; 
 PKGUARDED_MUTEX Lock; 

 // 
 // ClassGuid - the guid of the device class we are interested in 
 // 

 GUID ClassGuid; 

 } DEVICE_CLASS_NOTIFY_ENTRY, *PDEVICE_CLASS_NOTIFY_ENTRY;
	IoRegisterPlugPlayNotification, always PAGE
	7601

	F7 E1
	mul ecx

	48 8D 05 lea rcx, PnpDeviceClassNotifyList

	C1 EA 02 6B D2 0D

	9200

	C1 EA 02 6B D2 0D

	48 8D 0D lea rcx, PnpDeviceClassNotifyList

	case 9600:
	case 10240:
	case 10586:
	case 14393:
	case 15063:
	case 16299:
	case 17134:
	case 17763:
	case 18362:
	case 18363:
	case 19041:
	...
	case 19045:
	case 22000:
	case 22621:
	case 22631:
	case 23601:
	case 26080:

	C1 EA 02 6B C2 0D
	shr edx, 2
	imul eax, edx, 0Dh

	48 8D 0D lea rcx, PnpDeviceClassNotifyList

	typedef enum _IO_NOTIFICATION_EVENT_CATEGORY {
	EventCategoryReserved,
	EventCategoryHardwareProfileChange,
	EventCategoryDeviceInterfaceChange,
	EventCategoryTargetDeviceChange
	} IO_NOTIFICATION_EVENT_CATEGORY;

	typedef
	NTSTATUS
	(*PDRIVER_NOTIFICATION_CALLBACK_ROUTINE) (
	IN PVOID NotificationStructure,
	IN PVOID Context
	);

	typedef struct _KGUARDED_MUTEX {
	LONG Count;
	PKTHREAD Owner;
	ULONG Contention;
	KEVENT Event;
	union {
	struct {
	SHORT KernelApcDisable;
	SHORT SpecialApcDisable;
	};

	ULONG CombinedApcDisable;
	};

	} KGUARDED_MUTEX, *PKGUARDED_MUTEX;

	typedef struct _DEVICE_CLASS_NOTIFY_ENTRY {

	//
	// Header entries
	//

	LIST_ENTRY ListEntry;
	IO_NOTIFICATION_EVENT_CATEGORY EventCategory;
	ULONG SessionId;
	PVOID OpaqueSession;
	PDRIVER_NOTIFICATION_CALLBACK_ROUTINE CallbackRoutine;
	PVOID Context;
	PDRIVER_OBJECT DriverObject;
	USHORT RefCount;
	BOOLEAN Unregistered;
	PKGUARDED_MUTEX Lock;

	//
	// ClassGuid - the guid of the device class we are interested in
	//

	GUID ClassGuid;

	} DEVICE_CLASS_NOTIFY_ENTRY, *PDEVICE_CLASS_NOTIFY_ENTRY;