Prochainement documenté : sortie de mimikatz listant les routines de rappel noyau enregistrées — notifications de processus, threads, images et registre, puis, pour chaque instance de minifiltre, les rappels pré/post-opération par type d'IRP — chaque adresse étant résolue en module + décalage, ce qui permet de repérer un pilote inattendu inscrit dans ces listes.
mimikatz # [...] kListNotifyProcesses [00] FFFFF80002C971E0 [ntoskrnl.exe+295392] [01] FFFFF880017D91E0 [ksecdd.sys+74208] [02] FFFFF8800126A3D0 [cng.sys+50128] [03] FFFFF88001AE9950 [tcpip.sys+469328] [04] FFFFF88000E8DBA0 [CI.dll+97184] [05] FFFFF88004516D10 [MpFilter.sys+146704] [06] FFFFF88006AE3954 [vmci.sys+35156] [07] FFFFF8800681CD2C [peauth.sys+101676] [08] FFFFF880071D2EF4 [PROCMON20.SYS+12020] mimikatz # [...] kListNotifyThreads [00] FFFFF88004517584 [MpFilter.sys+148868] [01] FFFFF880071D3094 [PROCMON20.SYS+12436] mimikatz # [...] kListNotifyImages [00] FFFFF80002FE87C0 [ntoskrnl.exe+3774400] [01] FFFFF880045172D4 [MpFilter.sys+148180] [02] FFFFF880071D3338 [PROCMON20.SYS+13112] mimikatz # [...] kListNotifyRegistry [00] FFFFF8800450E9B8 [MpFilter.sys+113080] - alt 425000 - cookie 0x1ccc334922c6342 [01] FFFFF880071D69D0 [PROCMON20.SYS+27088] - alt 425000 - cookie 0x1ccc334922c6343 mimikatz # [...] kMiniFiltersList PROCMON20 [...] Instance 1 @ \Device\HarddiskVolume2 [0x16 CREATE ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x17 CREATE_NAMED_PIPE ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x18 CLOSE ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x19 READ ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x1a WRITE ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x1b QUERY_INFORMATION ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x1c SET_INFORMATION ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x1d QUERY_EA ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x1e SET_EA ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x1f FLUSH_BUFFERS ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x20 
QUERY_VOLUME_INFORMATION] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x21 SET_VOLUME_INFORMATION ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x22 DIRECTORY_CONTROL ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x23 FILE_SYSTEM_CONTROL ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x24 DEVICE_CONTROL ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x25 INTERNAL_DEVICE_CONTROL ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x26 SHUTDOWN ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / 0000000000000000 [?] [0x27 LOCK_CONTROL ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x28 CLEANUP ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x29 CREATE_MAILSLOT ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x2a QUERY_SECURITY ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x2b SET_SECURITY ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x2f QUERY_QUOTA ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x30 SET_QUOTA ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [0x31 PNP ] FFFFF880071D49E8 [PROCMON20.SYS+18920] / FFFFF880071D4ED8 [PROCMON20.SYS+20184] [...] MpFilter [...] 
Instance 1 @ \Device\HarddiskVolume2 [0x16 CREATE ] FFFFF88004500E90 [MpFilter.sys+56976] / FFFFF88004503BBC [MpFilter.sys+68540] [0x1a WRITE ] FFFFF8800450B0D0 [MpFilter.sys+98512] / FFFFF880044F5778 [MpFilter.sys+10104] [0x1c SET_INFORMATION ] FFFFF88004505144 [MpFilter.sys+74052] / FFFFF88004505428 [MpFilter.sys+74792] [0x23 FILE_SYSTEM_CONTROL ] FFFFF88004514D88 [MpFilter.sys+138632] / FFFFF88004514F10 [MpFilter.sys+139024] [0x28 CLEANUP ] FFFFF880044FBD54 [MpFilter.sys+36180] / 0000000000000000 [?] [...] luafv Instance 0 @ \Device\HarddiskVolume2 [0x16 CREATE ] FFFFF88000DE8DAC [luafv.sys+73132] / FFFFF88000DE9474 [luafv.sys+74868] [0x17 CREATE_NAMED_PIPE ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x18 CLOSE ] FFFFF88000DE984C [luafv.sys+75852] / 0000000000000000 [?] [0x19 READ ] FFFFF88000DD833C [luafv.sys+4924] / FFFFF88000DD83CC [luafv.sys+5068] [0x1a WRITE ] FFFFF88000DD8414 [luafv.sys+5140] / FFFFF88000DD83CC [luafv.sys+5068] [0x1b QUERY_INFORMATION ] FFFFF88000DE9E68 [luafv.sys+77416] / FFFFF88000DD8570 [luafv.sys+5488] [0x1c SET_INFORMATION ] FFFFF88000DE9C84 [luafv.sys+76932] / FFFFF88000DD851C [luafv.sys+5404] [0x1d QUERY_EA ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x1e SET_EA ] FFFFF88000DD8414 [luafv.sys+5140] / 0000000000000000 [?] [0x1f FLUSH_BUFFERS ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x20 QUERY_VOLUME_INFORMATION] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x21 SET_VOLUME_INFORMATION ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x22 DIRECTORY_CONTROL ] FFFFF88000DE9FA4 [luafv.sys+77732] / FFFFF88000DD85D8 [luafv.sys+5592] [0x23 FILE_SYSTEM_CONTROL ] FFFFF88000DEA0FC [luafv.sys+78076] / FFFFF88000DEA288 [luafv.sys+78472] [0x24 DEVICE_CONTROL ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x25 INTERNAL_DEVICE_CONTROL ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] 
[0x26 SHUTDOWN ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x27 LOCK_CONTROL ] FFFFF88000DEA2D4 [luafv.sys+78548] / 0000000000000000 [?] [0x28 CLEANUP ] FFFFF88000DE9A58 [luafv.sys+76376] / FFFFF88000DE9BAC [luafv.sys+76716] [0x29 CREATE_MAILSLOT ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x2a QUERY_SECURITY ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x2b SET_SECURITY ] FFFFF88000DD8414 [luafv.sys+5140] / 0000000000000000 [?] [0x2c POWER ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x2d SYSTEM_CONTROL ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x2e DEVICE_CHANGE ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x2f QUERY_QUOTA ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x30 SET_QUOTA ] FFFFF88000DD82D8 [luafv.sys+4824] / 0000000000000000 [?] [0x31 PNP ] FFFFF88000DEA314 [luafv.sys+78612] / 0000000000000000 [?] FileInfo [...] Instance 1 @ \Device\HarddiskVolume2 [0x16 CREATE ] FFFFF8800159C7B8 [fileinfo.sys+30648] / FFFFF8800159CA14 [fileinfo.sys+31252] [0x18 CLOSE ] FFFFF8800159CF5C [fileinfo.sys+32604] / FFFFF88001596980 [fileinfo.sys+6528] [0x19 READ ] FFFFF88001596078 [fileinfo.sys+4216] / FFFFF880015962F4 [fileinfo.sys+4852] [0x1a WRITE ] FFFFF88001596078 [fileinfo.sys+4216] / FFFFF880015962F4 [fileinfo.sys+4852] [0x1b QUERY_INFORMATION ] FFFFF8800159689C [fileinfo.sys+6300] / FFFFF88001596980 [fileinfo.sys+6528] [0x1c SET_INFORMATION ] FFFFF88001596404 [fileinfo.sys+5124] / FFFFF88001596578 [fileinfo.sys+5496] [0x1f FLUSH_BUFFERS ] FFFFF8800159CFDC [fileinfo.sys+32732] / FFFFF88001596980 [fileinfo.sys+6528] [0x22 DIRECTORY_CONTROL ] FFFFF8800159D020 [fileinfo.sys+32800] / FFFFF88001596980 [fileinfo.sys+6528] [0x23 FILE_SYSTEM_CONTROL ] FFFFF8800159CCD4 [fileinfo.sys+31956] / FFFFF880015967D4 [fileinfo.sys+6100] [0x28 CLEANUP ] FFFFF8800159CE58 [fileinfo.sys+32344] / FFFFF8800159CE84 [fileinfo.sys+32388] [0x31 PNP ] FFFFF8800159D1C0 [fileinfo.sys+33216] 
/ FFFFF8800159696C [fileinfo.sys+6508] [...]
Cf: http://blog.gentilkiwi.com/retro-ingenierie/windbg-notifications-kernel