### Driver IOCTL Interface Definitions and Usage (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Defines IOCTL codes for communication with the kernel driver and provides an example of how to use the `IOCTL_GET_MODULES` command to retrieve a list of loaded kernel modules. This involves opening a handle to the device and using `DeviceIoControl`. Dependencies include Windows API functions like `GetDeviceHandle` and `DeviceIoControl`. ```cpp // IOCTL codes for driver communication #define TELEMETRY_SOURCERER_DEVICE 0x8000 // Get list of loaded kernel modules #define IOCTL_GET_MODULES CTL_CODE(TELEMETRY_SOURCERER_DEVICE, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) // Get registered kernel callbacks #define IOCTL_GET_CALLBACKS CTL_CODE(TELEMETRY_SOURCERER_DEVICE, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) // Read 8 bytes from kernel memory #define IOCTL_GET_QWORD CTL_CODE(TELEMETRY_SOURCERER_DEVICE, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS) // Write 8 bytes to kernel memory #define IOCTL_SET_QWORD CTL_CODE(TELEMETRY_SOURCERER_DEVICE, 0x804, METHOD_BUFFERED, FILE_ANY_ACCESS) // Example: Get kernel modules HANDLE hDevice = GetDeviceHandle(); MODULE_INFO modules[MAX_MODULES]; DWORD bytesReturned; BOOL success = DeviceIoControl( hDevice, IOCTL_GET_MODULES, NULL, 0, // No input buffer modules, sizeof(modules), // Output buffer &bytesReturned, NULL ); if (success) { int moduleCount = bytesReturned / sizeof(MODULE_INFO); for (int i = 0; i < moduleCount; i++) { printf("Module: %s at %p (size: %lu)\n", modules[i].Name, modules[i].Address, modules[i].Size); } } ``` -------------------------------- ### Kernel Callback Type Enumeration (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Defines an enumeration `CALLBACK_TYPE` that lists various types of kernel callbacks supported by the driver, including process, thread, image, registry, object manager, and minifilter callbacks. An example demonstrates how to filter these callbacks, for instance, to identify process-related notifications. Dependencies include C++ enum definitions. ```cpp // Supported callback types enum class CALLBACK_TYPE { Unknown = 0, // Process/Thread/Image callbacks PsLoadImage, // Image load notifications PsProcessCreation, // Process creation notifications PsThreadCreation, // Thread creation notifications // Registry callbacks CmRegistry, // Registry operation notifications // Object manager callbacks ObProcessHandlePre, // Pre-operation process handle callbacks ObProcessHandlePost, // Post-operation process handle callbacks ObThreadHandlePre, // Pre-operation thread handle callbacks ObThreadHandlePost, // Post-operation thread handle callbacks ObDesktopHandlePre, // Pre-operation desktop handle callbacks ObDesktopHandlePost, // Post-operation desktop handle callbacks // Minifilter callbacks (file system) MfCreatePre, // Pre-create file operations MfCreatePost, // Post-create file operations MfReadPre, // Pre-read operations MfReadPost, // Post-read operations MfWritePre, // Pre-write operations MfWritePost, // Post-write operations // ... many more minifilter callbacks }; // Example: Filter for process-related callbacks for (auto& callback : callbacks) { if (callback->Type == CALLBACK_TYPE::PsProcessCreation || callback->Type == CALLBACK_TYPE::ObProcessHandlePre) { wprintf(L"Process monitoring callback in %s\n", callback->ModuleName); } } ``` -------------------------------- ### Disable ETW Provider (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Disables a specific ETW provider within a given tracing session, identified by its logger ID and provider GUID. This function stops event collection for the specified provider. It returns ERROR_SUCCESS on successful disabling or an error code otherwise. Dependencies include Windows ETW APIs. ```cpp // Disable a specific ETW provider USHORT loggerId = targetSession->LoggerId; LPCGUID providerGuid = &targetProvider->ProviderId; DWORD result = DisableProvider(loggerId, providerGuid); if (result == ERROR_SUCCESS) { wprintf(L"Provider disabled successfully\n"); } else { wprintf(L"Failed to disable provider: %lu\n", result); } ``` -------------------------------- ### Configure Windows Test Signing Mode Source: https://github.com/jthuraisamy/telemetrysourcerer/blob/master/README.md Commands to enable test signing mode for loading unsigned drivers required by the tool. Requires administrative privileges and a system reboot. ```batch bcdedit.exe -set TESTSIGNING ON ``` -------------------------------- ### Sign Kernel-Mode Driver Source: https://github.com/jthuraisamy/telemetrysourcerer/blob/master/README.md Command to sign the Telemetry Sourcerer driver using the Windows SDK SignTool. This is the recommended approach for loading the driver without disabling system security features. ```batch signtool sign /a /ac "cross-cert.cer" /f "cert.pfx" /p "password" TelemetrySourcererDriver.sys ``` -------------------------------- ### Retrieve Kernel Mode Callbacks (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Retrieves a list of all registered kernel-mode callbacks, including those for process/thread creation, image loading, registry operations, object manager interactions, and minifilter callbacks. Each callback entry contains its type, memory address, the module it belongs to, and a flag indicating if it's security-relevant. ```cpp // Get all registered kernel callbacks std::vector callbacks; callbacks = GetCallbacks(callbacks); for (auto& callback : callbacks) { // callback->Type: PsLoadImage, PsProcessCreation, PsThreadCreation, // CmRegistry, ObProcessHandlePre/Post, MfCreatePre/Post, etc. // callback->Address: Memory address of the callback // callback->ModuleName: Module hosting the callback (e.g., "WdFilter.sys") // callback->Notable: TRUE if this is a security-relevant callback wprintf(L"Callback Type: %d, Module: %s, Address: %p\n", callback->Type, callback->ModuleName, callback->Address); } ``` -------------------------------- ### Scan Loaded Modules for Inline Hooks (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Scans all modules loaded within the current process to detect inline hooks, which are often used by security products to intercept function calls. The function returns a list of modules, each containing information about any hooked functions, including their names, addresses, and original on-disk bytes. ```cpp // Check all loaded modules for inline hooks std::vector modules = CheckAllModulesForHooks(); for (auto& module : modules) { wprintf(L"Module: %s\n", module->Path); for (auto& hook : module->HookedFunctions) { // hook->Name: Function name (e.g., "NtCreateFile") // hook->Address: Address of the hooked function // hook->FreshBytes: Original bytes from disk wprintf(L" Hooked: %s at %p\n", hook->Name, hook->Address); } } ``` -------------------------------- ### Load Kernel Driver for Callback Enumeration (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Loads the TelemetrySourcerer kernel driver, which is necessary for enumerating kernel-mode callbacks. The driver requires specific loading conditions, such as being signed or running in test signing mode. It returns an error code if loading fails, often due to insufficient privileges or Data Execution Prevention (DEP) being enabled. ```cpp // Load the kernel driver for callback enumeration // Returns ERROR_SUCCESS on success, or an error code DWORD result = LoadDriver(); if (result == ERROR_SUCCESS) { // Driver loaded successfully // Now you can enumerate kernel callbacks HANDLE hDevice = GetDeviceHandle(); // Perform operations... // Unload when done UnloadDriver(); } else { // Handle error - likely needs elevation or DSE disabled printf("Failed to load driver: %lu\n", result); } ``` -------------------------------- ### Enumerate ETW Tracing Sessions (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Retrieves a list of all active ETW tracing sessions on the system, including security-relevant ones. It then populates provider information for each session and iterates through them, printing session details and their enabled providers. Dependencies include standard C++ libraries and Windows ETW APIs. ```cpp // Get all active ETW tracing sessions std::vector sessions = GetSessions(); // Populate provider information for each session PopulateSessionProviders(sessions); for (auto& session : sessions) { // session->LoggerId: Unique session identifier // session->InstanceName: Session name (e.g., "Circular Kernel Context Logger") // session->Notable: TRUE if security-relevant wprintf(L"Session [%d]: %s\n", session->LoggerId, session->InstanceName); for (auto& provider : session->EnabledProviders) { // provider->ProviderName: ETW provider name // provider->ProviderId: Provider GUID // provider->Notable: TRUE if security-relevant wprintf(L" Provider: %s\n", provider->ProviderName); } } ``` -------------------------------- ### Restore Hooked Function to Original State (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Restores a function that has been inline hooked back to its original state. This is achieved by overwriting the hook with the original bytes retrieved from the on-disk module. Successful restoration bypasses the security product's interception mechanism for that specific function. ```cpp // Restore a hooked function to bypass security product monitoring PHOOKED_FUNCTION hookedFunc = /* selected hooked function */; if (RestoreHookedFunction(hookedFunc)) { // Function restored - calls will no longer be intercepted wprintf(L"Successfully restored %s\n", hookedFunc->Name); } else { // Restoration failed - may need different permissions wprintf(L"Failed to restore %s\n", hookedFunc->Name); } ``` -------------------------------- ### Disable Driver Signature Enforcement via KDU Source: https://github.com/jthuraisamy/telemetrysourcerer/blob/master/README.md Commands to temporarily disable and re-enable Windows Driver Signature Enforcement (DSE) using the KDU utility. This allows the loading of the Telemetry Sourcerer driver without a valid signature. ```batch kdu -dse 0 :: Launch Telemetry Sourcerer kdu -dse 6 ``` -------------------------------- ### Suppress and Revert Kernel Callback Execution (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Temporarily disables a kernel-mode callback by overwriting its initial bytes, preventing its execution and thus blocking associated telemetry. The original functionality can be restored using the RevertCallback function. This is useful for testing the impact of disabling specific monitoring points. ```cpp // Suppress a specific callback to prevent it from executing PCALLBACK_ENTRY targetCallback = /* selected callback */; if (SuppressCallback(targetCallback)) { // Callback is now suppressed - security product won't receive events targetCallback->Suppressed = TRUE; // Perform testing... // Restore the callback when done if (RevertCallback(targetCallback)) { targetCallback->Suppressed = FALSE; } } ``` -------------------------------- ### Stop ETW Tracing Session (C++) Source: https://context7.com/jthuraisamy/telemetrysourcerer/llms.txt Completely stops an ETW tracing session identified by its logger ID. This action prevents all associated providers from collecting events. The function returns ERROR_SUCCESS if the session is stopped successfully, or an error code if it fails. Dependencies include Windows ETW APIs. ```cpp // Stop an entire ETW tracing session USHORT loggerId = targetSession->LoggerId; DWORD result = StopTracingSession(loggerId); if (result == ERROR_SUCCESS) { wprintf(L"Tracing session stopped\n"); } else { wprintf(L"Failed to stop session: %lu\n", result); } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.