[redp]

CmRegistryCallback introduced in Windows XP and it's internals also varies from NT5 to NT6 versions. There is no generic way to get what you want. You need a separate callback handling code for two different kernels and data signatures also can depends from service pack version.

internal callback data don`t changed on vista/windows7/windows8 and looks like

Code: Select all

typedef struct _CM_REGISTER_HOOK
{
/* Win32 Win64 offsets */
/*  0x00  0x00 */ LIST_ENTRY List;
/*  0x08  0x10 */ LIST_ENTRY List2;
/*  0x10  0x20 */ LARGE_INTEGER Cookie;
/*  0x18  0x28 */ PVOID      Context;
/*  0x1C  0x30 */ PVOID      Function;
/*  0x20  0x38 */ UNICODE_STRING Altitude;
} CM_REGISTER_HOOK, *PCM_REGISTER_HOOK;

results of some lame reversing (in russian only)

[swirl]

also have a look at this article: http://zairon.wordpress.com/2011/06/18/ ... callbacks/

[Brock]

@Swirl

I'm sure this link is appreciated to some :D

[Tigzy]

Thanks all!
That really helps!