The interesting write-up you're referring to likely covers the Windows Notification Facility (WNF), a relatively obscure publisher/subscriber mechanism within the Windows kernel that has become a "holy grail" for exploit developers.
While NtQueryWnfStateData is undocumented by Microsoft and subject to change between OS versions, it offers distinct advantages for specialized tasks:
A caller passes a WNF state name (a 64-bit identifier) to get the exact data buffer the system just published. The "Shadow" Advantage: Because it's an undocumented function in
```c
#include <windows.h>
#include <winternl.h>

// Function-pointer type for the undocumented export (prototype shown below).
// The original snippet used this name without defining it; the WNF-specific
// pointer types are left opaque because no public SDK header declares them.
typedef NTSTATUS (NTAPI *pNtQueryWnfStateData)(const void *StateName, const void *TypeId,
    void *ExplicitScope, PULONG ChangeStamp, PVOID Buffer, PULONG BufferSize);

int main(void)
{
    // Resolve the export at run time rather than linking against it.
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    pNtQueryWnfStateData NtQueryWnfStateData =
        (pNtQueryWnfStateData)GetProcAddress(hNtdll, "NtQueryWnfStateData");
    return NtQueryWnfStateData != NULL ? 0 : 1; // the export may change between OS versions
}
```
The function NtQueryWnfStateData allows a program to retrieve the current data associated with a specific WNF state name.
When you call NtQueryWnfStateData, the function transitions from user mode to kernel mode via a syscall instruction. The kernel then:
```c
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryWnfStateData(
    _In_ PCWNF_STATE_NAME StateName,        // 64-bit WNF state name
    _In_opt_ PCWNF_TYPE_ID TypeId,          // Optional type GUID
    VOID *ExplicitScope,                    // Optional scope
    _Out_ PWNF_CHANGE_STAMP ChangeStamp,    // Current version/stamp of the data
    _Out_ PVOID Buffer,                     // Output buffer for data
    _Inout_ PULONG BufferSize               // Buffer size (in/out)
);
```