On February 16, 2024

Experimenting with Object Initializers in Windows – See PG-compliance Disclaimer*

Overview

In this article, I want to introduce a fun, experimental approach to achieving what Windows Object Callbacks provide, but through an alternative means. It’s well known that anti-malware, anti-cheat, and generic monitoring tools on Windows systems often use these callbacks. However, their usability is limited to parties with signed modules, and the callbacks come with some risks, mainly the ease with which they can be tampered with if not adequately validated. I’ll be showcasing a simple example of leveraging this undocumented method. We’ll explore how the proposed method could achieve comparable outcomes while operating under the constraint of temporary use or while PG is disabled. I won’t spend much time on high-level details of Windows objects – I highly recommend Windows Internals or Windows Kernel Programming for more details. In no particular order, we’ll cover object construction, the various types, notification routines, and use cases, especially in anti-malware and anti-cheat software, before examining a few issues and then detailing the implementation of alt-process notifications and an anti-debugging method.

Disclaimer

This implementation was tested on Windows 11 23H2 (OS Build 22631.3085). The methods may work on prior versions of Windows if they leverage the same mechanism, minus those where PatchGuard hashes the structures, as described in this article. Future Windows 11 releases may change these mechanisms, their organization, or their protections.

On later Windows versions, PatchGuard throws a fit anywhere from 5 minutes to 6 hours after the modification. The PsProcessType and IoDriverObjectType objects are overtly placed in the PG context, along with ObpTypeObjectType. The ObpObjectTypes list is also hashed with SHA-256 and placed in the PG context. Be wary of potential crashes when dealing with any object types. The structures themselves are all protected by PG; the _OBJECT_TYPE.CallbackList entries, however, are not and can be unlinked or reorganized at runtime to insert or remove callbacks. Modifying the callback lists for various object types (such as PsProcessType) could allow for similar effects.

109 is shorthand for bugcheck code 0x109, CRITICAL_STRUCTURE_CORRUPTION, the BSOD PatchGuard raises on Windows.

Building Blocks

Objects within the Windows kernel are fundamental to the operation and bookkeeping of the OS. I’m assuming mild familiarity with Windows objects, but if you need a refresher, some examples are Process, Thread, File, Mutant, Semaphore, IoRing, etc. They’re all constructed by their respective component during OS initialization and managed by the Object Manager (routines are prefixed Ob in ntoskrnl). We’ll stick with a familiar object for the following subsections: the Process.

Process Creation and Notification

Process Notification Callbacks in Windows are a cornerstone of system monitoring and security. These callbacks, primarily utilized by anti-malware and anti-cheat systems, offer real-time notifications about process creation and termination events. A product initializes the appropriate structures and then calls PsSetCreateProcessNotifyRoutine to register the callback. It may be obvious why security products utilize this mechanism; for those unfamiliar, it enables a wide range of actions, from general logging to first-chance validation or process termination based on the information provided to the callback.

When software registers this notification routine, it is appended to a list of callbacks managed in the kernel, PspCreateProcessNotifyRoutine. Whenever a process is created by an API such as NtCreateUserProcess or NtCreateProcess, the path always includes the enumeration of this list and the subsequent execution of every registered callback. The general flow from invocation to notification is given below:

|- ntdll.dll!NtCreateUserProcess
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertThread
|    |    |    |- ntoskrnl.exe!PspCallProcessNotifyRoutines
|    |    |    |    |- <N_module>!NmHandleProcessNotification
|    |    |    |    |    |- etc...

If we look at the internals of PspCallProcessNotifyRoutines, we’ll see the enumeration and execution of each callback as they were added.

Several methods have been documented for attackers to prevent this first-chance access to process creation. An older article on this blog addresses one potential method, and the next logical step from seeing the above is to locate the callback entry of interest and remove it from the PspCreateProcessNotifyRoutine list. There is an article that details this approach thoroughly. The takeaway is that anti-malware/anti-cheat/general security products typically rely on these callbacks and may assume they’re untampered with; however, as mentioned — attacking the reliability and usability of these mechanisms is somewhat trivial through the abuse of the never-ending number of WHQL-signed drivers that hardware and/or security vendors push out.

Now, let’s consider the less legitimate perspective. In years prior, you could register object callbacks and process notification callbacks with an unsigned driver (i.e., using one of those WHQL-signed drivers that allowed unrestricted access to system resources to map your own driver). One method was to perform a little wizardry on the DriverObject->DriverSection that is documented here. However, nowadays, you’ll be met with the STATUS_ACCESS_DENIED result upon attempting to register object notifications when Windows is not in test-signing mode or without a signed module. This method bypasses the need to modify driver section attributes, sign your driver, or run in test-signing mode to get the same capability as the traditional object callbacks.

Function Pointer Rebinding

Alright, no more snooze fest explanation. Let’s dive right into how to implement Process Notification callbacks by avoiding the object callback lists altogether. I will present a single image; I’m sure you will see how this works immediately. If not, fear not… it’ll make sense when the first proof-of-concept is presented. Ready?

[Image: PspInitPhase0 decompilation showing the object type initializer function pointers, including ObTypeInit.OpenProcedure for PsProcessType pointing to PspProcessOpen]

Ah… nice.

Immediately after applying the appropriate types to the variables within the PspInitPhase0 function, pointers to several procedures stand out. Great, so how do we find the invocations of these? I’m glad you didn’t ask; let me show you. I slapped an IDA Python script together to find references to functions at N depth from a starting point. It’s terrific for pinpointing opportunities within a target module (yeah, I could’ve set a breakpoint on PspProcessOpen, but I was curious about all indirect invocations in the call graph).

Let’s look at a handful of results from the thousands dumped:

[1] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertProcess
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpIncrementHandleCountEx
|    |    |    |    |    |    |- ntoskrnl.exe!PspChargeQuota
|    |    |    |    |    |    |    |- ntoskrnl.exe!PspExpandQuota @ 0x14048494E
[2] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertProcess
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpIncrementHandleCountEx @ 0x14064B733
[3] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertProcess
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpIncrementHandleCountEx
|    |    |    |    |    |    |- ntoskrnl.exe!KiUnstackDetachProcess
|    |    |    |    |    |    |    |- ntoskrnl.exe!HalRequestSoftwareInterrupt @ 0x140308C63
[4] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertProcess
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpInsertOrLocateNamedObject
|    |    |    |    |    |    |- ntoskrnl.exe!ObpLookupObjectName @ 0x14064A502
[5] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertProcess
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpInsertOrLocateNamedObject
|    |    |    |    |    |    |- ntoskrnl.exe!ObpGetObjectSecurity @ 0x140625CF3
[6] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertProcess
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpInsertOrLocateNamedObject
|    |    |    |    |    |    |- ntoskrnl.exe!ObpGetObjectSecurity @ 0x140625D97
[7] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertProcess
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpInsertOrLocateNamedObject
|    |    |    |    |    |    |- ntoskrnl.exe!ObpDecrementHandleCount @ 0x140674E28
[8] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertThread
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpIncrementHandleCountEx
|    |    |    |    |    |    |- ntoskrnl.exe!PspChargeQuota
|    |    |    |    |    |    |    |- ntoskrnl.exe!PspExpandQuota @ 0x14048494E
[9] ----------------------------------------------------------------------------------
|    |- ntoskrnl.exe!NtCreateUserProcess
|    |    |- ntoskrnl.exe!PspInsertThread
|    |    |    |- ntoskrnl.exe!ObInsertObjectEx
|    |    |    |    |- ntoskrnl.exe!ObpCreateHandle
|    |    |    |    |    |- ntoskrnl.exe!ObpIncrementHandleCountEx @ 0x14064B733

The items at [2] and [9] were immediately interesting, as I’m unfamiliar with the indirect calls performed within these routines. Upon inspecting the address 0x14064B733 further…

Let’s symbolize this a bit.

Who needs to open WinDbag when you have DFS? We do… if we’re gonna be thorough and verify this gets hit. If we look back at the initial image, we’ll see the ObTypeInit.OpenProcedure for PsProcessType points to PspProcessOpen. I’ll set a breakpoint in WinDbg to confirm my assumptions: bp nt!PspProcessOpen "kb;g". The results are numerous, but one confirms:

00 fffff806`62b432c3     : 00000000`00000001 ffffc309`606ff040 ffffc309`606b3e60 ffffc309`00000000 : nt!PspProcessOpen
01 fffff806`62b404ba     : 00000000`00000200 00000000`00000401 ffffe480`633b0da0 00000000`00000000 : nt!ObpIncrementHandleCountEx+0x4d3
02 fffff806`62afef42     : 00000000`00000000 00000000`00000200 ffffc309`67538080 ffffc309`606b3e60 : nt!ObpCreateHandle+0x21a
03 fffff806`675d9eb8     : ffffaf06`01719570 ffffbf85`2ea9ea68 ffffbf85`2ea9ea20 ffffaf06`01719570 : nt!ObOpenObjectByPointer+0x152
04 fffff806`675ee472     : 00000000`00001558 ffffc309`67538080 00000000`00000424 ffffbf85`2ea9ea20 : WdFilter!MpCreateProcessContext+0x208
05 fffff806`675ee04a     : ffffbf85`2ea9ebc0 ffffbf85`2ea9eb00 ffffbf85`2ea9f538 ffffbf85`2ea9ebc0 : WdFilter!MpHandleProcessNotification+0xe6
06 fffff806`62b24ab8     : ffffbf85`2ea9ebc0 ffffbf85`2ea9ebc0 00000000`00000000 ffffbf85`2ea9f538 : WdFilter!MpCreateProcessNotifyRoutineEx+0xaa
07 fffff806`62b235db     : 00000000`00000000 00000000`00000000 00000000`00000001 ffffc309`713050c0 : nt!PspCallProcessNotifyRoutines+0x204
08 fffff806`62b742ce     : ffffc309`707d9080 ffffc309`67538080 ffffbf85`2ea9f400 ffffbf85`2ea9f2b8 : nt!PspInsertThread+0x72f
09 fffff806`6282bbe5     : 00000000`00000000 00000000`00000000 ffffc309`702ca080 fffff806`62aee7f6 : nt!NtCreateUserProcess+0xa2e
0a 00007fff`3b130d44     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25

That’s a hit on process creation and was all I needed to justify wasting time messing with this. Alright, so now, how the hell do we utilize this? Well, let’s lay out a few things that we know.

  • Object Types are created at kernel initialization.
    • REF: PspInitPhase0
  • Every Object Type has a name associated with it.
    • REF: ObCreateObjectType(&ObjectTypeName, ...)
  • Object Type objects are stored in the ObTypeIndexTable at their respective indexes.
    • REF: ObCreateObjectTypeEx[Index] = ObTypeObjectN
  • The procedures in the initial image are stored in the TypeInfo field of the _OBJECT_TYPE structure, which is the type of every entry in the ObTypeIndexTable.
  • PG checks the structures, but either you are operating under the assumption that PG is disabled, or this will be left in place for a very brief period.
  • ObGetObjectType can be acquired via MmGetSystemRoutineAddress.
  • Zydis exists.
  • lock xchg go brrr.
  • ???
  • Profit.

Knowing the above, we can instrument these functions to achieve our objective. First, here are some structure definitions you’ll want if you want to replicate:

typedef struct __declspec( align( 8 ) ) _object_dump_control
{
    void* Stream;
    unsigned int Detail;
} object_dump_control, * pobject_dump_control; // second name was a duplicate typedef; now a pointer alias

enum e_ob_open_reason : int
{
    ob_create_handle = 0x0,
    ob_open_handle = 0x1,
    ob_duplicate_handle = 0x2,
    ob_inherit_handle = 0x3,
    ob_max_reason = 0x4,
};

typedef struct _ob_extended_parse_parameters
{
    unsigned short length;
    unsigned int restricted_access_mask;
    _EJOB* silo;
} ob_extended_parse_parameters, * pob_extended_parse_parameters;

typedef struct _object_name_information
{
    UNICODE_STRING Name;
} object_name_information, * pobject_name_information;

using dump_procedure_ty = void( __fastcall* )( void*, object_dump_control* );
using open_procedure_ty = int( __fastcall* )( e_ob_open_reason, char, PEPROCESS, void*, unsigned int*, unsigned int );
using close_procedure_ty = void( __fastcall* )( PEPROCESS, void*, unsigned long long, unsigned long long );
using delete_procedure_ty = void( __fastcall* )( void* );
using parse_procedure_ty = int( __fastcall* )( void*, void*, ACCESS_STATE*, char, unsigned int, UNICODE_STRING*, UNICODE_STRING*, void*, SECURITY_QUALITY_OF_SERVICE*, void** );
using parse_procedure_ex_ty = int( __fastcall* )( void*, void*, ACCESS_STATE*, char, unsigned int, UNICODE_STRING*, UNICODE_STRING*, void*, SECURITY_QUALITY_OF_SERVICE*, ob_extended_parse_parameters*, void** );
using security_procedure_ty = int( __fastcall* )( void*, SECURITY_OPERATION_CODE, unsigned int*, void*, unsigned int*, void**, POOL_TYPE, GENERIC_MAPPING*, char );
using query_name_procedure_ty = int( __fastcall* )( void*, unsigned char, object_name_information*, unsigned int, unsigned int*, char );
using okay_to_close_procedure_ty = unsigned char( __fastcall* )( PEPROCESS, void*, void*, char );

union parse_procedure_detail_ty
{
    parse_procedure_ty parse_procedure;
    parse_procedure_ex_ty parse_procedure_ex;
};

struct object_type_initializer
{
    unsigned short length;

    union
    {
        unsigned short flags;
        // The bit fields must live in a nested struct; placed directly in the union
        // they would all alias bit 0 instead of occupying consecutive bits.
        struct
        {
            unsigned char case_insensitive : 1;
            unsigned char unnamed_objects_only : 1;
            unsigned char use_default_object : 1;
            unsigned char security_required : 1;
            unsigned char maintain_handle_count : 1;
            unsigned char maintain_type_list : 1;
            unsigned char supports_object_callbacks : 1;
            unsigned char cache_aligned : 1;
            unsigned char use_extended_parameters : 1;
            unsigned char reserved : 7;
        };
    } object_type_flags;
    unsigned int object_type_code;
    unsigned int invalid_attributes;
    GENERIC_MAPPING generic_mapping;
    unsigned int valid_access_mask;
    unsigned int retain_access;
    POOL_TYPE pool_type;
    unsigned int default_paged_pool_charge;
    unsigned int default_non_paged_pool_charge;
    void( __fastcall* dump_procedure )( void*, object_dump_control* );
    int( __fastcall* open_procedure )( e_ob_open_reason, char, PEPROCESS, void*, unsigned int*, unsigned int );
    void( __fastcall* close_procedure )( PEPROCESS, void*, unsigned long long, unsigned long long );
    void( __fastcall* delete_procedure )( void* );
    union
    {
        int( __fastcall* parse_procedure )( void*, void*, ACCESS_STATE*, char, unsigned int, UNICODE_STRING*, UNICODE_STRING*, void*, SECURITY_QUALITY_OF_SERVICE*, void** );
        int( __fastcall* parse_procedure_ex )( void*, void*, ACCESS_STATE*, char, unsigned int, UNICODE_STRING*, UNICODE_STRING*, void*, SECURITY_QUALITY_OF_SERVICE*, ob_extended_parse_parameters*, void** );
    } parse_procedure_detail;
    int( __fastcall* security_procedure )( void*, SECURITY_OPERATION_CODE, unsigned int*, void*, unsigned int*, void**, POOL_TYPE, GENERIC_MAPPING*, char );
    int( __fastcall* query_name_procedure )( void*, unsigned char, object_name_information*, unsigned int, unsigned int*, char );
    unsigned char( __fastcall* okay_to_close_procedure )( PEPROCESS, void*, void*, char );
    unsigned int wait_object_flag_mask;
    unsigned short wait_object_flag_offset;
    unsigned short wait_object_pointer_offset;
};

typedef struct _ex_push_lock_flags
{
    unsigned long long Locked : 1;
    unsigned long long Waiting : 1;
    unsigned long long Waking : 1;
    unsigned long long MultipleShared : 1;
    unsigned long long Shared : 60;
} ex_push_lock_flags;

typedef struct _ex_push_lock
{
    union
    {
        ex_push_lock_flags flags;
        unsigned long long value;
        void* ptr;
    } u;
} ex_push_lock, * pex_push_lock;

typedef struct object_type
{
    LIST_ENTRY type_list;
    UNICODE_STRING name;
    void* default_object;
    unsigned char index;
    unsigned int total_number_of_objects;
    unsigned int total_number_of_handles;
    unsigned int high_water_number_of_objects;
    unsigned int high_water_number_of_handles;
    object_type_initializer type_info;
    ex_push_lock type_lock;
    unsigned int key;
    LIST_ENTRY callback_list;
} object_type, *p_object_type;

struct ob_type_hook_pair
{
    object_type* target_object;

    dump_procedure_ty               o_dump_procedure;
    open_procedure_ty               o_open_procedure;
    close_procedure_ty              o_close_procedure;
    delete_procedure_ty             o_delete_procedure;
    parse_procedure_detail_ty       o_parse_procedure_detail;
    security_procedure_ty           o_security_procedure;
    query_name_procedure_ty         o_query_name_procedure;
    okay_to_close_procedure_ty      o_okay_to_close_procedure;
};

As we noted in our list of “things we know”… we can find the ObGetObjectType function, and within it we find the ObTypeIndexTable. We’ll do this using Zydis:

bool find_ob_type_index_table( void** fn )
{
    auto ob_get_object_type = utils::nt::get_kernel_function( "ObGetObjectType"_w );

    if ( ob_get_object_type == nullptr )
        return false;

    ZydisDecoder zydis_decoder;
    ZydisStatus zydis_status = ZydisDecoderInit(
        &zydis_decoder,
        ZYDIS_MACHINE_MODE_LONG_64,
        ZYDIS_ADDRESS_WIDTH_64
    );

    if ( !ZYDIS_SUCCESS( zydis_status ) )
        return false;

    void* p_ob_type_index_table = nullptr;
    for ( unsigned long it = 0, len = 0; it < 64; it++ )
    {
        ZydisDecodedInstruction inst;
        zydis_status = ZydisDecoderDecodeBuffer(
            &zydis_decoder,
            MAKE_PTR( PVOID, ob_get_object_type, len ),
            16,
            MAKE_PTR( ZydisU64, ob_get_object_type, len ),
            &inst
        );

        if ( !ZYDIS_SUCCESS( zydis_status ) )
            break;

        len += inst.length;

        // Only a "lea reg64, [rip+disp]" that loads the address of ObTypeIndexTable
        // is of interest; the destination register differs between builds, so it is
        // not checked. Anything that is not an lea with a 64-bit register destination
        // (the movzx loads in this function included) is skipped.
        if ( inst.mnemonic != ZYDIS_MNEMONIC_LEA ||
             inst.operands[ 0 ].type != ZYDIS_OPERAND_TYPE_REGISTER ||
             inst.operands[ 0 ].size != 64 )
        {
            continue;
        }

        zydis_status = ZydisCalcAbsoluteAddress(
            &inst,
            &inst.operands[ 1 ],
            reinterpret_cast< ZydisU64* >( fn )
        );

        if ( !ZYDIS_SUCCESS( zydis_status ) )
            continue;

        return true;
    }

    return false;
}

Let’s tie it in with our DriverEntry and verify the result.

extern "C" NTSTATUS
DriverEntry(
    const PDRIVER_OBJECT driver_object,
    const PUNICODE_STRING registry_path
)
{
    __do_global_ctors_aux();

    UNREFERENCED_PARAMETER( registry_path );

    driver_object->DriverUnload = driver_unload;

#ifdef _SERIAL_LOGGING
    io_initialize_serial_port();
#endif

    void* ob_type_index_table = nullptr;
    if ( !find_ob_type_index_table( &ob_type_index_table ) )
    {
        OUT_ERR(
            "Unable to locate ObTypeIndexTable."
        );
    }
    else
    {
        OUT_INF(
            "ObTypeIndexTable located @ %p",
            ob_type_index_table
        );
    }

    if ( ob_type_index_table )
    {
        // Process the type index table, and rebind the function pointers for our target object.
        //
    }

    return STATUS_SUCCESS;
}

Processing the ObTypeIndexTable

The name might be self-explanatory to some of the readers already. Still, for completeness, the ObTypeIndexTable is an array of pointers to _OBJECT_TYPE structures that describe the various Windows Kernel Objects created/registered at OS initialization. If we dump the first few entries and then cast the 3rd element of the array to _OBJECT_TYPE, we’ll see the data below.

This array’s 0th and 1st index are invalid entries, so we will skip these when enumerating the table. If we consider that this is an array of _OBJECT_TYPE* and we want to start at a specific index (2, the first valid entry), we can write a helper function like so:

auto get_object = [ ob_type_index_table ] ( size_t idx ) -> object_type*
{
    return *reinterpret_cast< object_type** >(
        static_cast< uint8_t* >( ob_type_index_table ) + idx * sizeof( object_type* )
        );
};

Weird Legacy

The requirement to index into the ObTypeIndexTable past the first two entries is a bit odd. It appears that these are placeholder entries. The reasoning for their invalidity is likely historical; my best guess is that a different structure was once used for the object type list. The second entry points to MmBadPointer, though that is a more recent change; in late 2018, the magic value 0x0bad0b0b was used instead, as described here. All of the current initialization code sets the starting index for the ObTypeIndexTable to 2. This can be verified by analyzing ObInitSystem and ObCreateObjectTypeEx. I verified that these indexes were not used when Hyper-V and the Windows Sandbox were enabled; only two new object types were introduced: CrossVmMutant and CrossVmEvent.

If someone knows why the first two entries are invalid, I’d like to learn why.

Updating DriverEntry

All that’s left is to add some logic to our DriverEntry and verify we have the correct logic for enumerating and singling out our target type (PsProcessType).

extern "C" NTSTATUS
DriverEntry(
    const PDRIVER_OBJECT driver_object,
    const PUNICODE_STRING registry_path
)
{
    __do_global_ctors_aux();

    UNREFERENCED_PARAMETER( registry_path );

    driver_object->DriverUnload = driver_unload;

#ifdef _SERIAL_LOGGING
    io_initialize_serial_port();
#endif

    void* ob_type_index_table = nullptr;
    if ( !find_ob_type_index_table( &ob_type_index_table ) )
    {
        OUT_ERR(
            "Unable to locate ObTypeIndexTable."
        );
    }
    else
    {
        OUT_INF(
            "ObTypeIndexTable located @ %p",
            ob_type_index_table
        );
    }

    if ( ob_type_index_table )
    {
        void* fnc = nullptr;

        auto get_object = [ ob_type_index_table ] ( size_t idx ) -> object_type*
        {
            return *reinterpret_cast< object_type** >(
                static_cast< uint8_t* >( ob_type_index_table ) + idx * sizeof( object_type* )
                );
        };

        // Start at the first valid object table index.
        //
        uint64_t index = 2;
        for ( object_type* obj = get_object( index ); obj != nullptr; obj = get_object( ++index ) )
        {
            ANSI_STRING ob_type_name{};
            if ( NT_SUCCESS( RtlUnicodeStringToAnsiString( &ob_type_name, &obj->name, TRUE ) ) )
            {
                OUT_INF( "%llu, 0x%p, %s", index, obj, ob_type_name.Buffer );
                RtlFreeAnsiString( &ob_type_name ); // buffer was allocated by RtlUnicodeStringToAnsiString( ..., TRUE )
            }
        }
    }

    return STATUS_SUCCESS;
}

Object Type Dump Verification

Looks good; these are all the object types in the object table. I verified against other references from previous dumps via WinDbg, and all looked good. All that is left is for us to write our function to replace the original function pointer in the _OBJECT_TYPE_INITIALIZER structure for the PsProcessType object entry. However, to do this, we need to reverse PspProcessOpen to understand how it works. Based on the initial analysis, all we know is that it’s called at some point during process initialization. The PspProcessOpen function prototype looks like this:

NTSTATUS
__fastcall
PspProcessOpen(
        _OB_OPEN_REASON OpenReason,
        INT8 AccessMode,
        _EPROCESS *TargetProcess,
        _EPROCESS *Object,
        UINT64 *GrantedAccess,
        UINT64 HandleCount);

PsProcessType.OpenProcedure (PspProcessOpen) Hook

NTSTATUS
process_open_procedure(
    e_ob_open_reason open_reason,
    uint8_t access_mode,
    PEPROCESS process,
    PEPROCESS object_body,
    unsigned int* granted_access,
    unsigned int handle_count )
{
    // Only a kernel-mode (access_mode == KernelMode, i.e. 0) OpenHandle against the
    // new object during process creation is of interest; user-mode opens, duplicates
    // and inherits are noise and are forwarded untouched.
    if ( open_reason == e_ob_open_reason::ob_open_handle && process && object_body && access_mode == KernelMode )
    {
        // SeLocateProcessImageName allocates the returned UNICODE_STRING itself;
        // the caller releases it with ExFreePool.
        PUNICODE_STRING primary_name = nullptr;   // the "parent" (3rd argument), System for new processes
        PUNICODE_STRING secondary_name = nullptr; // the object being created

        if ( NT_SUCCESS( SeLocateProcessImageName( process, &primary_name ) ) &&
             NT_SUCCESS( SeLocateProcessImageName( object_body, &secondary_name ) ) &&
             primary_name->Length > 0 && secondary_name->Length > 0 )
        {
            ANSI_STRING aname_parent{};
            ANSI_STRING aname_child{};

            if ( NT_SUCCESS( RtlUnicodeStringToAnsiString( &aname_parent, primary_name, TRUE ) ) &&
                 NT_SUCCESS( RtlUnicodeStringToAnsiString( &aname_child, secondary_name, TRUE ) ) )
            {
                if ( aname_parent.Length > 0 && aname_child.Length > 0 )
                    OUT_INF( "[PROCESS CREATED] => %s", aname_child.Buffer );
            }

            // Safe on a zero-initialized ANSI_STRING; frees only when Buffer was allocated.
            RtlFreeAnsiString( &aname_parent );
            RtlFreeAnsiString( &aname_child );
        }

        if ( primary_name )
            ExFreePool( primary_name );
        if ( secondary_name )
            ExFreePool( secondary_name );
    }

    // Always hand off to the original PspProcessOpen so handle semantics are unchanged.
    return g_ob_type_hook_pair.o_open_procedure( open_reason, access_mode, process, object_body, granted_access, handle_count );
}

Finalized DriverEntry and Results

extern "C" NTSTATUS
DriverEntry(
    const PDRIVER_OBJECT driver_object,
    const PUNICODE_STRING registry_path
)
{
    __do_global_ctors_aux();

    UNREFERENCED_PARAMETER( registry_path );

    driver_object->DriverUnload = driver_unload;

#ifdef _SERIAL_LOGGING
    io_initialize_serial_port();
#endif

    void* ob_type_index_table = nullptr;
    if ( !find_ob_type_index_table( &ob_type_index_table ) )
    {
        OUT_ERR(
            "Unable to locate ObTypeIndexTable."
        );
    }
    else
    {
        OUT_INF(
            "ObTypeIndexTable located @ %p",
            ob_type_index_table
        );
    }

    if ( ob_type_index_table )
    {
        void* fnc = nullptr;

        auto get_object = [ ob_type_index_table ] ( size_t idx ) -> object_type*
        {
            return *reinterpret_cast< object_type** >(
                static_cast< uint8_t* >( ob_type_index_table ) + idx * sizeof( object_type* )
                );
        };

        // Start at the first valid object table index.
        //
        uint64_t index = 2;
        for ( object_type* obj = get_object( index ); obj != nullptr; obj = get_object( ++index ) )
        {
            ANSI_STRING ob_type_name{};
            if ( NT_SUCCESS( RtlUnicodeStringToAnsiString( &ob_type_name, &obj->name, TRUE ) ) )
            {
                OUT_INF( "%llu, 0x%p, %s", index, obj, ob_type_name.Buffer );
                RtlFreeAnsiString( &ob_type_name ); // buffer was allocated by RtlUnicodeStringToAnsiString( ..., TRUE )
            }

            UNICODE_STRING type_name = RTL_CONSTANT_STRING( L"Process" );

            if ( RtlCompareUnicodeString( &obj->name, &type_name, TRUE ) == 0 )
            {
                OUT_TYPE_INF("%s", object_type, obj, 
                    key, 
                    total_number_of_objects, 
                    close_procedure, 
                    open_procedure, 
                    delete_procedure, 
                    dump_procedure, 
                    security_procedure, 
                    parse_procedure_detail, 
                    okay_to_close_procedure, 
                    query_name_procedure
                );

                g_ob_type_hook_pair.target_object = obj;
                g_ob_type_hook_pair.o_close_procedure = obj->type_info.close_procedure;
                g_ob_type_hook_pair.o_open_procedure = obj->type_info.open_procedure;
                g_ob_type_hook_pair.o_delete_procedure = obj->type_info.delete_procedure;
                g_ob_type_hook_pair.o_dump_procedure = obj->type_info.dump_procedure;
                g_ob_type_hook_pair.o_security_procedure = obj->type_info.security_procedure;
                g_ob_type_hook_pair.o_okay_to_close_procedure = obj->type_info.okay_to_close_procedure;
                g_ob_type_hook_pair.o_query_name_procedure = obj->type_info.query_name_procedure;

                _InterlockedExchangePointer(
                    reinterpret_cast< void** >( &obj->type_info.open_procedure ),
                    reinterpret_cast< void* >( process_open_procedure )
                );
            }
        }
    }

    return STATUS_SUCCESS;
}

The result is that only processes created following the rebinding of this function pointer will be logged. You must verify the access_mode is 0 and validate the name of the secondary object (not the primary process object) passed to the function, as this is the application being created. The primary process object (3rd argument) is the “parent.” The primary process object for new processes will be System when PspProcessOpen is called. If you log the objects regardless of access_mode and open_reason you’ll be spammed with irrelevant information.
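As an added defender-side example (not code from the original post), the following user-mode C++ simulation shows the integrity check a monitoring driver, or PatchGuard itself, applies to the ObTypeIndexTable: every non-null procedure pointer in each type's TypeInfo must resolve inside the ntoskrnl image, so a rebound OpenProcedure like the one installed above shows up as a pointer into foreign code. The kernel image range, the type names and all addresses are constructed values; `object_type_sim`, `find_rebound_procedures` and `build_sample_table` are this example's own simplified stand-ins, not kernel structures or APIs.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Constructed values for this simulation: a fake ntoskrnl mapping and a fake
// address inside some other driver. None of these are real addresses.
constexpr uintptr_t k_image_base   = 0xfffff80600000000ULL;
constexpr size_t    k_image_size   = 0x01000000;            // 16 MiB
constexpr uintptr_t k_foreign_code = 0xfffff80700001000ULL; // hypothetical hook location

// Reduced stand-in for the page's object_type_initializer: only the procedure
// pointers matter for the check, so the parameter lists are dropped (void*).
struct type_info_procs
{
    void* dump_procedure;
    void* open_procedure;
    void* close_procedure;
    void* delete_procedure;
    void* parse_procedure;
    void* security_procedure;
    void* query_name_procedure;
    void* okay_to_close_procedure;
};

// Reduced stand-in for _OBJECT_TYPE: name plus TypeInfo.
struct object_type_sim
{
    std::string     name;
    type_info_procs type_info;
};

// One procedure pointer that does not resolve into the kernel image.
struct finding
{
    size_t      index;      // ObTypeIndexTable slot
    std::string type_name;  // e.g. "Process"
    std::string procedure;  // e.g. "open_procedure"
    uintptr_t   value;      // the foreign pointer
};

static bool in_image( const void* p, uintptr_t base, size_t size )
{
    const uintptr_t v = reinterpret_cast< uintptr_t >( p );
    return v >= base && v < base + size;
}

// Walk the table the same way the page's DriverEntry does (slots 0 and 1 are
// placeholders, the table is nullptr-terminated) and report every non-null
// TypeInfo procedure that points outside [image_base, image_base + image_size).
std::vector< finding > find_rebound_procedures(
    const std::vector< object_type_sim* >& table, uintptr_t image_base, size_t image_size )
{
    std::vector< finding > out;
    for ( size_t idx = 2; idx < table.size() && table[ idx ] != nullptr; ++idx )
    {
        const object_type_sim* obj = table[ idx ];
        const std::pair< const char*, void* > procs[] = {
            { "dump_procedure",          obj->type_info.dump_procedure },
            { "open_procedure",          obj->type_info.open_procedure },
            { "close_procedure",         obj->type_info.close_procedure },
            { "delete_procedure",        obj->type_info.delete_procedure },
            { "parse_procedure",         obj->type_info.parse_procedure },
            { "security_procedure",      obj->type_info.security_procedure },
            { "query_name_procedure",    obj->type_info.query_name_procedure },
            { "okay_to_close_procedure", obj->type_info.okay_to_close_procedure },
        };
        for ( const auto& p : procs )
        {
            if ( p.second == nullptr )
                continue; // the type does not implement this procedure; nothing to validate
            if ( !in_image( p.second, image_base, image_size ) )
                out.push_back( { idx, obj->name, p.first, reinterpret_cast< uintptr_t >( p.second ) } );
        }
    }
    return out;
}

static void* kaddr( uintptr_t offset ) { return reinterpret_cast< void* >( k_image_base + offset ); }

// Constructed ObTypeIndexTable: two placeholder slots, four types, terminator.
// The "Process" entry has its open_procedure rebound to foreign code, as the
// DriverEntry above does with _InterlockedExchangePointer.
std::vector< object_type_sim* > build_sample_table()
{
    static std::vector< object_type_sim > storage = {
        { "Type",      { nullptr, nullptr,         nullptr,         kaddr( 0x1000 ), nullptr,         kaddr( 0x2000 ), nullptr, nullptr } },
        { "Directory", { nullptr, nullptr,         nullptr,         kaddr( 0x1100 ), kaddr( 0x1200 ), kaddr( 0x2000 ), nullptr, nullptr } },
        { "Process",   { nullptr, reinterpret_cast< void* >( k_foreign_code ), kaddr( 0x3100 ), kaddr( 0x3200 ), nullptr, kaddr( 0x2000 ), nullptr, nullptr } },
        { "Thread",    { nullptr, kaddr( 0x4000 ), kaddr( 0x4100 ), kaddr( 0x4200 ), nullptr,         kaddr( 0x2000 ), nullptr, nullptr } },
    };
    std::vector< object_type_sim* > table = { nullptr, nullptr };
    for ( auto& t : storage )
        table.push_back( &t );
    table.push_back( nullptr );
    return table;
}

int main()
{
    const auto table = build_sample_table();
    for ( const finding& f : find_rebound_procedures( table, k_image_base, k_image_size ) )
        std::printf( "[%zu] %s.%s -> 0x%llx (outside ntoskrnl)\n", f.index, f.type_name.c_str(),
                     f.procedure.c_str(), static_cast< unsigned long long >( f.value ) );
    return 0;
}
```

In a real driver the image range comes from the loaded-module list rather than constants, and the check is a point-in-time one: a hook that is installed only briefly, as the disclaimer above describes, can sit between two scans, which is why a periodic or event-driven sweep matters more than a single pass at load time. Note also that the _OBJECT_TYPE.CallbackList is a different structure; pointers into a signed third-party driver are expected there, whereas TypeInfo procedures are expected to be kernel code.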

Leverage the SecurityProcedure

An alternative is to leverage the security procedure within the object type initializers structure. During process initialization, it’s invoked with the operation code AssignSecurityDescriptor, and on process termination, you can catch the DeleteSecurityDescriptor case and check for the PsProcessType — during normal operations, these two will always indicate process startup/termination.

To determine where it occurred, I initially just traced with the aforementioned script to see where the method was invoked and… unsurprisingly, it was within ObInsertObjectEx.

[311] ----------------------------------------------------------------------------------
|    |- NtCreateUserProcess
|    |    |- PspInsertProcess
|    |    |    |- ObInsertObjectEx @ 0x14062018F

For Future Reference

If you’re uncertain where to find references to these functions outside of just breaking on the function in WinDbg, think about the operation performed on the object. When an object, such as a mutant, section, semaphore, process, thread, etc., is created, it has to be inserted into the appropriate list. Logically, you may find calls to the respective object procedures in relevant functions like ObInsertObjectEx, which is typically the highest Ob-related entry on the call stack; subsequent calls will invoke one of the OpenProcedure/SecurityProcedure routines at some point, sometimes more than once. Of course, if the object type doesn’t initialize those procedures, you won’t wind up down that path in practice.

The OkayToClose/Close/Delete procedures will be seen referenced in functions that deal with the release/closing of object handles, e.g. ObCloseHandleTableEntry. You’ll also see the invocation of the SecurityProcedure in closing operations. It makes sense because when an object has a security descriptor assigned on construction, it must also have the SD released on destruction. As a thought exercise, consider where you might see the QueryName or ParseProcedure referenced. I’ll provide the answer later on.

After double-checking with WinDbg, the resulting sequence was:

|    |- ntoskrnl.exe!KiSystemServiceCopyEnd @ 0x15e2bce5
|    |    |- ntoskrnl.exe!NtCreateUserProcess @ 0x16174275
|    |    |    |- ntoskrnl.exe!PspInsertProcess @ 0x161756f3
|    |    |    |    |- ntoskrnl.exe!ObInsertObjectEx @ 0x160fd663
|    |    |    |    |    |- ntoskrnl.exe!SeDefaultObjectMethod

Given this information, we can implement a hook similar to the one for the OpenProcedure.

NTSTATUS generic_security_procedure(
    void* object,
    SECURITY_OPERATION_CODE operation_code,
    unsigned* security_information,
    void* security_descriptor,
    unsigned* captured_length,
    void** objects_security_descriptor,
    POOL_TYPE pool_type,
    GENERIC_MAPPING* generic_mapping,
    char access_mode
) {
    // With no object there is nothing to classify; hand the call to the first saved
    // original rather than failing an operation the kernel asked for.
    if (object == nullptr) {
        return g_ob_type_tracking_data[0]->o_security_procedure(
            object, operation_code, security_information, security_descriptor,
            captured_length, objects_security_descriptor, pool_type, generic_mapping, access_mode
        );
    }

    auto ob_type = ob_get_object_type(object);

    // Unknown type: same fallback as above.
    if (!ob_type) {
        return g_ob_type_tracking_data[0]->o_security_procedure(
            object, operation_code, security_information, security_descriptor,
            captured_length, objects_security_descriptor, pool_type, generic_mapping, access_mode
        );
    }

    // AssignSecurityDescriptor arrives from ObInsertObjectEx on creation and
    // DeleteSecurityDescriptor on teardown; SetSecurityDescriptor covers explicit SD changes.
    if (operation_code == AssignSecurityDescriptor || 
        operation_code == DeleteSecurityDescriptor ||
        operation_code == SetSecurityDescriptor) {

        if (!ob_type->name.Buffer || ob_type->name.Length == 0)
            return STATUS_INVALID_PARAMETER;

        auto ob_type_name = xstd::anystr( 0x100, 0x00 ).to_ansi(&ob_type->name);
        
        if (ob_type == *PsProcessType) {
            // SeLocateProcessImageName allocates the returned UNICODE_STRING from pool and the
            // caller owns it; the author's xstd::anystr helper is assumed to release it.
            auto primary_name = xstd::anystr( 0x100, 0x00 );
            SeLocateProcessImageName(static_cast<PEPROCESS>(object), &primary_name);
            auto process_name = primary_name.to_ansi();

            OUT_INF("]] 0x%p %d %s => %s", object, operation_code, ob_type_name.c_str(), process_name.c_str());
        }
    }

    // Always chain to the original procedure for this type. The tracking table was filled
    // in index order starting at type index 2, hence the index - 2 mapping.
    return g_ob_type_tracking_data[ob_type->index - 2]->o_security_procedure(
        object, operation_code, security_information, security_descriptor,
        captured_length, objects_security_descriptor, pool_type, generic_mapping, access_mode
    );
}

Below are the results after logging in and starting a handful of processes.

With a few other checks to determine if the process is in the initial startup phases, you can have your own process creation callbacks without registering with the object manager.

Simple System-wide Anti-debug

We used the process object because it’s likely the most familiar to those reading this. However, we don’t have to stop there. In the previous section, I noted that all object types with these procedures set up will invoke them at one point or another. What do we know about debugging? Well, if you’re not familiar with the internals of debugging, that’s something for another post. The only relevant thing to know for this part is that debuggers call the DbgUiConnectToDbg API, which is invoked when a debugger attempts to attach to a process, or, in some cases, they implement their own DbgUiConnectToDbg directly. The same goes for DebugActiveProcess.

// Reference: https://github.dev/x64dbg/TitanEngine/blob/49f59781da9ef9ed8b14963a0ecf499695971b5f/TitanEngine/Global.Debugger.cpp#L271
//
static NTSTATUS NTAPI DbgUiConnectToDbg_()
{
    if(NtCurrentTeb()->DbgSsReserved[1] != NULL)
        return STATUS_SUCCESS;

    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    return NtCreateDebugObject(&NtCurrentTeb()->DbgSsReserved[1], DEBUG_ALL_ACCESS, &ObjectAttributes, 0);
}

The name is self-explanatory: NtCreateDebugObject will attempt to create a DebugObject and insert it, along with the newly created handles, into the appropriate object tables. I mentioned earlier that anything that calls into ObInsertObjectEx will wind up invoking one of these procedures if they exist, and if we check the “constructor” of DbgkDebugObjectType we’ll note that the SecurityProcedure is never overridden, which means it stays set to SeDefaultObjectMethod.


And a quick trace to confirm this:

|    |- ntdll.exe!RtlUserThreadStart @ 0xd346aa58
|    |    |- KERNEL32.dll!BaseThreadInitThunk @ 0xd26f257d
|    |    |    |- x64dbg.exe!UnknownFunction @ 0x609cbd3e
|    |    |    |    |- x64dbg.exe!UnknownFunction @ 0x609d8207
|    |    |    |    |    |- TitanEngine.dll!AttachDebugger @ 0x8f7e5462
|    |    |    |    |    |    |- TitanEngine.dll!UnknownFunction @ 0x8f7d5b55
|    |    |    |    |    |    |    |- ntdll.dll!NtCreateDebugObject @ 0xd34b0884
|    |    |    |    |    |    |    |    |- ntoskrnl.exe!KiSystemServiceCopyEnd @ 0x15e2bce5
|    |    |    |    |    |    |    |    |    |- ntoskrnl.exe!NtCreateDebugObject @ 0x163366e2
|    |    |    |    |    |    |    |    |    |    |- ntoskrnl.exe!ObInsertObjectEx @ 0x160fd663
|    |    |    |    |    |    |    |    |    |    |    |- ntoskrnl.exe!SeDefaultObjectMethod

So, with this in mind, we can modify our function rebinding code to target the SecurityProcedure for PsProcessType and DbgkDebugObjectType, or take the shorthand of comparing the type names to Process and DebugObject.

// Walk the object type table starting at index 2 (the first real entry, Type, as the dump
// at the end shows), saving every type's original procedures before touching anything so
// they can be restored on unload.
uint64_t index = 2;
for ( object_type* obj = get_object( index ); obj != nullptr; obj = get_object( ++index ) )
{
    auto ob_name = xstd::anystr( 0x100, 0x00 ).to_ansi( &obj->name );
    OUT_INF( "%llu, 0x%p, %s", index, obj, ob_name.c_str() );

    const auto ob_type_tracker = reinterpret_cast< ob_type_tracking_data* >( allocator->alloc( sizeof( ob_type_tracking_data ) ) );

    if ( !ob_type_tracker )
        return false;

    ob_type_tracker->ob_type_name = ob_name;
    ob_type_tracker->target_object = obj;
    ob_type_tracker->o_open_procedure = obj->type_info.open_procedure;
    ob_type_tracker->o_close_procedure = obj->type_info.close_procedure;
    ob_type_tracker->o_delete_procedure = obj->type_info.delete_procedure;
    ob_type_tracker->o_security_procedure = obj->type_info.security_procedure;
    ob_type_tracker->o_okay_to_close_procedure = obj->type_info.okay_to_close_procedure;
    ob_type_tracker->o_query_name_procedure = obj->type_info.query_name_procedure;
    ob_type_tracker->o_parse_procedure_detail.parse_procedure = obj->type_info.parse_procedure_detail.parse_procedure;

    // Entries are pushed in index order, which is what lets generic_security_procedure map
    // a type back to its saved data with ob_type->index - 2.
    g_ob_type_tracking_data.push_back( ob_type_tracker );

    // Only the two types of interest are rebound. This relies on xstd::anystr::compare returning
    // true on a match; with std::string::compare semantics (0 on a match) the condition would be
    // inverted and every other type would be hooked instead.
    if ( ob_name.compare( "Process" ) || ob_name.compare( "DebugObject" ) )
    {
        // Atomic pointer swap, the same primitive used for the OpenProcedure earlier.
        _InterlockedExchangePointer(
            reinterpret_cast< void** >( &obj->type_info.security_procedure ),
            reinterpret_cast< void* >( generic_security_procedure )
        );
    }
}

The last thing to be done is to modify the generic_security_procedure shared earlier to handle the DebugObject type. If you want to disable debugging system-wide, you can simply return STATUS_DEBUG_ATTACH_FAILED in the DebugObject case. If you want to deny debugging of a specific process or by a specific application, you’ll have to do a little extra work. The results of denying x64dbg and WinDbg specifically are given below.
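The DebugObject branch and the install/restore path around it, modelled host-side as an added example that is not the article's driver code: the real nine-parameter procedure is reduced to (object, operation) so it builds without the WDK, the tracking table is filled before any swap, Process inserts and deletes are logged, a DebugObject insert fails with STATUS_DEBUG_ATTACH_FAILED, and the saved pointers are put back on unload. Type names, indices, struct layouts and the sample objects are constructed stand-ins, and the name check uses equality rather than compare() for the reason given in the comments.

```cpp
// Host-side model of the SecurityProcedure rebinding above (added example, not the
// article's driver code): the nine-parameter procedure is reduced to (object, operation)
// so the logic compiles without the WDK. Names, indices and sample objects are constructed.
#include <atomic>
#include <cstdint>
#include <string>
#include <vector>
using NTSTATUS = int32_t;
constexpr NTSTATUS STATUS_SUCCESS = 0;
constexpr NTSTATUS STATUS_INVALID_PARAMETER = static_cast<NTSTATUS>(0xC000000D);
constexpr NTSTATUS STATUS_DEBUG_ATTACH_FAILED = static_cast<NTSTATUS>(0xC0000219);
// Same member order as _SECURITY_OPERATION_CODE in the kernel headers.
enum SECURITY_OPERATION_CODE { SetSecurityDescriptor, QuerySecurityDescriptor,
                               DeleteSecurityDescriptor, AssignSecurityDescriptor };
struct object_header;
using security_procedure_t = NTSTATUS (*)(object_header*, SECURITY_OPERATION_CODE);

struct object_type {                 // the parts of _OBJECT_TYPE the hook touches
    uint32_t index;                  // _OBJECT_TYPE.Index
    std::string name;                // _OBJECT_TYPE.Name
    std::atomic<security_procedure_t> security_procedure;  // TypeInfo.SecurityProcedure
};
struct object_header {               // an object body together with its type
    object_type* type;
    std::string image_name;          // what SeLocateProcessImageName would give back
};
// Stand-in for SeDefaultObjectMethod; the hook must always chain to it.
static NTSTATUS se_default_object_method(object_header*, SECURITY_OPERATION_CODE) { return STATUS_SUCCESS; }

struct ob_type_tracking_data {       // original pointer saved before the swap
    object_type* target_object;
    std::string ob_type_name;
    security_procedure_t o_security_procedure;
};
static std::vector<ob_type_tracking_data*> g_ob_type_tracking_data;
static std::vector<std::string> g_process_log;   // stands in for the OUT_INF lines

// The article maps a type to its saved entry with (index - 2) because its loop starts at
// type index 2; mirrored here with a bounds check, falling back to the first saved original.
static security_procedure_t original_for(const object_type* ob_type) {
    if (ob_type && ob_type->index >= 2 && ob_type->index - 2 < g_ob_type_tracking_data.size())
        return g_ob_type_tracking_data[ob_type->index - 2]->o_security_procedure;
    return g_ob_type_tracking_data.empty() ? se_default_object_method
                                           : g_ob_type_tracking_data[0]->o_security_procedure;
}

static NTSTATUS generic_security_procedure(object_header* object, SECURITY_OPERATION_CODE op) {
    if (object == nullptr || object->type == nullptr)
        return original_for(nullptr)(object, op);
    object_type* ob_type = object->type;
    if (ob_type->name.empty())
        return STATUS_INVALID_PARAMETER;
    if (op == AssignSecurityDescriptor || op == DeleteSecurityDescriptor) {
        if (ob_type->name == "Process")      // Assign = process startup, Delete = teardown
            g_process_log.push_back("Process:" + std::to_string(static_cast<int>(op)) + ":" + object->image_name);
        else if (ob_type->name == "DebugObject" && op == AssignSecurityDescriptor)
            return STATUS_DEBUG_ATTACH_FAILED;  // ObInsertObjectEx fails; no debug object is created
    }
    return original_for(ob_type)(object, op);   // everything else chains to the original
}

// Save every type's original pointer first, then swap only the two targeted types. The name
// check is an equality test: std::string::compare returns 0 on a match, so using compare()
// as a truth value would invert this filter and hook every other type instead.
static bool install_security_hooks(const std::vector<object_type*>& types) {
    for (object_type* obj : types) {
        auto* tracker = new ob_type_tracking_data{obj, obj->name, obj->security_procedure.load()};
        g_ob_type_tracking_data.push_back(tracker);
        if (obj->name == "Process" || obj->name == "DebugObject")
            obj->security_procedure.exchange(generic_security_procedure);  // _InterlockedExchangePointer
    }
    return true;
}

// Put the saved pointers back before unloading; a hook left behind in a type object is
// dereferenced on the next insert of that type.
static void restore_security_hooks() {
    for (ob_type_tracking_data* t : g_ob_type_tracking_data) {
        t->target_object->security_procedure.exchange(t->o_security_procedure);
        delete t;
    }
    g_ob_type_tracking_data.clear();
}

// What ObInsertObjectEx (Assign) and object teardown (Delete) do with the procedure pointer.
static NTSTATUS simulate_operation(object_header* obj, SECURITY_OPERATION_CODE op) {
    return obj->type->security_procedure.load()(obj, op);
}

// Constructed type table: contiguous from index 2 as the article's loop requires, but these
// are not the real Windows 11 type indices.
static std::vector<object_type*> make_sample_types() {
    static object_type table[] = {
        {2, "Type", {se_default_object_method}},    {3, "Directory", {se_default_object_method}},
        {4, "Process", {se_default_object_method}}, {5, "DebugObject", {se_default_object_method}},
        {6, "Event", {se_default_object_method}},
    };
    std::vector<object_type*> out;
    for (object_type& t : table) out.push_back(&t);
    return out;
}
```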


Parting Notes

The methods and use cases described in this article are not the end-all-be-all. There are 71 object types, all of which will have various configurations and flexibility. Some have been documented more than others, but putting something to practice for fun is always entertaining. This article was not intended to be comprehensive concerning the details of all the internals, as you could write a book about those. All the examples are somewhat trivial but, when extended, have some very interesting use cases, especially if you consider the contents of some of the other articles here involving manipulating the stack to get control of other things that may otherwise be protected.

If you’re interested in the details of the various subsystems, I strongly recommend checking out Windows Internals 7th Edition Part 1 & 2 and Pavel Yosifovich’s Windows Kernel Programming.

As always, I hope you enjoyed the article despite the chaos and disorganization. If you have questions, comments, or feedback or just want to chat, feel free to reach out to me @daaximus.

Callback to earlier…

For those who might’ve still had it in the back of their mind, you’ll find references to QueryName procedures in pretty much any function that tries to capture object information/name information. These include EtwpEnumerateAddressSpace, MmGetFileNameForAddress, NtQueryObject (naturally), ObQueryNameString, etc. For Parse procedures, you might’ve already guessed that anything performing a lookup or trying to open some object by name will reference it. The primary caller for these procedures is ObpLookupObjectByName.

All Object Types and Procedures Dumped

[2/16/2024 5:59:58 PM] [INFO] [2] Type
[2/16/2024 5:59:58 PM] [INFO]   TypeObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:58 PM] [INFO]   TypeObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:58 PM] [INFO]   TypeObject->DeleteProcedure = 0000000000000000
[2/16/2024 5:59:58 PM] [INFO]   TypeObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:58 PM] [INFO]   TypeObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:58 PM] [INFO]   TypeObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:58 PM] [INFO]   TypeObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:58 PM] [INFO] [3] Directory
[2/16/2024 5:59:58 PM] [INFO]   DirectoryObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:58 PM] [INFO]   DirectoryObject->CloseProcedure = ObpCloseDirectoryObject
[2/16/2024 5:59:58 PM] [INFO]   DirectoryObject->DeleteProcedure = ObpDeleteDirectoryObject
[2/16/2024 5:59:59 PM] [INFO]   DirectoryObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   DirectoryObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   DirectoryObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   DirectoryObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [4] SymbolicLink
[2/16/2024 5:59:59 PM] [INFO]   SymbolicLinkObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   SymbolicLinkObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   SymbolicLinkObject->DeleteProcedure = ObpDeleteSymbolicLink
[2/16/2024 5:59:59 PM] [INFO]   SymbolicLinkObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   SymbolicLinkObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   SymbolicLinkObject->ParseProcedure = ObpParseSymbolicLinkEx
[2/16/2024 5:59:59 PM] [INFO]   SymbolicLinkObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [5] Token
[2/16/2024 5:59:59 PM] [INFO]   TokenObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   TokenObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   TokenObject->DeleteProcedure = SepTokenDeleteMethod
[2/16/2024 5:59:59 PM] [INFO]   TokenObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   TokenObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   TokenObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   TokenObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [6] Job
[2/16/2024 5:59:59 PM] [INFO]   JobObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   JobObject->CloseProcedure = PspJobClose
[2/16/2024 5:59:59 PM] [INFO]   JobObject->DeleteProcedure = PspJobDelete
[2/16/2024 5:59:59 PM] [INFO]   JobObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   JobObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   JobObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   JobObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [7] Process
[2/16/2024 5:59:59 PM] [INFO]   ProcessObject->OpenProcedure = PspProcessOpen
[2/16/2024 5:59:59 PM] [INFO]   ProcessObject->CloseProcedure = PspProcessClose
[2/16/2024 5:59:59 PM] [INFO]   ProcessObject->DeleteProcedure = PspProcessDelete
[2/16/2024 5:59:59 PM] [INFO]   ProcessObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [8] Thread
[2/16/2024 5:59:59 PM] [INFO]   ThreadObject->OpenProcedure = PspThreadOpen
[2/16/2024 5:59:59 PM] [INFO]   ThreadObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadObject->DeleteProcedure = PspThreadDelete
[2/16/2024 5:59:59 PM] [INFO]   ThreadObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [9] Partition
[2/16/2024 5:59:59 PM] [INFO]   PartitionObject->OpenProcedure = PspOpenPartitionHandle
[2/16/2024 5:59:59 PM] [INFO]   PartitionObject->CloseProcedure = PspClosePartitionHandle
[2/16/2024 5:59:59 PM] [INFO]   PartitionObject->DeleteProcedure = PspDeletePartition
[2/16/2024 5:59:59 PM] [INFO]   PartitionObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PartitionObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PartitionObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PartitionObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [10] UserApcReserve
[2/16/2024 5:59:59 PM] [INFO]   UserApcReserveObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   UserApcReserveObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   UserApcReserveObject->DeleteProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   UserApcReserveObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   UserApcReserveObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   UserApcReserveObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   UserApcReserveObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [11] IoCompletionReserve
[2/16/2024 5:59:59 PM] [INFO]   IoCompletionReserveObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   IoCompletionReserveObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   IoCompletionReserveObject->DeleteProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   IoCompletionReserveObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   IoCompletionReserveObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   IoCompletionReserveObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   IoCompletionReserveObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [12] ActivityReference
[2/16/2024 5:59:59 PM] [INFO]   ActivityReferenceObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ActivityReferenceObject->CloseProcedure = PspCloseActivityReference
[2/16/2024 5:59:59 PM] [INFO]   ActivityReferenceObject->DeleteProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ActivityReferenceObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ActivityReferenceObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ActivityReferenceObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ActivityReferenceObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [13] ProcessStateChange
[2/16/2024 5:59:59 PM] [INFO]   ProcessStateChangeObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessStateChangeObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessStateChangeObject->DeleteProcedure = PspDeleteProcessStateChange
[2/16/2024 5:59:59 PM] [INFO]   ProcessStateChangeObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessStateChangeObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessStateChangeObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ProcessStateChangeObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [14] ThreadStateChange
[2/16/2024 5:59:59 PM] [INFO]   ThreadStateChangeObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadStateChangeObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadStateChangeObject->DeleteProcedure = PspDeleteThreadStateChange
[2/16/2024 5:59:59 PM] [INFO]   ThreadStateChangeObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadStateChangeObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadStateChangeObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   ThreadStateChangeObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [15] CpuPartition
[2/16/2024 5:59:59 PM] [INFO]   CpuPartitionObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   CpuPartitionObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   CpuPartitionObject->DeleteProcedure = PspDeleteCpuPartition
[2/16/2024 5:59:59 PM] [INFO]   CpuPartitionObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   CpuPartitionObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   CpuPartitionObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   CpuPartitionObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [16] PsSiloContextPaged
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextPagedObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextPagedObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextPagedObject->DeleteProcedure = PspDeleteSiloContext
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextPagedObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextPagedObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextPagedObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextPagedObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [17] PsSiloContextNonPaged
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextNonPagedObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextNonPagedObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextNonPagedObject->DeleteProcedure = PspDeleteSiloContext
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextNonPagedObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextNonPagedObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextNonPagedObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   PsSiloContextNonPagedObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [18] DebugObject
[2/16/2024 5:59:59 PM] [INFO]   DebugObjectObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   DebugObjectObject->CloseProcedure = DbgkpCloseObject
[2/16/2024 5:59:59 PM] [INFO]   DebugObjectObject->DeleteProcedure = AlpcConnectionCleanupProcedure
[2/16/2024 5:59:59 PM] [INFO]   DebugObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   DebugObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   DebugObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   DebugObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [19] Event
[2/16/2024 5:59:59 PM] [INFO]   EventObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   EventObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   EventObject->DeleteProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   EventObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   EventObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   EventObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   EventObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [20] Mutant
[2/16/2024 5:59:59 PM] [INFO]   MutantObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   MutantObject->CloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   MutantObject->DeleteProcedure = ExpDeleteMutant
[2/16/2024 5:59:59 PM] [INFO]   MutantObject->DumpProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   MutantObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   MutantObject->ParseProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   MutantObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 5:59:59 PM] [INFO] [21] Callback
[2/16/2024 5:59:59 PM] [INFO]   CallbackObject->OpenProcedure = 0000000000000000
[2/16/2024 5:59:59 PM] [INFO]   CallbackObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CallbackObject->DeleteProcedure = ExpDeleteCallback
[2/16/2024 6:00:00 PM] [INFO]   CallbackObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CallbackObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CallbackObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CallbackObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [22] Semaphore
[2/16/2024 6:00:00 PM] [INFO]   SemaphoreObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   SemaphoreObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   SemaphoreObject->DeleteProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   SemaphoreObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   SemaphoreObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   SemaphoreObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   SemaphoreObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [23] Timer
[2/16/2024 6:00:00 PM] [INFO]   TimerObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TimerObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TimerObject->DeleteProcedure = ExpDeleteTimer
[2/16/2024 6:00:00 PM] [INFO]   TimerObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TimerObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TimerObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TimerObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [24] IRTimer
[2/16/2024 6:00:00 PM] [INFO]   IRTimerObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IRTimerObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IRTimerObject->DeleteProcedure = ExpDeleteTimer2
[2/16/2024 6:00:00 PM] [INFO]   IRTimerObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IRTimerObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IRTimerObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IRTimerObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [25] Profile
[2/16/2024 6:00:00 PM] [INFO]   ProfileObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ProfileObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ProfileObject->DeleteProcedure = ExpProfileDelete
[2/16/2024 6:00:00 PM] [INFO]   ProfileObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ProfileObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ProfileObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ProfileObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [26] KeyedEvent
[2/16/2024 6:00:00 PM] [INFO]   KeyedEventObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   KeyedEventObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   KeyedEventObject->DeleteProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   KeyedEventObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   KeyedEventObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   KeyedEventObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   KeyedEventObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [27] WindowStation
[2/16/2024 6:00:00 PM] [INFO]   WindowStationObject->OpenProcedure = ExpWin32OpenProcedure
[2/16/2024 6:00:00 PM] [INFO]   WindowStationObject->CloseProcedure = ExpWin32CloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   WindowStationObject->DeleteProcedure = ExpWin32DeleteProcedure
[2/16/2024 6:00:00 PM] [INFO]   WindowStationObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   WindowStationObject->OkayToCloseProcedure = ExpWin32OkayToCloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   WindowStationObject->ParseProcedure = ExpWin32ParseProcedure
[2/16/2024 6:00:00 PM] [INFO]   WindowStationObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [28] Desktop
[2/16/2024 6:00:00 PM] [INFO]   DesktopObject->OpenProcedure = ExpWin32OpenProcedure
[2/16/2024 6:00:00 PM] [INFO]   DesktopObject->CloseProcedure = ExpWin32CloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   DesktopObject->DeleteProcedure = ExpWin32DeleteProcedure
[2/16/2024 6:00:00 PM] [INFO]   DesktopObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DesktopObject->OkayToCloseProcedure = ExpWin32OkayToCloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   DesktopObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DesktopObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [29] Composition
[2/16/2024 6:00:00 PM] [INFO]   CompositionObject->OpenProcedure = ExpWin32OpenProcedure
[2/16/2024 6:00:00 PM] [INFO]   CompositionObject->CloseProcedure = ExpWin32CloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   CompositionObject->DeleteProcedure = ExpWin32DeleteProcedure
[2/16/2024 6:00:00 PM] [INFO]   CompositionObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CompositionObject->OkayToCloseProcedure = ExpWin32OkayToCloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   CompositionObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CompositionObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [30] RawInputManager
[2/16/2024 6:00:00 PM] [INFO]   RawInputManagerObject->OpenProcedure = ExpWin32OpenProcedure
[2/16/2024 6:00:00 PM] [INFO]   RawInputManagerObject->CloseProcedure = ExpWin32CloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   RawInputManagerObject->DeleteProcedure = ExpWin32DeleteProcedure
[2/16/2024 6:00:00 PM] [INFO]   RawInputManagerObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   RawInputManagerObject->OkayToCloseProcedure = ExpWin32OkayToCloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   RawInputManagerObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   RawInputManagerObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [31] CoreMessaging
[2/16/2024 6:00:00 PM] [INFO]   CoreMessagingObject->OpenProcedure = ExpWin32OpenProcedure
[2/16/2024 6:00:00 PM] [INFO]   CoreMessagingObject->CloseProcedure = ExpWin32CloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   CoreMessagingObject->DeleteProcedure = ExpWin32DeleteProcedure
[2/16/2024 6:00:00 PM] [INFO]   CoreMessagingObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CoreMessagingObject->OkayToCloseProcedure = ExpWin32OkayToCloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   CoreMessagingObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   CoreMessagingObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [32] ActivationObject
[2/16/2024 6:00:00 PM] [INFO]   ActivationObjectObject->OpenProcedure = ExpWin32OpenProcedure
[2/16/2024 6:00:00 PM] [INFO]   ActivationObjectObject->CloseProcedure = ExpWin32CloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   ActivationObjectObject->DeleteProcedure = ExpWin32DeleteProcedure
[2/16/2024 6:00:00 PM] [INFO]   ActivationObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ActivationObjectObject->OkayToCloseProcedure = ExpWin32OkayToCloseProcedure
[2/16/2024 6:00:00 PM] [INFO]   ActivationObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ActivationObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [33] TpWorkerFactory
[2/16/2024 6:00:00 PM] [INFO]   TpWorkerFactoryObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TpWorkerFactoryObject->CloseProcedure = ExpCloseWorkerFactory
[2/16/2024 6:00:00 PM] [INFO]   TpWorkerFactoryObject->DeleteProcedure = ExpDeleteWorkerFactory
[2/16/2024 6:00:00 PM] [INFO]   TpWorkerFactoryObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TpWorkerFactoryObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TpWorkerFactoryObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   TpWorkerFactoryObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [34] Adapter
[2/16/2024 6:00:00 PM] [INFO]   AdapterObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   AdapterObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   AdapterObject->DeleteProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   AdapterObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   AdapterObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   AdapterObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   AdapterObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [35] Controller
[2/16/2024 6:00:00 PM] [INFO]   ControllerObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ControllerObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ControllerObject->DeleteProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ControllerObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ControllerObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ControllerObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   ControllerObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [36] Device
[2/16/2024 6:00:00 PM] [INFO]   DeviceObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DeviceObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DeviceObject->DeleteProcedure = IopDeleteDevice
[2/16/2024 6:00:00 PM] [INFO]   DeviceObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DeviceObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DeviceObject->ParseProcedure = IopParseDevice
[2/16/2024 6:00:00 PM] [INFO]   DeviceObject->SecurityProcedure = IopGetSetSecurityObject
[2/16/2024 6:00:00 PM] [INFO] [37] Driver
[2/16/2024 6:00:00 PM] [INFO]   DriverObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DriverObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DriverObject->DeleteProcedure = IopDeleteDriver
[2/16/2024 6:00:00 PM] [INFO]   DriverObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DriverObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DriverObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   DriverObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [38] IoCompletion
[2/16/2024 6:00:00 PM] [INFO]   IoCompletionObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IoCompletionObject->CloseProcedure = IopCloseIoCompletion
[2/16/2024 6:00:00 PM] [INFO]   IoCompletionObject->DeleteProcedure = IopDeleteIoCompletion
[2/16/2024 6:00:00 PM] [INFO]   IoCompletionObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IoCompletionObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IoCompletionObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   IoCompletionObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:00 PM] [INFO] [39] WaitCompletionPacket
[2/16/2024 6:00:00 PM] [INFO]   WaitCompletionPacketObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:00 PM] [INFO]   WaitCompletionPacketObject->CloseProcedure = IopCloseWaitCompletionPacket
[2/16/2024 6:00:01 PM] [INFO]   WaitCompletionPacketObject->DeleteProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WaitCompletionPacketObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WaitCompletionPacketObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WaitCompletionPacketObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WaitCompletionPacketObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [40] File
[2/16/2024 6:00:01 PM] [INFO]   FileObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   FileObject->CloseProcedure = IopCloseFile
[2/16/2024 6:00:01 PM] [INFO]   FileObject->DeleteProcedure = IopDeleteFile
[2/16/2024 6:00:01 PM] [INFO]   FileObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   FileObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   FileObject->ParseProcedure = IopParseFile
[2/16/2024 6:00:01 PM] [INFO]   FileObject->SecurityProcedure = FFFFF800487A78D0
[2/16/2024 6:00:01 PM] [INFO] [41] IoRing
[2/16/2024 6:00:01 PM] [INFO]   IoRingObject->OpenProcedure = EtwpOpenRealTimeConnectionObject
[2/16/2024 6:00:01 PM] [INFO]   IoRingObject->CloseProcedure = IopCloseIoRing
[2/16/2024 6:00:01 PM] [INFO]   IoRingObject->DeleteProcedure = IopDeleteIoRing
[2/16/2024 6:00:01 PM] [INFO]   IoRingObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   IoRingObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   IoRingObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   IoRingObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [42] TmTm
[2/16/2024 6:00:01 PM] [INFO]   TmTmObject->OpenProcedure = DllUnload
[2/16/2024 6:00:01 PM] [INFO]   TmTmObject->CloseProcedure = TmpCloseTransactionManager
[2/16/2024 6:00:01 PM] [INFO]   TmTmObject->DeleteProcedure = TmpDeleteTransactionManager
[2/16/2024 6:00:01 PM] [INFO]   TmTmObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmTmObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmTmObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmTmObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [43] TmTx
[2/16/2024 6:00:01 PM] [INFO]   TmTxObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmTxObject->CloseProcedure = TmpCloseTransaction
[2/16/2024 6:00:01 PM] [INFO]   TmTxObject->DeleteProcedure = TmpDeleteTransaction
[2/16/2024 6:00:01 PM] [INFO]   TmTxObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmTxObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmTxObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmTxObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [44] TmRm
[2/16/2024 6:00:01 PM] [INFO]   TmRmObject->OpenProcedure = TmpOpenResourceManager
[2/16/2024 6:00:01 PM] [INFO]   TmRmObject->CloseProcedure = TmpCloseResourceManager
[2/16/2024 6:00:01 PM] [INFO]   TmRmObject->DeleteProcedure = TmpDeleteResourceManager
[2/16/2024 6:00:01 PM] [INFO]   TmRmObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmRmObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmRmObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmRmObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [45] TmEn
[2/16/2024 6:00:01 PM] [INFO]   TmEnObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmEnObject->CloseProcedure = TmpCloseEnlistment
[2/16/2024 6:00:01 PM] [INFO]   TmEnObject->DeleteProcedure = TmpDeleteEnlistment
[2/16/2024 6:00:01 PM] [INFO]   TmEnObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmEnObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmEnObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   TmEnObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [46] Section
[2/16/2024 6:00:01 PM] [INFO]   SectionObject->OpenProcedure = MiSectionOpen
[2/16/2024 6:00:01 PM] [INFO]   SectionObject->CloseProcedure = MiSectionClose
[2/16/2024 6:00:01 PM] [INFO]   SectionObject->DeleteProcedure = MiSectionDelete
[2/16/2024 6:00:01 PM] [INFO]   SectionObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SectionObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SectionObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SectionObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [47] Session
[2/16/2024 6:00:01 PM] [INFO]   SessionObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SessionObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SessionObject->DeleteProcedure = MiSessionObjectDelete
[2/16/2024 6:00:01 PM] [INFO]   SessionObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SessionObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SessionObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   SessionObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [48] Key
[2/16/2024 6:00:01 PM] [INFO]   KeyObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   KeyObject->CloseProcedure = CmpCloseKeyObject
[2/16/2024 6:00:01 PM] [INFO]   KeyObject->DeleteProcedure = CmpDeleteKeyObject
[2/16/2024 6:00:01 PM] [INFO]   KeyObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   KeyObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   KeyObject->ParseProcedure = CmpParseKey
[2/16/2024 6:00:01 PM] [INFO]   KeyObject->SecurityProcedure = FFFFF800486B0000
[2/16/2024 6:00:01 PM] [INFO] [49] RegistryTransaction
[2/16/2024 6:00:01 PM] [INFO]   RegistryTransactionObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   RegistryTransactionObject->CloseProcedure = CmpCloseLightWeightTransaction
[2/16/2024 6:00:01 PM] [INFO]   RegistryTransactionObject->DeleteProcedure = CmpDeleteLightWeightTransaction
[2/16/2024 6:00:01 PM] [INFO]   RegistryTransactionObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   RegistryTransactionObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   RegistryTransactionObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   RegistryTransactionObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [50] DmaAdapter
[2/16/2024 6:00:01 PM] [INFO]   DmaAdapterObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   DmaAdapterObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   DmaAdapterObject->DeleteProcedure = HalpDmaFreeChildAdapter
[2/16/2024 6:00:01 PM] [INFO]   DmaAdapterObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   DmaAdapterObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   DmaAdapterObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   DmaAdapterObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [51] ALPC Port
[2/16/2024 6:00:01 PM] [INFO]   ALPC PortObject->OpenProcedure = AlpcpOpenPort
[2/16/2024 6:00:01 PM] [INFO]   ALPC PortObject->CloseProcedure = AlpcpClosePort
[2/16/2024 6:00:01 PM] [INFO]   ALPC PortObject->DeleteProcedure = AlpcpDeletePort
[2/16/2024 6:00:01 PM] [INFO]   ALPC PortObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   ALPC PortObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   ALPC PortObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   ALPC PortObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [52] EnergyTracker
[2/16/2024 6:00:01 PM] [INFO]   EnergyTrackerObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EnergyTrackerObject->CloseProcedure = PopEtEnergyTrackerClose
[2/16/2024 6:00:01 PM] [INFO]   EnergyTrackerObject->DeleteProcedure = PopEtEnergyTrackerDelete
[2/16/2024 6:00:01 PM] [INFO]   EnergyTrackerObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EnergyTrackerObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EnergyTrackerObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EnergyTrackerObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [53] PowerRequest
[2/16/2024 6:00:01 PM] [INFO]   PowerRequestObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   PowerRequestObject->CloseProcedure = PopPowerRequestClose
[2/16/2024 6:00:01 PM] [INFO]   PowerRequestObject->DeleteProcedure = PopPowerRequestDelete
[2/16/2024 6:00:01 PM] [INFO]   PowerRequestObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   PowerRequestObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   PowerRequestObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   PowerRequestObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [54] WmiGuid
[2/16/2024 6:00:01 PM] [INFO]   WmiGuidObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WmiGuidObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WmiGuidObject->DeleteProcedure = WmipDeleteMethod
[2/16/2024 6:00:01 PM] [INFO]   WmiGuidObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WmiGuidObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WmiGuidObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   WmiGuidObject->SecurityProcedure = FFFFF800487A73D0
[2/16/2024 6:00:01 PM] [INFO] [55] EtwRegistration
[2/16/2024 6:00:01 PM] [INFO]   EtwRegistrationObject->OpenProcedure = EtwpOpenRealTimeConnectionObject
[2/16/2024 6:00:01 PM] [INFO]   EtwRegistrationObject->CloseProcedure = EtwpCloseRegistrationObject
[2/16/2024 6:00:01 PM] [INFO]   EtwRegistrationObject->DeleteProcedure = EtwpDeleteRegistrationObject
[2/16/2024 6:00:01 PM] [INFO]   EtwRegistrationObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwRegistrationObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwRegistrationObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwRegistrationObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [56] EtwSessionDemuxEntry
[2/16/2024 6:00:01 PM] [INFO]   EtwSessionDemuxEntryObject->OpenProcedure = EtwpOpenRealTimeConnectionObject
[2/16/2024 6:00:01 PM] [INFO]   EtwSessionDemuxEntryObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwSessionDemuxEntryObject->DeleteProcedure = EtwpDeleteSessionDemuxObject
[2/16/2024 6:00:01 PM] [INFO]   EtwSessionDemuxEntryObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwSessionDemuxEntryObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwSessionDemuxEntryObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwSessionDemuxEntryObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:01 PM] [INFO] [57] EtwConsumer
[2/16/2024 6:00:01 PM] [INFO]   EtwConsumerObject->OpenProcedure = EtwpOpenRealTimeConnectionObject
[2/16/2024 6:00:01 PM] [INFO]   EtwConsumerObject->CloseProcedure = EtwpCloseRealTimeConnectionObject
[2/16/2024 6:00:01 PM] [INFO]   EtwConsumerObject->DeleteProcedure = EtwpDeleteRealTimeConnectionObject
[2/16/2024 6:00:01 PM] [INFO]   EtwConsumerObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:01 PM] [INFO]   EtwConsumerObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   EtwConsumerObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   EtwConsumerObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [58] CoverageSampler
[2/16/2024 6:00:02 PM] [INFO]   CoverageSamplerObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CoverageSamplerObject->CloseProcedure = EtwpCoverageSamplerClose
[2/16/2024 6:00:02 PM] [INFO]   CoverageSamplerObject->DeleteProcedure = EtwpCoverageSamplerDelete
[2/16/2024 6:00:02 PM] [INFO]   CoverageSamplerObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CoverageSamplerObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CoverageSamplerObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CoverageSamplerObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [59] PcwObject
[2/16/2024 6:00:02 PM] [INFO]   PcwObjectObject->OpenProcedure = PcwpOpenObject
[2/16/2024 6:00:02 PM] [INFO]   PcwObjectObject->CloseProcedure = PcwpCloseObjectHandle
[2/16/2024 6:00:02 PM] [INFO]   PcwObjectObject->DeleteProcedure = PcwpDeleteObject
[2/16/2024 6:00:02 PM] [INFO]   PcwObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   PcwObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   PcwObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   PcwObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [60] FilterConnectionPort
[2/16/2024 6:00:02 PM] [INFO]   FilterConnectionPortObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterConnectionPortObject->CloseProcedure = FltpServerPortClose
[2/16/2024 6:00:02 PM] [INFO]   FilterConnectionPortObject->DeleteProcedure = FltpServerPortDelete
[2/16/2024 6:00:02 PM] [INFO]   FilterConnectionPortObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterConnectionPortObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterConnectionPortObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterConnectionPortObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [61] FilterCommunicationPort
[2/16/2024 6:00:02 PM] [INFO]   FilterCommunicationPortObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterCommunicationPortObject->CloseProcedure = FltpClientPortClose
[2/16/2024 6:00:02 PM] [INFO]   FilterCommunicationPortObject->DeleteProcedure = FltpClientPortDelete
[2/16/2024 6:00:02 PM] [INFO]   FilterCommunicationPortObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterCommunicationPortObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterCommunicationPortObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   FilterCommunicationPortObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [62] NdisCmState
[2/16/2024 6:00:02 PM] [INFO]   NdisCmStateObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   NdisCmStateObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   NdisCmStateObject->DeleteProcedure = ndisCmDeleteStateObject
[2/16/2024 6:00:02 PM] [INFO]   NdisCmStateObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   NdisCmStateObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   NdisCmStateObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   NdisCmStateObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [63] DxgkSharedResource
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedResourceObject->OpenProcedure = DxgkObOpenProcedureStub
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedResourceObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedResourceObject->DeleteProcedure = DxgkSharedAllocationObDeleteProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedResourceObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedResourceObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedResourceObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedResourceObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [64] DxgkSharedKeyedMutexObject
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedKeyedMutexObjectObject->OpenProcedure = DxgkObOpenProcedureStub
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedKeyedMutexObjectObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedKeyedMutexObjectObject->DeleteProcedure = DxgkSharedKeyedMutexObjectObDeleteProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedKeyedMutexObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedKeyedMutexObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedKeyedMutexObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedKeyedMutexObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [65] DxgkSharedSyncObject
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSyncObjectObject->OpenProcedure = DxgkObOpenProcedureStub
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSyncObjectObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSyncObjectObject->DeleteProcedure = DxgkSharedSyncObjectObDeleteProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSyncObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSyncObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSyncObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSyncObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [66] DxgkSharedSwapChainObject ;)
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSwapChainObjectObject->OpenProcedure = DxgkObOpenProcedureStub
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSwapChainObjectObject->CloseProcedure = SwapChainObCloseProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSwapChainObjectObject->DeleteProcedure = SwapChainObDeleteProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSwapChainObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSwapChainObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSwapChainObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedSwapChainObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [67] DxgkDisplayManagerObject
[2/16/2024 6:00:02 PM] [INFO]   DxgkDisplayManagerObjectObject->OpenProcedure = DxgkObOpenProcedureStub
[2/16/2024 6:00:02 PM] [INFO]   DxgkDisplayManagerObjectObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkDisplayManagerObjectObject->DeleteProcedure = DxgkDisplayManagerDeleteProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkDisplayManagerObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkDisplayManagerObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkDisplayManagerObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkDisplayManagerObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [68] DxgkSharedProtectedSessionObject
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedProtectedSessionObjectObject->OpenProcedure = DxgkObOpenProcedureStub
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedProtectedSessionObjectObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedProtectedSessionObjectObject->DeleteProcedure = DxgkSharedProtectedSessionObDeleteProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedProtectedSessionObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedProtectedSessionObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedProtectedSessionObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedProtectedSessionObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [69] DxgkSharedBundleObject
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedBundleObjectObject->OpenProcedure = DxgkObOpenProcedureStub
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedBundleObjectObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedBundleObjectObject->DeleteProcedure = DxgkSharedBundleObjectObDeleteProcedure
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedBundleObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedBundleObjectObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedBundleObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkSharedBundleObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [70] DxgkCompositionObject
[2/16/2024 6:00:02 PM] [INFO]   DxgkCompositionObjectObject->OpenProcedure = DxgkCompositionObject::Open
[2/16/2024 6:00:02 PM] [INFO]   DxgkCompositionObjectObject->CloseProcedure = DxgkCompositionObject::Close
[2/16/2024 6:00:02 PM] [INFO]   DxgkCompositionObjectObject->DeleteProcedure = DxgkCompositionObject::Delete
[2/16/2024 6:00:02 PM] [INFO]   DxgkCompositionObjectObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkCompositionObjectObject->OkayToCloseProcedure = DxgkCompositionObject::OkToClose
[2/16/2024 6:00:02 PM] [INFO]   DxgkCompositionObjectObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   DxgkCompositionObjectObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [71] VRegConfigurationContext
[2/16/2024 6:00:02 PM] [INFO]   VRegConfigurationContextObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   VRegConfigurationContextObject->CloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   VRegConfigurationContextObject->DeleteProcedure = VrpJobContextDelete
[2/16/2024 6:00:02 PM] [INFO]   VRegConfigurationContextObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   VRegConfigurationContextObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   VRegConfigurationContextObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   VRegConfigurationContextObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [72] CrossVmEvent
[2/16/2024 6:00:02 PM] [INFO]   CrossVmEventObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CrossVmEventObject->CloseProcedure = ExpObCloseCrossVmEvent
[2/16/2024 6:00:02 PM] [INFO]   CrossVmEventObject->DeleteProcedure = ExpObDeleteCrossVmEvent
[2/16/2024 6:00:02 PM] [INFO]   CrossVmEventObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CrossVmEventObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CrossVmEventObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CrossVmEventObject->SecurityProcedure = SeDefaultObjectMethod
[2/16/2024 6:00:02 PM] [INFO] [73] CrossVmMutant
[2/16/2024 6:00:02 PM] [INFO]   CrossVmMutantObject->OpenProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CrossVmMutantObject->CloseProcedure = ExpObCloseCrossVmMutant
[2/16/2024 6:00:02 PM] [INFO]   CrossVmMutantObject->DeleteProcedure = ExpObDeleteCrossVmMutant
[2/16/2024 6:00:02 PM] [INFO]   CrossVmMutantObject->DumpProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CrossVmMutantObject->OkayToCloseProcedure = 0000000000000000
[2/16/2024 6:00:02 PM] [INFO]   CrossVmMutantObject->ParseProcedure = 0000000000000000
[2/16/2024 6:00:03 PM] [INFO]   CrossVmMutantObject->SecurityProcedure = SeDefaultObjectMethod