Hey, Im trying to enumerate registered p&p callbacks for a particular device interface class. based on reverse engineering IoRegisterPlugPlayNotification I figured ntos uses a hash table where the class guid is hashed and indexed into a hash bucket list each entry is a structure , one of its members is a GUID since a hash bucket may contain callbacks for different interface classes the function responsible for calling our callbacks compares that GUID to some other GUID it receives as an argument I tried to rewrite this functionality but weirdly (or not) the guid youd pass when registeribg a callback using IoRegisterPlugPlayNotification( say DEVINTERFACE_USB_DRVICE) is not the same as the guid stored in the entry structure Is anyone familiar with what that GUID could be? I assume the GUID passed to the nt function responsible is not the one you register either… since im doing cmp exact same and it will never match, what GUID could that be?
Never mined i think i had KGUARDED_MUTEX instead of PKGURDED_MUTEX in my reversed struct definition 
Be aware that undocumented structures very often change between releases. What you’re doing is quite dangerous, and I hope you’re not including that in a commercial product.
2 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.