[Original] Dissecting the InfinityHook Principle: Kicking Off an Even Fiercer Battle Between Attack and Defense
Posted: 2019-7-30 11:31  45852

Latest replies (70)
#51
The atmosphere of technical exchange here is really strong! If I don't keep learning I'll fall behind! Once I've finished what's on my plate, I'll come back and learn more from the experts!
2020-10-30 16:30
#52
Could you leave a QQ number? I have some questions I'd like to ask you.
2020-12-4 14:30
#53 ybt

How many people have actually gotten this code to work? I can't get it past no matter what I try.


My environment: Win7 SP1 64-bit, VS2013, WDK8.1

UNICODE_STRING InstanceName;
RtlInitUnicodeString(&InstanceName, L"Circular Kernel Context Logger");

With this code, as soon as NtTraceControl is called the system blue-screens on me. For details see: [link]


I resolved the blue screen by following that issue, and initialization now succeeds.


But the system callback never enters my Detour function at all.

2020-12-23 14:56
#54 Sprite雪碧
ybt: How many people have actually gotten this code to work? I can't get it past no matter what I try. My environment: Win7 SP1 64-bit, VS2013, WDK8.1 UNICODE_STRING InstanceName; RtlIni ...
Did you write the code yourself or use the original from GitHub? Is there any error message in the output?
2020-12-23 18:57
#55 ybt
Sprite雪碧: Did you write the code yourself or use the original from GitHub? Is there any error message in the output?

No error message in the output.

Based on [link]:
1. Changed to a VS2013 + WDK8.1 project.

2. Changed ZwTraceControl to NtTraceControl (because ZwTraceControl could not be linked at compile time).

The code is in the attachment.

Last edited by ybt on 2020-12-24 10:28, reason:
Attachment uploaded:
2020-12-24 10:20
#56 Sprite雪碧
ybt: Sprite雪碧: Did you write the code yourself or use the original from GitHub? Is there any error message in the output? No error message in the output. Based on [link] ...


Compiling your code directly, it works when tested on 1803 x64 (I foolishly deleted my Win7 x64 VM earlier and haven't reinstalled it, so I can't test there).

2020-12-24 17:33
#57 Sprite雪碧
ybt: Sprite雪碧: Did you write the code yourself or use the original from GitHub? Is there any error message in the output? No error message in the output. Based on [link] ...
Oh, I remember now: the OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK offset is different on Win7, you have to change it yourself.
2020-12-24 17:35
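The reply above says the GetCpuClock offset differs on Win7; the universal version posted later in this thread uses 0x18 on Win7 and 0x28 on Win10. As an added example (not code from any poster), this user-mode C program selects the slot by OS version over a constructed logger-context buffer and applies the check a defender would run on a live system: a GetCpuClock pointer that lies outside the ntoskrnl image range means the slot has been overridden. All addresses and the buffer layout are constructed sample values.

```c
/* Added example, not any poster's code. Version-dependent GetCpuClock slot
 * selection plus a defender-side integrity check, run in user mode against a
 * constructed fake _WMI_LOGGER_CONTEXT buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets of _WMI_LOGGER_CONTEXT.GetCpuClock quoted in the thread. */
#define OFFSET_GETCPUCLOCK_WIN10 0x28u
#define OFFSET_GETCPUCLOCK_WIN7  0x18u

typedef struct {
    uint32_t major;   /* dwMajorVersion */
    uint32_t minor;   /* dwMinorVersion */
} OsVersion;

/* Returns the GetCpuClock slot offset for this OS, or 0 if unsupported
 * (the Win8 family is untested in the thread, so it is rejected here too). */
size_t GetCpuClockOffset(OsVersion v)
{
    if (v.major == 6 && v.minor == 1) return OFFSET_GETCPUCLOCK_WIN7;   /* Win7 */
    if (v.major == 10 && v.minor == 0) return OFFSET_GETCPUCLOCK_WIN10; /* Win10 */
    return 0;
}

/* Read the function pointer stored at the GetCpuClock slot of a logger
 * context image. Returns 0 when the OS is unsupported. */
uint64_t ReadGetCpuClock(const uint8_t *ctx, OsVersion v)
{
    size_t off = GetCpuClockOffset(v);
    uint64_t p = 0;
    if (off == 0) return 0;
    memcpy(&p, ctx + off, sizeof p);
    return p;
}

/* Defender check: a legitimate GetCpuClock target lives inside ntoskrnl.
 * A pointer outside [ntBase, ntBase + ntSize) means the slot was overridden.
 * Returns 1 = hooked, 0 = clean, -1 = cannot judge (unsupported OS). */
int GetCpuClockIsHooked(const uint8_t *ctx, OsVersion v, uint64_t ntBase, uint64_t ntSize)
{
    uint64_t p = ReadGetCpuClock(ctx, v);
    if (p == 0) return -1;
    return !(p >= ntBase && p < ntBase + ntSize);
}

/* Build a constructed logger context with the pointer placed at the slot the
 * given OS uses (sample data, not a real kernel structure dump). */
void BuildContext(uint8_t *ctx, size_t len, OsVersion v, uint64_t fn)
{
    memset(ctx, 0, len);
    memcpy(ctx + GetCpuClockOffset(v), &fn, sizeof fn);
}

int main(void)
{
    uint8_t ctx[0x40];
    OsVersion win7 = {6, 1}, win10 = {10, 0};
    uint64_t ntBase = 0xFFFFF80000000000ull, ntSize = 0x700000; /* constructed */
    uint64_t legit  = ntBase + 0x1234;                           /* constructed */
    uint64_t driver = 0xFFFFF88001230000ull;                     /* constructed */

    BuildContext(ctx, sizeof ctx, win7, legit);
    printf("win7 clean: hooked=%d\n", GetCpuClockIsHooked(ctx, win7, ntBase, ntSize));

    BuildContext(ctx, sizeof ctx, win7, driver);
    printf("win7 overridden: hooked=%d\n", GetCpuClockIsHooked(ctx, win7, ntBase, ntSize));

    /* Reading a Win7 context with the Win10 offset looks at the wrong slot,
     * which is the mismatch behind the "callback never fires" reports. */
    printf("win7 ctx read with win10 offset: ptr=%llx\n",
           (unsigned long long)ReadGetCpuClock(ctx, win10));
    return 0;
}
```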
#58 ybt
Sprite雪碧: Oh, I remember now: the OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK offset is different on Win7, you have to change it yourself.
No wonder. Many thanks.
2020-12-24 17:40
#59

I currently have both WIN7 X64 SP0 and SP1 virtual machines. Since debugging is convenient and this will be useful later, this weekend I analyzed WIN7 64-bit following the OP's approach, then debugged on both WIN7 and WIN10 x64 and modified a WIN7/WIN10 universal version, which I'm sharing here.


I. Compared with WIN10 X64, WIN7 x64 needs attention in the following places for Identify Hook (I always call it that; online it's called InfinityHook, which is fine too, since event trace control on every system uses the same CKCLGuid):

1. Clock: fill in the CPU cycle counter (common to WIN7 and WIN10). Use the OP's setting rather than the QPC used in the original GitHub version; this stays compatible with systems below WIN10 1703.

Property->Wnode.ClientContext = 3;  // CPU cycle counter, common to WIN7 and WIN10


2. WIN7 X64: nt!_WMI_LOGGER_CONTEXT structure change:

The offset of the GetCpuClock pointer is 0x18

(1) WIN7 SP1:

0: kd> dt nt!_WMI_LOGGER_CONTEXT
   ...
   +0x018 GetCpuClock      : Ptr64     int64 
   ...

(2) WIN7 SP0:

1: kd> dt nt!_WMI_LOGGER_CONTEXT
   ...
   +0x018 GetCpuClock      : Ptr64     int64 
   ...


3. WIN7 X64: nt!_KTHREAD structure change: the offset of KTHREAD.SystemCallNumber is 0x1f8

(1) WIN7 SP1:

0: kd> dt nt!_KTHREAD
   ...
   +0x1f8 SystemCallNumber : Uint4B
   ...

(2) WIN7 SP0:

1: kd> dt nt!_KTHREAD
...
+0x1f8 SystemCallNumber : Uint4B
...


4. The section containing EtwpDebuggerData changes:

(1) On WIN7 SP0 it is in the .rdata section of ntoskrnl.exe, the same as on some WIN10 builds:

.rdata:00000001401AB780 EtwpDebuggerData db  18h                ; DATA XREF: .data:00000001401E93A0o
.rdata:00000001401AB781                 db    0
.rdata:00000001401AB782                 db  2Ch ; ,
.rdata:00000001401AB783                 db    8
.rdata:00000001401AB784                 db    4
.rdata:00000001401AB785                 db  38h ; 8
.rdata:00000001401AB786                 db  0Ch
.rdata:00000001401AB787                 db 0E0h ; 
.rdata:00000001401AB788                 db 0B8h ; 
.rdata:00000001401AB789                 db    0
.rdata:00000001401AB78A                 db    0
.rdata:00000001401AB78B                 db    0
.rdata:00000001401AB78C                 db  78h ; x
.rdata:00000001401AB78D                 db  10h
.rdata:00000001401AB78E                 db    4
.rdata:00000001401AB78F                 db  60h ; `
.rdata:00000001401AB790                 dq offset WmipLoggerContext

On WIN7 SP0, as on WIN10, ntoskrnl.exe has both a .data section and an .rdata section.


(2) On WIN7 SP1:

In ntoskrnl.exe (6.1.7601.24384) it is in the .text section, unlike WIN10:

.text:00000001400057B0 EtwpDebuggerData dq 0E00C3804082C0018h, 60041078000000B8h
.text:00000001400057B0                                         ; DATA XREF: .data:00000001401E2450o
.text:00000001400057C0                 dq offset WmipLoggerContext

And the ntoskrnl.exe of WIN7 SP1 (6.1.7601.24384) has only a .data section, no .rdata section.


In ntoskrnl.exe (6.1.7601.23677) it is in the .rdata section, the same as on some WIN10 builds:

.rdata:00000001401AE770 EtwpDebuggerData db  18h                ; DATA XREF: .data:00000001401ED440o
.rdata:00000001401AE771                 db    0
.rdata:00000001401AE772                 db  2Ch ; ,
.rdata:00000001401AE773                 db    8
.rdata:00000001401AE774                 db    4
.rdata:00000001401AE775                 db  38h ; 8
.rdata:00000001401AE776                 db  0Ch
.rdata:00000001401AE777                 db 0E0h ; 
.rdata:00000001401AE778                 db 0B8h ; 
.rdata:00000001401AE779                 db    0
.rdata:00000001401AE77A                 db    0
.rdata:00000001401AE77B                 db    0
.rdata:00000001401AE77C                 db  78h ; x
.rdata:00000001401AE77D                 db  10h
.rdata:00000001401AE77E                 db    4
.rdata:00000001401AE77F                 db  60h ; `
.rdata:00000001401AE780                 dq offset WmipLoggerContext

And the ntoskrnl.exe of WIN7 SP1 (6.1.7601.23677) has both a .data section and an .rdata section.


5. On WIN7, nt!ZwTraceControl is not exported while nt!NtTraceControl is, so starting/stopping/updating event tracing through nt!NtTraceControl works on both systems. Since it is called from DriverEntry/DriverUnload, i.e. from a System thread, kThread->PreviousMode is already KernelMode at call time, so there is no need to worry that calling nt!NtTraceControl directly would fail the UserMode buffer probing.


6. When calling nt!NtTraceControl, filling in Property->ProviderName:

On WIN7 you must ensure that Property->ProviderName.Buffer is writable, otherwise it blue-screens.

PWSTR wProviderName = (PWSTR)ExAllocatePool(NonPagedPool, 256*sizeof(WCHAR)); // must allocate writable memory yourself, otherwise WIN7 blue-screens

...

RtlCopyMemory(wProviderName, L"Circular Kernel Context Logger", sizeof(L"Circular Kernel Context Logger"));

RtlInitUnicodeString(&Property->ProviderName, (PCWSTR)wProviderName); // common to WIN7/WIN10

...


II. Source (based on libinfinityhook on GitHub; only the modified files are provided, the rest are unchanged): WIN7/WIN10 X64 universal, debugged and working.

1. infinityhook.cpp:

/*
*	Module Name:
*		infinityhook.cpp
*
*	Abstract:
*		The implementation details of infinity hook.
*
*	Authors:
*		Nick Peterson <everdox@gmail.com> | [link]
*
*	Special thanks to Nemanja (Nemi) Mulasmajic <nm@triplefault.io>
*	for his help with the POC.
*
*/

#include "stdafx.h"
#include "infinityhook.h"
#include "img.h"
#include "mm.h"

//
// Used internally for IfhpModifyTraceSettings.
//
enum CKCL_TRACE_OPERATION
{
	CKCL_TRACE_START,
	CKCL_TRACE_SYSCALL,
	CKCL_TRACE_END
};

//
// To enable/disable tracing on the circular kernel context logger.
//
typedef struct _CKCL_TRACE_PROPERIES: EVENT_TRACE_PROPERTIES
{
	ULONG64					Unknown[3];
	UNICODE_STRING			ProviderName;
} CKCL_TRACE_PROPERTIES, *PCKCL_TRACE_PROPERTIES;

static BOOLEAN IfhpResolveSymbols();

static NTSTATUS IfhpModifyTraceSettings(
	_In_ CKCL_TRACE_OPERATION Operation);

static ULONG64 IfhpInternalGetCpuClock();

// Get OS version information
static VOID GetOsVersionInformation(
	VOID
);

//
// Works from Windows 7+. You can backport this to Vista if you
// include an OS check and add the Vista appropriate signature.
//
UCHAR EtwpDebuggerDataPattern[] = 
{ 
	0x2c, 
	0x08, 
	0x04, 
	0x38, 
	0x0c 
};

//
// _WMI_LOGGER_CONTEXT.GetCpuClock.
//
#define OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK 0x28 // WIN10
#define OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK_WIN7 0x18  // WIN7 SP0, WIN7 SP1

//
// _KPCR.Prcb.RspBase.
//
#define OFFSET_KPCR_RSP_BASE 0x1A8

//
// _KPCR.Prcb.CurrentThread.
//
#define OFFSET_KPCR_CURRENT_THREAD 0x188

//
// _KTHREAD.SystemCallNumber.
//
#define OFFSET_KTHREAD_SYSTEM_CALL_NUMBER 0x80  // WIN10
#define OFFSET_KTHREAD_SYSTEM_CALL_NUMBER_WIN7 0x1f8  // WIN7 SP0, WIN7 SP1

//
// EtwpDebuggerData silos.
//
#define OFFSET_ETW_DEBUGGER_DATA_SILO 0x10

//
// The index of the circular kernel context logger.
//
#define INDEX_CKCL_LOGGER 2

//
// Magic values on the stack. We use this to filter out system call 
// exit events.
//
#define INFINITYHOOK_MAGIC_1 ((ULONG)0x501802)
#define INFINITYHOOK_MAGIC_2 ((USHORT)0xF33)

static bool IfhpInitialized = false;
static INFINITYHOOKCALLBACK IfhpCallback = NULL;

static const void* EtwpDebuggerData = NULL;
static PVOID CkclWmiLoggerContext = NULL;
static PVOID SystemCallEntryPage = NULL;

// OS detection macros
#define ISWIN7(_oviEx) (((_oviEx).dwMajorVersion==6)&&((_oviEx).dwMinorVersion==1))
#define ISWIN10(_oviEx) (((_oviEx).dwMajorVersion==10)&&((_oviEx).dwMinorVersion==0))
#define ISSP0(_oviEx) (((_oviEx).wServicePackMajor==0)&&((_oviEx).wServicePackMinor==0))
#define ISSP1(_oviEx) (((_oviEx).wServicePackMajor==1)&&((_oviEx).wServicePackMinor==0))

// OS version information
static RTL_OSVERSIONINFOEXW g_oviEx = { 0 };

/*
*	Initialize infinity hook: executes your user defined callback on 
*	each syscall. You can extend this functionality to do other things
*	like trap on page faults, context switches, and more... This demo
*	only does syscalls.
*/
NTSTATUS IfhInitialize(_In_ 
	INFINITYHOOKCALLBACK InfinityHookCallback)
{
	if (IfhpInitialized)
	{
		return STATUS_ACCESS_DENIED;
	}

	// Get OS version information
	GetOsVersionInformation();
	if (!ISWIN10(g_oviEx)&&!ISWIN7(g_oviEx)) {
		// Systems outside the WIN10 and WIN7 families are not supported; the WIN8 family has not been debugged and is not supported for now
		return STATUS_NOT_SUPPORTED;
	}

	//
	// Let's assume CKCL session is already started (which is the 
	// default scenario) and try to update it for system calls only.
	//
	NTSTATUS Status = IfhpModifyTraceSettings(CKCL_TRACE_SYSCALL);
	if (!NT_SUCCESS(Status))
	{
		//
		// Failed... let's try to turn it on.
		//
		Status = IfhpModifyTraceSettings(CKCL_TRACE_START);

		//
		// Failed again... We exit here, but it's possible to setup
		// a custom logger instead and use SystemTraceProvider instead
		// of hijacking the circular kernel context logger.
		//
		if (!NT_SUCCESS(Status))
		{
			return Status;
		}

		Status = IfhpModifyTraceSettings(CKCL_TRACE_SYSCALL);
		if (!NT_SUCCESS(Status))
		{
			return Status;
		}
	}	

	//
	// We need to resolve certain unexported symbols.
	//
	if (!IfhpResolveSymbols())
	{
		return STATUS_ENTRYPOINT_NOT_FOUND;
	}

	IfhpCallback = InfinityHookCallback;

	//
	// CkclWmiLoggerContext is a WMI_LOGGER_CONTEXT structure:
	//
	/*
		0: kd> dt nt!_WMI_LOGGER_CONTEXT
			   +0x000 LoggerId         : Uint4B
			   +0x004 BufferSize       : Uint4B
			   +0x008 MaximumEventSize : Uint4B
			   +0x00c LoggerMode       : Uint4B
			   +0x010 AcceptNewEvents  : Int4B
			   +0x014 EventMarker      : [2] Uint4B
			   +0x01c ErrorMarker      : Uint4B
			   +0x020 SizeMask         : Uint4B
			   +0x028 GetCpuClock      : Ptr64     int64
			   +0x030 LoggerThread     : Ptr64 _ETHREAD
			   +0x038 LoggerStatus     : Int4B
			   +0x03c FailureReason    : Uint4B
			   +0x040 BufferQueue      : _ETW_BUFFER_QUEUE
			   +0x050 OverflowQueue    : _ETW_BUFFER_QUEUE
			   +0x060 GlobalList       : _LIST_ENTRY
			   +0x070 DebugIdTrackingList : _LIST_ENTRY
			   +0x080 DecodeControlList : Ptr64 _ETW_DECODE_CONTROL_ENTRY
			   +0x088 DecodeControlCount : Uint4B
			   +0x090 BatchedBufferList : Ptr64 _WMI_BUFFER_HEADER
			   +0x090 CurrentBuffer    : _EX_FAST_REF
			   +0x098 LoggerName       : _UNICODE_STRING
			   +0x0a8 LogFileName      : _UNICODE_STRING
			   +0x0b8 LogFilePattern   : _UNICODE_STRING
			   +0x0c8 NewLogFileName   : _UNICODE_STRING
			   +0x0d8 ClockType        : Uint4B
			   +0x0dc LastFlushedBuffer : Uint4B
			   +0x0e0 FlushTimer       : Uint4B
			   +0x0e4 FlushThreshold   : Uint4B
			   +0x0e8 ByteOffset       : _LARGE_INTEGER
			   +0x0f0 MinimumBuffers   : Uint4B
			   +0x0f4 BuffersAvailable : Int4B
			   +0x0f8 NumberOfBuffers  : Int4B
			   +0x0fc MaximumBuffers   : Uint4B
			   +0x100 EventsLost       : Uint4B
			   +0x104 PeakBuffersCount : Int4B
			   +0x108 BuffersWritten   : Uint4B
			   +0x10c LogBuffersLost   : Uint4B
			   +0x110 RealTimeBuffersDelivered : Uint4B
			   +0x114 RealTimeBuffersLost : Uint4B
			   +0x118 SequencePtr      : Ptr64 Int4B
			   +0x120 LocalSequence    : Uint4B
			   +0x124 InstanceGuid     : _GUID
			   +0x134 MaximumFileSize  : Uint4B
			   +0x138 FileCounter      : Int4B
			   +0x13c PoolType         : _POOL_TYPE
			   +0x140 ReferenceTime    : _ETW_REF_CLOCK
			   +0x150 CollectionOn     : Int4B
			   +0x154 ProviderInfoSize : Uint4B
			   +0x158 Consumers        : _LIST_ENTRY
			   +0x168 NumConsumers     : Uint4B
			   +0x170 TransitionConsumer : Ptr64 _ETW_REALTIME_CONSUMER
			   +0x178 RealtimeLogfileHandle : Ptr64 Void
			   +0x180 RealtimeLogfileName : _UNICODE_STRING
			   +0x190 RealtimeWriteOffset : _LARGE_INTEGER
			   +0x198 RealtimeReadOffset : _LARGE_INTEGER
			   +0x1a0 RealtimeLogfileSize : _LARGE_INTEGER
			   +0x1a8 RealtimeLogfileUsage : Uint8B
			   +0x1b0 RealtimeMaximumFileSize : Uint8B
			   +0x1b8 RealtimeBuffersSaved : Uint4B
			   +0x1c0 RealtimeReferenceTime : _ETW_REF_CLOCK
			   +0x1d0 NewRTEventsLost  : _ETW_RT_EVENT_LOSS
			   +0x1d8 LoggerEvent      : _KEVENT
			   +0x1f0 FlushEvent       : _KEVENT
			   +0x208 FlushTimeOutTimer : _KTIMER
			   +0x248 LoggerDpc        : _KDPC
			   +0x288 LoggerMutex      : _KMUTANT
			   +0x2c0 LoggerLock       : _EX_PUSH_LOCK
			   +0x2c8 BufferListSpinLock : Uint8B
			   +0x2c8 BufferListPushLock : _EX_PUSH_LOCK
			   +0x2d0 ClientSecurityContext : _SECURITY_CLIENT_CONTEXT
			   +0x318 TokenAccessInformation : Ptr64 _TOKEN_ACCESS_INFORMATION
			   +0x320 SecurityDescriptor : _EX_FAST_REF
			   +0x328 StartTime        : _LARGE_INTEGER
			   +0x330 LogFileHandle    : Ptr64 Void
			   +0x338 BufferSequenceNumber : Int8B
			   +0x340 Flags            : Uint4B
			   +0x340 Persistent       : Pos 0, 1 Bit
			   +0x340 AutoLogger       : Pos 1, 1 Bit
			   +0x340 FsReady          : Pos 2, 1 Bit
			   +0x340 RealTime         : Pos 3, 1 Bit
			   +0x340 Wow              : Pos 4, 1 Bit
			   +0x340 KernelTrace      : Pos 5, 1 Bit
			   +0x340 NoMoreEnable     : Pos 6, 1 Bit
			   +0x340 StackTracing     : Pos 7, 1 Bit
			   +0x340 ErrorLogged      : Pos 8, 1 Bit
			   +0x340 RealtimeLoggerContextFreed : Pos 9, 1 Bit
			   +0x340 PebsTracing      : Pos 10, 1 Bit
			   +0x340 PmcCounters      : Pos 11, 1 Bit
			   +0x340 PageAlignBuffers : Pos 12, 1 Bit
			   +0x340 StackLookasideListAllocated : Pos 13, 1 Bit
			   +0x340 SecurityTrace    : Pos 14, 1 Bit
			   +0x340 LastBranchTracing : Pos 15, 1 Bit
			   +0x340 SystemLoggerIndex : Pos 16, 8 Bits
			   +0x340 StackCaching     : Pos 24, 1 Bit
			   +0x340 ProviderTracking : Pos 25, 1 Bit
			   +0x340 ProcessorTrace   : Pos 26, 1 Bit
			   +0x340 QpcDeltaTracking : Pos 27, 1 Bit
			   +0x340 MarkerBufferSaved : Pos 28, 1 Bit
			   +0x340 SpareFlags2      : Pos 29, 3 Bits
			   +0x344 RequestFlag      : Uint4B
			   +0x344 DbgRequestNewFile : Pos 0, 1 Bit
			   +0x344 DbgRequestUpdateFile : Pos 1, 1 Bit
			   +0x344 DbgRequestFlush  : Pos 2, 1 Bit
			   +0x344 DbgRequestDisableRealtime : Pos 3, 1 Bit
			   +0x344 DbgRequestDisconnectConsumer : Pos 4, 1 Bit
			   +0x344 DbgRequestConnectConsumer : Pos 5, 1 Bit
			   +0x344 DbgRequestNotifyConsumer : Pos 6, 1 Bit
			   +0x344 DbgRequestUpdateHeader : Pos 7, 1 Bit
			   +0x344 DbgRequestDeferredFlush : Pos 8, 1 Bit
			   +0x344 DbgRequestDeferredFlushTimer : Pos 9, 1 Bit
			   +0x344 DbgRequestFlushTimer : Pos 10, 1 Bit
			   +0x344 DbgRequestUpdateDebugger : Pos 11, 1 Bit
			   +0x344 DbgSpareRequestFlags : Pos 12, 20 Bits
			   +0x350 StackTraceBlock  : _ETW_STACK_TRACE_BLOCK
			   +0x3d0 HookIdMap        : _RTL_BITMAP
			   +0x3e0 StackCache       : Ptr64 _ETW_STACK_CACHE
			   +0x3e8 PmcData          : Ptr64 _ETW_PMC_SUPPORT
			   +0x3f0 LbrData          : Ptr64 _ETW_LBR_SUPPORT
			   +0x3f8 IptData          : Ptr64 _ETW_IPT_SUPPORT
			   +0x400 BinaryTrackingList : _LIST_ENTRY
			   +0x410 ScratchArray     : Ptr64 Ptr64 _WMI_BUFFER_HEADER
			   +0x418 DisallowedGuids  : _DISALLOWED_GUIDS
			   +0x428 RelativeTimerDueTime : Int8B
			   +0x430 PeriodicCaptureStateGuids : _PERIODIC_CAPTURE_STATE_GUIDS
			   +0x440 PeriodicCaptureStateTimer : Ptr64 _EX_TIMER
			   +0x448 PeriodicCaptureStateTimerState : _ETW_PERIODIC_TIMER_STATE
			   +0x450 SoftRestartContext : Ptr64 _ETW_SOFT_RESTART_CONTEXT
			   +0x458 SiloState        : Ptr64 _ETW_SILODRIVERSTATE
			   +0x460 CompressionWorkItem : _WORK_QUEUE_ITEM
			   +0x480 CompressionWorkItemState : Int4B
			   +0x488 CompressionLock  : _EX_PUSH_LOCK
			   +0x490 CompressionTarget : Ptr64 _WMI_BUFFER_HEADER
			   +0x498 CompressionWorkspace : Ptr64 Void
			   +0x4a0 CompressionOn    : Int4B
			   +0x4a4 CompressionRatioGuess : Uint4B
			   +0x4a8 PartialBufferCompressionLevel : Uint4B
			   +0x4ac CompressionResumptionMode : ETW_COMPRESSION_RESUMPTION_MODE
			   +0x4b0 PlaceholderList  : _SINGLE_LIST_ENTRY
			   +0x4b8 CompressionDpc   : _KDPC
			   +0x4f8 LastBufferSwitchTime : _LARGE_INTEGER
			   +0x500 BufferWriteDuration : _LARGE_INTEGER
			   +0x508 BufferCompressDuration : _LARGE_INTEGER
			   +0x510 ReferenceQpcDelta : Int8B
			   +0x518 CallbackContext  : Ptr64 _ETW_EVENT_CALLBACK_CONTEXT
			   +0x520 LastDroppedTime  : Ptr64 _LARGE_INTEGER
			   +0x528 FlushingLastDroppedTime : Ptr64 _LARGE_INTEGER
			   +0x530 FlushingSequenceNumber : Int8B
	*/

	//
	// We care about overwriting the GetCpuClock (+0x28) pointer in 
	// this structure.
	//
	PVOID* AddressOfEtwpGetCycleCount;
	if (ISWIN7(g_oviEx)) {
		// WIN7
		AddressOfEtwpGetCycleCount = (PVOID*)((uintptr_t)CkclWmiLoggerContext + OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK_WIN7); //offset: 0x18
	}else {
		// WIN10
		AddressOfEtwpGetCycleCount = (PVOID*)((uintptr_t)CkclWmiLoggerContext + OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK); //offset: 0x28
	}
	//
	// Replace this function pointer with our own. Each time syscall
	// is logged by ETW, it will invoke our new timing function.
	//
	*AddressOfEtwpGetCycleCount = IfhpInternalGetCpuClock;

	IfhpInitialized = true;

	return STATUS_SUCCESS;
}

/*
*	Disables and then re-enables the circular kernel context logger,
*	clearing the system of the infinity hook pointer override.
*/
void IfhRelease()
{
	if (!IfhpInitialized)
	{
		return;
	}

	if (NT_SUCCESS(IfhpModifyTraceSettings(CKCL_TRACE_END)))
	{
		IfhpModifyTraceSettings(CKCL_TRACE_START);
	}

	IfhpInitialized = false;
}

/*
*	Resolves necessary unexported symbols.
*/
static BOOLEAN IfhpResolveSymbols()
{
	//
	// We need to resolve nt!EtwpDebuggerData to get the current ETW
	// sessions WMI_LOGGER_CONTEXTS, find the CKCL, and overwrite its
	// GetCpuClock function pointer.
	//
	PVOID NtBaseAddress = NULL;
	ULONG SizeOfNt = 0;
	NtBaseAddress = ImgGetBaseAddress(NULL, &SizeOfNt);
	if (!NtBaseAddress)
	{
		return FALSE;
	}

	ULONG SizeOfSection;
	PVOID SectionBase;

	//
	// Look for the EtwpDebuggerData global using the signature. This 
	// should be the same for Windows 7 And Win10
	//
	
	// The same kernel version with different kernel patches changes which section holds EtwpDebuggerData on WIN7 SP1.
	// Not seen on WIN10 so far, but it may well exist.
	// WIN7 SP1 (6.1.7601.24384) has been seen with only a .data section and no .rdata section, with EtwpDebuggerData in .text, so the search of .text is added here.
	//.text:00000001400057B0 EtwpDebuggerData dq 0E00C3804082C0018h, 60041078000000B8h
	//.text : 00000001400057B0; DATA XREF : .data : 00000001401E2450o
	//.text:00000001400057C0                 dq offset WmipLoggerContext
	SectionBase = ImgGetImageSection(NtBaseAddress, ".text", &SizeOfSection);
	if (!SectionBase)
	{
		return FALSE;
	}
	EtwpDebuggerData = MmSearchMemory(SectionBase, SizeOfSection, EtwpDebuggerDataPattern, RTL_NUMBER_OF(EtwpDebuggerDataPattern));
	if (!EtwpDebuggerData) {
		SectionBase = ImgGetImageSection(NtBaseAddress, ".data", &SizeOfSection);
		if (!SectionBase)
		{
			return FALSE;
		}
		EtwpDebuggerData = MmSearchMemory(SectionBase, SizeOfSection, EtwpDebuggerDataPattern, RTL_NUMBER_OF(EtwpDebuggerDataPattern));
		if (!EtwpDebuggerData)
		{
			SectionBase = ImgGetImageSection(NtBaseAddress, ".rdata", &SizeOfSection);
			if (!SectionBase)
			{
				return FALSE;
			}

			EtwpDebuggerData = MmSearchMemory(SectionBase, SizeOfSection, EtwpDebuggerDataPattern, RTL_NUMBER_OF(EtwpDebuggerDataPattern));
			if (!EtwpDebuggerData)
			{
				return FALSE;
			}
		}
	}
	
	// 
	// This is offset by 2 bytes due to where the signature starts.
	//
	EtwpDebuggerData = (PVOID)((uintptr_t)EtwpDebuggerData - 2);
	
	//
	// Get the silos of EtwpDebuggerData.
	//
	PVOID* EtwpDebuggerDataSilo = *(PVOID**)((uintptr_t)EtwpDebuggerData + OFFSET_ETW_DEBUGGER_DATA_SILO);

	//
	// Pull out the circular kernel context logger.
	//
	CkclWmiLoggerContext = EtwpDebuggerDataSilo[INDEX_CKCL_LOGGER];

	//
	// Grab the system call entry value.
	//
	SystemCallEntryPage = PAGE_ALIGN(ImgGetSyscallEntry());
	if (!SystemCallEntryPage)
	{
		return FALSE;
	}

	return TRUE;
}

/*
*	Modify the trace settings for the circular kernel context logger.
*/
static NTSTATUS IfhpModifyTraceSettings(
	_In_ CKCL_TRACE_OPERATION Operation)
{
	PCKCL_TRACE_PROPERTIES Property = (PCKCL_TRACE_PROPERTIES)ExAllocatePool(NonPagedPool, PAGE_SIZE);
	PWSTR wProviderName = (PWSTR)ExAllocatePool(NonPagedPool, 256*sizeof(WCHAR)); // must allocate writable memory yourself, otherwise WIN7 blue-screens
	if (!Property || !wProviderName)
	{
		if (Property) ExFreePool((PVOID)Property);
		if (wProviderName) ExFreePool((PVOID)wProviderName);
		return STATUS_MEMORY_NOT_ALLOCATED;
	}

	memset(Property, 0, PAGE_SIZE);

	Property->Wnode.BufferSize = PAGE_SIZE;
	Property->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
	//Property->ProviderName = RTL_CONSTANT_STRING(L"Circular Kernel Context Logger"); // WIN10 only, blue-screens on WIN7
	RtlCopyMemory(wProviderName, L"Circular Kernel Context Logger", sizeof(L"Circular Kernel Context Logger"));
	RtlInitUnicodeString(&Property->ProviderName, (PCWSTR)wProviderName); // common to WIN7/WIN10
	Property->Wnode.Guid = CkclSessionGuid;
	Property->Wnode.ClientContext = 3;  //CPU cycle counter
	Property->BufferSize = sizeof(ULONG);
	Property->MinimumBuffers = Property->MaximumBuffers = 2;
	Property->LogFileMode = EVENT_TRACE_BUFFERING_MODE;

	NTSTATUS Status = STATUS_ACCESS_DENIED;
	ULONG ReturnLength = 0;

	//
	// Might be wise to actually hook ZwTraceControl so folks don't 
	// disable your infinity hook ;).
	//
	switch (Operation)
	{
		case CKCL_TRACE_START:
		{
			Status = NtTraceControl(EtwpStartTrace, Property, PAGE_SIZE, Property, PAGE_SIZE, &ReturnLength);
			break;
		}
		case CKCL_TRACE_END:
		{
			Status = NtTraceControl(EtwpStopTrace, Property, PAGE_SIZE, Property, PAGE_SIZE, &ReturnLength);
			break;
		}
		case CKCL_TRACE_SYSCALL:
		{
			//
			// Add more flags here to trap on more events!
			//
			Property->EnableFlags = EVENT_TRACE_FLAG_SYSTEMCALL;

			Status = NtTraceControl(EtwpUpdateTrace, Property, PAGE_SIZE, Property, PAGE_SIZE, &ReturnLength);
			break;
		}
	}

	ExFreePool((PVOID)wProviderName);
	ExFreePool(Property);

	return Status;
}

/*
*	We replaced the GetCpuClock pointer to this one here which 
*	implements stack walking logic. We use this to determine whether 
*	a syscall occurred. It also provides you a way to alter the 
*	address on the stack to redirect execution to your detoured
*	function.
*	
*/
static ULONG64 IfhpInternalGetCpuClock()
{
	if (ExGetPreviousMode() == KernelMode)
	{
		return __rdtsc();
	}

	//
	// Extract the system call index (if you so desire).
	//
	PKTHREAD CurrentThread = (PKTHREAD)__readgsqword(OFFSET_KPCR_CURRENT_THREAD);
	unsigned int SystemCallIndex;

	if (ISWIN7(g_oviEx)) {
		// On WIN7 the offset of SystemCallNumber in nt!_KTHREAD is 0x1f8
		SystemCallIndex = *(unsigned int*)((uintptr_t)CurrentThread + OFFSET_KTHREAD_SYSTEM_CALL_NUMBER_WIN7);
	}else {
		// On WIN10 the offset of SystemCallNumber in nt!_KTHREAD is 0x80
		SystemCallIndex = *(unsigned int*)((uintptr_t)CurrentThread + OFFSET_KTHREAD_SYSTEM_CALL_NUMBER);
	}
	
	PVOID* StackMax = (PVOID*)__readgsqword(OFFSET_KPCR_RSP_BASE);
	PVOID* StackFrame = (PVOID*)_AddressOfReturnAddress();

	//
	// First walk backwards on the stack to find the 2 magic values.
	//
	for (PVOID* StackCurrent = StackMax; 
		StackCurrent > StackFrame;
		--StackCurrent)
	{
		// 
		// This is intentionally being read as 4-byte magic on an 8
		// byte aligned boundary.
		//
		PULONG AsUlong = (PULONG)StackCurrent;
		if (*AsUlong != INFINITYHOOK_MAGIC_1)
		{
			continue;
		}

		// 
		// If the first magic is set, check for the second magic.
		//
		--StackCurrent;

		PUSHORT AsShort = (PUSHORT)StackCurrent;
		if (*AsShort != INFINITYHOOK_MAGIC_2)
		{
			continue;
		}

		//
		// Now we reverse the direction of the stack walk.
		//
		for (;
			StackCurrent < StackMax;
			++StackCurrent)
		{
			PULONGLONG AsUlonglong = (PULONGLONG)StackCurrent;

			if (!(PAGE_ALIGN(*AsUlonglong) >= SystemCallEntryPage && 
				PAGE_ALIGN(*AsUlonglong) < (PVOID)((uintptr_t)SystemCallEntryPage + (PAGE_SIZE * 2))))
			{
				continue;
			}

			//
			// If you want to "hook" this function, replace this stack memory 
			// with a pointer to your own function.
			//
			void** SystemCallFunction = &StackCurrent[9];

			if (IfhpCallback)
			{
				IfhpCallback(SystemCallIndex, SystemCallFunction);
			}

			break;
		}

		break;
	}

	return __rdtsc();
}

// Get OS version information
static VOID GetOsVersionInformation(
	VOID
)
{
	NTSTATUS ntStatus;

	RtlZeroMemory(&g_oviEx,
		sizeof(OSVERSIONINFOEXW));
	g_oviEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEXW);
	ntStatus = RtlGetVersion((PRTL_OSVERSIONINFOW)&g_oviEx);
	ASSERT(NT_SUCCESS(ntStatus));

	return;
}


2. ntint.h:

/*
*	Module Name:
*		ntint.h
*
*	Abstract:
*		Header file that defines Windows-specific types and structures. An
*		extension of Windows.h.
*
*	Authors:
*		Nick Peterson <everdox@gmail.com> | [link]
*
*	Special thanks to Nemanja (Nemi) Mulasmajic <nm@triplefault.io>
*	for his help with the POC.
*
*/

#pragma once

#define EtwpStartTrace		1
#define EtwpStopTrace		2
#define EtwpQueryTrace		3
#define EtwpUpdateTrace		4
#define EtwpFlushTrace		5

#define WNODE_FLAG_TRACED_GUID			0x00020000  // denotes a trace
#define EVENT_TRACE_BUFFERING_MODE      0x00000400  // Buffering mode only
#define EVENT_TRACE_FLAG_SYSTEMCALL     0x00000080  // system calls

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES	16
#define IMAGE_SIZEOF_SHORT_NAME             8

#define IA32_LSTAR_MSR 0xC0000082

#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER)        \
    ((ULONG_PTR)(ntheader) +                                            \
     FIELD_OFFSET( IMAGE_NT_HEADERS64, OptionalHeader ) +                 \
     ((ntheader))->FileHeader.SizeOfOptionalHeader   \
    ))

typedef enum _SYSTEM_INFORMATION_CLASS
{
	SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
	SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
	SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
	SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
	SystemPathInformation, // not implemented
	SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
	SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
	SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
	SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
	SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
	SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
	SystemModuleInformation, // q: RTL_PROCESS_MODULES
	SystemLocksInformation, // q: RTL_PROCESS_LOCKS
	SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
	SystemPagedPoolInformation, // not implemented
	SystemNonPagedPoolInformation, // not implemented
	SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
	SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
	SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
	SystemVdmInstemulInformation, // q
	SystemVdmBopInformation, // not implemented // 20
	SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
	SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
	SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
	SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
	SystemFullMemoryInformation, // not implemented
	SystemLoadGdiDriverInformation, // s (kernel-mode only)
	SystemUnloadGdiDriverInformation, // s (kernel-mode only)
	SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
	SystemSummaryMemoryInformation, // not implemented
	SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
	SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
	SystemObsolete0, // not implemented
	SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
	SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
	SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
	SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
	SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
	SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
	SystemPrioritySeperation, // s (requires SeTcbPrivilege)
	SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
	SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
	SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
	SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
	SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
	SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
	SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
	SystemSessionCreate, // not implemented
	SystemSessionDetach, // not implemented
	SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
	SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
	SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
	SystemVerifierThunkExtend, // s (kernel-mode only)
	SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
	SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
	SystemNumaProcessorMap, // q
	SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
	SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
	SystemRecommendedSharedDataAlignment, // q
	SystemComPlusPackage, // q; s
	SystemNumaAvailableMemory, // 60
	SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
	SystemEmulationBasicInformation,
	SystemEmulationProcessorInformation,
	SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
	SystemLostDelayedWriteInformation, // q: ULONG
	SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
	SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
	SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
	SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
	SystemObjectSecurityMode, // q: ULONG // 70
	SystemWatchdogTimerHandler, // s (kernel-mode only)
	SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
	SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
	SystemWow64SharedInformationObsolete, // not implemented
	SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
	SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
	SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
	SystemVerifierTriageInformation, // not implemented
	SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
	SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
	SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
	SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
	SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
	SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
	SystemProcessorPowerInformationEx, // not implemented
	SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
	SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
	SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
	SystemErrorPortInformation, // s (requires SeTcbPrivilege)
	SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
	SystemHypervisorInformation, // q; s (kernel-mode only)
	SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
	SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
	SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
	SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
	SystemPrefetchPatchInformation, // not implemented
	SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
	SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
	SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
	SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
	SystemNumaProximityNodeInformation,
	SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
	SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
	SystemProcessorMicrocodeUpdateInformation, // s
	SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
	SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
	SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
	SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
	SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION // SmQueryStoreInformation
	SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
	SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
	SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
	SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
	SystemNativeBasicInformation, // not implemented
	SystemSpare1, // not implemented
	SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
	SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
	SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
	SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
	SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
	SystemNodeDistanceInformation,
	SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
	SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
	SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
	SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
	SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
	SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
	SystemBadPageInformation,
	SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
	SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
	SystemEntropyInterruptTimingCallback,
	SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
	SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
	SystemThrottleNotificationInformation,
	SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
	SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
	SystemDeviceDataEnumerationInformation,
	SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
	SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
	SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
	SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
	SystemSpare0,
	SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
	SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
	SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
	SystemEntropyInterruptTimingRawInformation,
	SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
	SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
	SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
	SystemBootMetadataInformation, // 150
	SystemSoftRebootInformation, // q: ULONG
	SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
	SystemOfflineDumpConfigInformation,
	SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
	SystemRegistryReconciliationInformation,
	SystemEdidInformation,
	SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
	SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
	SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
	SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
	SystemVmGenerationCountInformation,
	SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
	SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS
	SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
	SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
	SystemHardwareSecurityTestInterfaceResultsInformation,
	SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
	SystemAllowedCpuSetsInformation,
	SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
	SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
	SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
	SystemCodeIntegrityPolicyFullInformation,
	SystemAffinitizedInterruptProcessorInformation,
	SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
	SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
	SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
	SystemWin32WerStartCallout,
	SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
	SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
	SystemInterruptSteeringInformation, // 180
	SystemSupportedProcessorArchitectures,
	SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
	SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
	SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
	SystemControlFlowTransition,
	SystemKernelDebuggingAllowed, // s: ULONG
	SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
	SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
	SystemCodeIntegrityPoliciesFullInformation,
	SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
	SystemIntegrityQuotaInformation,
	SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
	SystemProcessorIdleMaskInformation, // q: ULONG_PTR // since REDSTONE3
	SystemSecureDumpEncryptionInformation,
	SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
	SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
	SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
	SystemFirmwareBootPerformanceInformation,
	SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
	SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
	SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
	SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
	SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
	SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
	SystemCodeIntegrityUnlockModeInformation,
	SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
	SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
	SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
	SystemCodeIntegritySyntheticCacheInformation,
	MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;

typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
	HANDLE Section;
	PVOID MappedBase;
	PVOID ImageBase;
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;
	UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES
{
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;

typedef struct _IMAGE_DATA_DIRECTORY {
	ULONG		VirtualAddress;
	ULONG		Size;
} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;

typedef struct _IMAGE_SECTION_HEADER {
	UCHAR		Name[IMAGE_SIZEOF_SHORT_NAME];
	union {
		ULONG	PhysicalAddress;
		ULONG	VirtualSize;
	} Misc;
	ULONG   VirtualAddress;
	ULONG   SizeOfRawData;
	ULONG   PointerToRawData;
	ULONG   PointerToRelocations;
	ULONG   PointerToLinenumbers;
	USHORT  NumberOfRelocations;
	USHORT  NumberOfLinenumbers;
	ULONG   Characteristics;
} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;

typedef struct _IMAGE_OPTIONAL_HEADER64 {
	USHORT      Magic;
	UCHAR       MajorLinkerVersion;
	UCHAR       MinorLinkerVersion;
	ULONG       SizeOfCode;
	ULONG       SizeOfInitializedData;
	ULONG       SizeOfUninitializedData;
	ULONG       AddressOfEntryPoint;
	ULONG       BaseOfCode;
	ULONGLONG   ImageBase;
	ULONG       SectionAlignment;
	ULONG       FileAlignment;
	USHORT      MajorOperatingSystemVersion;
	USHORT      MinorOperatingSystemVersion;
	USHORT      MajorImageVersion;
	USHORT      MinorImageVersion;
	USHORT      MajorSubsystemVersion;
	USHORT      MinorSubsystemVersion;
	ULONG       Win32VersionValue;
	ULONG       SizeOfImage;
	ULONG       SizeOfHeaders;
	ULONG       CheckSum;
	USHORT      Subsystem;
	USHORT      DllCharacteristics;
	ULONGLONG   SizeOfStackReserve;
	ULONGLONG   SizeOfStackCommit;
	ULONGLONG   SizeOfHeapReserve;
	ULONGLONG   SizeOfHeapCommit;
	ULONG       LoaderFlags;
	ULONG       NumberOfRvaAndSizes;
	IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;

typedef struct _IMAGE_FILE_HEADER {
	USHORT		Machine;
	USHORT		NumberOfSections;
	ULONG		TimeDateStamp;
	ULONG		PointerToSymbolTable;
	ULONG		NumberOfSymbols;
	USHORT		SizeOfOptionalHeader;
	USHORT		Characteristics;
} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;

typedef struct _IMAGE_NT_HEADERS64 {
	ULONG                   Signature;
	IMAGE_FILE_HEADER       FileHeader;
	IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;

typedef struct _WNODE_HEADER
{
	ULONG BufferSize;        // Size of entire buffer inclusive of this ULONG
	ULONG ProviderId;    // Provider Id of driver returning this buffer
	union
	{
		ULONG64 HistoricalContext;  // Logger use
		struct
		{
			ULONG Version;           // Reserved
			ULONG Linkage;           // Linkage field reserved for WMI
		} DUMMYSTRUCTNAME;
	} DUMMYUNIONNAME;

	union
	{
		ULONG CountLost;         // Reserved
		HANDLE KernelHandle;     // Kernel handle for data block
		LARGE_INTEGER TimeStamp; // Timestamp as returned in units of 100ns
								 // since 1/1/1601
	} DUMMYUNIONNAME2;
	GUID Guid;                  // Guid for data block returned with results
	ULONG ClientContext;
	ULONG Flags;             // Flags, see below
} WNODE_HEADER, *PWNODE_HEADER;

typedef struct _EVENT_TRACE_PROPERTIES {
	WNODE_HEADER	Wnode;
	ULONG			BufferSize;
	ULONG			MinimumBuffers;
	ULONG			MaximumBuffers;
	ULONG			MaximumFileSize;
	ULONG			LogFileMode;
	ULONG			FlushTimer;
	ULONG			EnableFlags;
	LONG			AgeLimit;
	ULONG			NumberOfBuffers;
	ULONG			FreeBuffers;
	ULONG			EventsLost;
	ULONG			BuffersWritten;
	ULONG			LogBuffersLost;
	ULONG			RealTimeBuffersLost;
	HANDLE			LoggerThreadId;
	ULONG			LogFileNameOffset;
	ULONG			LoggerNameOffset;
} EVENT_TRACE_PROPERTIES, *PEVENT_TRACE_PROPERTIES;

/* 54dea73a-ed1f-42a4-af71-3e63d056f174 */
const GUID CkclSessionGuid = { 0x54dea73a, 0xed1f, 0x42a4, { 0xaf, 0x71, 0x3e, 0x63, 0xd0, 0x56, 0xf1, 0x74 } };

// Exported only on WIN10
/*EXTERN_C
NTSYSCALLAPI 
NTSTATUS
NTAPI
ZwTraceControl (
	_In_ ULONG FunctionCode,
	_In_reads_bytes_opt_(InBufferLen) PVOID InBuffer,
	_In_ ULONG InBufferLen,
	 _Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer,
	_In_ ULONG OutBufferLen,
	_Out_ PULONG ReturnLength
);*/

// Exported on both WIN7 and WIN10
EXTERN_C
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTraceControl(
	_In_ ULONG FunctionCode,
	_In_reads_bytes_opt_(InBufferLen) PVOID InBuffer,
	_In_ ULONG InBufferLen,
	_Out_writes_bytes_opt_(OutBufferLen) PVOID OutBuffer,
	_In_ ULONG OutBufferLen,
	_Out_ PULONG ReturnLength
);

EXTERN_C
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
	_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
	_Out_writes_bytes_opt_(SystemInformationLength) PVOID SystemInformation,
	_In_ ULONG SystemInformationLength,
	_Out_opt_ PULONG ReturnLength
);

EXTERN_C
NTSYSAPI
PIMAGE_NT_HEADERS
NTAPI
RtlImageNtHeader (
	_In_ PVOID ModuleAddress
);


Last edited 2020-12-31 09:17 by 低调putchar, reason:
2020-12-27 11:16
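Worked example (added here; not code from this thread or from the InfinityHook project): the WNODE_HEADER / EVENT_TRACE_PROPERTIES declarations above describe a variable-length control buffer, with the session GUID in the header and the logger name stored as UTF-16LE after the fixed part at LoggerNameOffset. The block below redeclares those two structures with stdint types so it builds in user mode on any host, fills such a buffer for the CKCL session, reads the name back through the offset, and checks that the CkclSessionGuid initialiser from the post agrees with the string form of the GUID (the string in the post's comment is missing its fourth hyphen). WNODE_FLAG_TRACED_GUID and EVENT_TRACE_BUFFERING_MODE are the evntrace.h values; the per-buffer size and buffer counts are illustrative choices, not something the thread specifies. Handing the buffer to NtTraceControl is deliberately left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;

/* Same field order as the WNODE_HEADER / EVENT_TRACE_PROPERTIES declarations in
 * the post above, with HANDLE spelled as void * so the layout follows the host
 * pointer size exactly as it does in the kernel build. */
typedef struct {
    uint32_t BufferSize, ProviderId;
    union { uint64_t HistoricalContext; struct { uint32_t Version, Linkage; } s; } u1;
    union { uint32_t CountLost; void *KernelHandle; int64_t TimeStamp; } u2;
    GUID     Guid;
    uint32_t ClientContext, Flags;
} WNODE_HEADER;

typedef struct {
    WNODE_HEADER Wnode;
    uint32_t BufferSize, MinimumBuffers, MaximumBuffers, MaximumFileSize;
    uint32_t LogFileMode, FlushTimer, EnableFlags;
    int32_t  AgeLimit;
    uint32_t NumberOfBuffers, FreeBuffers, EventsLost, BuffersWritten;
    uint32_t LogBuffersLost, RealTimeBuffersLost;
    void    *LoggerThreadId;
    uint32_t LogFileNameOffset, LoggerNameOffset;
} EVENT_TRACE_PROPERTIES;

#define WNODE_FLAG_TRACED_GUID        0x00020000u /* evntrace.h */
#define EVENT_TRACE_BUFFERING_MODE    0x00000400u /* evntrace.h: in-memory circular buffers, no log file */
#define EVENT_TRACE_CLOCK_PERFCOUNTER 1u          /* Wnode.ClientContext clock type */

/* The CKCL session GUID exactly as initialised in the post. */
static const GUID CkclSessionGuid =
    { 0x54dea73a, 0xed1f, 0x42a4, { 0xaf, 0x71, 0x3e, 0x63, 0xd0, 0x56, 0xf1, 0x74 } };

/* Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" into the struct layout: Data1..Data3
 * are native integers, Data4 stays a byte array.  Returns 1 on success, 0 on malformed input. */
int guid_from_string(const char *s, GUID *out)
{
    uint8_t raw[16] = {0};
    size_t n = 0;
    for (; *s && n < 32; s++) {
        int v, c = *s | 0x20;                     /* fold hex letters to lower case */
        if (*s == '-') continue;
        if (c >= '0' && c <= '9') v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else return 0;
        raw[n / 2] = (uint8_t)(raw[n / 2] << 4 | v); /* first digit of each pair is the high nibble */
        n++;
    }
    if (n != 32 || *s) return 0;
    out->Data1 = (uint32_t)raw[0] << 24 | (uint32_t)raw[1] << 16 | (uint32_t)raw[2] << 8 | raw[3];
    out->Data2 = (uint16_t)(raw[4] << 8 | raw[5]);
    out->Data3 = (uint16_t)(raw[6] << 8 | raw[7]);
    memcpy(out->Data4, raw + 8, 8);
    return 1;
}

int guid_string_is_valid(const char *s) { GUID g; return guid_from_string(s, &g); }

/* 1 if the post's initialiser and the string form describe the same GUID. */
int ckcl_guid_initialiser_matches(void)
{
    GUID g;
    return guid_from_string("54dea73a-ed1f-42a4-af71-3e63d056f174", &g)
        && memcmp(&g, &CkclSessionGuid, sizeof g) == 0;
}

/* Lay out the control buffer: the fixed structure, then the logger name as
 * UTF-16LE at LoggerNameOffset.  Returns bytes used, or 0 if cap is too small. */
size_t ckcl_build_properties(void *buf, size_t cap, const GUID *session, const char *logger_name)
{
    size_t name_len = strlen(logger_name);
    size_t total = sizeof(EVENT_TRACE_PROPERTIES) + (name_len + 1) * sizeof(uint16_t);
    if (cap < total) return 0;
    memset(buf, 0, cap);
    EVENT_TRACE_PROPERTIES *p = (EVENT_TRACE_PROPERTIES *)buf;
    p->Wnode.BufferSize    = (uint32_t)cap;        /* whole buffer, name included */
    p->Wnode.Flags         = WNODE_FLAG_TRACED_GUID;
    p->Wnode.Guid          = *session;
    p->Wnode.ClientContext = EVENT_TRACE_CLOCK_PERFCOUNTER;
    p->BufferSize          = 4;                    /* illustrative: 4 KB per trace buffer (unit is KB) */
    p->MinimumBuffers = p->MaximumBuffers = 2;     /* illustrative */
    p->LogFileMode         = EVENT_TRACE_BUFFERING_MODE;
    p->LoggerNameOffset    = (uint32_t)sizeof(EVENT_TRACE_PROPERTIES);
    uint16_t *name = (uint16_t *)((uint8_t *)buf + p->LoggerNameOffset);
    for (size_t i = 0; i <= name_len; i++)         /* ASCII -> UTF-16LE, terminator included */
        name[i] = (uint16_t)(uint8_t)logger_name[i];
    return total;
}

/* Read the logger name back through LoggerNameOffset, narrowing to ASCII. */
size_t ckcl_read_logger_name(const void *buf, char *out, size_t cap)
{
    const EVENT_TRACE_PROPERTIES *p = (const EVENT_TRACE_PROPERTIES *)buf;
    const uint16_t *name = (const uint16_t *)((const uint8_t *)buf + p->LoggerNameOffset);
    size_t i = 0;
    for (; i + 1 < cap && name[i]; i++) out[i] = (char)name[i];
    out[i] = '\0';
    return i;
}

/* Build the CKCL buffer and return the bytes used; the name read back through
 * the offset is kept in static storage for ckcl_demo_name(). */
static char demo_name[64];
size_t ckcl_demo(void)
{
    static uint8_t buf[4096];
    size_t used = ckcl_build_properties(buf, sizeof buf, &CkclSessionGuid, "Circular Kernel Context Logger");
    ckcl_read_logger_name(buf, demo_name, sizeof demo_name);
    return used;
}
const char *ckcl_demo_name(void) { return demo_name; }

int main(void)
{
    size_t used = ckcl_demo();
    printf("guid initialiser ok: %d, bytes used: %zu, logger: %s\n",
           ckcl_guid_initialiser_matches(), used, ckcl_demo_name());
    return 0;
}
```

The buffer size passed in Wnode.BufferSize has to cover the name as well as the fixed structure, which is why the total is computed before anything is written; on the 64-bit layout the fixed part is 120 bytes and the name follows immediately.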
60

I downloaded ntoskrnl.exe files of the same kernel version but with different kernel patches for WIN7 x64 SP1 and compared them. I found that in one ntoskrnl.exe (6.1.7601.24384) EtwpDebuggerData is in the .text section, and there is no .rdata section, only a .data section; in the other ntoskrnl.exe (6.1.7601.23677) EtwpDebuggerData is in the .rdata section, and both .data and .rdata sections exist. Both also differ from the OP's WIN7 x64 7601. This should be down to the different kernel patches; it seems different kernel patches do affect which section EtwpDebuggerData lives in! (The .exe files and symbol tables are in the attachment.) The source needs adjusting!

Last edited 2020-12-29 19:44 by 低调putchar, reason:
Attachment uploaded:
2020-12-29 18:32
61
低调putchar: I downloaded ntoskrnl.exe files of the same kernel version but with different kernel patches for WIN7 x64 SP1 and compared them. I found that in one ntoskrnl.exe (6.1.7601.24384) EtwpDebuggerData is in ...
Section-scoped searching does speed things up, but once you weigh compatibility across different systems it really isn't much faster than searching the whole image; after all, on the systems I have looked at so far I have not found a second place where the signature collides with EtwpDebuggerData.
2020-12-29 19:12
62
hhkqqs: Section-scoped searching does speed things up, but once you weigh compatibility across different systems it really isn't much faster than searching the whole image; after all, on the systems I have looked at so far I have not found a second place where the signature collides with EtwpDebuggerData.

Because a kernel-patched WIN7 X64 SP1 has already shown up with EtwpDebuggerData in the .text section. I have not run into it on WIN10, but it may well happen.

Let's go with this for now: search .text => .data => .rdata in turn. Adding the .text search costs little speed, the hook isn't installed frequently anyway, and the range of compatible builds is much wider.

	// The same kernel version with different kernel patches changes which section holds EtwpDebuggerData on WIN7 SP1
	// Not seen on WIN10 so far, but it may well exist
	// WIN7 SP1 (6.1.7601.24384) had no .rdata section (only .data) and EtwpDebuggerData in .text, so the .text search is added here
	//.text:00000001400057B0 EtwpDebuggerData dq 0E00C3804082C0018h, 60041078000000B8h
	//.text : 00000001400057B0; DATA XREF : .data : 00000001401E2450o
	//.text:00000001400057C0                 dq offset WmipLoggerContext
	SectionBase = ImgGetImageSection(NtBaseAddress, ".text", &SizeOfSection);
	if (!SectionBase)
	{
		return FALSE;
	}
	EtwpDebuggerData = MmSearchMemory(SectionBase, SizeOfSection, EtwpDebuggerDataPattern, RTL_NUMBER_OF(EtwpDebuggerDataPattern));
	if (!EtwpDebuggerData) {
		SectionBase = ImgGetImageSection(NtBaseAddress, ".data", &SizeOfSection);
		if (!SectionBase)
		{
			return FALSE;
		}
		EtwpDebuggerData = MmSearchMemory(SectionBase, SizeOfSection, EtwpDebuggerDataPattern, RTL_NUMBER_OF(EtwpDebuggerDataPattern));
		if (!EtwpDebuggerData)
		{
			SectionBase = ImgGetImageSection(NtBaseAddress, ".rdata", &SizeOfSection);
			if (!SectionBase)
			{
				return FALSE;
			}

			EtwpDebuggerData = MmSearchMemory(SectionBase, SizeOfSection, EtwpDebuggerDataPattern, RTL_NUMBER_OF(EtwpDebuggerDataPattern));
			if (!EtwpDebuggerData)
			{
				return FALSE;
			}
		}
	}


Attachment uploaded:
2020-12-29 19:39
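Worked example (added here; not the reply's code nor InfinityHook's): the section-by-section search above, written so it builds and runs in user mode against a constructed PE32+ image. get_image_section() and search_memory() stand in for ImgGetImageSection() and MmSearchMemory(); the section table is located the way IMAGE_FIRST_SECTION does it, through SizeOfOptionalHeader. The byte pattern is taken from the dq line quoted in the reply (0E00C3804082C0018h is stored as 18 00 2c 08 04 38 0c e0); matching on bytes 2..6 and stepping back two bytes to the start of the block is an assumption of this example. One deliberate difference from the reply's code: a section that does not exist in a given build is skipped rather than aborting the lookup, which is exactly the situation the 7601.24384 kernel without an .rdata section raises.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE     0x5A4Du      /* "MZ" */
#define IMAGE_NT_SIGNATURE      0x00004550u  /* "PE\0\0" */
#define IMAGE_SIZEOF_SHORT_NAME 8
#define SAMPLE_IMAGE_SIZE       0x4000

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DOS_HDR; /* e_lfanew at 0x3C */
typedef struct {                                                 /* IMAGE_FILE_HEADER, 20 bytes */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} FILE_HDR;
typedef struct {                                                 /* IMAGE_SECTION_HEADER, 40 bytes */
    char     Name[IMAGE_SIZEOF_SHORT_NAME];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SECTION_HDR;
#pragma pack(pop)

/* Bytes 2..6 of the first qword in the reply's disassembly line
 * (EtwpDebuggerData dq 0E00C3804082C0018h -> 18 00 2c 08 04 38 0c e0).  Matching
 * on these five bytes and stepping back two is this example's assumption. */
static const uint8_t EtwpDebuggerDataPattern[] = { 0x2c, 0x08, 0x04, 0x38, 0x0c };
static const char *const SearchOrder[] = { ".text", ".data", ".rdata" };

/* Stand-in for ImgGetImageSection(): section base and virtual size by name. */
static uint8_t *get_image_section(uint8_t *image, const char *name, uint32_t *size)
{
    DOS_HDR dos; FILE_HDR fh; uint32_t sig;
    memcpy(&dos, image, sizeof dos);
    if (dos.e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    memcpy(&sig, image + dos.e_lfanew, sizeof sig);
    if (sig != IMAGE_NT_SIGNATURE) return NULL;
    memcpy(&fh, image + dos.e_lfanew + 4, sizeof fh);
    const uint8_t *table = image + dos.e_lfanew + 4 + sizeof fh + fh.SizeOfOptionalHeader;
    for (uint16_t i = 0; i < fh.NumberOfSections; i++) {
        SECTION_HDR sec;
        memcpy(&sec, table + (size_t)i * sizeof sec, sizeof sec);
        if (strncmp(sec.Name, name, IMAGE_SIZEOF_SHORT_NAME) == 0) {
            *size = sec.VirtualSize;
            return image + sec.VirtualAddress;
        }
    }
    return NULL;
}

/* Stand-in for MmSearchMemory(): first occurrence of pat in [base, base + size). */
static uint8_t *search_memory(uint8_t *base, size_t size, const uint8_t *pat, size_t patlen)
{
    for (size_t i = 0; patlen && i + patlen <= size; i++)
        if (memcmp(base + i, pat, patlen) == 0) return base + i;
    return NULL;
}

/* .text -> .data -> .rdata; a section missing from this build is skipped. */
uint8_t *find_etwp_debugger_data(uint8_t *image)
{
    for (size_t s = 0; s < sizeof SearchOrder / sizeof SearchOrder[0]; s++) {
        uint32_t size = 0;
        uint8_t *base = get_image_section(image, SearchOrder[s], &size);
        if (!base) continue;
        uint8_t *hit = search_memory(base, size, EtwpDebuggerDataPattern, sizeof EtwpDebuggerDataPattern);
        if (hit) return hit - 2;                 /* back to the start of the 16-byte block */
    }
    return NULL;
}

/* Constructed three-section image with the 16 bytes from the reply placed at
 * +0x7B0 of the named section (nowhere when place_in is NULL).  Returns the
 * offset of the hit from the image base, or -1. */
long locate_in_sample(const char *place_in)
{
    static uint8_t img[SAMPLE_IMAGE_SIZE];
    static const uint8_t data[16] = { 0x18,0x00,0x2c,0x08,0x04,0x38,0x0c,0xe0,
                                      0xb8,0x00,0x00,0x00,0x78,0x10,0x04,0x60 };
    const char *names[3] = { ".text", ".rdata", ".data" };
    DOS_HDR dos = {0}; FILE_HDR fh = {0}; uint32_t sig = IMAGE_NT_SIGNATURE;
    memset(img, 0, sizeof img);
    dos.e_magic = IMAGE_DOS_SIGNATURE; dos.e_lfanew = 0x80;
    fh.Machine = 0x8664; fh.NumberOfSections = 3; fh.SizeOfOptionalHeader = 240; /* PE32+ optional header */
    memcpy(img, &dos, sizeof dos);
    memcpy(img + 0x80, &sig, sizeof sig);
    memcpy(img + 0x84, &fh, sizeof fh);
    for (int i = 0; i < 3; i++) {
        SECTION_HDR sec = {0};
        memcpy(sec.Name, names[i], strlen(names[i]));
        sec.VirtualAddress = 0x1000u * (uint32_t)(i + 1);
        sec.VirtualSize = 0x1000;
        memcpy(img + 0x84 + sizeof fh + 240 + (size_t)i * sizeof sec, &sec, sizeof sec);
        if (place_in && strcmp(place_in, names[i]) == 0)
            memcpy(img + sec.VirtualAddress + 0x7B0, data, sizeof data);
    }
    uint8_t *p = find_etwp_debugger_data(img);
    return p ? (long)(p - img) : -1;
}

int main(void)
{
    printf(".text: %ld  .rdata: %ld  .data: %ld  absent: %ld\n", locate_in_sample(".text"),
           locate_in_sample(".rdata"), locate_in_sample(".data"), locate_in_sample(NULL));
    return 0;
}
```

A five-byte pattern can in principle also occur inside code bytes once .text is part of the search, so before anything is dereferenced through the hit it is worth validating it (for instance against the rest of the 16-byte block quoted from the disassembly) rather than trusting the first match.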
63
With this kind of hook, ordinary tools generally can't detect it.
2020-12-30 17:50
ybt
64
Has anyone successfully used InfinityHook to hook Shadow SSDT functions?
2020-12-31 17:41
65
mark
2021-1-10 13:46
66

Very detailed... thanks!

Last edited 2021-1-10 19:42 by 风中小筑V, reason:
2021-1-10 19:41
67

Studying this.

Last edited 2021-2-24 23:09 by zx_838741, reason:
2021-2-24 23:08
68
Mark
2021-3-9 11:20
69
低调putchar: I currently have both WIN7 X64 SP0/SP1 virtual machines. Since debugging is convenient and this will be useful later, this weekend I followed the OP's line of analysis, analysed 64-bit WIN7, then debugged on both WIN7/WIN10 x64 and changed a WIN7/WIN ...

Thanks

Last edited 2021-4-26 08:22 by 枭欤, reason:
2021-4-26 08:21
70
rsp + 72h should be rsp + 48h. The 72 is decimal.
2021-7-5 20:20
71
wx_穆源 13520036597: rsp + 72h should be rsp + 48h. The 72 is decimal.
Thanks for the correction, fixed.
2021-7-6 03:04