Windows通知功能(WNF)深入解析与实战应用<\/h1>

1. WNF概述<\/h2>
Windows通知功能(WNF)是一个内核组件，用于在系统中分发通知。它既可以在内核模式中使用，也可以在用户空间中使用，包含一组导出但未公开文档的API函数和相关数据结构。<\/p>

1.1 WNF核心概念<\/h3>

状态名(StateName)<\/strong>: 标识特定类型的事件<\/li>
状态数据(StateData)<\/strong>: 与通知关联的数据<\/li>
订阅(Subscription)<\/strong>: 组件对特定事件的注册<\/li>

作用域(Scope)<\/strong>: 决定通知的可见范围<\/li> <\/ul>
1.2 WNF特点<\/h3>

支持内核和用户空间使用<\/li>
通知可以关联数据<\/li>
支持多种作用域级别<\/li>
部分状态数据可以持久化<\/li> <\/ul>
2. WNF核心数据结构<\/h2>
2.1 主要结构体<\/h3>
typedef<\/span> struct<\/span> _WNF_NAME_INSTANCE { <\/span><\/span> WNF_CONTEXT_HEADER Header; \/\/ 结构头(类型码0x903) <\/span><\/span><\/span><\/span> \/\/ 其他成员... <\/span><\/span><\/span><\/span>} WNF_NAME_INSTANCE, *<\/span>PWNF_NAME_INSTANCE; <\/span><\/span> <\/span><\/span>typedef<\/span> struct<\/span> _WNF_SCOPE_INSTANCE { <\/span><\/span> WNF_CONTEXT_HEADER Header; \/\/ 结构头(类型码0x902) <\/span><\/span><\/span><\/span> \/\/ 其他成员... <\/span><\/span><\/span><\/span>} WNF_SCOPE_INSTANCE, *<\/span>PWNF_SCOPE_INSTANCE; <\/span><\/span> <\/span><\/span>typedef<\/span> struct<\/span> _WNF_SUBSCRIPTION { <\/span><\/span> WNF_CONTEXT_HEADER Header; \/\/ 结构头(类型码0x905) <\/span><\/span><\/span><\/span> \/\/ 其他成员... <\/span><\/span><\/span><\/span>} WNF_SUBSCRIPTION, *<\/span>PWNF_SUBSCRIPTION; <\/span><\/span> <\/span><\/span>typedef<\/span> struct<\/span> _WNF_STATE_DATA { <\/span><\/span> WNF_CONTEXT_HEADER Header; \/\/ 结构头(类型码0x904) <\/span><\/span><\/span><\/span> \/\/ 其他成员... <\/span><\/span><\/span><\/span>} WNF_STATE_DATA, *<\/span>PWNF_STATE_DATA; <\/span><\/span><\/code><\/pre>2.2 作用域类型<\/h3> typedef<\/span> enum<\/span> _WNF_DATA_SCOPE { <\/span><\/span> WnfDataScopeSystem =<\/span> 0x0<\/span>, \/\/ 系统范围 <\/span><\/span><\/span><\/span> WnfDataScopeSession =<\/span> 0x1<\/span>, \/\/ 会话范围 <\/span><\/span><\/span><\/span> WnfDataScopeUser =<\/span> 0x2<\/span>, \/\/ 用户范围 <\/span><\/span><\/span><\/span> WnfDataScopeProcess =<\/span> 0x3<\/span>, \/\/ 进程范围 <\/span><\/span><\/span><\/span> WnfDataScopeMachine =<\/span> 0x4<\/span>, \/\/ 机器范围 <\/span><\/span><\/span><\/span>} WNF_DATA_SCOPE; <\/span><\/span><\/code><\/pre>2.3 WNF状态名解码<\/h3> WNF状态名以不透明格式存储，可通过以下方式解码：<\/p> #define WNF_XOR_KEY 0x41C64E6DA3BC0074 <\/span><\/span><\/span><\/span> <\/span><\/span>ClearStateName =<\/span> StateName ^<\/span> WNF_XOR_KEY; <\/span><\/span>Version =<\/span> ClearStateName &<\/span> 0xf<\/span>; <\/span><\/span>LifeTime =<\/span> (ClearStateName >><\/span> 4<\/span>) &<\/span> 0x3<\/span>; <\/span><\/span>DataScope =<\/span> (ClearStateName >><\/span> 6<\/span>) &<\/span> 0xf<\/span>; <\/span><\/span>IsPermanent =<\/span> (ClearStateName >><\/span> 0xa<\/span>) &<\/span> 0x1<\/span>; <\/span><\/span>Unique =<\/span> ClearStateName >><\/span> 0xb<\/span>; <\/span><\/span><\/code><\/pre>对应的结构体定义：<\/p> typedef<\/span> struct<\/span> _WNF_STATE_NAME_INTERNAL { <\/span><\/span> ULONG64 Version : 4<\/span>; \/\/ 版本号(4位) <\/span><\/span><\/span><\/span> ULONG64 Lifetime : 2<\/span>; \/\/ 生命周期(2位) <\/span><\/span><\/span><\/span> ULONG64 DataScope : 4<\/span>; \/\/ 数据作用域(4位) <\/span><\/span><\/span><\/span> ULONG64 IsPermanent : 1<\/span>; \/\/ 是否持久化(1位) <\/span><\/span><\/span><\/span> ULONG64 Unique : 53<\/span>; \/\/ 唯一标识(53位) <\/span><\/span><\/span><\/span>} WNF_STATE_NAME_INTERNAL, *<\/span>PWNF_STATE_NAME_INTERNAL; <\/span><\/span><\/code><\/pre>3. WNF核心API解析<\/h2> 3.1 ExSubscribeWnfStateChange<\/h3> NTSTATUS ExSubscribeWnfStateChange<\/span>( <\/span><\/span> _Out_ptr_ PWNF_SUBSCRIPTION*<\/span> Subscription, <\/span><\/span> _In_ PWNF_STATE_NAME StateName, <\/span><\/span> _In_ ULONG DeliveryOption, <\/span><\/span> _In_ WNF_CHANGE_STAMP CurrentChangeStamp, <\/span><\/span> _In_ PWNF_CALLBACK Callback, <\/span><\/span> _In_opt_ PVOID CallbackContext <\/span><\/span>); <\/span><\/span><\/code><\/pre>功能<\/strong>：注册一个新的WNF订阅，当指定状态名对应的事件发生时调用回调函数。<\/p> 内部流程<\/strong>：<\/p> 解码StateName<\/li> 解析或创建作用域实例(WNF_SCOPE_INSTANCE)<\/li> 查找或创建名称实例(WNF_NAME_INSTANCE)<\/li> 创建订阅对象(WNF_SUBSCRIPTION)<\/li> 将订阅添加到挂起队列并触发通知<\/li> <\/ol> 3.2 ExQueryWnfStateData<\/h3> NTSTATUS ExQueryWnfStateData<\/span>( <\/span><\/span> _In_ PWNF_SUBSCRIPTION Subscription, <\/span><\/span> _Out_ PWNF_CHANGE_STAMP ChangeStamp, <\/span><\/span> _Out_ PVOID OutputBuffer, <\/span><\/span> _Out_ PULONG OutputBufferSize <\/span><\/span>); <\/span><\/span><\/code><\/pre>功能<\/strong>：查询与订阅关联的状态数据。<\/p> 内部流程<\/strong>：<\/p> 从订阅中获取名称实例<\/li> 读取关联的状态数据<\/li> 将数据复制到输出缓冲区<\/li> <\/ol> 4. WNF实战应用<\/h2> 4.1 查找WNF状态名<\/h3> WNF状态名可以从以下位置获取：<\/p> contentDeliveryManager_Utilities.dll<\/code>中的WNF状态名表<\/li> perf_nt_c.dll<\/code>中的类似表<\/li> 博客和文档中公开的已知状态名<\/li> <\/ol> 例如，麦克风使用事件的状态名：<\/p> 名称: WNF_AUDC_CAPTURE<\/code><\/li> 值: 0x2821B2CA3BC4075<\/code><\/li> 描述: "Reports the number of, and process ids of all applications currently capturing audio"<\/li> <\/ul> 4.2 编写WNF驱动程序<\/h3> 4.2.1 订阅WNF事件<\/h4> NTSTATUS CallExSubscribeWnfStateChange<\/span>(VOID) { <\/span><\/span> PWNF_SUBSCRIPTION wnfSubscription =<\/span> NULL; <\/span><\/span> WNF_STATE_NAME stateName; <\/span><\/span> NTSTATUS status; <\/span><\/span> <\/span><\/span> stateName.Data =<\/span> 0x2821B2CA3BC4075<\/span>; \/\/ WNF_AUDC_CAPTURE <\/span><\/span><\/span><\/span> <\/span><\/span> status =<\/span> ExSubscribeWnfStateChange( <\/span><\/span> &<\/span>wnfSubscription, <\/span><\/span> &<\/span>stateName, <\/span><\/span> 0x1<\/span>, <\/span><\/span> NULL, <\/span><\/span> &<\/span>notifCallback, <\/span><\/span> NULL); <\/span><\/span> <\/span><\/span> if<\/span> (NT_SUCCESS(status)) <\/span><\/span> DbgPrint("Subscription address: %p<\/span>\n<\/span>"<\/span>, wnfSubscription); <\/span><\/span> <\/span><\/span> return<\/span> status; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2.2 定义回调函数<\/h4> NTSTATUS notifCallback<\/span>( <\/span><\/span> _In_ PWNF_SUBSCRIPTION Subscription, <\/span><\/span> _In_ PWNF_STATE_NAME StateName, <\/span><\/span> _In_ ULONG SubscribedEventSet, <\/span><\/span> _In_ WNF_CHANGE_STAMP ChangeStamp, <\/span><\/span> _In_opt_ PWNF_TYPE_ID TypeId, <\/span><\/span> _In_opt_ PVOID CallbackContext <\/span><\/span>) { <\/span><\/span> NTSTATUS status =<\/span> STATUS_SUCCESS; <\/span><\/span> ULONG bufferSize =<\/span> 0x0<\/span>; <\/span><\/span> PVOID pStateData =<\/span> NULL; <\/span><\/span> WNF_CHANGE_STAMP changeStamp =<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 第一次调用获取所需缓冲区大小 <\/span><\/span><\/span><\/span> status =<\/span> ExQueryWnfStateData(Subscription, &<\/span>changeStamp, NULL, &<\/span>bufferSize); <\/span><\/span> if<\/span> (status !=<\/span> STATUS_BUFFER_TOO_SMALL) <\/span><\/span> goto<\/span> Exit; <\/span><\/span> <\/span><\/span> \/\/ 分配缓冲区 <\/span><\/span><\/span><\/span> pStateData =<\/span> ExAllocatePoolWithTag(PagedPool, bufferSize, '<\/span>LULZ'<\/span>); <\/span><\/span> if<\/span> (pStateData ==<\/span> NULL) { <\/span><\/span> status =<\/span> STATUS_UNSUCCESSFUL; <\/span><\/span> goto<\/span> Exit; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 第二次调用获取实际数据 <\/span><\/span><\/span><\/span> status =<\/span> ExQueryWnfStateData(Subscription, &<\/span>changeStamp, pStateData, &<\/span>bufferSize); <\/span><\/span> if<\/span> (NT_SUCCESS(status)) { <\/span><\/span> \/\/ 处理数据... <\/span><\/span><\/span><\/span> DbgPrint("## Data processed: %S<\/span>\n<\/span>"<\/span>, pStateData); <\/span><\/span> } <\/span><\/span> <\/span><\/span>Exit: <\/span><\/span> if<\/span> (pStateData !=<\/span> NULL) <\/span><\/span> ExFreePoolWithTag(pStateData, '<\/span>LULZ'<\/span>); <\/span><\/span> return<\/span> status; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4.2.3 卸载时清理<\/h4> PVOID ExUnsubscribeWnfStateChange<\/span>( <\/span><\/span> _In_ PWNF_SUBSCRIPTION Subscription <\/span><\/span>); <\/span><\/span> <\/span><\/span>VOID DriverUnload<\/span>( <\/span><\/span> _In_ PDRIVER_OBJECT DriverObject <\/span><\/span>) { <\/span><\/span> ExUnsubscribeWnfStateChange(g_WnfSubscription); <\/span><\/span>} <\/span><\/span><\/code><\/pre>5. WNF状态名收集工具<\/h2> 可以使用以下Python脚本收集和比较WNF状态名：<\/p> import<\/span> argparse <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> parser =<\/span> argparse.<\/span>ArgumentParser(description=<\/span>'Stupid little script to dump or diff wnf name table from dll'<\/span>) <\/span><\/span> parser.<\/span>add_argument('file1'<\/span>, help=<\/span>'First file'<\/span>) <\/span><\/span> parser.<\/span>add_argument('file2'<\/span>, nargs=<\/span>'?'<\/span>, help=<\/span>'Second file (only used when diffing)'<\/span>) <\/span><\/span> parser.<\/span>add_argument('-dump'<\/span>, action=<\/span>'store_true'<\/span>, help=<\/span>'Dump the table into a file'<\/span>) <\/span><\/span> parser.<\/span>add_argument('-diff'<\/span>, action=<\/span>'store_true'<\/span>, help=<\/span>'Diff two tables and dump the difference into a file'<\/span>) <\/span><\/span> parser.<\/span>add_argument('-v'<\/span>, '--verbose'<\/span>, action=<\/span>'store_true'<\/span>, help=<\/span>'Print the description of the keys'<\/span>) <\/span><\/span> parser.<\/span>add_argument('-o'<\/span>, '--output'<\/span>, default=<\/span>'output.txt'<\/span>, help=<\/span>'Output file (Default: output.txt)'<\/span>) <\/span><\/span> parser.<\/span>add_argument('-py'<\/span>, '--python'<\/span>, action=<\/span>'store_true'<\/span>, help=<\/span>"Change the output language to python (by default it's c)"<\/span>) <\/span><\/span> args =<\/span> parser.<\/span>parse_args() <\/span><\/span> <\/span><\/span> # 实现代码...<\/span> <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> main() <\/span><\/span><\/code><\/pre>输出示例(C格式)：<\/p> typedef<\/span> struct<\/span> _WNF_NAME { <\/span><\/span> PCHAR Name; <\/span><\/span> ULONG64 Value; <\/span><\/span>} WNF_NAME, *<\/span>PWNF_NAME; <\/span><\/span> <\/span><\/span>WNF_NAME g_WellKnownWnfNames[] =<\/span> { <\/span><\/span> {"WNF_A2A_APPURIHANDLER_INSTALLED"<\/span>, 0x41877c2ca3bc0875<\/span>}, <\/span><\/span> {"WNF_AAD_DEVICE_REGISTRATION_STATUS_CHANGE"<\/span>, 0x41820f2ca3bc0875<\/span>}, <\/span><\/span> {"WNF_AA_CURATED_TILE_COLLECTION_STATUS"<\/span>, 0x41c60f2ca3bc1075<\/span>}, <\/span><\/span> {"WNF_AA_LOCKDOWN_CHANGED"<\/span>, 0x41c60f2ca3bc0875<\/span>}, <\/span><\/span> \/\/ 更多条目... <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre>6. 总结与注意事项<\/h2> WNF的强大功能<\/strong>：<\/p> 可以监控系统各种事件<\/li> 既可用于监控也可用于通信<\/li> 支持多种作用域级别<\/li> <\/ul> <\/li> 开发注意事项<\/strong>：<\/p> WNF API未公开文档，使用时需自行声明<\/li> 确保正确处理缓冲区大小<\/li> 驱动程序卸载时必须取消订阅<\/li> <\/ul> <\/li> 调试技巧<\/strong>：<\/p> 使用结构头中的NodeTypeCode识别WNF结构<\/li> 可以通过nt!ExpWnfProcessesListHead遍历进程上下文<\/li> <\/ul> <\/li> 应用场景<\/strong>：<\/p> 监控系统事件(如应用启动、麦克风使用)<\/li> 实现进程间通信<\/li> 系统状态监控工具开发<\/li> <\/ul> <\/li> <\/ol> 通过深入理解WNF的内部机制和数据结构，开发者可以构建强大的系统监控和通知功能，但需要注意WNF API的未公开特性可能在不同Windows版本中有所变化。<\/p>

Windows通知功能(WNF)深入解析与实战应用<\/h1>

1. WNF概述<\/h2> Windows通知功能(WNF)是一个内核组件，用于在系统中分发通知。它既可以在内核模式中使用，也可以在用户空间中使用，包含一组导出但未公开文档的API函数和相关数据结构。<\/p>

2. WNF核心数据结构<\/h2>

3. WNF核心API解析<\/h2>

4. WNF实战应用<\/h2>

4.2 编写WNF驱动程序<\/h3>

1. WNF概述<\/h2>
Windows通知功能(WNF)是一个内核组件，用于在系统中分发通知。它既可以在内核模式中使用，也可以在用户空间中使用，包含一组导出但未公开文档的API函数和相关数据结构。<\/p>