The interesting write-up you're referring to likely covers the , a relatively obscure publisher/subscriber mechanism within the Windows kernel that has become a "holy grail" for exploit developers.
NTSTATUS NtQueryWnfStateData( HANDLE StateHandle, // WNF state handle VOID* ChangeStamp, // Optional change stamp VOID* Buffer, // Output data buffer ULONG BufferSize, // Buffer size ULONG* DataSize, // Actual data size ULONG* ChangeStampResult // Resulting change stamp ); ntquerywnfstatedata ntdlldll better
NtQueryWnfStateData is an undocumented (or "semi-documented") system call in the Windows kernel. It is the low-level engine used to retrieve data from a . The primary purpose of NtQueryWnfStateData is to allow
The primary purpose of NtQueryWnfStateData is to allow components to retrieve the current state data associated with a specific WNF state. This function enables subscribers to access the data published by publishers, facilitating coordination and synchronization among system components. // WNF state handle VOID* ChangeStamp