# SharpWnfSuite

Source repository: https://github.com/daem0nc0re/SharpWnfSuite (C#, BSD-3-Clause license)

This is the repository for Windows Notification Facility (WNF) tools.
Currently, a C# port of the tools in [wnfun](https://github.com/ionescu007/wnfun) developed by Alex Ionescu ([@aionescu](https://twitter.com/aionescu)) and Gabrielle Viala ([@pwissenlit](https://twitter.com/pwissenlit)) has been uploaded.
When I develop additional tools for Windows Notification Facility, they will be uploaded here.

## Table Of Contents
+ [SharpWnfSuite](#sharpwnfsuite)
    + [Usage](#usage)
        + [SharpWnfDump](#sharpwnfdump)
        + [SharpWnfNameDumper](#sharpwnfnamedumper)
        + [SharpWnfClient](#sharpwnfclient)
        + [SharpWnfServer](#sharpwnfserver)
        + [SharpWnfScan](#sharpwnfscan)
        + [SharpWnfInject](#sharpwnfinject)
    + [KernelPrimitive](#kernelprimitive)
    + [WnfCallbackPayload](#wnfcallbackpayload)
    + [Reference](#reference)
    + [Acknowledgments](#acknowledgments)

## Usage
### SharpWnfDump

[Back to Top](#sharpwnfsuite)

[Project](./SharpWnfSuite/SharpWnfDump)

This tool dumps or manipulates information about WNF State Names.
Equivalent to [wnfdump.exe](https://github.com/ionescu007/wnfun/blob/master/wnftools_x64/wnfdump.exe) and [WnfDump.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfDump.py).
I made some updates to the original tool (exception handling, Well-Known State Names, and a new WNF_DATA_SCOPE member).

To retrieve information about all Well-Known, Permanent and Persistent WNF State Names on your host, execute with the `-d` (`--dump`) flag:

```
PS C:\Dev> .\SharpWnfDump.exe -d

| WNF State Name [WellKnown Lifetime]                             | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_WEBA_CTAP_DEVICE_STATE                                      | S | W | N | RW | I |       0 |      12 |       0 |
| WNF_WEBA_CTAP_DEVICE_CHANGE_NOTIFY                              | S | W | N | RW | I |       0 |       4 |       0 |
| WNF_PNPA_DEVNODES_CHANGED                                       | S | W | N | RO | U |       0 |       0 |      11 |

--snip--
```

If you want to retrieve Security Descriptor information, set the `-s` (`--sid`) flag:

```
PS C:\Dev> .\SharpWnfDump.exe -d -s

| WNF State Name [WellKnown Lifetime]                             | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_WEBA_CTAP_DEVICE_STATE                                      | S | W | N | RW | I |       0 |      12 |       0 |

        D:(A;;CCDC;;;SY)(A;;CCDC;;;BA)(A;;CCDC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)(A;;CC;;;AU)(A;;CC;;;AC)

| WNF_WEBA_CTAP_DEVICE_CHANGE_NOTIFY                              | S | W | N | RW | I |       0 |       4 |       0 |

        D:(A;;CCDC;;;SY)(A;;CCDC;;;BA)(A;;CCDC;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)(A;;CC;;;AU)(A;;CC;;;AC)

| WNF_PNPA_DEVNODES_CHANGED                                       | S | W | N | RO | U |       0 |       0 |      11 |

        D:(A;;CC;;;BU)(A;;CCDC;;;SY)

--snip--
```

If you want to retrieve buffer data, set the `-v` (`--value`) or `-r` (`--read`) flag.
These flags can be combined with the `-s` flag:

```
PS C:\Dev> .\SharpWnfDump.exe -d -v

| WNF State Name [WellKnown Lifetime]                             | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_WEBA_CTAP_DEVICE_STATE                                      | S | W | N | RW | I |       0 |      12 |       0 |
| WNF_WEBA_CTAP_DEVICE_CHANGE_NOTIFY                              | S | W | N | RW | I |       0 |       4 |       0 |

--snip--

| WNF_AUDC_RENDER                                                 | S | W | N | RO | U |    4096 |    4096 |       1 |

                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

        00000000 | 01 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 | ........ ........
        00000010 | 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 | ........ ........
        00000020 | 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 | ........ ........

--snip--
```

To retrieve information about all Temporary WNF State Names on your host, execute with the `-b` (`--brut`) flag:

```
PS C:\Dev> .\SharpWnfDump.exe -b

| WNF State Name [System Scope]                                   | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| 0x41C64E6DA3AC3845                                              | S | T | N | RW | A |       8 |       ? |       1 |
| 0x41C64E6DA3AC4845                                              | S | T | N | RW | A |       8 |       ? |       1 |
| 0x41C64E6DA3AC6845                                              | S | T | N | RW | A |       8 |       ? |       1 |

--snip--
```

The `-b` (`--brut`) flag can be combined with the `-v` (`--value`) or `-r` (`--read`) flag, but not with the `-s` (`--sid`) flag.

The meaning of each column in the table produced by the `--dump` or `--brut` option is as follows:

| Column Name | Description |
| :--- | :--- |
| `WNF State Name` | The WNF State Name. |
| `S` | Data scope of the WNF State Name. The letters have the following meanings:<br><br>+ `S` : System Scope<br>+ `s` : Session Scope<br>+ `U` : User Scope<br>+ `P` : Process Scope<br>+ `M` : Machine Scope<br>+ `p` : Physical Machine Scope |
| `L` | Lifetime of the WNF State Name. The letters have the following meanings:<br><br>+ `W` : Well-Known<br>+ `P` : Permanent<br>+ `V` : Persistent (Volatile)<br>+ `T` : Temporary |
| `P` | Whether the WNF State Name is permanent:<br><br>+ `Y` : Yes<br>+ `N` : No |
| `AC` | Access control for the WNF State Name:<br><br>+ `RW` : Readable and Writable<br>+ `RO` : Read-Only<br>+ `WO` : Write-Only<br>+ `NA` : Neither Readable nor Writable |
| `N` | Whether a subscriber exists:<br><br>+ `A` : Subscriber exists<br>+ `I` : No subscriber exists<br>+ `U` : Unknown |
| `CurSize` | Current buffer size used by the WNF State Name. |
| `MaxSize` | Maximum buffer size that can be used by the WNF State Name. |
| `Changes` | How many times the state data has been updated. |

If you want to retrieve information about a specific WNF State Name, execute `SharpWnfDump.exe` with the `-i` (`--info`) option as follows:

```
PS C:\Dev> .\SharpWnfDump.exe -i WNF_SHEL_APPRESOLVER_SCAN

| WNF State Name                                                  | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_SHEL_APPRESOLVER_SCAN                                       | S | W | N | RW | A |       4 |       4 |       1 |
```

The `-i` (`--info`) option can be combined with the `-v` (`--value`), `-r` (`--read`), and `-s` (`--sid`) flags:

```
PS C:\Dev> .\SharpWnfDump.exe -i WNF_SHEL_APPRESOLVER_SCAN -s -v

| WNF State Name                                                  | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_SHEL_APPRESOLVER_SCAN                                       | S | W | N | RW | A |       4 |       4 |       1 |

        D:(A;;CC;;;WD)(A;;CCDC;;;AU)(A;;CCDC;;;AC)

                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

        00000000 | 01 00 00 00                                     | ....
```

To read data from a specific WNF State Name, use the `-r` (`--read`) flag as follows:

```
PS C:\Dev> .\SharpWnfDump.exe -r WNF_SHEL_APPRESOLVER_SCAN

WNF_SHEL_APPRESOLVER_SCAN:

        00000000 | 11 00 00 00                                     | ....

```

To write data to a specific WNF State Name, use the `-w` (`--write`) flag as follows (the data to write must be provided in a file):

```
PS C:\Dev> "hi" | Out-File -Encoding ascii -FilePath C:\Dev\test.txt
PS C:\Dev> Get-Content -Path C:\Dev\test.txt
hi
PS C:\Dev> .\SharpWnfDump.exe -w WNF_SHEL_APPRESOLVER_SCAN C:\Dev\test.txt

[>] Trying to write data.
    [*] Target WNF Name : WNF_SHEL_APPRESOLVER_SCAN
    [*] Data Source     : C:\Dev\test.txt
[+] Data is written successfully.

PS C:\Dev> .\SharpWnfDump.exe -i WNF_SHEL_APPRESOLVER_SCAN -r

| WNF State Name                                                  | S | L | P | AC | N | CurSize | MaxSize | Changes |
----------------------------------------------------------------------------------------------------------------------
| WNF_SHEL_APPRESOLVER_SCAN                                       | S | W | N | RW | A |       4 |       4 |       2 |

                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

        00000000 | 68 69 0D 0A                                     | hi..
```


### SharpWnfNameDumper

[Back to Top](#sharpwnfsuite)

[Project](./SharpWnfSuite/SharpWnfNameDumper)

This tool dumps Well-Known State Names from a DLL (typically perf_nt_c.dll).
Equivalent to [WnfNameDumper.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfNameDumper.py).

Typically, Well-Known State Names are contained in perf_nt_c.dll (it ships with the Windows Performance Analyzer).
To dump Well-Known State Names from a DLL, execute `SharpWnfNameDumper.exe` with the `-d` (`--dump`) option as follows:

```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll

[>] Output results in C# style.

public enum WELL_KNOWN_WNF_NAME : ulong
{
    WNF_9P_REDIRECTOR_STARTED = 0x41C61E54A3BC1075UL,
    WNF_9P_UNKNOWN_DISTRO_NAME = 0x41C61E54A3BC0875UL,

--snip--
```

If you want to dump the description of each Well-Known State Name as well, set the `-v` flag:

```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll -v

[>] Output results in C# style.

public enum WELL_KNOWN_WNF_NAME : ulong
{
    // The Plan 9 Redirector was started and is ready to accept requests.
    WNF_9P_REDIRECTOR_STARTED = 0x41C61E54A3BC1075UL,
    // The Plan 9 Redirector got a request for an unknown WSL distribution and there is no user callback registered to query it.
    WNF_9P_UNKNOWN_DISTRO_NAME = 0x41C61E54A3BC0875UL,

--snip--
```

To specify the output format, use the `-f` (`--format`) option. `SharpWnfNameDumper.exe` supports C#, C (`-f c`) and Python (`-f py`) formats (the default format is C#):

```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll -f py

[>] Output results in Python style.

g_WellKnownWnfNames = {
    "WNF_9P_REDIRECTOR_STARTED": 0x41C61E54A3BC1075,
    "WNF_9P_UNKNOWN_DISTRO_NAME": 0x41C61E54A3BC0875,

--snip--
```

To write the result to a file, use the `-o` (`--output`) option to specify the output file path:

```
PS C:\Dev> .\SharpWnfNameDumper.exe -d perf_nt_c.dll -o result.txt

[>] Output results in C# style.


C:\dev>type result.txt
public enum WELL_KNOWN_WNF_NAME : ulong
{
    WNF_9P_REDIRECTOR_STARTED = 0x41C61E54A3BC1075UL,
    WNF_9P_UNKNOWN_DISTRO_NAME = 0x41C61E54A3BC0875UL,

--snip--
```

To take a diff between two DLLs, use the `-D` (`--diff`) option:

```
PS C:\Dev> .\SharpWnfNameDumper.exe -D perf_nt_c_old.dll perf_nt_c_new.dll

[>] Output results in C# style.

################################################
#                   NEW KEYS                   #
################################################


public enum WELL_KNOWN_WNF_NAME : ulong
{
    WNF_SHEL_CHAT_ICON_BADGE = 0x0D83063EA3B8A035UL,
    WNF_SHEL_ENTERPRISE_START_PINS_POLICY_VALUE_CHANGED = 0x0D83063EA3B89475UL,
    WNF_SHEL_FILE_EXPLORER_PINNED_FOLDERS = 0x0D83063EA3B8ACF5UL,
    WNF_SHEL_MAC_AUTO_UPDATE_SUCCEEDED = 0x0D83063EA3B89875UL
}
```


### SharpWnfClient

[Back to Top](#sharpwnfsuite)

[Project](./SharpWnfSuite/SharpWnfClient)

This is a tool for subscribing to a WNF State Name.
Equivalent to [wnfclient-rtl.exe](https://github.com/ionescu007/wnfun/blob/master/wnftools_x64/wnfclient-rtl.exe) and [WnfClientServer.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfClientServer.py).

For example, if you want to monitor the state of `WNF_SHEL_APPLICATION_STARTED`, execute `SharpWnfClient.exe` as follows:

```
PS C:\Dev> .\SharpWnfClient.exe WNF_SHEL_APPLICATION_STARTED

[>] Received data from server.
    [*] Timestamp : 4
    [*] Buffer Size : 92 byte(s)
    [*] Data :

                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

        00000000 | 61 00 3A 00 6D 00 69 00-63 00 72 00 6F 00 73 00 | a.:.m.i. c.r.o.s.
        00000010 | 6F 00 66 00 74 00 2E 00-77 00 69 00 6E 00 64 00 | o.f.t... w.i.n.d.
        00000020 | 6F 00 77 00 73 00 74 00-65 00 72 00 6D 00 69 00 | o.w.s.t. e.r.m.i.
        00000030 | 6E 00 61 00 6C 00 5F 00-38 00 77 00 65 00 6B 00 | n.a.l._. 8.w.e.k.
        00000040 | 79 00 62 00 33 00 64 00-38 00 62 00 62 00 77 00 | y.b.3.d. 8.b.b.w.
        00000050 | 65 00 21 00 61 00 70 00-70 00 00 00             | e.!.a.p. p...
```

Then, if you start the Notepad application, you should see the following result:

```
[>] Received data from server.
    [*] Timestamp : 5
    [*] Buffer Size : 90 byte(s)
    [*] Data :

                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

        00000000 | 61 00 3A 00 6D 00 69 00-63 00 72 00 6F 00 73 00 | a.:.m.i. c.r.o.s.
        00000010 | 6F 00 66 00 74 00 2E 00-77 00 69 00 6E 00 64 00 | o.f.t... w.i.n.d.
        00000020 | 6F 00 77 00 73 00 6E 00-6F 00 74 00 65 00 70 00 | o.w.s.n. o.t.e.p.
        00000030 | 61 00 64 00 5F 00 38 00-77 00 65 00 6B 00 79 00 | a.d._.8. w.e.k.y.
        00000040 | 62 00 33 00 64 00 38 00-62 00 62 00 77 00 65 00 | b.3.d.8. b.b.w.e.
        00000050 | 21 00 61 00 70 00 70 00-00 00                   | !.a.p.p. ..
```


### SharpWnfServer

[Back to Top](#sharpwnfsuite)

[Project](./SharpWnfSuite/SharpWnfServer)

This tool creates a temporary-lifetime WNF State Name and sends messages to its subscribers.
Equivalent to [wnfserver.exe](https://github.com/ionescu007/wnfun/blob/master/wnftools_x64/wnfserver.exe) and [WnfClientServer.py](https://github.com/ionescu007/wnfun/blob/master/script_python/WnfClientServer.py).

To start a new WNF State Name server, simply execute `SharpWnfServer.exe`. You should enter an interactive shell as follows:

```
PS C:\Dev> .\SharpWnfServer.exe

[+] New WNF State Name is created successfully : 0x41C64E6DA3834945

Encoded State Name: 0x41C64E6DA3834945, Decoded State Name: 0x3F4931
    Version: 1, Lifetime: Temporary, Scope: Machine, Permanent: NO, Sequence Number: 0x7E9, Owner Tag: 0x0

Sending input data to WNF subscriber...

[INPUT]>
```

After executing `SharpWnfServer.exe`, execute `SharpWnfClient.exe` from another terminal with the WNF State Name printed by `SharpWnfServer.exe`. You should receive "Hello, world!" as a message from `SharpWnfServer.exe`:

```
PS C:\Dev> .\SharpWnfClient.exe 0x41C64E6DA3834945

[>] Received data from server.
    [*] Timestamp : 1
    [*] Buffer Size : 13 byte(s)
    [*] Data :

                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

        00000000 | 48 65 6C 6C 6F 2C 20 77-6F 72 6C 64 21          | Hello,.w orld!
```

To publish an additional message to `SharpWnfClient.exe`, enter your message in the interactive shell of `SharpWnfServer.exe`:

```
[INPUT]> This is WNF test
Sending input data to WNF subscriber...

[INPUT]>
```

Then, you should see the message in the terminal of `SharpWnfClient.exe` as follows:

```
[>] Received data from server.
    [*] Timestamp : 2
    [*] Buffer Size : 16 byte(s)
    [*] Data :

                   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

        00000000 | 54 68 69 73 20 69 73 20-57 4E 46 20 74 65 73 74 | This.is. WNF.test
```


### SharpWnfScan

[Back to Top](#sharpwnfsuite)

[Project](./SharpWnfSuite/SharpWnfScan)

This tool is based on [modexp](https://twitter.com/modexpblog)'s [wnfscan](https://github.com/odzhan/injection/blob/master/wnf/wnfscan.c), and dumps WNF subscription information from a process.

```
PS C:\Dev> .\SharpWnfScan.exe -h

SharpWnfScan - Tool for dumping WNF information from process.

Usage: SharpWnfScan.exe [Options]

        -h, --help        : Displays this help message.
        -p, --pid         : Specifies the target PID.
        -P, --processname : Specifies the target process name.
        -n, --name        : Specifies a wnf state name for filtering.
        -a, --all         : Flag to dump information from all process.
        -l, --list        : Flag to list WNF State Name on this system.
        -d, --debug       : Flag to enable SeDebugPrivilege. Administrative privilege is required.
        -v, --verbose     : Flag to get verbose information.
```

To dump a specific process, set the `-p` option as follows:

```
PS C:\Dev> .\SharpWnfScan.exe -p 5800

Process ID      : 5800
Image File Name : C:\Windows\explorer.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x0000000001206660

    WNF_NAME_SUBSCRIPTION @ 0x0000000001206B00
    StateName : 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)

    WNF_NAME_SUBSCRIPTION @ 0x000000000120AD10
    StateName : 0x418B1929A3BC3835 (WNF_DWM_DUMP_REQUEST)

    WNF_NAME_SUBSCRIPTION @ 0x0000000005099950
    StateName : 0x41960A2EA3BC1835 (WNF_CDP_CDPUSERSVC_READY)

--snip--
```

If you want to get WNF_USER_SUBSCRIPTION information, set the `-v` flag as follows:

```
PS C:\Dev> .\SharpWnfScan.exe -p 5800 -v

Process ID      : 5800
Image File Name : C:\Windows\explorer.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x0000000001206660

    WNF_NAME_SUBSCRIPTION @ 0x0000000001206B00
    StateName : 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)

        WNF_USER_SUBSCRIPTION @ 0x0000000001206A40
        Callback @ 0x00007FFE88478470 (ntdll!RtlNotifyFeatureUsage+0x1C0)
        Context  @ 0x00007FFE886F0B20 (ntdll!NlsAnsiCodePage+0x2390)

    WNF_NAME_SUBSCRIPTION @ 0x000000000120AD10
    StateName : 0x418B1929A3BC3835 (WNF_DWM_DUMP_REQUEST)

        WNF_USER_SUBSCRIPTION @ 0x0000000001207FD0
        Callback @ 0x00007FF7073027C0 (explorer)
        Context  @ 0x0000000001208CC0 (N/A)

--snip--
```

You can specify target processes by name with the `-P` option:

```
PS C:\Dev> .\SharpWnfScan.exe -P notepad

Process ID      : 8720
Image File Name : C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2401.26.0_arm64__8wekyb3d8bbwe\Notepad\Notepad.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x000001DE2B007560

    WNF_NAME_SUBSCRIPTION @ 0x000001DE2B02D640
    StateName : 0x41C61629A3BC2835 (WNF_DX_MONITOR_CHANGE_NOTIFICATION)

    WNF_NAME_SUBSCRIPTION @ 0x000001DE2B03E040
    StateName : 0x41950223A3BC1035 (WNF_NLS_USER_UILANG_CHANGED)

--snip--
```

To filter by state name, pass either a hex value or a Well-Known WNF name string to the `-n` option as follows:

```
PS C:\Dev> .\SharpWnfScan.exe -P notepad -n WNF_RPCF_FWMAN_RUNNING

Process ID      : 8720
Image File Name : C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2401.26.0_arm64__8wekyb3d8bbwe\Notepad\Notepad.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x000001DE2B007560

    WNF_NAME_SUBSCRIPTION @ 0x000001DE2B075040
    StateName : 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)


PS C:\Dev> .\SharpWnfScan.exe -P notepad -n 0x07851E3FA3BC0875

Process ID      : 8720
Image File Name : C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2401.26.0_arm64__8wekyb3d8bbwe\Notepad\Notepad.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x000001DE2B007560

    WNF_NAME_SUBSCRIPTION @ 0x000001DE2B075040
    StateName : 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)
```

To dump all processes at once, use the `-a` option:

```
PS C:\Dev> .\SharpWnfScan.exe -a

Process ID      : 1180
Image File Name : C:\Windows\System32\svchost.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x000002101A806560

    WNF_NAME_SUBSCRIPTION @ 0x000002101A830120
    StateName : 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86C1C0
    StateName : 0x41C64E6DA3B0E045 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A833C50
    StateName : 0x41C64E6DA3BC6145 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A846A50
    StateName : 0x41C64E6DA3BD0945 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86CA00
    StateName : 0x41C64E6DA3BB8045 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A806A00
    StateName : 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86C4C0
    StateName : 0x41C64E6DA3B1E045 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86C700
    StateName : 0x41C64E6DA3A0F945 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A830EE0
    StateName : 0x4195003AA3BC0875 (WNF_WNS_CONNECTIVITY_STATUS)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86C880
    StateName : 0x41C6072FA3BC3875 (WNF_BI_APPLICATION_SERVICING_START_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86CC40
    StateName : 0x41C6072FA3BC1875 (WNF_BI_USER_LOGOFF_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A835E90
    StateName : 0x41C6072FA3BC1075 (WNF_BI_USER_LOGON_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86CD00
    StateName : 0x41C6072FA3BC2875 (WNF_BI_SESSION_DISCONNECT_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86CAC0
    StateName : 0x41C6072FA3BC2075 (WNF_BI_SESSION_CONNECT_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86C940
    StateName : 0x41840B3EA3BC2075 (WNF_SEB_NETWORK_STATE_CHANGES)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A853920
    StateName : 0x41C6072FA3BC3075 (WNF_BI_APPLICATION_UNINSTALL_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A836040
    StateName : 0x41C6072FA3BC4875 (WNF_BI_LOCK_SCREEN_UPDATE_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86C580
    StateName : 0x41C6072FA3BC4075 (WNF_BI_APPLICATION_SERVICING_STOP_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A833B80
    StateName : 0x41C6072FA3BC6075 (WNF_BI_QUIET_MODE_UPDATE_CHANNEL)

    WNF_NAME_SUBSCRIPTION @ 0x000002101A86C400
    StateName : 0x41C6072FA3BC5075 (WNF_BI_EVENT_DELETION)

Process ID      : 2952
Image File Name : C:\Windows\System32\svchost.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x0000023DD3A065C0

    WNF_NAME_SUBSCRIPTION @ 0x0000023DD3AF8B80
    StateName : 0x41C64E6DA3B1E045 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x0000023DD3AF8C40
    StateName : 0x41C64E6DA3BC6145 (N/A)

--snip--
```

To enable `SeDebugPrivilege`, set the `-d` flag as follows.
This option requires administrative privilege:

```
PS C:\Dev> .\SharpWnfScan.exe -d -P winlogon

[+] SeDebugPrivilege is enabled successfully.

Process ID      : 680
Image File Name : C:\Windows\System32\winlogon.exe
Architecture    : ARM64

WNF_SUBSCRIPTION_TABLE @ 0x00000265F4E05F80

    WNF_NAME_SUBSCRIPTION @ 0x00000265F4E48AE0
    StateName : 0x41C64E6DA3BC6145 (N/A)

    WNF_NAME_SUBSCRIPTION @ 0x00000265F4E27AD0
    StateName : 0x41C61629A3BC1035 (WNF_DX_MODE_CHANGE_NOTIFICATION)

--snip--
```

To list the WNF State Names in use on the target system, set the `-l` flag as follows:

```
PS C:\Dev> .\SharpWnfScan.exe -l

[>] Trying to list WNF State Names used in this system. Wait a moment.

[1304 WNF State Names]

[*] 0x07851E3FA3BC0875 (WNF_RPCF_FWMAN_RUNNING)
[*] 0x41C64E6DA3B0E045 (N/A)
[*] 0x41C64E6DA3BC6145 (N/A)
[*] 0x41C64E6DA3BD0945 (N/A)
[*] 0x41C64E6DA3BB8045 (N/A)
[*] 0x0280032EA3BC0875 (WNF_CMFC_FEATURE_CONFIGURATION_CHANGED)
[*] 0x41C64E6DA3B1E045 (N/A)

--snip--

[16 Access Denied Processes]

[*] svchost (PID : 2352)
[*] svchost (PID : 4952)
[*] MsMpEng (PID : 3132)

--snip--

[*] Done.
```


### SharpWnfInject

[Back to Top](#sharpwnfsuite)

[Project](./SharpWnfSuite/SharpWnfInject)

This tool is for investigating how attackers can abuse WNF as a code injection technique:

```
PS C:\Dev> .\SharpWnfInject.exe -h

SharpWnfInject - Tool to investigate WNF code injection technique.

Usage: SharpWnfInject.exe [Options]

        -h, --help  : Displays this help message.
        -n, --name  : Specifies WNF State Name to inject. Hex format or Well-known name format is accepted.
        -p, --pid   : Specifies PID to inject.
        -i, --input : Specifies the file path to shellcode.
        -d, --debug : Flag to enable SeDebugPrivilege. Requires administrative privilege.

[!] -n option is required.
```

This tool overwrites the callback function pointer in the `WNF_USER_SUBSCRIPTION` for a specific WNF State Name.
The code injection technique does not work for every WNF State Name.
For example, this technique is known to work with `WNF_SHEL_WINDOWSTIP_CONTENT_PUBLISHED`, which is used by `explorer.exe` in Windows 11 23H2.
To test this technique, execute the tool as follows:

```
PS C:\Dev> .\SharpWnfInject.exe -p 5800 -n WNF_SHEL_WINDOWSTIP_CONTENT_PUBLISHED -i .\notepad_arm64.bin

[*] Target WNF State Name is 0x0D83063EA3BE10F5 (WNF_SHEL_WINDOWSTIP_CONTENT_PUBLISHED).
[+] Got a handle from the target Process
    [*] Process Name    : explorer.exe
    [*] Process ID      : 5800
    [*] Image File Name : C:\Windows\explorer.exe
    [*] Architecture    : ARM64
[+] Pointer for WNF_SUBSCRIPTION_TABLE is at 0x00007FFE886F4E20.
[+] WNF_SUBSCRIPTION_TABLE is at 0x0000000001206660.
[*] WNF_NAME_SUBSCRIPTION is at 0x0000000001273540.
[+] Got 1 WNF_USER_SUBSCRIPTION.
[*] Target callback pointer is at 0x00000000051C2250.
[*] Callback function is at 0x00007FFE54FD4D20 (twinui!DllGetClassObject+0x11AFF0).
[+] Shellcode buffer is at 0x0000000003270000.
[+] 344 bytes shellcode is written successfully.
[+] Callback pointer is overwritten successfully.
[>] Triggering shellcode.
[+] WNF State Data is updated successfully. Shellcode might be executed.
[+] Callback pointer is reverted successfully.
[*] Done.
```

![](./figures/SharpWnfInject.png)

If you want to enable `SeDebugPrivilege`, set the `-d` flag and execute with administrative privilege.
Sample shellcodes that launch notepad are located in the [Shellcode directory](./SharpWnfSuite/Shellcode).


## KernelPrimitive

[Back to Top](#sharpwnfsuite)

Projects in this directory demonstrate the WNF primitive for kernel exploitation.
You can read the detailed information in [Alex Plaskett](https://twitter.com/alexjplaskett)'s talk and blogs ([Part 1](https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/), [Part 2](https://research.nccgroup.com/2021/08/17/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-2/), [Slides](https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kernel-with-nfts-and-wnf-slides/)).

Reliability of the PoC is not 100%.
I defined kernel offsets for all versions of Windows 10 x64, but only tested on Windows 10 Version 1903 x64.

| Project | Description |
| :--- | :--- |
| [PoolVulnDrv](./KernelPrimitive/PoolVulnDrv/) | This is a vulnerable kernel driver to test the WNF kernel primitive. |
| [WnfPoolOverflow](./KernelPrimitive/WnfPoolOverflow/) | This is a PoC to exploit PoolVulnDrv. |

![WnfPrimitive.png](./figures/WnfPrimitive.png)


## WnfCallbackPayload

This directory contains documents and sample code to build your own WNF callback shellcode.
See [README.md](./WnfCallbackPayload/README.md).


## Reference

[Back to Top](#sharpwnfsuite)

+ [Windows Notification Facility: Peeling the Onion of the Most Undocumented Kernel Attack Surface Yet](https://www.youtube.com/watch?v=MybmgE95weo)
+ [Playing with the Windows Notification Facility (WNF)](https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html)
+ [wnfun](https://github.com/ionescu007/wnfun)
+ [Windows Process Injection : Windows Notification Facility](https://modexp.wordpress.com/2019/06/15/4083/)
+ [New WNF User Subscription Structures in Windows 11](https://mishap.dev/posts/new-wnf-user-subscription-structures-in-w11/)
+ [CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1](https://research.nccgroup.com/2021/07/15/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-1/)
+ [CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2](https://research.nccgroup.com/2021/08/17/cve-2021-31956-exploiting-the-windows-kernel-ntfs-with-wnf-part-2/)
+ [POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides](https://research.nccgroup.com/2021/11/15/poc2021-pwning-the-windows-10-kernel-with-nfts-and-wnf-slides/)

## Acknowledgments

[Back to Top](#sharpwnfsuite)

Thanks for your research:

+ Alex Ionescu ([@aionescu](https://twitter.com/aionescu))
+ Gabrielle Viala ([@pwissenlit](https://twitter.com/pwissenlit))
+ odzhan ([@modexpblog](https://twitter.com/modexpblog))
+ Alex Plaskett ([@alexjplaskett](https://twitter.com/alexjplaskett))

Thanks for your help:

+ mishap ([@oopsmishap](https://twitter.com/oopsmishap))