Dumping DPC Queues: Adventures in HIGH_LEVEL IRQL
17 January 2020 at 23:30
This post is part of the Practical Reverse Engineering Exercises series.
To understand more about the basics of DPCs, read Reversing KeInsertQueueDpc
(Source code below.)
Exercise: Write a driver to enumerate all DPCs on the entire system. Make sure you support multi-processor systems! Explain the difficulties and how you solved them.
Sounds fun! let’s start. I thought about dividing this post to 2 posts, but nah
Using Undocumented APIs in Windows First of all, we need to understand that accessing the DPC queue from a real product is an extremely bad idea because it’s a pretty undocumented data structure.