NtQueryWnfStateData in ntdll.dll

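// Define the function pointer type (StateName is passed by pointer)
typedef NTSTATUS (NTAPI *pNtQueryWnfStateData)(
    const WNF_STATE_NAME *StateName,
    PVOID TypeId,          // optional, may be NULL
    PVOID ExplicitScope,   // optional, may be NULL
    PULONG ChangeStamp,
    PVOID StateData,
    PULONG StateDataSize   // in: buffer size, out: data size
);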

Researchers use functions like NtUpdateWnfStateData (and query with NtQueryWnfStateData) to spray the kernel's non-paged pool with attacker-controlled data. Because you can control the size and content of these WNF objects, they are perfect for creating precise "paddings" in memory to facilitate buffer overflows.

Have you used WNF in a project? Share your experience or a discovered WNF state name in the comments below (or on social media with #WNF #WindowsInternals).

NtQueryWnfStateData is a native API, meaning it must be accessed via dynamic invocation (DInvoke) or by defining the function signature yourself in C/C++.

One interesting use of WNF is monitoring microphone access. When any application starts using the microphone, Windows publishes a WNF notification containing the process ID (PID) of the application. A kernel‑mode driver can subscribe to this state change and receive real‑time alerts about microphone usage. While this requires kernel‑mode code, NtQueryWnfStateData can be used in user mode to query the current microphone state if the appropriate state name is known.
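A user-mode read of one WNF state, as an added example that is not code from the original page: it resolves the export from ntdll.dll at run time and regrows the buffer when the call reports it is too small. The helper names (`wnf_read`, `wnf_resolve`, `fake_query`) are hypothetical, the state name is supplied by the caller because the page gives none, and the example assumes the call returns STATUS_BUFFER_TOO_SMALL with the required size written back.

```c
#include <stdint.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>                 /* NTSTATUS */
#else                                 /* stand-ins so the logic also builds off Windows */
typedef int32_t NTSTATUS; typedef uint32_t ULONG;
#define NTAPI
#endif
#define WNF_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023u)   /* STATUS_BUFFER_TOO_SMALL */
typedef struct { uint32_t Data[2]; } WNF_STATE_NAME;   /* opaque 64-bit state name */
typedef NTSTATUS (NTAPI *pNtQueryWnfStateData)(const WNF_STATE_NAME *StateName,
    const void *TypeId, const void *ExplicitScope, ULONG *ChangeStamp,
    void *Buffer, ULONG *BufferSize);

/* Constructed stand-in for the export: a 200-byte state at change stamp 7. */
NTSTATUS NTAPI fake_query(const WNF_STATE_NAME *n, const void *t, const void *s,
                          ULONG *stamp, void *buf, ULONG *size) {
    ULONG have = *size; (void)n; (void)t; (void)s; (void)buf;
    *size = 200; *stamp = 7;
    return have < 200 ? WNF_BUFFER_TOO_SMALL : 0;
}

/* The real export resolved at run time on Windows; the stand-in elsewhere. */
pNtQueryWnfStateData wnf_resolve(void) {
#ifdef _WIN32
    return (pNtQueryWnfStateData)(void *)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "NtQueryWnfStateData");
#else
    return fake_query;
#endif
}

/* Read one state into a malloc'd buffer (caller frees); NULL on failure, status in *st. */
void *wnf_read(pNtQueryWnfStateData query, uint64_t name, ULONG *stamp,
               ULONG *size, NTSTATUS *st) {
    WNF_STATE_NAME sn = { { (uint32_t)name, (uint32_t)(name >> 32) } };
    ULONG cap = 64;
    *st = (NTSTATUS)0xC000000Du;                 /* STATUS_INVALID_PARAMETER */
    for (int tries = 0; query && tries < 4; tries++) {  /* data can grow between calls */
        void *buf = calloc(1, cap);
        if (!buf) return NULL;
        *size = cap;
        *st = query(&sn, NULL, NULL, stamp, buf, size);
        if (*st >= 0) return buf;                /* NT_SUCCESS: *size is the data length */
        free(buf);
        if (*st != WNF_BUFFER_TOO_SMALL || *size <= cap) return NULL;
        cap = *size;                             /* required size was written back */
    }
    return NULL;
}
```

On Windows, call `wnf_read(wnf_resolve(), name, &stamp, &size, &status)` with a state name you already know; a change stamp that differs from the previous read means the state was republished in between.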