DRAFT: Take more than your usual care.
SERVER_SILO_MONITOR
The SERVER_SILO_MONITOR (formally _SERVER_SILO_MONITOR) represents a registered monitor of server silos in the first two releases of Windows 10. A driver or other kernel-mode software calls the PsRegisterMonitorServerSilo function to express its interest in what’s done with server silos. This creates a SERVER_SILO_MONITOR whose address can then be used when calling several other functions.
The substantial reworking of the silo implementation for Version 1607 discontinued the PsRegisterMonitorServerSilo function in favour of a new PsRegisterSiloMonitor which, among other differences, creates a SILO_MONITOR instead.
Documentation Status
Microsoft is not known ever to have documented the SERVER_SILO_MONITOR or to have published a C-language definition or even to have let a definition slip out as type information in symbol files.
Microsoft’s name for the structure is known from the NTOSP.H headers which Microsoft published, possibly by oversight, in the Windows Driver Kit (WDK) for the original and 1511 releases of Windows 10. It is there defined only as an opaque type. Public symbol files for the kernel in these versions also name the structure in type information, but only from its declaration, not as a definition.
Variability
The SERVER_SILO_MONITOR likely would have been highly susceptible to changing between builds had it persisted. Even during its short life, it changed size when one member was removed:
Version | Size (x86) | Size (x64) |
---|---|---|
10.0 | 0x48 | 0x80 |
1511 | 0x40 | 0x70 |
Layout
Microsoft’s names and types of the structure’s members are not known. Type information in the public symbol files for the kernel shows only the structure’s name as a declaration, not its members from a definition.
Offset (x86) | Offset (x64) | Definition | Versions |
---|---|---|---|
0x00 | 0x00 | unknown LIST_ENTRY | 10.0 to 1511 |
0x08 (10.0) | 0x10 (10.0) | unknown LIST_ENTRY | 10.0 only |
0x10 (10.0); 0x08 | 0x20 (10.0); 0x10 | unknown 32-bit tag | 10.0 to 1511 |
0x14 (10.0); 0x0C | 0x24 (10.0); 0x14 | unknown 32-bit flags | 10.0 to 1511 |
0x18 (10.0); 0x10 | 0x28 (10.0); 0x18 | unknown 32-bit reference count | 10.0 to 1511 |
0x1C (10.0); 0x14 | 0x30 (10.0); 0x20 | unknown EX_RUNDOWN_REF | 10.0 to 1511 |
0x20 (10.0); 0x18 | 0x38 (10.0); 0x28 | NTSTATUS (*CreateCallback) (PESILO); | 10.0 to 1511 |
0x24 (10.0); 0x1C | 0x40 (10.0); 0x30 | VOID (*TerminateCallback) (PESILO, PVOID); | 10.0 to 1511 |
0x28 (10.0); 0x20 | 0x48 (10.0); 0x38 | VOID (*DriverLoadCallback) (PESILO, PVOID); | 10.0 to 1511 |
0x2C (10.0); 0x24 | 0x50 (10.0); 0x40 | VOID (*DriverUnloadCallback) (PESILO, PVOID); | 10.0 to 1511 |
0x30 (10.0); 0x28 | 0x58 (10.0); 0x48 | VOID (*ContextCleanupCallback) (PVOID); | 10.0 to 1511 |
0x34 (10.0); 0x2C | 0x60 (10.0); 0x50 | unknown UNICODE_STRING | 10.0 to 1511 |
0x3C (10.0); 0x34 | 0x70 (10.0); 0x60 | unknown pointer to DRIVER_OBJECT | 10.0 to 1511 |
0x40 (10.0); 0x38 | 0x78 (10.0); 0x68 | unknown 32-bit index | 10.0 to 1511 |
0x44 (10.0); 0x3C | 0x7C (10.0); 0x6C | unknown BOOLEAN | 10.0 to 1511 |
0x45 (10.0); 0x3D | 0x7D (10.0); 0x6D | BOOLEAN UsePagedPoolForContexts; | 10.0 to 1511 |
For a few members, names and types are proposed above by inferring a correspondence with members of another structure for which Microsoft’s names and types are known with certainty. The NTOSP.H that Microsoft disclosed, possibly by oversight, in the Windows Driver Kit (WDK) for both the original and 1511 releases of Windows 10 has a C-language definition of the SERVER_SILO_MONITOR_REGISTRATION structure. This is among the inputs to PsRegisterMonitorServerSilo. That Microsoft’s programmers keep the names when transferring into the lasting SERVER_SILO_MONITOR is at least plausible.
These NTOSP.H headers have type definitions for the several callbacks:
- PSERVER_SILO_MONITOR_CREATE_CALLBACK
- PSERVER_SILO_MONITOR_TERMINATE_CALLBACK
- PSERVER_SILO_MONITOR_DRIVER_LOAD_CALLBACK
- PSERVER_SILO_MONITOR_DRIVER_UNLOAD_CALLBACK
- PSERVER_SILO_MONITOR_CONTEXT_CLEANUP_CALLBACK
They also both define the PESILO type, which is an argument to most of the callbacks, as a pointer to an otherwise undefined structure named _ESILO. To some extent it doesn’t matter, but this type definition of PESILO is correct only for the original Windows 10. By the 1511 release the ESILO exists no more and the PESILO actually points to an EJOB.
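As an added example that is not from the page nor from Microsoft, the following C reconstructs the layout tabulated above for both builds (the original Windows 10 and the 1511 release) and checks every offset and the two sizes against the table at compile time, for either pointer width. The callback type names are the ones from NTOSP.H listed above and the member name UsePagedPoolForContexts is the one inferred on the page; all other member names (Tag, Flags, ReferenceCount, RundownRef, Name, DriverObject, Index, UnknownFlag, ListEntry2) are placeholders chosen here, as are the minimal stand-ins for the Windows types, which are shaped only so that their sizes and alignments match the real ones. PESILO is left as an opaque pointer, which sidesteps the ESILO-versus-EJOB question for the purpose of checking offsets.

```c
/* Added example: reconstruction of SERVER_SILO_MONITOR from the layout table,
 * with compile-time checks. Member names other than the callbacks and
 * UsePagedPoolForContexts are placeholders, not Microsoft's names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Windows types, sized and aligned like the originals,
 * so that this builds without the WDK. */
typedef uint32_t ULONG;
typedef uint8_t  BOOLEAN;
typedef int32_t  NTSTATUS;
typedef void    *PVOID;
typedef void    *PESILO;   /* opaque here; from 1511 the page says it really points to an EJOB */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _UNICODE_STRING { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef union _EX_RUNDOWN_REF { ULONG Count; PVOID Ptr; } EX_RUNDOWN_REF;
struct _DRIVER_OBJECT;

/* Callback types as named in NTOSP.H; prototypes follow the table. */
typedef NTSTATUS (*PSERVER_SILO_MONITOR_CREATE_CALLBACK)(PESILO);
typedef void (*PSERVER_SILO_MONITOR_TERMINATE_CALLBACK)(PESILO, PVOID);
typedef void (*PSERVER_SILO_MONITOR_DRIVER_LOAD_CALLBACK)(PESILO, PVOID);
typedef void (*PSERVER_SILO_MONITOR_DRIVER_UNLOAD_CALLBACK)(PESILO, PVOID);
typedef void (*PSERVER_SILO_MONITOR_CONTEXT_CLEANUP_CALLBACK)(PVOID);

/* Members common to both builds. EXTRA takes the second LIST_ENTRY that only
 * the original release has; its removal is what shrank the structure in 1511. */
#define SERVER_SILO_MONITOR_MEMBERS(EXTRA)                                  \
    LIST_ENTRY ListEntry;                       /* unknown LIST_ENTRY */    \
    EXTRA                                                                   \
    ULONG Tag;                                  /* unknown 32-bit tag */    \
    ULONG Flags;                                /* unknown 32-bit flags */  \
    ULONG ReferenceCount;                       /* unknown 32-bit count */  \
    EX_RUNDOWN_REF RundownRef;                  /* unknown EX_RUNDOWN_REF */\
    PSERVER_SILO_MONITOR_CREATE_CALLBACK CreateCallback;                    \
    PSERVER_SILO_MONITOR_TERMINATE_CALLBACK TerminateCallback;              \
    PSERVER_SILO_MONITOR_DRIVER_LOAD_CALLBACK DriverLoadCallback;           \
    PSERVER_SILO_MONITOR_DRIVER_UNLOAD_CALLBACK DriverUnloadCallback;       \
    PSERVER_SILO_MONITOR_CONTEXT_CLEANUP_CALLBACK ContextCleanupCallback;   \
    UNICODE_STRING Name;                        /* unknown UNICODE_STRING */\
    struct _DRIVER_OBJECT *DriverObject;        /* unknown pointer */       \
    ULONG Index;                                /* unknown 32-bit index */  \
    BOOLEAN UnknownFlag;                        /* unknown BOOLEAN */       \
    BOOLEAN UsePagedPoolForContexts;

typedef struct _SERVER_SILO_MONITOR_10240 {      /* original Windows 10 */
    SERVER_SILO_MONITOR_MEMBERS(LIST_ENTRY ListEntry2;)
} SERVER_SILO_MONITOR_10240;

typedef struct _SERVER_SILO_MONITOR_10586 {      /* 1511 release */
    SERVER_SILO_MONITOR_MEMBERS()
} SERVER_SILO_MONITOR_10586;

/* Pick the table's x86 or x64 column for the pointer width being compiled. */
#if UINTPTR_MAX > 0xFFFFFFFFu
#  define SEL(x86, x64) (x64)
#else
#  define SEL(x86, x64) (x86)
#endif

_Static_assert(sizeof(SERVER_SILO_MONITOR_10240) == SEL(0x48, 0x80), "10.0 size");
_Static_assert(sizeof(SERVER_SILO_MONITOR_10586) == SEL(0x40, 0x70), "1511 size");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10240, ListEntry2) == SEL(0x08, 0x10), "10.0 second LIST_ENTRY");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10240, Tag) == SEL(0x10, 0x20), "10.0 tag");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10586, Tag) == SEL(0x08, 0x10), "1511 tag");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10240, CreateCallback) == SEL(0x20, 0x38), "10.0 CreateCallback");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10586, CreateCallback) == SEL(0x18, 0x28), "1511 CreateCallback");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10240, DriverObject) == SEL(0x3C, 0x70), "10.0 DRIVER_OBJECT pointer");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10586, DriverObject) == SEL(0x34, 0x60), "1511 DRIVER_OBJECT pointer");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10240, UsePagedPoolForContexts) == SEL(0x45, 0x7D), "10.0 flag");
_Static_assert(offsetof(SERVER_SILO_MONITOR_10586, UsePagedPoolForContexts) == SEL(0x3D, 0x6D), "1511 flag");

/* Run-time accessors for the same facts, keyed by build number (10240 or 10586). */
size_t ServerSiloMonitorSize(unsigned build)
{
    return build == 10240 ? sizeof(SERVER_SILO_MONITOR_10240) : sizeof(SERVER_SILO_MONITOR_10586);
}

size_t ServerSiloMonitorCreateCallbackOffset(unsigned build)
{
    return build == 10240 ? offsetof(SERVER_SILO_MONITOR_10240, CreateCallback)
                          : offsetof(SERVER_SILO_MONITOR_10586, CreateCallback);
}

int main(void)
{
    printf("size: 10.0=0x%zX 1511=0x%zX\n", ServerSiloMonitorSize(10240), ServerSiloMonitorSize(10586));
    printf("CreateCallback offset: 10.0=0x%zX 1511=0x%zX\n",
           ServerSiloMonitorCreateCallbackOffset(10240), ServerSiloMonitorCreateCallbackOffset(10586));
    return 0;
}
```

The point of the static assertions is that the table's two columns are consistent with natural alignment of these members on both architectures: the padding after the 32-bit reference count before the pointer-sized EX_RUNDOWN_REF on x64, and the padding after the two BOOLEANs, account exactly for the 0x80/0x70 and 0x48/0x40 sizes listed under Variability. If a later build were found with different offsets, the mismatch would show up as a compile error rather than as a silent misread of some other member.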