@clearbluejar
Created January 10, 2023 13:31
ghidra-pyhidra-callgraphs IsSpoolerImpersonating Call Graphs

IsSpoolerImpersonating

Calling

Functions that call IsSpoolerImpersonating.

Flowchart

flowchart TD
classDef shaded fill:#339933
4["SplStartDocPrinter"]:::shaded --> 3
0["LcmStartDocPort"]:::shaded --> 1["IsSpoolerImpersonating"]
2["PrintingDirectlyToPort"] --> 1
3["InternalStartDocPrinter"] --> 2

Entrypoints

A condensed view, showing only entrypoints to the callgraph.

flowchart TD
classDef shaded fill:#339933
1["SplStartDocPrinter"]:::shaded --> root["IsSpoolerImpersonating"]
0["LcmStartDocPort"]:::shaded --> root["IsSpoolerImpersonating"]

Called

Functions that IsSpoolerImpersonating calls.

Flowchart

flowchart LR
classDef shaded fill:#339933
0 --> 13["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::GetCurrentProcess"]:::shaded
0 --> 7["SPOOLSS.DLL::DllAllocSplMem"]:::shaded
0 --> 9["WPP_SF_d"]
12 --> 22["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoUninitialize"]:::shaded
16 --> 14:::shaded
33 --> 61["FUN_180055b38"]
23 --> 46["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::SetEvent"]:::shaded
0 --> 2["SPOOLSS.DLL::DllFreeSplMem"]:::shaded
36 --> 47:::shaded
12 --> 16["WPP_SF_SS"]
62 --> 38
26 --> 10:::shaded
32 --> 55["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::CreateEventW"]:::shaded
32 --> 60["API-MS-WIN-CORE-THREADPOOL-L1-2-0.DLL::CreateThreadpoolTimer"]:::shaded
35 --> 5:::shaded
43 --> 45["MSVCRT.DLL::malloc"]:::shaded
0["IsSpoolerImpersonating"] --> 1["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::OpenProcessToken"]:::shaded
19 --> 42["_callnewh"]
36 --> 46:::shaded
36 --> 66["API-MS-WIN-CORE-SYNCH-L1-2-0.DLL::Sleep"]:::shaded
12 --> 24["InitPreferMultithreaded"]
12 --> 33["Update"]
24 --> 51["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoInitializeEx"]:::shaded
29 --> 14:::shaded
12 --> 27["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoCreateInstance"]:::shaded
33 --> 19
61 --> 38
32 --> 58["SleepTimerCallback"]
12 --> 23["LeaveSplSem"]
12 --> 30["Reset"]
12 --> 19["operator_new"]
30 --> 53["`vector_destructor_iterator'"]
6 --> 14["NTDLL.DLL::EtwTraceMessage"]:::shaded
0 --> 3["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::OpenThreadToken"]:::shaded
36 --> 65["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::WaitForSingleObject"]:::shaded
12 --> 31["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::InitializeCriticalSectionAndSpinCount"]:::shaded
12 --> 18["_guard_xfg_dispatch_icall_nop"]
12 --> 26["GetLastErrorAsFailHR"]
23 --> 49["API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL::SetLastError"]:::shaded
36 --> 57:::shaded
9 --> 14:::shaded
36 --> 67["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::ResetEvent"]:::shaded
23 --> 47["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::TlsGetValue"]:::shaded
12 --> 29["WPP_SF_SSd"]
12 --> 15["StringCbCopyW"]:::shaded
12 --> 34["WPP_SF_Sd"]
12 --> 35["~CoalescedSleep"]
34 --> 14:::shaded
23 --> 10:::shaded
42 --> 44["MSVCRT.DLL::_callnewh"]:::shaded
32 --> 10:::shaded
32 --> 59["API-MS-WIN-CORE-THREADPOOL-L1-2-0.DLL::SetThreadpoolTimer"]:::shaded
37 --> 18
52 --> 18
32 --> 48:::shaded
32 --> 56["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::GetCurrentThreadId"]:::shaded
23 --> 48["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::LeaveCriticalSection"]:::shaded
12 --> 17["vFree"]
0 --> 12["PrinterNonRegGetHardwareId"]
12 --> 28["TRefPtrCOM<struct_IBidiRequest>"]:::shaded
36 --> 10:::shaded
39 --> 40["MSVCRT.DLL::free"]:::shaded
0 --> 4["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::GetCurrentThread"]:::shaded
17 --> 38["operator_delete"]
38 --> 39["free"]
36 --> 48:::shaded
35 --> 63["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::DeleteCriticalSection"]:::shaded
30 --> 52["~TRefPtrCOM<struct_IBidiRequest>"]
12 --> 36["EnterSplSem"]
12 --> 21["MSVCRT.DLL::_wcsicmp"]:::shaded
32 --> 57["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::EnterCriticalSection"]:::shaded
53 --> 18
12 --> 25["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoTaskMemFree"]:::shaded
12 --> 20["StatusFromHResult"]:::shaded
18 --> 41["_guard_dispatch_icall"]:::shaded
0 --> 8["API-MS-WIN-SECURITY-BASE-L1-1-0.DLL::IsWellKnownSid"]:::shaded
36 --> 49:::shaded
58 --> 46:::shaded
36 --> 50:::shaded
35 --> 64["API-MS-WIN-CORE-THREADPOOL-L1-2-0.DLL::CloseThreadpoolTimer"]:::shaded
33 --> 62["FUN_18001fe54"]
12 --> 37["`vector_constructor_iterator'"]
0 --> 11["API-MS-WIN-SECURITY-BASE-L1-1-0.DLL::GetTokenInformation"]:::shaded
19 --> 43["malloc"]
12 --> 32["Wait"]
0 --> 6["WPP_SF_"]
0 --> 10["API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL::GetLastError"]:::shaded
61 --> 62
32 --> 54["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoWaitForMultipleHandles"]:::shaded
23 --> 50["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::TlsSetValue"]:::shaded
30 --> 38
0 --> 5["API-MS-WIN-CORE-HANDLE-L1-1-0.DLL::CloseHandle"]:::shaded
33 --> 38

Endpoints

A condensed view, showing only endpoints of the callgraph.

flowchart LR
classDef shaded fill:#339933
root["IsSpoolerImpersonating"] --> 35["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::EnterCriticalSection"]:::shaded
root["IsSpoolerImpersonating"] --> 19["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::TlsGetValue"]:::shaded
root["IsSpoolerImpersonating"] --> 18["API-MS-WIN-CORE-THREADPOOL-L1-2-0.DLL::SetThreadpoolTimer"]:::shaded
root["IsSpoolerImpersonating"] --> 5["SPOOLSS.DLL::DllAllocSplMem"]:::shaded
root["IsSpoolerImpersonating"] --> 24["API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL::SetLastError"]:::shaded
root["IsSpoolerImpersonating"] --> 20["API-MS-WIN-CORE-SYNCH-L1-2-0.DLL::Sleep"]:::shaded
root["IsSpoolerImpersonating"] --> 29["API-MS-WIN-SECURITY-BASE-L1-1-0.DLL::GetTokenInformation"]:::shaded
root["IsSpoolerImpersonating"] --> 16["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::GetCurrentThread"]:::shaded
root["IsSpoolerImpersonating"] --> 14["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoWaitForMultipleHandles"]:::shaded
root["IsSpoolerImpersonating"] --> 25["StatusFromHResult"]:::shaded
root["IsSpoolerImpersonating"] --> 36["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoCreateInstance"]:::shaded
root["IsSpoolerImpersonating"] --> 39["StringCbCopyW"]:::shaded
root["IsSpoolerImpersonating"] --> 15["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::SetEvent"]:::shaded
root["IsSpoolerImpersonating"] --> 12["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::OpenThreadToken"]:::shaded
root["IsSpoolerImpersonating"] --> 34["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::CreateEventW"]:::shaded
root["IsSpoolerImpersonating"] --> 11["_guard_dispatch_icall"]:::shaded
root["IsSpoolerImpersonating"] --> 31["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::LeaveCriticalSection"]:::shaded
root["IsSpoolerImpersonating"] --> 21["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoInitializeEx"]:::shaded
root["IsSpoolerImpersonating"] --> 38["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::GetCurrentProcess"]:::shaded
root["IsSpoolerImpersonating"] --> 33["API-MS-WIN-CORE-HANDLE-L1-1-0.DLL::CloseHandle"]:::shaded
root["IsSpoolerImpersonating"] --> 37["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::WaitForSingleObject"]:::shaded
root["IsSpoolerImpersonating"] --> 28["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::InitializeCriticalSectionAndSpinCount"]:::shaded
root["IsSpoolerImpersonating"] --> 8["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoTaskMemFree"]:::shaded
root["IsSpoolerImpersonating"] --> 17["SPOOLSS.DLL::DllFreeSplMem"]:::shaded
root["IsSpoolerImpersonating"] --> 10["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::ResetEvent"]:::shaded
root["IsSpoolerImpersonating"] --> 22["API-MS-WIN-CORE-COM-L1-1-0.DLL::CoUninitialize"]:::shaded
root["IsSpoolerImpersonating"] --> 13["TRefPtrCOM<struct_IBidiRequest>"]:::shaded
root["IsSpoolerImpersonating"] --> 26["API-MS-WIN-CORE-THREADPOOL-L1-2-0.DLL::CloseThreadpoolTimer"]:::shaded
root["IsSpoolerImpersonating"] --> 32["API-MS-WIN-CORE-SYNCH-L1-1-0.DLL::DeleteCriticalSection"]:::shaded
root["IsSpoolerImpersonating"] --> 6["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::OpenProcessToken"]:::shaded
root["IsSpoolerImpersonating"] --> 23["MSVCRT.DLL::_wcsicmp"]:::shaded
root["IsSpoolerImpersonating"] --> 9["API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL::GetLastError"]:::shaded
root["IsSpoolerImpersonating"] --> 27["MSVCRT.DLL::free"]:::shaded
root["IsSpoolerImpersonating"] --> 30["MSVCRT.DLL::_callnewh"]:::shaded
root["IsSpoolerImpersonating"] --> 0["API-MS-WIN-SECURITY-BASE-L1-1-0.DLL::IsWellKnownSid"]:::shaded
root["IsSpoolerImpersonating"] --> 7["MSVCRT.DLL::malloc"]:::shaded
root["IsSpoolerImpersonating"] --> 4["API-MS-WIN-CORE-THREADPOOL-L1-2-0.DLL::CreateThreadpoolTimer"]:::shaded
root["IsSpoolerImpersonating"] --> 3["NTDLL.DLL::EtwTraceMessage"]:::shaded
root["IsSpoolerImpersonating"] --> 2["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::GetCurrentThreadId"]:::shaded
root["IsSpoolerImpersonating"] --> 1["API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL::TlsSetValue"]:::shaded
