ci.dll — added ETW telemetry field to three Code Integrity events
KB5073455
1. Overview
- Unpatched Binary:
ci_unpatched.dll - Patched Binary:
ci_patched.dll - Similarity Score: 99.19%
- Diff Statistics: 2212 matched functions, 3 functionally changed functions, 2209 identical functions, and 0 unmatched functions in either direction. (Nine further functions differ only by a relocated local-return jump target caused by the code that shifted below the three changed functions; they are byte-for-byte equivalent otherwise.)
- Verdict: This patch introduces no security fixes or vulnerability mitigations; it expands Event Tracing for Windows (ETW) TraceLogging by adding a single field, whose value is a compile-time constant
1, to three Code Integrity tracing functions.
2. Vulnerability Summary
No security vulnerabilities were identified in this patch.
All three modified functions (CiAuditDriverAllow @ 0x1C0060920, CiInstrumentDriverSignatureRetry @ 0x1C00621BC, and CiInstrumentDriverBlock @ 0x1C00625A4, unpatched addresses) emit ETW TraceLogging events within the Code Integrity module via tlgWriteTransfer_EtwWriteTransfer. The patch uniformly adds a new 32-bit integer field (assigned a hardcoded value of 1) to the tracing payload and increments the event's field count. There are no changes to the actual signature verification logic, memory allocations, buffer handling, or access control checks. The added field value is a constant, not attacker-influenced. Therefore, there is no attacker-reachable entry point or exploit chain introduced or removed by this diff.
3. Pseudocode Diff
The change has the same shape in all three functions: one extra field is added to the TraceLogging descriptor list, its value is the compile-time constant 1, and the event's field count (and, for two of the three, the event-metadata pointer) is updated. Below is the real before/after of CiAuditDriverAllow at its tlgWriteTransfer_EtwWriteTransfer call:
// --- UNPATCHED (CiAuditDriverAllow) ---
tlgWriteTransfer_EtwWriteTransfer(
(__int64)&dword_1C0037188, // provider metadata
(unsigned __int8 *)dword_1C002E8FB, // event metadata
nullptr, nullptr,
0x1Au, // 26 fields
&v36);
// --- PATCHED (CiAuditDriverAllow) ---
v24 = 1; // new constant field value
tlgWriteTransfer_EtwWriteTransfer(
(__int64)&dword_1C0037188, // provider metadata (unchanged)
(unsigned __int8 *)dword_1C002E911, // event metadata pointer advanced
nullptr, nullptr,
0x1Bu, // 27 fields (one added)
&v37);
The signature-verification body and the file-cleanup tail (ExFreePoolWithTag, FsRtlReleaseFileNameInformation) are equivalent apart from renumbered stack locals.
4. Assembly Analysis
No security-relevant assembly changes were found. In CiAuditDriverAllow the only functional differences are:
- Stack-frame growth: sub rsp, 290h becomes sub rsp, 2A0h at 0x1C0060938.
- The field count passed to the writer changes from 1Ah to 1Bh: mov [rsp+2D0h+var_2B0], 1Bh ; ULONG at 0x1C0060CAF.
- The event-metadata pointer is loaded from the new descriptor: lea rdx, dword_1C002E911 ; int at 0x1C0060C2E (was dword_1C002E8FB).
The other instruction differences in the three functions are re-numbered stack offsets that follow the enlarged frame. No bounds checks were removed, and no new memory write or dereference of attacker-influenced data was introduced; the added field is a constant.
5. Trigger Conditions
Not Applicable. As there is no vulnerability, there are no trigger conditions or steps required to fire a flaw.
6. Exploit Primitive & Development Notes
Not Applicable. The patch provides no arbitrary write, out-of-bounds (OOB) access, or use-after-free (UAF) primitives. The underlying binary's exploitation profile remains completely unchanged.
7. Debugger PoC Playbook
Not Applicable. Because no vulnerability was introduced or fixed, there are no breakpoints, memory inspections, or trigger setups required. A kernel debugger attached to the unpatched binary will yield no relevant crash or memory corruption findings related to this specific diff.
8. Changed Functions — Full Triage
The three changed functions share the exact same change profile. They are all ETW TraceLogging routines that record Code Integrity signature verification results, each emitting its event through tlgWriteTransfer_EtwWriteTransfer against provider dword_1C0037188. In each, a new field with a hardcoded int32_t value of 1 is added and the event field count is incremented by one; the stack frame grew to hold the extra descriptor. All core logic, security checks, and memory management calls (ExFreePoolWithTag, FsRtlReleaseFileNameInformation, RtlFreeUnicodeString) remain functionally identical.
CiAuditDriverAllow@ 0x1C0060920 (both builds): field count0x1A→0x1B; event metadatadword_1C002E8FB→dword_1C002E911; frame0x290→0x2A0.CiInstrumentDriverSignatureRetry@ 0x1C00621BC (unpatched) / 0x1C00621D4 (patched): field count0x16→0x17; event metadatadword_1C002FC3C→dword_1C002FC68; frame0x230→0x240.CiInstrumentDriverBlock@ 0x1C00625A4 (unpatched) / 0x1C00625D8 (patched): field count0x1C→0x1D; event metadatadword_1C002E391(unchanged); frame0x2B0→0x2D0.
9. Unmatched Functions
There are no added or removed functions in this patch.
10. Confidence & Caveats
- Confidence Level: High.
- Rationale: The diff is extremely small (3 functions out of 2212), and the changes map perfectly to standard Windows ETW telemetry formatting adjustments. The structural expansion (field counts, stack frames, hardcoded descriptor values) leaves no room for hidden control-flow hijacking or logic bugs.
- Assumptions: The analysis assumes the agent accurately mapped the local variable assignments to their respective ETW descriptor initialization blocks, which is standard for these specific patterns in
ci.dll.