DRAFT: Take more than your usual care.
The SILO_MONITOR (formally _SILO_MONITOR) represents a registered monitor of server silos in modern releases of Windows 10. A driver or other kernel-mode software calls the PsRegisterSiloMonitor function to express its interest in what’s done with server silos. This creates a SILO_MONITOR whose address can then be used when calling several other functions.
Microsoft is not known ever to have documented the SILO_MONITOR except in the declarations of the relevant kernel exports. There, and in NTDDK.H, it is an opaque structure that is referred to in text as “the monitor”. No C-language definition is known from Microsoft. The structure’s name doesn’t even show in symbol files.
For a structure that is exposed through kernel exports but only as opaque, the SILO_MONITOR has been strikingly stable. It is 0x20 or 0x38 bytes in 32-bit and 64-bit Windows, respectively, up to and including at least the 2004 release.
Microsoft’s names and types of the structure’s members are not known. Type information in the public symbol files for the kernel shows only the structure’s name as a declaration, not its members from a definition.
|Offset (x86)|Offset (x64)|Definition|
|---|---|---|
| | |NTSTATUS (*CreateCallback) (PESILO);|
| | |VOID (*TerminateCallback) (PESILO);|
For a few members, names and types are proposed above by inferring a correspondence with members of another structure for which Microsoft’s names and types are known with certainty. NTDDK.H has a C-language definition of the SILO_MONITOR_REGISTRATION structure. This is among the inputs to PsRegisterSiloMonitor. That Microsoft’s programmers keep the names when transferring into the lasting SILO_MONITOR is at least plausible.
NTDDK.H has type definitions for the callbacks:
Remember that in all applicable versions the PESILO type, which is the argument to both callbacks, is a pointer to an EJOB.
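The registration flow described above, as an added example that is not code from this page or from Microsoft: a user-mode model in which a caller fills a SILO_MONITOR_REGISTRATION, receives the address of a SILO_MONITOR, and then has its CreateCallback and TerminateCallback driven as silos come and go. The names SILO_MONITOR_REGISTRATION, SILO_MONITOR_CREATE_CALLBACK, SILO_MONITOR_TERMINATE_CALLBACK, PESILO and PsRegisterSiloMonitor are NTDDK.H's, but everything is re-declared here so the file builds with an ordinary C compiler and no Windows headers. The functions ModelPsRegisterSiloMonitor, ModelCreateSilo and ModelTerminateSilo, the fixed monitor pool, and the rule that a failing CreateCallback vetoes the silo and rolls back monitors already notified are assumptions of the model, not the kernel's implementation; the internal layout of SILO_MONITOR is deliberately not modelled.

```c
/* Added example: user-mode model of silo-monitor registration (not Microsoft's
 * code, not code from the page). NTDDK.H names are re-declared so this builds
 * anywhere; the registry, dispatch and rollback logic is an assumed model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;                         /* negative values are failures */
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009A)
#define STATUS_ACCESS_DENIED          ((NTSTATUS)0xC0000022)
#define NT_SUCCESS(s)                 ((s) >= 0)

/* PESILO is a pointer to an EJOB; a stub EJOB carrying only an id stands in. */
typedef struct _EJOB { uint32_t JobId; } EJOB, *PESILO;

typedef NTSTATUS (*SILO_MONITOR_CREATE_CALLBACK)(PESILO Silo);
typedef void     (*SILO_MONITOR_TERMINATE_CALLBACK)(PESILO Silo);

/* Shaped after NTDDK.H's SILO_MONITOR_REGISTRATION; only members this model reads. */
typedef struct _SILO_MONITOR_REGISTRATION {
    uint8_t Version;                              /* SILO_MONITOR_REGISTRATION_VERSION is 1 */
    uint8_t MonitorHost;
    uint8_t MonitorExistingSilos;
    SILO_MONITOR_CREATE_CALLBACK    CreateCallback;
    SILO_MONITOR_TERMINATE_CALLBACK TerminateCallback;
} SILO_MONITOR_REGISTRATION;

/* Model of the opaque monitor: just what later calls need (assumed layout). */
typedef struct _SILO_MONITOR {
    SILO_MONITOR_CREATE_CALLBACK    CreateCallback;
    SILO_MONITOR_TERMINATE_CALLBACK TerminateCallback;
    struct _SILO_MONITOR *Next;
} SILO_MONITOR, *PSILO_MONITOR;

#define MAX_MONITORS 8
static SILO_MONITOR  g_storage[MAX_MONITORS];     /* fixed pool instead of pool allocation */
static size_t        g_used;
static PSILO_MONITOR g_head;                      /* linked list, newest registration first */

/* Model of PsRegisterSiloMonitor: validate, copy the callbacks, hand back the address. */
NTSTATUS ModelPsRegisterSiloMonitor(const SILO_MONITOR_REGISTRATION *Registration,
                                    PSILO_MONITOR *ReturnedMonitor)
{
    if (Registration == NULL || ReturnedMonitor == NULL || Registration->Version != 1)
        return STATUS_INVALID_PARAMETER;
    if (g_used == MAX_MONITORS)
        return STATUS_INSUFFICIENT_RESOURCES;
    PSILO_MONITOR m = &g_storage[g_used++];
    m->CreateCallback    = Registration->CreateCallback;
    m->TerminateCallback = Registration->TerminateCallback;
    m->Next = g_head;
    g_head  = m;
    *ReturnedMonitor = m;
    return STATUS_SUCCESS;
}

/* Model of silo creation: consult each CreateCallback in turn. A failure status
 * vetoes the silo; monitors already told of it get TerminateCallback so they can
 * drop per-silo state (both rules are assumptions of this model). */
NTSTATUS ModelCreateSilo(PESILO Silo)
{
    for (PSILO_MONITOR m = g_head; m != NULL; m = m->Next) {
        if (m->CreateCallback == NULL) continue;
        NTSTATUS status = m->CreateCallback(Silo);
        if (!NT_SUCCESS(status)) {
            for (PSILO_MONITOR undo = g_head; undo != m; undo = undo->Next)
                if (undo->TerminateCallback) undo->TerminateCallback(Silo);
            return status;
        }
    }
    return STATUS_SUCCESS;
}

/* Model of silo termination: every monitor with a TerminateCallback hears of it. */
void ModelTerminateSilo(PESILO Silo)
{
    for (PSILO_MONITOR m = g_head; m != NULL; m = m->Next)
        if (m->TerminateCallback) m->TerminateCallback(Silo);
}

/* Two example monitors: one counts live silos, one refuses a constructed job id. */
static int      g_live_silos;
static uint32_t g_denied_job_id = 42;             /* constructed sample value */

static NTSTATUS CountingCreate(PESILO Silo)    { (void)Silo; g_live_silos++; return STATUS_SUCCESS; }
static void     CountingTerminate(PESILO Silo) { (void)Silo; g_live_silos--; }
static NTSTATUS DenyingCreate(PESILO Silo)
{
    return Silo->JobId == g_denied_job_id ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

int LiveSilos(void) { return g_live_silos; }

/* Registers the denying monitor first so the counting one runs ahead of it and
 * its rollback path is exercised when a silo is refused. */
NTSTATUS RegisterExampleMonitors(void)
{
    SILO_MONITOR_REGISTRATION denying  = { 1, 0, 0, DenyingCreate,  NULL };
    SILO_MONITOR_REGISTRATION counting = { 1, 0, 0, CountingCreate, CountingTerminate };
    PSILO_MONITOR m;
    NTSTATUS s = ModelPsRegisterSiloMonitor(&denying, &m);
    if (!NT_SUCCESS(s)) return s;
    return ModelPsRegisterSiloMonitor(&counting, &m);
}

int main(void)
{
    EJOB allowed = { 7 }, refused = { 42 };
    RegisterExampleMonitors();
    printf("create 7:  0x%08X live=%d\n", (unsigned)ModelCreateSilo(&allowed), LiveSilos());
    printf("create 42: 0x%08X live=%d\n", (unsigned)ModelCreateSilo(&refused), LiveSilos());
    ModelTerminateSilo(&allowed);
    printf("after terminate: live=%d\n", LiveSilos());
    return 0;
}
```

The model keeps only the two callbacks in its SILO_MONITOR on purpose: the page establishes that those are the members whose names can be inferred from the registration, and nothing else about the real 0x20/0x38-byte layout is claimed here.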