The bulk encryption and MAC keys are derived from the master hash object (see CPCreateHash for a description of the master hash object). This is done using the CPDeriveKey function with either the CALG_SCHANNEL_ENC_KEY or the CALG_SCHANNEL_MAC_KEY algorithm identifier.
See CPDeriveKey.
If the CRYPT_SERVER flag is set in the dwFlags parameter then the key to be generated is a server write key, otherwise it is a client write key.
See the Deriving the Bulk Encryption and MAC Keys section.