The bulk encryption and MAC keys are derived from the master hash object (see CPCreateHash for a description of the master hash object). This is done using CPDeriveKey with either the CALG_SCHANNEL_ENC_KEY (Diffie-Hellman) or the CALG_SCHANNEL_MAC_KEY (Diffie-Hellman) algorithm identifier.
See CPDeriveKey.
If the CRYPT_SERVER flag is set in the dwFlags parameter then the key to be generated is a server write key, otherwise it's a client write key.
See the Deriving the Bulk Encryption and MAC Keys (Diffie-Hellman) section.