[takep]

The same status is returned when I use every Altitude ID.

The code:

Code: Select all

bool InstallHooksViaCallbacks()
{
    PAGED_CODE();

    OB_CALLBACK_REGISTRATION ocr = {0};

    RtlInitUnicodeString(&ocr.Altitude, L"323410");
    ocr.Version = OB_FLT_REGISTRATION_VERSION;
    ocr.RegistrationContext = NULL;

    OB_OPERATION_REGISTRATION operations[4] = {0};

    operations[0].ObjectType = PsProcessType;
    operations[0].Operations = OB_OPERATION_HANDLE_CREATE;
    operations[0].PreOperation = ProcessPreCallback;

    operations[1].ObjectType = PsProcessType;
    operations[1].Operations = OB_OPERATION_HANDLE_DUPLICATE;
    operations[1].PreOperation = ProcessPreCallback;

    operations[2].ObjectType = PsThreadType;
    operations[2].Operations = OB_OPERATION_HANDLE_CREATE;
    operations[2].PreOperation = ProcessPreCallback;

    operations[3].ObjectType = PsThreadType;
    operations[3].Operations = OB_OPERATION_HANDLE_DUPLICATE;
    operations[3].PreOperation = ProcessPreCallback;

    ocr.OperationRegistration = operations;
    ocr.OperationRegistrationCount = ARRAYSIZE(operations);

    PVOID cookie = NULL;

    NTSTATUS st = ObRegisterCallbacks(&ocr, &cookie);

    return true;
}

[EP_X0FF]

Operations can be mixed, so you don't need 4 op items. Have you tried example from MSDN, Windows 8 Driver Sample -> ObCallback Callback Registration Driver, is it fails for you too?

[takep]

Thanks for the reply, I did the same. It failed because of 2 callbacks with same type and I mixed operations :D