About ObRegisterCallbacks.

Chang_Sung,_Jung Member Posts: 61
I applied the ObRegisterCallbacks function to filter process-related operations on Windows Server 2008.
I called RegisterCallbackFunction() in DriverEntry.
I got a BSOD (7e, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) when the ObRegisterCallbacks function was called.
RegisterCallbackFunction is as follows.

NTSTATUS RegisterCallbackFunction()
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    UNICODE_STRING Altitude;
    USHORT filterVersion = ObGetFilterVersion();
    USHORT registrationCount = 2;
    OB_OPERATION_REGISTRATION RegisterOperation;
    OB_CALLBACK_REGISTRATION RegisterCallBack;
    REG_CONTEXT RegistrationContext;

    memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
    memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
    memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));
    RegistrationContext.ulIndex = 1;
    RegistrationContext.Version = 120;

    if (filterVersion == OB_FLT_REGISTRATION_VERSION) {
        DbgPrint("Filter Version is correct.\n");
        RegisterOperation.ObjectType = PsProcessType;
        RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
        RegisterOperation.PreOperation = PreProcCreateRoutine;
        RegisterOperation.PostOperation = PostProcCreateRoutine;
        RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
        RegisterCallBack.OperationRegistrationCount = registrationCount;
        RtlInitUnicodeString(&Altitude, L"XXXXXXX");
        RegisterCallBack.Altitude = Altitude;
        RegisterCallBack.RegistrationContext = &RegistrationContext;
        RegisterCallBack.OperationRegistration = &RegisterOperation;
        DbgPrint("Register Callback Function Entry!......\n");

        ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
        if (ntStatus == STATUS_SUCCESS) {
            DbgPrint("Register Callback Function Successful......\n");
        } else {
            if (ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
                DbgPrint("Status Filter Instance Altitude Collision \n");
            }
            if (ntStatus == STATUS_INVALID_PARAMETER) {
                DbgPrint("Status Invalid Parameter \n");
            }
            if (ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
                DbgPrint("Status Allocate Memory Failed. \n");
            }
            DbgPrint("Register Callback Function Failed with 0x%08x \n", ntStatus);
        }
    } else {
        DbgPrint("Filter Version is not supported.\n ");
    }
    return ntStatus;
}

What is the cause of this problem?
How should I solve this problem?
Please advise!

Comments

  • OSR_Community_User Member Posts: 110,217
    On 8/26/2010 7:26 PM, xxxxx@korea.com wrote:

    > ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
    > if (ntStatus == STATUS_SUCCESS) {

    Just a stab but should this be &g_hProcCreateHandle where the declaration is

    void *g_hProcCreateHandle = NULL;

    Pete

    --
    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295
  • Chang_Sung,_Jung Member Posts: 61
    Thanks for your advice.
    But I've already declared it like this.

    void *g_hProcCreateHandle = NULL;

    Jung.
  • mm Member - All Emails Posts: 1,409
    You need the indirection that Pete mentioned - & g_hProcCreateHandle (not g_hProcCreateHandle).

    mm
  • Chang_Sung,_Jung Member Posts: 61
    Thank you.
    I applied and tested the indirection &g_hProcCreateHandle, but I still got a BSOD.
    My source code is as follows.
    Need help!

    void *g_hProcCreateHandle = NULL;
    typedef struct _OB_REG_CONTEXT {
        __in USHORT Version;
        __in UNICODE_STRING Altitude;
        __in USHORT ulIndex;
    } REG_CONTEXT, *PREG_CONTEXT;
    //
    // PRE OPERATION
    //
    OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
        IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION OperationInformation)
    {

        //OB_PRE_OPERATION_INFORMATION OpInfo;
        DbgPrint("PreProcCreateRoutine()\n");
        return OB_PREOP_SUCCESS;
    }
    //
    // POST OPERATION
    //
    VOID PostProcCreateRoutine(
        IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION OperationInformation)
    {
        DbgPrint("PostProcCreateRoutine.\n");
    }
    //
    // REGISTER CALLBACK FUNCTION
    //
    NTSTATUS RegisterCallbackFunction()
    {
        NTSTATUS ntStatus = STATUS_SUCCESS;

        UNICODE_STRING Altitude;

        USHORT filterVersion = ObGetFilterVersion();
        USHORT registrationCount = 2;

        OB_OPERATION_REGISTRATION RegisterOperation;
        OB_CALLBACK_REGISTRATION RegisterCallBack;
        REG_CONTEXT RegistrationContext;

        memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
        memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
        memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));

        RegistrationContext.ulIndex = 1;
        RegistrationContext.Version = 120;

        if (filterVersion == OB_FLT_REGISTRATION_VERSION) {
            DbgPrint("Filter Version is correct.\n");

            RegisterOperation.ObjectType = PsProcessType;
            RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
            RegisterOperation.PreOperation = PreProcCreateRoutine;
            RegisterOperation.PostOperation = PostProcCreateRoutine;

            RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
            RegisterCallBack.OperationRegistrationCount = registrationCount;

            RtlInitUnicodeString(&Altitude, L"XXXXXXX");
            RegisterCallBack.Altitude = Altitude;

            RegisterCallBack.RegistrationContext = &RegistrationContext;
            RegisterCallBack.OperationRegistration = &RegisterOperation;
            DbgPrint("Register Callback Function Entry!!!\n");

            ntStatus = ObRegisterCallbacks(&RegisterCallBack, &g_hProcCreateHandle);
            if (ntStatus == STATUS_SUCCESS) {
                DbgPrint("Register Callback Function Successful\n");
            } else {
                if (ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
                    DbgPrint("Status Filter Instance Altitude Collision\n");
                }
                if (ntStatus == STATUS_INVALID_PARAMETER) {
                    DbgPrint("Status Invalid Parameter\n");
                }
                if (ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
                    DbgPrint("Status Allocate Memory Failed\n");
                }
                DbgPrint("Register Callback Function Failed with 0x%08x\n", ntStatus);
            }
        } else {
            DbgPrint("Filter Version is not supported.\n");
        }

        return ntStatus;
    }
    //
    // FREE PROC FILTER
    //
    NTSTATUS FreeProcFilter()
    {
        // ObUnRegisterCallbacks takes the handle value that ObRegisterCallbacks
        // returned, not the address of the variable that holds it.
        if (NULL != g_hProcCreateHandle) {
            ObUnRegisterCallbacks(g_hProcCreateHandle);
        }
        return STATUS_SUCCESS;
    }
  • mm Member - All Emails Posts: 1,409
    How about posting the !analyze -v output.


    mm

    ---
    NTFSD is sponsored by OSR

    For our schedule of debugging and file system seminars (including our new fs
    mini-filter seminar) visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at
    http://www.osronline.com/page.cfm?name=ListServer
  • Chang_Sung,_Jung Member Posts: 61
    The result of !analyze -v is as follows.

    *** Fatal System Error: 0x0000007e
    (0xC0000005,0x818BECB5,0x83D7995C,0x83D79658)

    Break instruction exception - code 80000003 (first chance)

    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.

    A fatal system error has occurred.

    Connected to Windows Server 2008 6001 x86 compatible target, ptr64 FALSE
    ................................................................................................................................
    Loading User Symbols

    Loading unloaded module list
    ....
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 7E, {c0000005, 818becb5, 83d7995c, 83d79658}

    Probably caused by : mydriver.sys ( mydriver!RegisterCallbackFunction+bc )

    Followup: MachineOwner
    ---------

    nt!DbgBreakPointWithStatus+0x4:
    816eb514 cc int 3
    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 818becb5, The address that the exception occurred at
    Arg3: 83d7995c, Exception Record Address
    Arg4: 83d79658, Context Record Address

    Debugging Details:
    ------------------
    FAULTING_MODULE: 81633000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP: 4c774e38

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

    FAULTING_IP:
    nt!ObRegisterCallbacks+c3
    818becb5 8b00 mov eax,dword ptr [eax]

    EXCEPTION_RECORD: 83d7995c -- (.exr 0xffffffff83d7995c)
    ExceptionAddress: 818becb5 (nt!ObRegisterCallbacks+0x000000c3)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 0010000e
    Attempt to read from address 0010000e

    CONTEXT: 83d79658 -- (.cxr 0xffffffff83d79658)
    eax=0010000e ebx=83d79a50 ecx=83d79a84 edx=83e17f70 esi=90754db8 edi=90754e0c
    eip=818becb5 esp=83d79a24 ebp=83d79a38 iopl=0 nv up ei ng nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
    nt!ObRegisterCallbacks+0xc3:
    818becb5 8b00 mov eax,dword ptr [eax] ds:0023:0010000e=????????
    Resetting default scope

    DEFAULT_BUCKET_ID: WRONG_SYMBOLS

    BUGCHECK_STR: 0x7E

    LAST_CONTROL_TRANSFER: from 8d8accf0 to 818becb5

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    83d79a38 8d8accf0 00000001 8d8b2414 8d8b8f04 nt!ObRegisterCallbacks+0xc3
    83d79a8c 8d8acd5f 8d8bb818 86b68918 8ed56000 mydriver!RegisterCallbackFunction+0xbc [xxx.c @ 75]
    83d79a90 8d8bb818 86b68918 8ed56000 00000000 mydriver!Install+0x5 [xxx.c @ 110]
    83d79b18 817a2376 00000000 8d8b45a0 00000000 mydriver!DriverEntry+0x6ae [main.c @ 2107]
    83d79cfc 817a2d0b 00000001 00000000 83d79d24 nt!IoRegisterFileSystem+0x1566
    83d79d44 8166b41d 841a1d00 00000000 82bffd78 nt!IoRegisterFileSystem+0x1efb
    83d79d7c 81808a1c 841a1d00 36043969 00000000 nt!KeQuerySystemTime+0x14d
    83d79dc0 81661a3e 8166b320 00000001 00000000 nt!RtlDestroyAtomTable+0x4fe
    00000000 00000000 00000000 00000000 00000000 nt!RtlSubAuthorityCountSid+0x3c4


    FOLLOWUP_IP:
    mydriver!RegisterCallbackFunction+bc [xxx.c @ 75]
    8d8accf0 8bf0 mov esi,eax

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: mydriver!RegisterCallbackFunction+bc

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: mydriver

    IMAGE_NAME: mydriver.sys

    STACK_COMMAND: .cxr 0xffffffff83d79658 ; kb

    BUCKET_ID: WRONG_SYMBOLS

    Followup: MachineOwner
    ---------
  • mm Member - All Emails Posts: 1,409
    >DEFAULT_BUCKET_ID: WRONG_SYMBOLS

    Are you sure that your symbols are correct?

    mm

  • d_cg Member Posts: 51
    Can I ask a question here?
    I need to use ObRegisterCallbacks too. But I don't know where to add "/integritycheck".
    Where should I add it?
  • Frank_Friemel Member Posts: 308
    Hi. Modify your code like this:

    USHORT registrationCount = 1;

    Even if you have two callback-routines ... there's only *one*
    OB_CALLBACK_REGISTRATION element.

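Frank Friemel's fix lines up with the crash dump, as this added example shows (it is not code from the thread): it models the x86 stack bytes as one 16-byte OB_OPERATION_REGISTRATION followed by the Altitude UNICODE_STRING and reads the ObjectType of the second entry that registrationCount = 2 claims exists. The adjacency of the two locals and every pointer value are assumptions; under them the read yields 0x0010000e, the address in the dump's access violation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the x86 stack bytes around the registration (sizes for the 32-bit
 * target in the dump). ASSUMPTION: the compiler placed the Altitude
 * UNICODE_STRING directly after the single OB_OPERATION_REGISTRATION. */
#define OP_REG_SIZE 16u /* ObjectType, Operations, PreOperation, PostOperation */
#define USTR_SIZE    8u /* Length, MaximumLength, Buffer */

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)v); put_u16(p + 2, (uint16_t)(v >> 16)); }
static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lay out `elements` operation entries followed by the UNICODE_STRING that
 * RtlInitUnicodeString builds for an altitude of `altitude_chars` characters.
 * Pointer values are constructed placeholders. Returns bytes written, or 0
 * if the buffer is too small. */
size_t build_region(uint8_t *buf, size_t cap, unsigned elements, size_t altitude_chars)
{
    size_t need = (size_t)elements * OP_REG_SIZE + USTR_SIZE;
    if (cap < need) return 0;
    for (unsigned i = 0; i < elements; i++) {
        uint8_t *e = buf + (size_t)i * OP_REG_SIZE;
        put_u32(e + 0, 0x81700000u);  /* ObjectType: address of PsProcessType (constructed) */
        put_u32(e + 4, 0x00000001u);  /* Operations: OB_OPERATION_HANDLE_CREATE */
        put_u32(e + 8, 0x8d8a0000u);  /* PreOperation (constructed) */
        put_u32(e + 12, 0x8d8a0100u); /* PostOperation (constructed) */
    }
    uint8_t *u = buf + (size_t)elements * OP_REG_SIZE;
    put_u16(u + 0, (uint16_t)(altitude_chars * 2));     /* Length in bytes */
    put_u16(u + 2, (uint16_t)(altitude_chars * 2 + 2)); /* MaximumLength, with NUL */
    put_u32(u + 4, 0x8d8b0000u);                        /* Buffer (constructed) */
    return need;
}

/* Value a walk over the registration array takes as ObjectType for entry
 * `index`; returns 0 and fills *out, or -1 if the entry is outside the model. */
int object_type_of_entry(const uint8_t *buf, size_t len, unsigned index, uint32_t *out)
{
    size_t off = (size_t)index * OP_REG_SIZE;
    if (off + 4 > len) return -1;
    *out = get_u32(buf + off);
    return 0;
}

/* Pre-flight check before ObRegisterCallbacks: OperationRegistrationCount
 * must not exceed the number of array elements supplied. Returns the index
 * of the first entry read outside the array, or -1 if there is none. */
int first_entry_outside_array(unsigned registration_count, unsigned elements)
{
    return registration_count > elements ? (int)elements : -1;
}

int main(void)
{
    uint8_t region[64];
    size_t len = build_region(region, sizeof region, 1, 7); /* L"XXXXXXX" is 7 chars */
    int bad = first_entry_outside_array(2, 1);              /* registrationCount = 2 */
    for (unsigned i = 0; i < 2; i++) {
        uint32_t v;
        if (object_type_of_entry(region, len, i, &v) == 0)
            printf("entry %u: ObjectType read as 0x%08x%s\n", i, (unsigned)v,
                   bad == (int)i ? "  <-- outside the array" : "");
    }
    return 0;
}
```

With OperationRegistrationCount set to 1, or with a real two-element OB_OPERATION_REGISTRATION array, the second read never happens.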
  • OSR_Community_User Member Posts: 110,217
    In your sources file. LINKER_FLAGS=/INTEGRITYCHECK
    Along with this your driver will need to be signed.

    Bill Wandel

  • Scott_Noone_(OSR) Administrator Posts: 3,096
    In your SOURCES:

    LINKER_FLAGS=/integritycheck

    -scott

    --
    Scott Noone
    Consulting Associate
    OSR Open Systems Resources, Inc.
    http://www.osronline.com


    <dcg1981@163.com> wrote in message news:xxxxx@ntfsd...
    > Can I ask some question here ??
    > I need to use ObRegisterCallbacks too. But I don't know where to add
    > "/integritycheck" .
    > Where should I add it?
    >

    -scott
    OSR

  • d_cg Member Posts: 51
    Thanks. :D
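To confirm that the LINKER_FLAGS setting from the two replies above took effect, the built .sys can be checked for the bit that /INTEGRITYCHECK sets, IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) in the PE optional header. This checker is an added example, not code from the thread; the function names and the sample header it builds when run without arguments are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FORCE_INTEGRITY 0x0080u /* IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 1 if FORCE_INTEGRITY is set, 0 if it is clear, and -1 if the
 * buffer does not hold a well-formed PE header. */
int pe_force_integrity(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                   /* e_lfanew */
    if (pe > len || len - pe < 24) return -1;         /* signature + COFF header */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t opt_size = rd16(img + pe + 4 + 16);      /* SizeOfOptionalHeader */
    size_t opt = (size_t)pe + 24;
    if (opt_size < 72 || len - opt < 72) return -1;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10b && magic != 0x20b) return -1;  /* PE32 or PE32+ */
    /* DllCharacteristics sits at offset 70 in both optional header layouts. */
    return (rd16(img + opt + 70) & FORCE_INTEGRITY) ? 1 : 0;
}

/* Constructed minimal header for the demo and the test; not a loadable image. */
size_t build_sample(uint8_t *buf, size_t cap, uint16_t magic, uint16_t dll_characteristics)
{
    const size_t pe = 0x40, opt = pe + 24, total = opt + 72;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)pe;
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 20] = 72;                                /* SizeOfOptionalHeader */
    buf[opt] = (uint8_t)magic;
    buf[opt + 1] = (uint8_t)(magic >> 8);
    buf[opt + 70] = (uint8_t)dll_characteristics;
    buf[opt + 71] = (uint8_t)(dll_characteristics >> 8);
    return total;
}

int main(int argc, char **argv)
{
    uint8_t buf[4096];
    size_t n;
    if (argc > 1) {                                   /* check a real driver image */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {                                          /* constructed: linked without the flag */
        n = build_sample(buf, sizeof buf, 0x10b, 0x0000);
    }
    int r = pe_force_integrity(buf, n);
    puts(r == 1 ? "FORCE_INTEGRITY set"
       : r == 0 ? "FORCE_INTEGRITY clear: relink with /INTEGRITYCHECK"
                : "not a PE image");
    return r == 1 ? 0 : 1;
}
```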