
About ObRegisterCallbacks.

Chang_Sung,_JungChang_Sung,_Jung Member Posts: 61
I used the ObRegisterCallbacks function to filter process-related operations on Windows Server 2008.
I call RegisterCallbackFunction() from DriverEntry.
I get a BSOD (7e, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) when the ObRegisterCallbacks function is called.
RegisterCallbackFunction is as follows.

//
// Registers a pre-operation and a post-operation object callback for handle
// creation on process objects (PsProcessType) through ObRegisterCallbacks.
//
// Returns the NTSTATUS produced by ObRegisterCallbacks when a registration is
// attempted.
// NOTE(review): when ObGetFilterVersion() does not equal
// OB_FLT_REGISTRATION_VERSION nothing is registered, yet ntStatus keeps its
// initial STATUS_SUCCESS, so the caller cannot tell that path from success.
//
NTSTATUS RegisterCallbackFunction()
{
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING Altitude;
USHORT filterVersion = ObGetFilterVersion();
// NOTE(review): this value is stored in OperationRegistrationCount, i.e. the
// number of OB_OPERATION_REGISTRATION entries behind OperationRegistration.
// Only one entry (RegisterOperation) exists, and it already carries both the
// pre and the post routine, so 2 describes an array element that is not
// there and the count should be 1.
USHORT registrationCount = 2;
OB_OPERATION_REGISTRATION RegisterOperation;
OB_CALLBACK_REGISTRATION RegisterCallBack;
// NOTE(review): stack local whose address is stored as RegistrationContext
// below. That pointer is what the callbacks receive as their first argument,
// after this function has returned; it must not be dereferenced there unless
// the context is moved to storage that lives as long as the registration.
REG_CONTEXT RegistrationContext;

// Start from zeroed structures so every field not set below is 0/NULL.
memset(&RegisterOperation, 0 , sizeof(OB_OPERATION_REGISTRATION));
memset(&RegisterCallBack, 0 , sizeof(OB_CALLBACK_REGISTRATION));
memset(&RegistrationContext, 0 , sizeof(REG_CONTEXT));
RegistrationContext.ulIndex = 1;
RegistrationContext.Version = 120;

if (filterVersion == OB_FLT_REGISTRATION_VERSION) {
DbgPrint("Filter Version is correct.\n");
// One operation entry: handle-create on process objects, with both routines.
RegisterOperation.ObjectType = PsProcessType;
RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
RegisterOperation.PreOperation = PreProcCreateRoutine;
RegisterOperation.PostOperation = PostProcCreateRoutine;
RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
RegisterCallBack.OperationRegistrationCount = registrationCount;
RtlInitUnicodeString(&Altitude, L"XXXXXXX");
RegisterCallBack.Altitude = Altitude;
RegisterCallBack.RegistrationContext = &RegistrationContext;
RegisterCallBack.OperationRegistration = &RegisterOperation;
DbgPrint("Register Callback Function Entry!......\n");

// NOTE(review): the second parameter of ObRegisterCallbacks is an out
// parameter (PVOID *) that receives the registration handle. Passing
// g_hProcCreateHandle itself hands over the variable's current value instead
// of its address; the call needs &g_hProcCreateHandle.
ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
if (ntStatus == STATUS_SUCCESS) {
DbgPrint("Register Callback Function Successful......\n");
} else {
// Decode the failure codes handled here, then always print the raw status.
// NOTE(review): STATUS_ACCESS_DENIED is not decoded; ObRegisterCallbacks
// returns it when the callback routines are not in a signed image linked
// with /INTEGRITYCHECK.
if (ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
DbgPrint("Status Filter Instance Altitude Collision \n");
}
if (ntStatus == STATUS_INVALID_PARAMETER) {
DbgPrint("Status Invalid Parameter \n");
}
if (ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
DbgPrint("Status Allocate Memory Failed. \n");
}
DbgPrint("Register Callback Function Failed with 0x%08x \n", ntStatus);
}
} else {
DbgPrint("Filter Version is not supported.\n ");
}
return ntStatus;
}

What is the cause of this problem?
How should I solve this problem?
Ask advice!

Comments

  • OSR_Community_UserOSR_Community_User Member Posts: 110,218
    On 8/26/2010 7:26 PM, xxxxx@korea.com wrote:

    > ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
    > if (ntStatus == STATUS_SUCCESS) {

    Just a stab but should this be &g_hProcCreateHandle where the declaration is

    void *g_hProcCreateHandle = NULL;

    Pete

    --
    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295
  • Chang_Sung,_JungChang_Sung,_Jung Member Posts: 61
    Thanks for your advice.
    But I've already declared like this.

    void *g_hProcCreateHandle = NULL;

    Jung.
  • mmmm Member - All Emails Posts: 1,408
    You need the indirection that Pete mentioned - & g_hProcCreateHandle (not g_hProcCreateHandle).

    mm
  • Chang_Sung,_JungChang_Sung,_Jung Member Posts: 61
    Thank you.
    I applied and tested indirection &g_hProcCreateHandle but I also got BSOD.
    My source code is following.
    Need help!

    // Registration handle: its address is passed to ObRegisterCallbacks in
    // RegisterCallbackFunction; NULL until a registration has been stored in it.
    void *g_hProcCreateHandle = NULL;
    // Driver-defined context whose address is placed in
    // OB_CALLBACK_REGISTRATION.RegistrationContext.
    // NOTE(review): __in looks like a parameter annotation; it presumably has
    // no effect on structure members - confirm and drop it.
    typedef struct _OB_REG_CONTEXT {
    __in USHORT Version;             // set to 120 by RegisterCallbackFunction
    __in UNICODE_STRING Altitude;    // left zeroed in the code shown
    __in USHORT ulIndex;             // set to 1 by RegisterCallbackFunction
    } REG_CONTEXT, *PREG_CONTEXT;
    //
    // PRE OPERATION
    //
    /*
     * Pre-operation callback registered for handle creation on process objects.
     *
     * RegistrationContext   - value supplied at registration; not used here.
     * OperationInformation  - description of the pending operation; not read
     *                         or modified here.
     *
     * Only logs the call and returns OB_PREOP_SUCCESS, so the requested access
     * is passed through unchanged.
     */
    OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
        IN PVOID RegistrationContext,
        IN POB_PRE_OPERATION_INFORMATION OperationInformation)
    {
        OB_PREOP_CALLBACK_STATUS result = OB_PREOP_SUCCESS;

        DbgPrint("PreProcCreateRoutine()\n");

        return result;
    }
    //
    // POST OPERATION
    //
    /*
     * Post-operation callback registered for handle creation on process objects.
     *
     * RegistrationContext   - value supplied at registration; not used here.
     * OperationInformation  - description of the completed operation; not read
     *                         here.
     *
     * Only logs that it was called.
     */
    VOID PostProcCreateRoutine(
        IN PVOID RegistrationContext,
        IN POB_POST_OPERATION_INFORMATION OperationInformation)
    {
        DbgPrint("PostProcCreateRoutine.\n");
    }
    //
    // REGISTER CALLBACK FUNCTION
    //
    //
    // Registers PreProcCreateRoutine and PostProcCreateRoutine as object
    // callbacks for handle creation on process objects (PsProcessType) and
    // stores the registration handle in g_hProcCreateHandle.
    //
    // Returns the NTSTATUS produced by ObRegisterCallbacks when a registration
    // is attempted.
    // NOTE(review): when ObGetFilterVersion() does not equal
    // OB_FLT_REGISTRATION_VERSION nothing is registered, yet ntStatus keeps its
    // initial STATUS_SUCCESS, so the caller cannot tell that path from success.
    //
    NTSTATUS RegisterCallbackFunction()
    {
    NTSTATUS ntStatus = STATUS_SUCCESS;

    UNICODE_STRING Altitude;

    USHORT filterVersion = ObGetFilterVersion();
    // NOTE(review): this value is stored in OperationRegistrationCount, i.e.
    // the number of OB_OPERATION_REGISTRATION entries behind
    // OperationRegistration. Only one entry (RegisterOperation) exists, and it
    // already carries both the pre and the post routine, so a count of 2 makes
    // ObRegisterCallbacks walk past that single stack object. The count should
    // be 1.
    USHORT registrationCount = 2;

    OB_OPERATION_REGISTRATION RegisterOperation;
    OB_CALLBACK_REGISTRATION RegisterCallBack;
    // NOTE(review): stack local whose address is stored as RegistrationContext
    // below. That pointer is what the callbacks receive as their first
    // argument, after this function has returned; it must not be dereferenced
    // there unless the context is moved to storage that lives as long as the
    // registration.
    REG_CONTEXT RegistrationContext;

    // Start from zeroed structures so every field not set below is 0/NULL.
    memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
    memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
    memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));

    RegistrationContext.ulIndex = 1;
    RegistrationContext.Version = 120;

    if(filterVersion == OB_FLT_REGISTRATION_VERSION) {
    DbgPrint("Filter Version is correct.\n");

    // One operation entry: handle-create on process objects, both routines.
    RegisterOperation.ObjectType = PsProcessType;
    RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
    RegisterOperation.PreOperation = PreProcCreateRoutine;
    RegisterOperation.PostOperation = PostProcCreateRoutine;

    RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
    RegisterCallBack.OperationRegistrationCount = registrationCount;

    RtlInitUnicodeString(&Altitude, L"XXXXXXX");
    RegisterCallBack.Altitude = Altitude;

    RegisterCallBack.RegistrationContext = &RegistrationContext;
    RegisterCallBack.OperationRegistration = &RegisterOperation;
    DbgPrint("Register Callback Function Entry!!!\n");

    // The handle is an out parameter, so the address of the global is passed.
    ntStatus = ObRegisterCallbacks(&RegisterCallBack, &g_hProcCreateHandle);
    if(ntStatus == STATUS_SUCCESS) {
    DbgPrint("Register Callback Function Successful\n");
    } else {
    // Decode the failure codes handled here, then always print the raw status.
    // NOTE(review): STATUS_ACCESS_DENIED is not decoded; ObRegisterCallbacks
    // returns it when the callback routines are not in a signed image linked
    // with /INTEGRITYCHECK.
    if(ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
    DbgPrint("Status Filter Instance Altitude Collision\n");
    }
    if(ntStatus == STATUS_INVALID_PARAMETER) {
    DbgPrint("Status Invalid Parameter\n");
    }
    if(ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
    DbgPrint("Status Allocate Memory Failed\n");
    }
    DbgPrint("Register Callback Function Failed with 0x%08x\n", ntStatus);
    }
    } else {
    DbgPrint("Filter Version is not supported.\n");
    }

    return ntStatus;
    }
    //
    // FREE PROC FILTER
    //
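    /*
     * Removes the object callbacks registered by RegisterCallbackFunction.
     *
     * Does nothing when no registration handle is stored in
     * g_hProcCreateHandle, which is the case when the variable still holds its
     * initial NULL. Always returns STATUS_SUCCESS.
     */
    NTSTATUS FreeProcFilter()
    {
        // Test the handle value: the address of a global is never NULL, so
        // comparing &g_hProcCreateHandle with NULL guards nothing.
        if (g_hProcCreateHandle != NULL) {
            // ObUnRegisterCallbacks takes the handle that ObRegisterCallbacks
            // wrote into the variable, not the address of the variable.
            ObUnRegisterCallbacks(g_hProcCreateHandle);
            // Clear the handle so a second call cannot unregister twice.
            g_hProcCreateHandle = NULL;
        }
        return STATUS_SUCCESS;
    }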
  • mmmm Member - All Emails Posts: 1,408
    How about posting the !analyze -v output.


    mm

    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@korea.com
    Sent: Friday, August 27, 2010 1:43 AM
    To: Windows File Systems Devs Interest List
    Subject: RE:[ntfsd] About ObRegisterCallbacks.

    Thank you.
    I applied and tested indirection &g_hProcCreateHandle but I also got BSOD.
    My source code is following.
    Need help!

    void *g_hProcCreateHandle = NULL;
    typedef struct _OB_REG_CONTEXT {
    __in USHORT Version;
    __in UNICODE_STRING Altitude;
    __in USHORT ulIndex;
    } REG_CONTEXT, *PREG_CONTEXT;
    //
    // PRE OPERATION
    //
    OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
    IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION
    OperationInformation) {

    //OB_PRE_OPERATION_INFORMATION OpInfo;
    DbgPrint("PreProcCreateRoutine()\n");
    return OB_PREOP_SUCCESS;
    }
    //
    // POST OPERATION
    //
    VOID PostProcCreateRoutine(
    IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION
    OperationInformation) {
    DbgPrint("PostProcCreateRoutine.\n");
    }
    //
    // REGISTE CALLBACK FUNCTION
    //
    NTSTATUS RegisterCallbackFunction()
    {
    NTSTATUS ntStatus = STATUS_SUCCESS;

    UNICODE_STRING Altitude;

    USHORT filterVersion = ObGetFilterVersion();
    USHORT registrationCount = 2;

    OB_OPERATION_REGISTRATION RegisterOperation;
    OB_CALLBACK_REGISTRATION RegisterCallBack;
    REG_CONTEXT RegistrationContext;

    memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
    memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
    memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));

    RegistrationContext.ulIndex = 1;
    RegistrationContext.Version = 120;

    if(filterVersion == OB_FLT_REGISTRATION_VERSION) {
    DbgPrint("Filter Version is correct.\n");

    RegisterOperation.ObjectType = PsProcessType;
    RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
    RegisterOperation.PreOperation = PreProcCreateRoutine;
    RegisterOperation.PostOperation = PostProcCreateRoutine;

    RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
    RegisterCallBack.OperationRegistrationCount =
    registrationCount;

    RtlInitUnicodeString(&Altitude, L"XXXXXXX");
    RegisterCallBack.Altitude = Altitude;

    RegisterCallBack.RegistrationContext = &RegistrationContext;
    RegisterCallBack.OperationRegistration = &RegisterOperation;
    DbgPrint("Register Callback Function Entry!!!\n");

    ntStatus = ObRegisterCallbacks(&RegisterCallBack,
    &g_hProcCreateHandle);
    if(ntStatus == STATUS_SUCCESS) {
    DbgPrint("Register Callback Function Successful\n");
    } else {
    if(ntStatus ==
    STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
    DbgPrint("Status Filter Instance Altitude
    Collision\n");
    }
    if(ntStatus == STATUS_INVALID_PARAMETER) {
    DbgPrint("Status Invalid Parameter\n");
    }
    if(ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
    DbgPrint("Status Allocate Memory Failed\n");
    }
    DbgPrint("Register Callback Function Failed with
    0x%08x\n", ntStatus);
    }
    } else {
    DbgPrint("Filter Version is not supported.\n");
    }

    return ntStatus;
    }
    //
    // FREE PROC FILTER
    //
    NTSTATUS FreeProcFilter()
    {
    if(NULL != &g_hProcCreateHandle) {
    ObUnRegisterCallbacks(&g_hProcCreateHandle);
    }
    return STATUS_SUCCESS;
    }

  • Chang_Sung,_JungChang_Sung,_Jung Member Posts: 61
    The result of !analyze -v is following.

    *** Fatal System Error: 0x0000007e
    (0xC0000005,0x818BECB5,0x83D7995C,0x83D79658)

    Break instruction exception - code 80000003 (first chance)

    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.

    A fatal system error has occurred.

    Connected to Windows Server 2008 6001 x86 compatible target, ptr64 FALSE
    ................................................................................................................................
    Loading User Symbols

    Loading unloaded module list
    ....
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 7E, {c0000005, 818becb5, 83d7995c, 83d79658}

    Probably caused by : mydriver.sys ( mydriver!RegisterCallbackFunction+bc )

    Followup: MachineOwner
    ---------

    nt!DbgBreakPointWithStatus+0x4:
    816eb514 cc int 3
    0: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 818becb5, The address that the exception occurred at
    Arg3: 83d7995c, Exception Record Address
    Arg4: 83d79658, Context Record Address

    Debugging Details:
    ------------------
    FAULTING_MODULE: 81633000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP: 4c774e38

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

    FAULTING_IP:
    nt!ObRegisterCallbacks+c3
    818becb5 8b00 mov eax,dword ptr [eax]

    EXCEPTION_RECORD: 83d7995c -- (.exr 0xffffffff83d7995c)
    ExceptionAddress: 818becb5 (nt!ObRegisterCallbacks+0x000000c3)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 0010000e
    Attempt to read from address 0010000e

    CONTEXT: 83d79658 -- (.cxr 0xffffffff83d79658)
    eax=0010000e ebx=83d79a50 ecx=83d79a84 edx=83e17f70 esi=90754db8 edi=90754e0c
    eip=818becb5 esp=83d79a24 ebp=83d79a38 iopl=0 nv up ei ng nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
    nt!ObRegisterCallbacks+0xc3:
    818becb5 8b00 mov eax,dword ptr [eax] ds:0023:0010000e=????????
    Resetting default scope

    DEFAULT_BUCKET_ID: WRONG_SYMBOLS

    BUGCHECK_STR: 0x7E

    LAST_CONTROL_TRANSFER: from 8d8accf0 to 818becb5

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    83d79a38 8d8accf0 00000001 8d8b2414 8d8b8f04 nt!ObRegisterCallbacks+0xc3
    83d79a8c 8d8acd5f 8d8bb818 86b68918 8ed56000 mydriver!RegisterCallbackFunction+0xbc [xxx.c @ 75]
    83d79a90 8d8bb818 86b68918 8ed56000 00000000 mydriver!Install+0x5 [xxx.c @ 110]
    83d79b18 817a2376 00000000 8d8b45a0 00000000 mydriver!DriverEntry+0x6ae [main.c @ 2107]
    83d79cfc 817a2d0b 00000001 00000000 83d79d24 nt!IoRegisterFileSystem+0x1566
    83d79d44 8166b41d 841a1d00 00000000 82bffd78 nt!IoRegisterFileSystem+0x1efb
    83d79d7c 81808a1c 841a1d00 36043969 00000000 nt!KeQuerySystemTime+0x14d
    83d79dc0 81661a3e 8166b320 00000001 00000000 nt!RtlDestroyAtomTable+0x4fe
    00000000 00000000 00000000 00000000 00000000 nt!RtlSubAuthorityCountSid+0x3c4


    FOLLOWUP_IP:
    mydriver!RegisterCallbackFunction+bc [xxx.c @ 75]
    8d8accf0 8bf0 mov esi,eax

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: mydriver!RegisterCallbackFunction+bc

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: mydriver

    IMAGE_NAME: mydriver.sys

    STACK_COMMAND: .cxr 0xffffffff83d79658 ; kb

    BUCKET_ID: WRONG_SYMBOLS

    Followup: MachineOwner
    ---------
  • mmmm Member - All Emails Posts: 1,408
    >DEFAULT_BUCKET_ID: WRONG_SYMBOLS

    Are you sure that your symbols are correct?

    mm

    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@korea.com
    Sent: Friday, August 27, 2010 3:29 AM
    To: Windows File Systems Devs Interest List
    Subject: RE:[ntfsd] About ObRegisterCallbacks.

    The result of !analyze -v is following.

    *** Fatal System Error: 0x0000007e
    (0xC0000005,0x818BECB5,0x83D7995C,0x83D79658)

    Break instruction exception - code 80000003 (first chance)

    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.

    A fatal system error has occurred.

    Connected to Windows Server 2008 6001 x86 compatible target, ptr64 FALSE
    ............................................................................
    ....................................................
    Loading User Symbols

    Loading unloaded module list
    ....
    ****************************************************************************
    ***
    *
    *
    * Bugcheck Analysis
    *
    *
    *
    ****************************************************************************
    ***

    Use !analyze -v to get detailed debugging information.

    BugCheck 7E, {c0000005, 818becb5, 83d7995c, 83d79658}

    Probably caused by : mydriver.sys ( mydriver!RegisterCallbackFunction+bc )

    Followup: MachineOwner
    ---------

    nt!DbgBreakPointWithStatus+0x4:
    816eb514 cc int 3
    0: kd> !analyze -v
    ****************************************************************************
    ***
    *
    *
    * Bugcheck Analysis
    *
    *
    *
    ****************************************************************************
    ***

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck.
    Usually the exception address pinpoints the driver/function that caused the
    problem. Always note this address as well as the link date of the
    driver/image that contains this address.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 818becb5, The address that the exception occurred at
    Arg3: 83d7995c, Exception Record Address
    Arg4: 83d79658, Context Record Address

    Debugging Details:
    ------------------
    FAULTING_MODULE: 81633000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP: 4c774e38

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

    FAULTING_IP:
    nt!ObRegisterCallbacks+c3
    818becb5 8b00 mov eax,dword ptr [eax]

    EXCEPTION_RECORD: 83d7995c -- (.exr 0xffffffff83d7995c)
    ExceptionAddress: 818becb5 (nt!ObRegisterCallbacks+0x000000c3)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 0010000e
    Attempt to read from address 0010000e

    CONTEXT: 83d79658 -- (.cxr 0xffffffff83d79658) eax=0010000e ebx=83d79a50
    ecx=83d79a84 edx=83e17f70 esi=90754db8 edi=90754e0c
    eip=818becb5 esp=83d79a24 ebp=83d79a38 iopl=0 nv up ei ng nz na po
    nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
    efl=00010282
    nt!ObRegisterCallbacks+0xc3:
    818becb5 8b00 mov eax,dword ptr [eax]
    ds:0023:0010000e=????????
    Resetting default scope

    DEFAULT_BUCKET_ID: WRONG_SYMBOLS

    BUGCHECK_STR: 0x7E

    LAST_CONTROL_TRANSFER: from 8d8accf0 to 818becb5

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be
    wrong.
    83d79a38 8d8accf0 00000001 8d8b2414 8d8b8f04 nt!ObRegisterCallbacks+0xc3
    83d79a8c 8d8acd5f 8d8bb818 86b68918 8ed56000
    mydriver!RegisterCallbackFunction+0xbc [xxx.c @ 75]
    83d79a90 8d8bb818 86b68918 8ed56000 00000000 mydriver!Install+0x5 [xxx.c @
    110]
    83d79b18 817a2376 00000000 8d8b45a0 00000000 mydriver!DriverEntry+0x6ae
    [main.c @ 2107] 83d79cfc 817a2d0b 00000001 00000000 83d79d24
    nt!IoRegisterFileSystem+0x1566
    83d79d44 8166b41d 841a1d00 00000000 82bffd78 nt!IoRegisterFileSystem+0x1efb
    83d79d7c 81808a1c 841a1d00 36043969 00000000 nt!KeQuerySystemTime+0x14d
    83d79dc0 81661a3e 8166b320 00000001 00000000 nt!RtlDestroyAtomTable+0x4fe
    00000000 00000000 00000000 00000000 00000000
    nt!RtlSubAuthorityCountSid+0x3c4


    FOLLOWUP_IP:
    mydriver!RegisterCallbackFunction+bc [xxx.c @ 75]
    8d8accf0 8bf0 mov esi,eax

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: mydriver!RegisterCallbackFunction+bc

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: mydriver

    IMAGE_NAME: mydriver.sys

    STACK_COMMAND: .cxr 0xffffffff83d79658 ; kb

    BUCKET_ID: WRONG_SYMBOLS

    Followup: MachineOwner
    ---------


  • d_cgd_cg Member Posts: 51
    Can I ask some question here ??
    I need to use ObRegisterCallbacks too. But I don't know where to add "/integritycheck" .
    Where should I add it?
  • Frank_FriemelFrank_Friemel Member Posts: 308
    Hi. Modify your code like this:

    USHORT registrationCount = 1;

    Even if you have two callback-routines ... there's only *one*
    OB_CALLBACK_REGISTRATION element.

    <xxxxx@korea.com> wrote news:xxxxx@ntfsd...
    > Thank you.
    > I applied and tested indirection &g_hProcCreateHandle but I also got BSOD.
    > My source code is following.
    > Need help!
    >
    > void *g_hProcCreateHandle = NULL;
    > typedef struct _OB_REG_CONTEXT {
    > __in USHORT Version;
    > __in UNICODE_STRING Altitude;
    > __in USHORT ulIndex;
    > } REG_CONTEXT, *PREG_CONTEXT;
    > //
    > // PRE OPERATION
    > //
    > OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
    > IN PVOID RegistrationContext, IN POB_PRE_OPERATION_INFORMATION
    > OperationInformation)
    > {
    >
    > //OB_PRE_OPERATION_INFORMATION OpInfo;
    > DbgPrint("PreProcCreateRoutine()\n");
    > return OB_PREOP_SUCCESS;
    > }
    > //
    > // POST OPERATION
    > //
    > VOID PostProcCreateRoutine(
    > IN PVOID RegistrationContext, IN POB_POST_OPERATION_INFORMATION
    > OperationInformation)
    > {
    > DbgPrint("PostProcCreateRoutine.\n");
    > }
    > //
    > // REGISTE CALLBACK FUNCTION
    > //
    > NTSTATUS RegisterCallbackFunction()
    > {
    > NTSTATUS ntStatus = STATUS_SUCCESS;
    >
    > UNICODE_STRING Altitude;
    >
    > USHORT filterVersion = ObGetFilterVersion();
    > USHORT registrationCount = 2;
    >
    > OB_OPERATION_REGISTRATION RegisterOperation;
    > OB_CALLBACK_REGISTRATION RegisterCallBack;
    > REG_CONTEXT RegistrationContext;
    >
    > memset(&RegisterOperation, 0, sizeof(OB_OPERATION_REGISTRATION));
    > memset(&RegisterCallBack, 0, sizeof(OB_CALLBACK_REGISTRATION));
    > memset(&RegistrationContext, 0, sizeof(REG_CONTEXT));
    >
    > RegistrationContext.ulIndex = 1;
    > RegistrationContext.Version = 120;
    >
    > if(filterVersion == OB_FLT_REGISTRATION_VERSION) {
    > DbgPrint("Filter Version is correct.\n");
    >
    > RegisterOperation.ObjectType = PsProcessType;
    > RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
    > RegisterOperation.PreOperation = PreProcCreateRoutine;
    > RegisterOperation.PostOperation = PostProcCreateRoutine;
    >
    > RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
    > RegisterCallBack.OperationRegistrationCount = registrationCount;
    >
    > RtlInitUnicodeString(&Altitude, L"XXXXXXX");
    > RegisterCallBack.Altitude = Altitude;
    >
    > RegisterCallBack.RegistrationContext = &RegistrationContext;
    > RegisterCallBack.OperationRegistration = &RegisterOperation;
    > DbgPrint("Register Callback Function Entry!!!\n");
    >
    > ntStatus = ObRegisterCallbacks(&RegisterCallBack, &g_hProcCreateHandle);
    > if(ntStatus == STATUS_SUCCESS) {
    > DbgPrint("Register Callback Function Successful\n");
    > } else {
    > if(ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
    > DbgPrint("Status Filter Instance Altitude Collision\n");
    > }
    > if(ntStatus == STATUS_INVALID_PARAMETER) {
    > DbgPrint("Status Invalid Parameter\n");
    > }
    > if(ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
    > DbgPrint("Status Allocate Memory Failed\n");
    > }
    > DbgPrint("Register Callback Function Failed with 0x%08x\n", ntStatus);
    > }
    > } else {
    > DbgPrint("Filter Version is not supported.\n");
    > }
    >
    > return ntStatus;
    > }
    > //
    > // FREE PROC FILTER
    > //
    > NTSTATUS FreeProcFilter()
    > {
    > if(NULL != &g_hProcCreateHandle) {
    > ObUnRegisterCallbacks(&g_hProcCreateHandle);
    > }
    > return STATUS_SUCCESS;
    > }
    >
  • OSR_Community_UserOSR_Community_User Member Posts: 110,218
    In your sources file: LINKER_FLAGS=/INTEGRITYCHECK
    Along with this, your driver will need to be signed.

    Bill Wandel

    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of dcg1981@163.com
    Sent: Friday, August 27, 2010 4:39 AM
    To: Windows File Systems Devs Interest List
    Subject: RE:[ntfsd] About ObRegisterCallbacks.

    Can I ask some question here ??
    I need to use ObRegisterCallbacks too. But I don't know where to add
    "/integritycheck" .
    Where should I add it?

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,016
    In your SOURCES:

    LINKER_FLAGS=/integritycheck

    -scott

    --
    Scott Noone
    Consulting Associate
    OSR Open Systems Resources, Inc.
    http://www.osronline.com


    <dcg1981@163.com> wrote in message news:xxxxx@ntfsd...
    > Can I ask some question here ??
    > I need to use ObRegisterCallbacks too. But I don't know where to add
    > "/integritycheck" .
    > Where should I add it?
    >

    -scott
    OSR

  • d_cgd_cg Member Posts: 51
    Thanks. :D