I applied the ObRegisterCallbacks function to filter process related operations on the Windows Server 2008.
I called RegisterCallbackFunction() in the DriverEntry.
I met BSOD(7e, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) when the ObRegisterCallbacks function was called.
RegisterCallbackFunction is following.
NTSTATUS RegisterCallbackFunction()
{
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING Altitude;
USHORT filterVersion = ObGetFilterVersion();
USHORT registrationCount = 2;
OB_OPERATION_REGISTRATION RegisterOperation;
OB_CALLBACK_REGISTRATION RegisterCallBack;
REG_CONTEXT RegistrationContext;
memset(&RegisterOperation, 0 , sizeof(OB_OPERATION_REGISTRATION));
memset(&RegisterCallBack, 0 , sizeof(OB_CALLBACK_REGISTRATION));
memset(&RegistrationContext, 0 , sizeof(REG_CONTEXT));
RegistrationContext.ulIndex = 1;
RegistrationContext.Version = 120;
if (filterVersion == OB_FLT_REGISTRATION_VERSION) {
DbgPrint(“Filter Version is correct.\n”);
RegisterOperation.ObjectType = PsProcessType;
RegisterOperation.Operations = OB_OPERATION_HANDLE_CREATE;
RegisterOperation.PreOperation = PreProcCreateRoutine;
RegisterOperation.PostOperation = PostProcCreateRoutine;
RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
RegisterCallBack.OperationRegistrationCount = registrationCount;
RtlInitUnicodeString(&Altitude, L"XXXXXXX");
RegisterCallBack.Altitude = Altitude;
RegisterCallBack.RegistrationContext = &RegistrationContext;
RegisterCallBack.OperationRegistration = &RegisterOperation;
DbgPrint(“Register Callback Function Entry!..\n”);
ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
if (ntStatus == STATUS_SUCCESS) {
DbgPrint(“Register Callback Function Successful…\n”);
} else {
if (ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION) {
DbgPrint(“Status Filter Instance Altitude Collision \n”);
}
if (ntStatus == STATUS_INVALID_PARAMETER) {
DbgPrint(“Status Invalid Parameter \n”);
}
if (ntStatus == STATUS_INSUFFICIENT_RESOURCES) {
DbgPrint(“Status Allocate Memory Failed. \n”);
}
DbgPrint(“Register Callback Function Failed with 0x%08x \n”, ntStatus);
}
} else {
DbgPrint("Filter Version is not supported.\n ");
}
return ntStatus;
}
What is the cause of this problem?
How should I solve this problem?
Ask advice!