Getting handle from object pointer in ObjectPreCallback routine

Hi all,

I’m using the ObRegisterCallback API to register a callback routine for process handle creation.

In the callback routine, it receives an OB_PRE_OPERATION_INFORMATION structure. One of the members in the structure is a PVOID Object, which according to the documentation is a pointer to the process or thread object that is the target of the handle operation.

http://msdn.microsoft.com/en-us/library/bb648419.aspx

I try to obtain a handle to the target process with ObOpenObjectByPointer like this:

ObOpenObjectByPointer(OperationInformation.Object, OBJ_KERNEL_HANDLE, 0, 0, NULL, KernelMode, &Handle);

This seems pretty straightforward to me, however my driver always bugchecks at this point.

Is there something that I’m missing? Or did I understand it wrongly?

Thanks

This needs more information: what error code are you getting, and what is the result of the crash?

Till then, try specifying IoFileObjectType as ObjectType. I agree that as per the docs it is optional, but I think somewhere I met with a BSOD just because I was missing this in my call to some similar Ob routine. I am not sure, but as it will not take more than a minute, I can suggest this to you.

Thanks
Aditya

I tried specifying *IoFileObjectType but I got an error status C0000024 (STATUS_OBJECT_TYPE_MISMATCH).

I guess that’s because the pointer is a pointer to a process or thread object. So I specify *PsProcessType instead and I get the bugcheck.

7F, {8, 8014C000, 0, 0}

Maybe I’ll just show you what my code for the object looks like:

#include <ntddk.h>

OB_PREOP_CALLBACK_STATUS ObjectPreProcessCallback(
    IN PVOID RegistrationContext,
    IN POB_PRE_OPERATION_INFORMATION OperationInformation
    )
{
    NTSTATUS status;
    HANDLE handle = NULL;                     // initialised so the cleanup path never closes an uninitialised value
    PUNICODE_STRING puszTargetImageName = NULL;
    ULONG ulReturnedLength = 0;

    HANDLE hPID = PsGetCurrentProcessId();    // PID of the process performing the handle operation

    UNREFERENCED_PARAMETER(RegistrationContext);
    UNREFERENCED_PARAMETER(hPID);

    KdPrint(("In ObjectPreProcessCallback()...\n"));

    if(OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    {
        // Try and identify the target process of the handle open
        // CRASH AND BURN RIGHT HERE...
        // Note: this call creates a new (kernel) handle to a process object, and that
        // handle creation is itself reported to the registered pre-operation callback,
        // i.e. this routine is entered again from inside this call.
        if(!NT_SUCCESS(status = ObOpenObjectByPointer(OperationInformation->Object, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &handle)))
        {
            KdPrint(("ObOpenObjectByPointer failed. status: %08x\n", status));
            goto SkipTargetProcessLookup;
        }

        // step one - get the size of the string we need
        status = ZwQueryInformationProcess(handle, ProcessImageFileName, NULL, 0, &ulReturnedLength);
        if(status != STATUS_INFO_LENGTH_MISMATCH)
        {
            KdPrint(("Status status info length mismatch\n"));
            goto SkipTargetProcessLookup;
        }
        KdPrint(("Buffer length required: %d\n", ulReturnedLength));
        if(!(puszTargetImageName = (PUNICODE_STRING)ExAllocatePoolWithTag(
                NonPagedPool,
                ulReturnedLength,
                'PROC')))
        {
            KdPrint(("Failed to allocate memory for UNICODE_STRING\n"));
            goto SkipTargetProcessLookup;
        }
        // ZwQueryInformationProcess fills in the UNICODE_STRING header itself; the
        // string characters follow the header in the same allocation.
        puszTargetImageName->Length = 0;
        puszTargetImageName->MaximumLength = (USHORT)(ulReturnedLength - sizeof(UNICODE_STRING));

        // step two - get the image path name
        status = ZwQueryInformationProcess(handle, ProcessImageFileName, (PVOID)puszTargetImageName, ulReturnedLength, &ulReturnedLength);
        if(!NT_SUCCESS(status))
        {
            KdPrint(("Failed to obtain process name. Status=%08x\n", status));
            ExFreePool(puszTargetImageName);
            goto SkipTargetProcessLookup;
        }
        // Print the process name - for testing...
        KdPrint(("Obtained the full process name: %wZ\n", puszTargetImageName));
        ExFreePool(puszTargetImageName);      // release the buffer on the success path too

SkipTargetProcessLookup:
        // close the handle
        if(handle) ZwClose(handle);
    }

    // A pre-operation callback must always return OB_PREOP_SUCCESS.
    return OB_PREOP_SUCCESS;
}

7F with 8: this bugcheck is for kernel_stack_overflow.

You should post the output of !analyze in case you are not getting the above error code otherwise, i.e. without specifying any object type.

In case you want to dig further, debugging the ObOpenObjectByPointer assembly may lead to some clue.