ObRegisterCallbacks: Enable callbacks of specific object type

Hi all,
How can we enable callbacks for objects other than PsProcessType/PsThreadType???
Example Code is appreciated.
If not code, at least some pointers?

Note: Please do not suggest googling. I am already googling the topic.

http://code.msdn.microsoft.com/windowshardware/ObCallback-Sample-67a47841

2014-09-06 7:09 GMT+02:00 :

> Hi all,
> How can we enable callbacks for objects other than
> PsProcessType/PsThreadType???
> Example Code is appreciated.
> If not code, at least some pointers?
>
> Note: Please do not suggest googling. I am already googling the topic.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

other than PsProcessType/PsThreadType -> sorry.

Hi Julian,

Exploring ahead, I have found that callbacks for any object type can be enabled to have callbacks
registered for it by setting the SupportsObjectCallbacks bit in the OBJECT_TYPE structure
for that object to one. The OM callbacks allow the restriction of the access rights a
process receives over an object, but does not allow the object access to be directly blocked
(it can be indirectly blocked by removing all access rights).

There is no supported way to do this. Groveling into undocumented structures and setting bits that your driver doesn’t own is, in general, a great way to bugcheck your customer’s machine.

Don’t do that.

What object type are you trying to enable callbacks for, and why?

- S (Msft)
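
The access-rights restriction discussed above, for the supported case of process handles, as an added example (not part of the thread and not code from any poster or from the linked sample). It is a user-mode model: the constants carry their Windows header values, but `MODEL_PRE_OP_INFO`, `pre_operation`, `model_open` and `PROTECTED_PID` are hypothetical stand-ins for the WDK structures, the registered pre-operation routine and the object manager.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;
/* Access-right and operation values as defined in the Windows headers. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define OB_OPERATION_HANDLE_CREATE        0x1u
#define OB_OPERATION_HANDLE_DUPLICATE     0x2u

#define PROTECTED_PID 4242u /* constructed value: the process being shielded */
#define STRIPPED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* Flattened model of what a pre-operation callback sees. In the WDK the two
   masks live under Parameters->CreateHandleInformation or
   Parameters->DuplicateHandleInformation, and the target is an object pointer. */
typedef struct {
    uint32_t    Operation;             /* handle create or handle duplicate */
    int         KernelHandle;          /* non-zero for a kernel-mode handle */
    uint32_t    CallerPid;             /* stand-in for the current process */
    uint32_t    TargetPid;             /* stand-in for the process object */
    ACCESS_MASK OriginalDesiredAccess; /* what the caller asked for */
    ACCESS_MASK DesiredAccess;         /* what the handle will carry */
} MODEL_PRE_OP_INFO;

/* The real routine can only return OB_PREOP_SUCCESS, so there is no "deny":
   the only lever is clearing bits in DesiredAccess. */
void pre_operation(MODEL_PRE_OP_INFO *info)
{
    if (info->KernelHandle)
        return;                        /* leave kernel-mode callers untouched */
    if (info->TargetPid != PROTECTED_PID)
        return;                        /* not the process we protect */
    if (info->CallerPid == PROTECTED_PID)
        return;                        /* the process opening itself */
    if (info->Operation != OB_OPERATION_HANDLE_CREATE &&
        info->Operation != OB_OPERATION_HANDLE_DUPLICATE)
        return;
    info->DesiredAccess &= ~STRIPPED_RIGHTS;
}

/* Model of the object manager: run the callback, then hand out a handle with
   whatever rights are left. The open itself always goes through. */
ACCESS_MASK model_open(uint32_t op, int kernel_handle, uint32_t caller_pid,
                       uint32_t target_pid, ACCESS_MASK requested)
{
    MODEL_PRE_OP_INFO info = { op, kernel_handle, caller_pid, target_pid,
                               requested, requested };
    pre_operation(&info);
    return info.DesiredAccess;
}

int main(void)
{
    ACCESS_MASK mixed = PROCESS_TERMINATE | PROCESS_VM_WRITE |
                        PROCESS_QUERY_LIMITED_INFORMATION;
    /* Partial strip: the query right survives. */
    printf("mixed request   -> 0x%04x\n",
           model_open(OB_OPERATION_HANDLE_CREATE, 0, 100, PROTECTED_PID, mixed));
    /* Every requested right stripped: a handle exists but carries no access,
       which is the "indirect block" mentioned in the thread. */
    printf("terminate only  -> 0x%04x\n",
           model_open(OB_OPERATION_HANDLE_CREATE, 0, 100, PROTECTED_PID,
                      PROCESS_TERMINATE));
    /* Kernel handle: passed through unchanged. */
    printf("kernel handle   -> 0x%04x\n",
           model_open(OB_OPERATION_HANDLE_CREATE, 1, 4, PROTECTED_PID,
                      PROCESS_TERMINATE));
    return 0;
}
```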


Hi Ken,

I am trying to enable callbacks for section object.
I am trying to do so because I want to trace section operations, e.g. MapViewofSection.

xxxxx@gmail.com wrote:

> I am trying to enable callbacks for section object.

What led you to think that was possible? The documentation says that
callbacks can be enabled only for process or thread objects.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Tim,

Please google for moms sandbox.


> Please google for moms sandbox.

I actually tried :) but what came up hardly makes sense, be nice and share
links.

I think, what you might want to do is hook createsection?

Have a look here, it might make sense:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff547172(v=vs.85).aspx

You need stronger Google-fu, then.

It’s not anything that’s too earth shaking… some guy’s thesis that includes a Proof of Concept:

http://www.dtic.mil/docs/citations/ADA557377

Peter
OSR
@OSRDrivers

Rohan,

Why do you want to know about sections? Actually, you have PsSetLoadImageNotifyRoutine callback (http://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx) that may help you to track images (if you need to).

sandbox enable object callbacks moms -> click feeling lucky 2.4 mb pdf


It is easy to enable for all object types but will bug check on windows 8
64 bit and above with critical structure corruption, so not usable.
Use the PreAcquireForSectionSynchronization callback instead

Except you can’t with with named section objects that way at all. Using
the acquirefor callbacks in this manner is really just benefiting from a
side effect of what was intended to be a lock-hierarchy callback. The Ob
callback is altogether a much better way to have designed the whole mess -
most filters being written aren’t actually doing much interesting with
the file system, they just want to monitor and sometimes restrict activity.
Some other OSes I’ve been doing some reading about with capital letters in
their names appear to have understood that and pretty much just shunt
everything through something that looks like the Ob callbacks.

Microsoft - if you want to do something about filter driver
quality/performance/complexity etc. - make it so we don’t have to write
filter drivers at all for those applications and just finish the job with
the ob callbacks please.

t.


Hi Gabriel,
I have not yet implemented this stuff on win8 and above. Does this really
break?? Could you please elaborate


Hi all,

With respect to PreAcquireForSectionSynchronization, I have following
observations:

  1. only files on disk whose section we are creating either via
    CreateFileMapping/ZwCreateSection is getting intercepted.
  2. FILE_OBJECT structure which is common in all callbacks has following
    interesting member: FsContext.
    This FsContext is of type “FSRTL_ADVANCED_FCB_HEADER”.
    On breaking FSRTL_ADVANCED_FCB_HEADER there is a DUMMYSTRUCT of type
    “FSRTL_COMMON_FCB_HEADER”,
    which has this member called “Flags” which can have the
    “FSRTL_FLAG_USER_MAPPED_FILE”
    meaning The Cache Manager sets this flag to indicate that a view is mapped
    to a file.

My questions are:

  1. Will it be possible to identify CreateSection of a process and its
    mapping?
  2. How can I proceed to build a proof of concept to demonstrate point #2
    above?


It’s the patchguard bugcheck code.

T.


One comment here, simply restricting handle access through the use of
the Ob callback (if it were available for all handles types) won’t work
for sandboxing processes in general on Windows. You end up with a slew
of cases where restricting access rights will end up breaking how the
process operates and thus you must revert to a copy-on-write file system
layer to achieve sandboxing, not to mention registry, named pipe,
sockets, etc. You can restrict cross-process handle inheritance
correctly through these callbacks which is a requirement for sandboxing
a process group though.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

There are lots of issues with actual sandboxing beyond access rights since
a true sandboxing driver with “good” application compatibility is a form of
virtualization driver. I’m more thinking about a large subset of drivers
that exist to simply monitor and restrict access that tend to show up in AV
products. There are also a host of object types that don’t appear in the
file system stack that are still of interest, job objects, (named)
sections, semaphores etc. which is probably what the original Op was really
after in the first place. Solutions exist for these problems, but they
tend to be in the ‘creative design space’ which is generally a bad thing to
have to do.

I’ve said it before, but I’ll repeat it again - just because the OS doesn’t
provide a clean and supportable means to do something, in NO WAY stops
those things from being done. My personal feelings and desires about
implementing good design have almost no bearing when balanced against my
desire to continue to pay my mortgage, feed my kids etc. (don’t kid
yourself, we are all mercenaries). As such, to quote a pop-culture-axiom
of biology: “Nature finds a way”.

t.


In fact, in SOME ways it actually *encourages* those things to be done.

Companies have to differentiate products to survive in certain types of markets. They have to innovate. No officially supported way of doing something simply means that the barriers to entry to achieving such a differentiated and innovative solution are FAR higher. This can actually be a *very* good thing, IFF an architecturally sound way to achieve that innovation can be discovered.

Peter
OSR
@OSRDrivers