Hi all,
I got the wdk6001, and try to write a driver on 64bits windows vista sp1 with the new api : ObRegisterCallbacks( ) and ObUnregisterCallbacks ().
The driver receive IOCTL from user mode program after it is installed,then call the ObRegisterCallbacks( ), but I got the return value with 0xC0000022, are there anybody know what is the reason?
these are my codes:
SYSTEM_VERSION g_OsVer;
PVOID *g_hProcCreateHandle;
//
// PRE OPERATION
//
OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
__in PVOID RegistrationContext,
__inout POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
OB_PRE_OPERATION_INFORMATION OpInfo;
KDPRINT((“PreProcCreateRoutine()”));
return OB_PREOP_SUCCESS;
}
//
// POST OPERATION
//
VOID PostProcCreateRoutine( __in PVOID RegistrationContext,
__in POB_POST_OPERATION_INFORMATION OperationInformation)
{
KDPRINT((“PostProcCreateRoutine.”));
}
//
// REGISTE CALLBACK FUNCTION
//
NTSTATUS RegisteCallbackFunction()
{
NTSTATUS ntStatus = STATUS_SUCCESS;
UNICODE_STRING Altitude;
USHORT filterVersion = ObGetFilterVersion();
USHORT registrationCount = 2;
POB_OPERATION_REGISTRATION ProcCreateOperation;
POB_CALLBACK_REGISTRATION ProcCreateCallBack;
REG_CONTEXT *hRegistrationContext;
hRegistrationContext = MALLOC(sizeof(REG_CONTEXT));
hRegistrationContext->ulIndex = 1;
ProcCreateOperation = MALLOC(sizeof(OB_OPERATION_REGISTRATION));
ProcCreateCallBack = MALLOC(sizeof(OB_CALLBACK_REGISTRATION));
if (filterVersion == OB_FLT_REGISTRATION_VERSION)
{
KDPRINT((“Filter Version is correct.”));
ProcCreateOperation->ObjectType = PsProcessType;
ProcCreateOperation->Operations = OB_OPERATION_HANDLE_CREATE;
ProcCreateOperation->PreOperation = PreProcCreateRoutine;
ProcCreateOperation->PostOperation = PostProcCreateRoutine;
ProcCreateCallBack->Version = OB_FLT_REGISTRATION_VERSION;
ProcCreateCallBack->OperationRegistrationCount = registrationCount;
RtlInitUnicodeString(&Altitude, L"123456");
ProcCreateCallBack->Altitude = Altitude;
ProcCreateCallBack->RegistrationContext = hRegistrationContext;
ProcCreateCallBack->OperationRegistration = ProcCreateOperation;
ntStatus = ObRegisterCallbacks(ProcCreateCallBack, g_hProcCreateHandle);
if (ntStatus == STATUS_SUCCESS)
{
KDPRINT((“Register Callback Function Successful…”));
} else {
if (ntStatus == STATUS_FLT_INSTANCE_ALTITUDE_COLLISION)
{
KDPRINT((“Status Filter Instance Altitude Collision”));
}
if (ntStatus == STATUS_INVALID_PARAMETER)
{
KDPRINT((“Status Invalid Parameter”));
}
if (ntStatus == STATUS_INSUFFICIENT_RESOURCES )
{
KDPRINT((“Status Allocate Memory Failed.”));
}
KDPRINT((“Register Callback Function Failed with 0x%08x”, ntStatus));
}
} else {
KDPRINT(("Filter Version is not supported. "));
}
return ntStatus;
}
//
// FREE PROC FILTER
//
NTSTATUS FreeProcFilter()
{
ObUnRegisterCallbacks(g_hProcCreateHandle);
return STATUS_SUCCESS;
}
//
// INIT PROC FILTER
//
NTSTATUS InitProcFilter()
{
if (RegisteCallbackFunction() == STATUS_SUCCESS)
{
KDPRINT((“Register Callback Function Successfully…”));
}
return STATUS_SUCCESS;
}
//
// IOCTL
//
NTSTATUS DoDeviceIoControl(IN PDEVICE_OBJECT pDriverObject, IN PIRP pIrp)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(pIrp);
ULONG ulIoctlCode;
ulIoctlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch(ulIoctlCode)
{
case IOCTL_HOOK_SYSTEM_CALL:
InitProcFilter();
break;
case IOCTL_UNHOOK_SYSTEM_CALL:
FreeProcFilter();
break;
}
return ntStatus;
}