/*
 * GetProcCallList
 *
 * Registers a throw-away process-handle callback (PreCall, create+duplicate),
 * immediately unregisters it again, and returns the Blink of the first
 * entry's CallbackList taken from the registration block. The value handed
 * back is therefore a pointer into the kernel's internal callback list, not
 * a documented object.
 *
 * NOTE(review): PCALLBACK_NODE / Entries[0].CallbackList is not a documented
 * layout; presumably build-specific — verify against each supported build.
 * NOTE(review): self->Blink is dereferenced after ObUnRegisterCallbacks() has
 * been handed obHandle; if that call releases the registration block, this is
 * a read of freed memory — confirm the lifetime before relying on the result.
 * NOTE(review): the altitude is the literal L"CallBack"; ObRegisterCallbacks
 * presumably expects a numeric altitude string — verify.
 *
 * Returns: the Blink pointer on success, NULL when registration failed
 *          (the NTSTATUS is only logged via DbgPrint).
 */
PLIST_ENTRY GetProcCallList() {
    NTSTATUS status;
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg;
    PCALLBACK_NODE obHandle;
    memset(&obReg, 0, sizeof(obReg));
    obReg.Version = ObGetFilterVersion();
    obReg.OperationRegistrationCount = 1;
    obReg.RegistrationContext = NULL;
    RtlInitUnicodeString(&obReg.Altitude, L"CallBack");
    memset(&opReg, 0, sizeof(opReg));//Init Struct
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCall;
    //opReg.PostOperation=(POB_POST_OPERATION_CALLBACK)&PostCall;
    obReg.OperationRegistration = &opReg;
    status = ObRegisterCallbacks(&obReg, &obHandle);
    if(NT_SUCCESS(status)){
        // Pointer into the registration block is taken before the block is
        // handed back to ObUnRegisterCallbacks; see lifetime note above.
        PLIST_ENTRY self = &(obHandle->Entries[0].CallbackList);
        ObUnRegisterCallbacks((PVOID)obHandle);
        return self->Blink;
    } else {
        DbgPrint("RegisterCallback failed! errcode:%x", status);
    }
    return NULL;
}
// // TdDeleteProtectNameCallback // NTSTATUS TdDeleteProtectNameCallback () { NTSTATUS Status = STATUS_SUCCESS; DbgPrintEx ( DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "ObCallbackTest: TdDeleteProtectNameCallback entering\n"); KeAcquireGuardedMutex (&TdCallbacksMutex); // if the callbacks are active - remove them if (bCallbacksInstalled == TRUE) { ObUnRegisterCallbacks(pCBRegistrationHandle); pCBRegistrationHandle = NULL; bCallbacksInstalled = FALSE; } KeReleaseGuardedMutex (&TdCallbacksMutex); DbgPrintEx ( DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "ObCallbackTest: TdDeleteProtectNameCallback exiting - status 0x%x\n", Status ); return Status; }
/**
 * Unload the filter handling module: drops the ObRegisterCallbacks
 * registration held in g_registerHandle, if any, and clears the handle so a
 * repeated call is a no-op.
 *
 * @return always true; there is no failure path here.
 */
bool unloadFilter()
{
    PVOID registration = g_registerHandle;

    if (registration == NULL) {
        return true;
    }

    ObUnRegisterCallbacks(registration);
    g_registerHandle = NULL;
    return true;
}
/// <summary> /// Stops process and thread access rights filtering. /// </summary> VOID HsUnRegisterProtector() { ObUnRegisterCallbacks(ObCallbackInstance.RegistrationHandle); // If ObUnRegisterCallbacks waits for callbacks to finish processing // there is no need to lock here. FltAcquirePushLockExclusive(&ObCallbackInstance.ProtectedProcessLock); HsAvlDeleteAllElements(&ObCallbackInstance.ProtectedProcesses); FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock); FltDeletePushLock(&ObCallbackInstance.ProtectedProcessLock); }
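/*
 * DriverEntry
 *
 * Registers process and thread handle-operation callbacks
 * (ObRegisterCallbacks, altitude "320400") and a process-creation notify
 * routine, and records the ObRegisterCallbacks handle in
 * Globals.m_RegistrationHandle only once both registrations succeeded.
 *
 * DriverObject - driver object supplied by the I/O manager; stored in
 *                Globals.m_FilterDriverObject.
 * RegistryPath - unused.
 *
 * Returns STATUS_SUCCESS, or the status of the registration that failed.
 * When PsSetCreateProcessNotifyRoutineEx fails the ObRegisterCallbacks
 * registration is undone so a driver that failed to load leaves nothing
 * registered.
 *
 * Failure handling: the original hit DbgBreakPoint() unconditionally on
 * every failure path, which bugchecks a machine that has no kernel debugger
 * attached. Both registrations typically fail with STATUS_ACCESS_DENIED
 * when the image is not linked with /INTEGRITYCHECK, so that case is now
 * logged and returned as a load failure; the break is kept for checked
 * (DBG) builds only.
 *
 * NOTE(review): this block does not set DriverObject->DriverUnload; if it
 * is not set elsewhere the driver cannot be unloaded — confirm that is
 * intended.
 */
NTSTATUS DriverEntry ( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    OB_OPERATION_REGISTRATION ObOperations[] = {
        {PsProcessType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreProcess, ObCallbackPostProcess},
        {PsThreadType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreThread, ObCallbackPostThread}
    };
    OB_CALLBACK_REGISTRATION ObRegistration = {
        OB_FLT_REGISTRATION_VERSION,
        sizeof(ObOperations) / sizeof(OB_OPERATION_REGISTRATION),
        /* Altitude as a constant UNICODE_STRING: Length excludes the NUL. */
        {sizeof(L"320400") - sizeof(WCHAR), sizeof(L"320400"), L"320400"},
        &Globals,
        ObOperations
    };
    PVOID RegistrationHandle = NULL;

    UNREFERENCED_PARAMETER( RegistryPath );

    RtlZeroMemory( &Globals, sizeof(Globals) );
    Globals.m_FilterDriverObject = DriverObject;

    status = ObRegisterCallbacks( &ObRegistration, &RegistrationHandle );
    if (!NT_SUCCESS( status )) {
        DbgPrint("ObRegisterCallbacks failed! errcode:%x\n", status);
#if DBG
        DbgBreakPoint();
#endif
        return status;
    }

    // FALSE = register (TRUE would remove the routine).
    status = PsSetCreateProcessNotifyRoutineEx( cbCreateNotifyEx, FALSE );
    if (!NT_SUCCESS( status )) {
        // Undo the handle-callback registration so a failed load leaves
        // no callback pointing into an image that is about to be unmapped.
        ObUnRegisterCallbacks( RegistrationHandle );
        DbgPrint("PsSetCreateProcessNotifyRoutineEx failed! errcode:%x\n", status);
#if DBG
        DbgBreakPoint();
#endif
        return status;
    }

    Globals.m_RegistrationHandle = RegistrationHandle;
    return status;
}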
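/*
 * UnregisterHandlesOperationsNotifier
 *
 * Drops the handle-operation (ObRegisterCallbacks) registration identified
 * by RegistrationHandle.
 *
 * RegistrationHandle - value returned by ObRegisterCallbacks. NULL is
 *                      tolerated and treated as "nothing registered", so an
 *                      unload path may call this unconditionally after a
 *                      failed or skipped registration.
 */
VOID UnregisterHandlesOperationsNotifier(PVOID RegistrationHandle)
{
    // ObUnRegisterCallbacks expects a valid registration handle; guard NULL
    // so the unload path does not crash when registration never happened.
    if (RegistrationHandle == NULL) {
        return;
    }

    ObUnRegisterCallbacks(RegistrationHandle);
}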