示例#1
/*
 * Registers a throw-away process-handle object callback, reads a list-entry
 * pointer out of the registration handle that ObRegisterCallbacks returns,
 * unregisters again and returns that entry's Blink.
 *
 * NOTE(review): PCALLBACK_NODE / Entries[0].CallbackList is not a documented
 * WDK type; it is presumably a project-declared mirror of the kernel's private
 * callback registration block, whose layout is not stable across Windows
 * builds. Walking the object manager's callback list this way is not a
 * supported interface and is a well-known tamper indicator for endpoint
 * security tooling - confirm the offsets against every targeted build.
 *
 * Returns the Blink of the callback list entry on success, NULL if
 * registration failed.
 */
PLIST_ENTRY 
GetProcCallList()
{
	NTSTATUS status;
	OB_CALLBACK_REGISTRATION obReg;
	OB_OPERATION_REGISTRATION opReg;
	PCALLBACK_NODE obHandle;

	memset(&obReg, 0, sizeof(obReg));
	obReg.Version = ObGetFilterVersion();
	obReg.OperationRegistrationCount = 1;
	obReg.RegistrationContext = NULL;
	// NOTE(review): ObRegisterCallbacks documents Altitude as a numeric
	// string (e.g. "321000"); a non-numeric value is unusual - confirm it is
	// accepted on the targeted builds.
	RtlInitUnicodeString(&obReg.Altitude, L"CallBack");
	memset(&opReg, 0, sizeof(opReg));	// zero the operation registration
	opReg.ObjectType = PsProcessType;
	opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
	// The cast silences any prototype mismatch on PreCall; it should not be
	// needed if PreCall has the POB_PRE_OPERATION_CALLBACK signature.
	opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCall;
	//opReg.PostOperation=(POB_POST_OPERATION_CALLBACK)&PostCall;
	obReg.OperationRegistration = &opReg;
	status = ObRegisterCallbacks(&obReg, &obHandle);
	if(NT_SUCCESS(status)){
		// NOTE(review): `self` points into the registration block that
		// ObUnRegisterCallbacks releases on the next line, so the read of
		// self->Blink below happens after that block is freed
		// (use-after-free). Capturing Blink before unregistering would
		// avoid touching freed memory.
		PLIST_ENTRY self = &(obHandle->Entries[0].CallbackList);
		ObUnRegisterCallbacks((PVOID)obHandle);
		return self->Blink;
	}
	else {
		// Format string has no trailing newline, so the next DbgPrint
		// output lands on the same line.
		DbgPrint("RegisterCallback failed! errcode:%x", status);
	}
	return NULL;
}
示例#2
//
// TdDeleteProtectNameCallback
//
//
// TdDeleteProtectNameCallback
//
// Removes the object-manager callback registration, if one is currently
// installed. The install/remove state (bCallbacksInstalled,
// pCBRegistrationHandle) is serialised on TdCallbacksMutex.
//
// Returns STATUS_SUCCESS; this routine has no failure path.
//
NTSTATUS TdDeleteProtectNameCallback ()
{
    const NTSTATUS Status = STATUS_SUCCESS;

    DbgPrintEx (
        DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL,
        "ObCallbackTest: TdDeleteProtectNameCallback entering\n");

    KeAcquireGuardedMutex (&TdCallbacksMutex);

    // Only an installed registration is torn down; the handle and the
    // installed flag are cleared together, still under the mutex.
    if (bCallbacksInstalled == TRUE) {
        PVOID Handle = pCBRegistrationHandle;

        ObUnRegisterCallbacks (Handle);
        pCBRegistrationHandle = NULL;
        bCallbacksInstalled   = FALSE;
    }

    KeReleaseGuardedMutex (&TdCallbacksMutex);

    DbgPrintEx (
        DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL,
        "ObCallbackTest: TdDeleteProtectNameCallback exiting  - status 0x%x\n", Status
        );

    return Status;
}
示例#3
/**
*	卸载过滤处理模块
*/
/**
 *	Tear down the filter module: drop the object callback registration held
 *	in g_registerHandle, if there is one, and clear the handle so a repeated
 *	call is a no-op.
 *
 *	Always returns true.
 */
bool unloadFilter()
{
	void *handle = g_registerHandle;

	if (handle == NULL)
	{
		return true;
	}

	ObUnRegisterCallbacks(handle);
	g_registerHandle = NULL;
	return true;
}
示例#4
/// <summary>
/// Stops process and thread access rights filtering.
/// </summary>
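/// <summary>
/// Stops process and thread access rights filtering.
/// Unregisters the object callbacks (when a registration exists), then
/// empties the protected-process table and destroys its push lock.
/// The registration handle is cleared afterwards, so a second call does
/// not hand a stale handle back to ObUnRegisterCallbacks.
/// </summary>
VOID HsUnRegisterProtector()
{
	// ObUnRegisterCallbacks must only be given a handle that came back from
	// ObRegisterCallbacks; guard the case where registration never happened
	// (or was already torn down) and this runs from the unload path anyway.
	if (ObCallbackInstance.RegistrationHandle != NULL)
	{
		ObUnRegisterCallbacks(ObCallbackInstance.RegistrationHandle);
		ObCallbackInstance.RegistrationHandle = NULL;
	}

	// If ObUnRegisterCallbacks waits for callbacks to finish processing
	// there is no need to lock here; the lock is still taken so the table
	// is only ever modified under it.

	FltAcquirePushLockExclusive(&ObCallbackInstance.ProtectedProcessLock);
	HsAvlDeleteAllElements(&ObCallbackInstance.ProtectedProcesses);
	FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock);
	FltDeletePushLock(&ObCallbackInstance.ProtectedProcessLock);
}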
示例#5
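/*
 * DriverEntry
 *
 * Registers object-manager callbacks for process and thread handle
 * create/duplicate operations and a process-creation notify routine.
 *
 * Parameters:
 *   DriverObject - stored in Globals.m_FilterDriverObject.
 *   RegistryPath - unused.
 *
 * Returns the status of ObRegisterCallbacks, or of
 * PsSetCreateProcessNotifyRoutineEx when the former succeeded. On a
 * notify-routine failure the object callbacks are unregistered again, so a
 * failing return leaves nothing registered.
 *
 * NOTE(review): no DriverUnload is assigned here. If the driver is meant to
 * be unloadable, the unload path must call ObUnRegisterCallbacks on
 * Globals.m_RegistrationHandle and
 * PsSetCreateProcessNotifyRoutineEx(cbCreateNotifyEx, TRUE).
 */
NTSTATUS
DriverEntry (
	IN PDRIVER_OBJECT DriverObject,
	IN PUNICODE_STRING RegistryPath
	)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;

	OB_OPERATION_REGISTRATION ObOperations[] = {
		{PsProcessType,		OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE,		ObCallbackPreProcess,	ObCallbackPostProcess},
		{PsThreadType,		OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE,		ObCallbackPreThread,	ObCallbackPostThread}
	};

	// Altitude "320400" is hard-coded; the Length/MaximumLength pair is
	// derived from the literal so the UNICODE_STRING stays consistent if
	// the value is changed.
	OB_CALLBACK_REGISTRATION ObRegistration = {
		OB_FLT_REGISTRATION_VERSION,
		sizeof(ObOperations) / sizeof(OB_OPERATION_REGISTRATION),
		{sizeof(L"320400") - sizeof(WCHAR), sizeof(L"320400"), L"320400"},
		&Globals,
		ObOperations
	};

	PVOID RegistrationHandle = NULL;

	UNREFERENCED_PARAMETER( RegistryPath );

	// Globals is zeroed after &Globals was captured above; only its address
	// is used there, so ordering is fine.
	RtlZeroMemory( &Globals, sizeof(Globals) );

	Globals.m_FilterDriverObject = DriverObject;

	status = ObRegisterCallbacks( &ObRegistration, &RegistrationHandle );

	if (NT_SUCCESS( status ))
	{
		status = PsSetCreateProcessNotifyRoutineEx( cbCreateNotifyEx, FALSE );
		if (NT_SUCCESS( status ))
		{
			Globals.m_RegistrationHandle = RegistrationHandle;
		}
		else
		{
			// Roll back the object callbacks so a failed load leaves
			// nothing registered.
			ObUnRegisterCallbacks( RegistrationHandle );
			// Break only when a kernel debugger is attached; an
			// unconditional DbgBreakPoint() with no debugger present
			// bugchecks the machine on a plain load failure.
			if (!KD_DEBUGGER_NOT_PRESENT)
			{
				DbgBreakPoint();
			}
		}
	}
	else
	{
		if (!KD_DEBUGGER_NOT_PRESENT)
		{
			DbgBreakPoint();
		}
	}

	return status;
}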
示例#6
/*
 * Thin wrapper around ObUnRegisterCallbacks.
 *
 * RegistrationHandle must be a handle previously returned by
 * ObRegisterCallbacks; it is passed through unchanged and not validated here.
 */
VOID UnregisterHandlesOperationsNotifier(PVOID RegistrationHandle)
{
	ObUnRegisterCallbacks(RegistrationHandle);
}