ObRegisterCallbacks return 0xC0000022 error

Post by Cuidightheach » Thu Feb 22, 2018 8:28 am

I want to register callbacks:

Code:

   OB_OPERATION_REGISTRATION operationRegistrstions = {0};
   OB_CALLBACK_REGISTRATION regObject = { 0 };

   // Watch handle creation and duplication on process objects
   operationRegistrstions.ObjectType = PsProcessType;
   operationRegistrstions.Operations |= OB_OPERATION_HANDLE_CREATE;
   operationRegistrstions.Operations |= OB_OPERATION_HANDLE_DUPLICATE;
   operationRegistrstions.PreOperation = PobPreOperationCallback;
   operationRegistrstions.PostOperation = PobPostOperationCallback;

   regObject.Version = OB_FLT_REGISTRATION_VERSION; // 0x100
   regObject.OperationRegistrationCount = 1;
   RtlInitUnicodeString(&regObject.Altitude, L"1000");
   regObject.RegistrationContext = NULL;
   regObject.OperationRegistration = &operationRegistrstions;

   NTSTATUS status = ObRegisterCallbacks(&regObject, &regHandle);

   if (!NT_SUCCESS(status)) {
      // NTSTATUS is a 32-bit value: print it with %08X, not %p
      KdPrint(("ObCallback failed - 0x%08X\n", status));
   }

Where am I making a mistake?

Post by Vrtule » Thu Feb 22, 2018 2:46 pm

Did you sign your driver? Some interfaces (including this API) do not like unsigned drivers using them. And the Disable Driver Signature Enforcement option does not help in this case. Test signing should, however, work fine.

An alternative is to set a magic flag in your DriverObject's DriverSection:

Code:

typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    // ULONG padding on IA64
    PVOID GpValue;
    PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    // ULONG padding on IA64
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

. . .
PKLDR_DATA_TABLE_ENTRY ldr = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;

ldr->Flags |= 0x20;

Post by Brock » Thu Feb 22, 2018 10:27 pm

Vrtule's way should work fine for you. If you want a link-time option though, you can simply just use the /INTEGRITYCHECK flag.
Accept nothing less than STATUS_SUCCESS
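
Added example, not part of the thread: the /INTEGRITYCHECK linker option sets IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) in the DllCharacteristics field of the PE optional header, so a built .sys can be checked for that bit to confirm the option took effect. The function names and the sample header bytes below are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FORCE_INTEGRITY 0x0080u /* IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* 1 = bit set, 0 = bit clear, -1 = not a well-formed PE header. */
int pe_force_integrity(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);               /* e_lfanew */
    /* Need "PE\0\0" (4) + COFF header (20) + optional header through offset 72. */
    if (pe > len || len - pe < 4 + 20 + 72) return -1;
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = buf + pe + 24;
    uint16_t opt_size = rd16(buf + pe + 20);      /* SizeOfOptionalHeader */
    uint16_t magic = rd16(opt);                   /* 0x10B PE32, 0x20B PE32+ */
    if (opt_size < 72 || (magic != 0x10B && magic != 0x20B)) return -1;
    return (rd16(opt + 70) & FORCE_INTEGRITY) ? 1 : 0;  /* DllCharacteristics */
}

/* Constructed sample: minimal PE32+ header bytes, not a real driver image. */
size_t make_sample_header(uint8_t *out, size_t cap, uint16_t dll_chars)
{
    const size_t pe = 0x80, total = pe + 24 + 240;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = (uint8_t)pe;
    memcpy(out + pe, "PE\0\0", 4);
    out[pe + 4] = 0x64; out[pe + 5] = 0x86;      /* Machine: AMD64 */
    out[pe + 20] = 240;                          /* SizeOfOptionalHeader */
    out[pe + 24] = 0x0B; out[pe + 25] = 0x02;    /* Magic: PE32+ */
    out[pe + 24 + 68] = 1;                       /* Subsystem: NATIVE */
    out[pe + 24 + 70] = (uint8_t)(dll_chars & 0xFF);
    out[pe + 24 + 71] = (uint8_t)(dll_chars >> 8);
    return total;
}

int main(int argc, char **argv)
{
    uint8_t buf[4096];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t n = f ? fread(buf, 1, sizeof buf, f) : make_sample_header(buf, sizeof buf, 0x0180);
    if (f) fclose(f);
    printf("FORCE_INTEGRITY: %d\n", pe_force_integrity(buf, n));
    return 0;
}
```

Run it with the path to the built driver as the only argument; with no argument it checks the constructed sample header.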
