ObRegisterCallbacks return 0xC0000022 error

Forum for discussion about kernel-mode development.
Post Reply
Posts: 3
Joined: Sat Dec 10, 2016 11:13 am

ObRegisterCallbacks return 0xC0000022 error

Post by Cuidightheach » Thu Feb 22, 2018 8:28 am

I want to register callbacks

Code: Select all

   OB_OPERATION_REGISTRATION operationRegistrstions = {0};
   OB_CALLBACK_REGISTRATION regObject = { 0 };

   operationRegistrstions.ObjectType = PsProcessType;
   operationRegistrstions.Operations |= OB_OPERATION_HANDLE_CREATE;
   operationRegistrstions.Operations |= OB_OPERATION_HANDLE_DUPLICATE;
   operationRegistrstions.PreOperation = PobPreOperationCallback;
   operationRegistrstions.PostOperation = PobPostOperationCallback;


   regObject.Version = OB_FLT_REGISTRATION_VERSION; // 0x100
   regObject.OperationRegistrationCount = 1;
   RtlInitUnicodeString(&regObject.Altitude, L"1000");
   regObject.RegistrationContext = NULL;
   regObject.OperationRegistration = &operationRegistrstions;

   NTSTATUS status = ObRegisterCallbacks(&regObject, &regHandle);

   if (!NT_SUCCESS(status)) {
      KdPrint(("ObCallback failed - 0x%p\n", status));
Where I'm making mistake?

User avatar
Posts: 464
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: ObRegisterCallbacks return 0xC0000022 error

Post by Vrtule » Thu Feb 22, 2018 2:46 pm

Did you sign your driver? Some interfaces (including this API) do not like unsigned drivers using htem. And the Disable Driver Signature Enforcement option does not help in this case. Test signing should, howerver, work fine.

An alternative is to set a magic flag your DriverObject's DriverSection

Code: Select all

typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    // ULONG padding on IA64
    PVOID GpValue;
    PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    // ULONG padding on IA64
    PVOID LoadedImports;
    PVOID PatchInformation;

. . .

ldr->Flags |= 0x20;

User avatar
Posts: 212
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Re: ObRegisterCallbacks return 0xC0000022 error

Post by Brock » Thu Feb 22, 2018 10:27 pm

Vrtule's way should work fine for you. If you want a link-time option though you can simply just use the /INTEGRITYCHECK flag
Accept nothing less than STATUS_SUCCESS

Post Reply