A forum for reverse engineering, OS internals and malware analysis 

ObRegisterCallbacks & STATUS_FLT_INSTANCE_ALTITUDE_COLLISION

Forum for discussion about kernel-mode development.

ObRegisterCallbacks & STATUS_FLT_INSTANCE_ALTITUDE_COLLISION

 #17630  by takep
 Sun Jan 06, 2013 10:58 am
The same status is returned when I use every Altitude ID.

The code:
Code: Select all
bool InstallHooksViaCallbacks()
{
    PAGED_CODE();

    OB_CALLBACK_REGISTRATION ocr = {0};

    RtlInitUnicodeString(&ocr.Altitude, L"323410");
    ocr.Version = OB_FLT_REGISTRATION_VERSION;
    ocr.RegistrationContext = NULL;

    OB_OPERATION_REGISTRATION operations[4] = {0};

    operations[0].ObjectType = PsProcessType;
    operations[0].Operations = OB_OPERATION_HANDLE_CREATE;
    operations[0].PreOperation = ProcessPreCallback;

    operations[1].ObjectType = PsProcessType;
    operations[1].Operations = OB_OPERATION_HANDLE_DUPLICATE;
    operations[1].PreOperation = ProcessPreCallback;

    operations[2].ObjectType = PsThreadType;
    operations[2].Operations = OB_OPERATION_HANDLE_CREATE;
    operations[2].PreOperation = ProcessPreCallback;

    operations[3].ObjectType = PsThreadType;
    operations[3].Operations = OB_OPERATION_HANDLE_DUPLICATE;
    operations[3].PreOperation = ProcessPreCallback;

    ocr.OperationRegistration = operations;
    ocr.OperationRegistrationCount = ARRAYSIZE(operations);

    PVOID cookie = NULL;

    NTSTATUS st = ObRegisterCallbacks(&ocr, &cookie);

    return true;
}

Re: ObRegisterCallbacks & STATUS_FLT_INSTANCE_ALTITUDE_COLLI

 #17637  by EP_X0FF
 Mon Jan 07, 2013 4:19 am
Operations can be mixed, so you don't need 4 op items. Have you tried example from MSDN, Windows 8 Driver Sample -> ObCallback Callback Registration Driver, is it fails for you too?
 Return to “Kernel-Mode Development”