A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31286  by Cuidightheach
 Thu Feb 22, 2018 8:28 am
I want to register callbacks
Code:
   // Forward declarations of the callbacks referenced below (their bodies are not shown here)
   OB_PREOP_CALLBACK_STATUS PobPreOperationCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation);
   VOID PobPostOperationCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation);

   OB_OPERATION_REGISTRATION operationRegistrations = { 0 };
   OB_CALLBACK_REGISTRATION regObject = { 0 };
   PVOID regHandle = NULL;   // filled in by ObRegisterCallbacks; pass it to ObUnRegisterCallbacks on unload

   operationRegistrations.ObjectType = PsProcessType;
   operationRegistrations.Operations |= OB_OPERATION_HANDLE_CREATE;
   operationRegistrations.Operations |= OB_OPERATION_HANDLE_DUPLICATE;
   operationRegistrations.PreOperation = PobPreOperationCallback;
   operationRegistrations.PostOperation = PobPostOperationCallback;

   regObject.Version = OB_FLT_REGISTRATION_VERSION; // 0x100
   regObject.OperationRegistrationCount = 1;
   RtlInitUnicodeString(&regObject.Altitude, L"1000");
   regObject.RegistrationContext = NULL;
   regObject.OperationRegistration = &operationRegistrations;

   NTSTATUS status = ObRegisterCallbacks(&regObject, &regHandle);

   if (!NT_SUCCESS(status)) {
      KdPrint(("ObCallback failed - 0x%08X\n", status));   // NTSTATUS is a 32-bit value, not a pointer
   }
Where am I making a mistake?
 #31287  by Vrtule
 Thu Feb 22, 2018 2:46 pm
Did you sign your driver? Some interfaces (including this API) do not like unsigned drivers using them. And the Disable Driver Signature Enforcement option does not help in this case. Test signing should, however, work fine.

An alternative is to set a magic flag in your DriverObject's DriverSection:
Code:
// Undocumented loader data table entry; the layout is version-specific.
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    // ULONG padding on IA64
    PVOID GpValue;
    PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    // ULONG padding on IA64
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

. . .
PKLDR_DATA_TABLE_ENTRY ldr = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;

// 0x20 is LDRP_IMAGE_INTEGRITY_FORCED, the flag the loader sets for an image
// linked with /INTEGRITYCHECK that passed its integrity check.
ldr->Flags |= 0x20;
 #31289  by Brock
 Thu Feb 22, 2018 10:27 pm
Vrtule's way should work fine for you. If you want a link-time option though, you can simply just use the /INTEGRITYCHECK flag.
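Tying Brock's link-time option back to Vrtule's loader flag: /INTEGRITYCHECK sets IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (0x0080) in the PE optional header's DllCharacteristics field, and it is that bit which makes the loader mark the image with the 0x20 LDRP_IMAGE_INTEGRITY_FORCED flag shown above. The portable C below is an added example, not code from anyone in this thread: it parses a PE header from a byte buffer or a driver file on disk and reports whether FORCE_INTEGRITY is set, which is a quick way to confirm a driver was actually linked with the flag (or to inventory which drivers on a system were) before chasing ObRegisterCallbacks failures. The header bytes used in the self-test are constructed in `build_test_image`, not taken from a real driver; all function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE/COFF layout constants (from the PE specification). */
#define PE_MZ_MAGIC               0x5A4D      /* "MZ" */
#define PE_NT_SIGNATURE           0x00004550  /* "PE\0\0" */
#define PE_E_LFANEW_OFFSET        0x3C        /* DOS header: offset of the NT headers */
#define PE_FILE_HEADER_SIZE       20
#define PE_FILE_HDR_OPTSIZE_OFF   16          /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
#define PE_OPT_MAGIC_PE32         0x10B
#define PE_OPT_MAGIC_PE32PLUS     0x20B
#define PE_OPT_DLLCHARACTERISTICS 70          /* same offset in PE32 and PE32+ optional headers */
/* Set by the linker when the image is built with /INTEGRITYCHECK. */
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if FORCE_INTEGRITY is set, 0 if it is clear, -1 if the bytes are not a parsable PE header. */
int pe_has_force_integrity(const uint8_t *img, size_t len)
{
    if (len < PE_E_LFANEW_OFFSET + 4 || rd16(img) != PE_MZ_MAGIC)
        return -1;
    uint32_t nt = rd32(img + PE_E_LFANEW_OFFSET);
    size_t needed = 4 + PE_FILE_HEADER_SIZE + PE_OPT_DLLCHARACTERISTICS + 2;
    if (nt > len || len - nt < needed)          /* bounds check before touching the NT headers */
        return -1;
    if (rd32(img + nt) != PE_NT_SIGNATURE)
        return -1;
    if (rd16(img + nt + 4 + PE_FILE_HDR_OPTSIZE_OFF) < PE_OPT_DLLCHARACTERISTICS + 2)
        return -1;                              /* optional header too short to hold the field */
    const uint8_t *opt = img + nt + 4 + PE_FILE_HEADER_SIZE;
    uint16_t magic = rd16(opt);
    if (magic != PE_OPT_MAGIC_PE32 && magic != PE_OPT_MAGIC_PE32PLUS)
        return -1;
    return (rd16(opt + PE_OPT_DLLCHARACTERISTICS) & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) ? 1 : 0;
}

/* Reads the first 4 KiB of a file (enough for the headers of a normally linked driver) and checks it. */
int pe_file_has_force_integrity(const char *path)
{
    uint8_t hdr[4096];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return pe_has_force_integrity(hdr, n);
}

/* Constructed minimal PE32+ header for offline testing; not a real driver image. Returns bytes written. */
size_t build_test_image(uint8_t *buf, size_t cap, uint16_t dll_characteristics)
{
    const size_t nt = 0x40, optsize = 0xF0;    /* 240-byte PE32+ optional header */
    const size_t size = nt + 4 + PE_FILE_HEADER_SIZE + optsize;
    if (cap < size) return 0;
    memset(buf, 0, size);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[PE_E_LFANEW_OFFSET] = (uint8_t)nt;
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + 4] = 0x64; buf[nt + 5] = 0x86;               /* Machine = IMAGE_FILE_MACHINE_AMD64 */
    buf[nt + 4 + PE_FILE_HDR_OPTSIZE_OFF] = (uint8_t)optsize;
    uint8_t *opt = buf + nt + 4 + PE_FILE_HEADER_SIZE;
    opt[0] = 0x0B; opt[1] = 0x02;                          /* Magic = PE32+ */
    opt[PE_OPT_DLLCHARACTERISTICS]     = (uint8_t)(dll_characteristics & 0xFF);
    opt[PE_OPT_DLLCHARACTERISTICS + 1] = (uint8_t)(dll_characteristics >> 8);
    return size;
}

/* Self-test on constructed headers: returns 1 when all three cases behave as expected. */
int selftest(void)
{
    uint8_t buf[512];
    size_t n;
    n = build_test_image(buf, sizeof buf, 0x0160 | IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY);
    if (pe_has_force_integrity(buf, n) != 1) return 0;     /* linked with /INTEGRITYCHECK */
    n = build_test_image(buf, sizeof buf, 0x0160);          /* DYNAMIC_BASE|NX_COMPAT|HIGH_ENTROPY_VA only */
    if (pe_has_force_integrity(buf, n) != 0) return 0;
    if (pe_has_force_integrity(buf, 0x50) != -1) return 0;  /* truncated before the optional header */
    return 1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        int ok = selftest();
        printf("self-test: %s\n", ok ? "ok" : "FAILED");
        return ok ? 0 : 1;
    }
    int r = pe_file_has_force_integrity(argv[1]);
    if (r < 0) { printf("%s: not a parsable PE image\n", argv[1]); return 2; }
    printf("%s: FORCE_INTEGRITY %s\n", argv[1], r ? "set (linked with /INTEGRITYCHECK)" : "clear");
    return 0;
}
```

Run it with no arguments for the self-test, or with the path to a .sys file to check a real image. The parser deliberately checks the buffer length and SizeOfOptionalHeader before every read, so a truncated or malformed header yields -1 instead of an out-of-bounds read.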