A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #8472  by Naz
 Thu Sep 08, 2011 12:41 pm
Hello,

A program I'm trying to break in uses ObRegisterCallbacks in the kernel with params so I can't open it or debug it. What I'm trying to do is hook ObReg.... and pass the second parameter to ObUnregister.... In order to get the HANDLE I have to hook it first. I tried this:
#include "Hooks.h"

#include <ntddk.h>

typedef NTSTATUS (*_ObRegisterCallbacks)(
	__in   POB_CALLBACK_REGISTRATION CallBackRegistration,
	__out  PVOID *RegistrationHandle
	);

_ObRegisterCallbacks OldObRegisterCallBacks;

NTSTATUS NewObRegisterCallbacks(
	__in   POB_CALLBACK_REGISTRATION CallBackRegistration,
	__out  PVOID *RegistrationHandle
	)
{
	ObUnRegisterCallbacks(RegistrationHandle);
	return OldObRegisterCallBacks(CallBackRegistration,RegistrationHandle);
}

void InstallHooks()
{
	
}

void UninstallHooks()
{

}
The problem is how to install the hook; it seems the table does not work on 64-bit Win 7? O_o Is there an easier/better way of doing this anyway?
 #8494  by Vrtule
 Fri Sep 09, 2011 9:22 am
Hello,

What exactly do you want to achieve? The ability to block callback registration attempts? Or just an ability to know which callbacks are registered?

Hooking of ntoskrnl.exe won't work on x64 versions of Windows due to PatchGuard. Additionally, the ObRegisterCallbacks routine is present in neither the System Service Dispatch Table nor the Shadow one. This is logical because usermode applications are not allowed to register callbacks on object types.

Additionally, I think your hooking function code is wrong. The RegistrationHandle is filled by the original code of ObRegisterCallbacks, so you need to pass it to your routine AFTER the call to ObRegisterCallbacks, not BEFORE it.

I think it is better to use something different than hooking.

In case you want to determine which callbacks are registered at which object types and which drivers these callbacks point to, look here: http://www.inreverse.net/?p=1740