ObRegisterCallbacks 返回 STATUS_INVALID_PARAMETER
这是网上的一段代码，最开始一直返回 C0000022，后来按照网上的说明操作之后一直返回 STATUS_INVALID_PARAMETER，不知道怎么回事，大牛们帮帮忙。下面是网上处理 C0000022 的方法：
1.根据DriverObject,得到_LDR_DATE_TABLE_ENTRY结构,_LDR_DATE_TABLE_ENTRY结构位于DriverObject的DriverSection项
2.将_LDR_DATE_TABLE_ENTRY结构中+0x68的flag的值或0x20即可。
以下是代码:
//
// PRE OPERATION
//
OB_PREOP_CALLBACK_STATUS PreProcCreateRoutine(
    IN PVOID RegistrationContext,
    IN POB_PRE_OPERATION_INFORMATION OperationInformation
    )
{
    //
    // Pre-operation callback registered for process handle-create requests.
    // It only logs that it was invoked and then lets the operation proceed
    // unchanged; neither parameter is inspected.
    //
    (void)RegistrationContext;
    (void)OperationInformation;

    DbgPrint("PreProcCreateRoutine() \n");

    return OB_PREOP_SUCCESS;
}
//
// POST OPERATION
//
VOID PostProcCreateRoutine(
    IN PVOID RegistrationContext,
    IN POB_POST_OPERATION_INFORMATION OperationInformation)
{
    //
    // Post-operation callback for process handle-create requests. Nothing is
    // examined or modified here; the call is only traced.
    //
    (void)RegistrationContext;
    (void)OperationInformation;

    DbgPrint("PostProcCreateRoutine.\n");
}
//
// REGISTER CALLBACK FUNCTION
//
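NTSTATUS RegisteCallbackFunction()
{
    //
    // Registers a pre/post callback for handle-create operations on process
    // objects through ObRegisterCallbacks.
    //
    // Returns the NTSTATUS produced by ObRegisterCallbacks. When the runtime
    // filter version does not match OB_FLT_REGISTRATION_VERSION the routine
    // logs and returns STATUS_SUCCESS untouched (kept from the original so
    // existing callers see the same result).
    //
    // Two defects of the original are fixed here:
    //   1. OperationRegistrationCount was 2 while only one
    //      OB_OPERATION_REGISTRATION was supplied, so the system read a
    //      second entry from uninitialised stack memory -- the most likely
    //      source of the STATUS_INVALID_PARAMETER seen by the author.
    //   2. RegistrationContext pointed at an automatic (stack) variable, but
    //      the system hands that pointer to every callback for the lifetime
    //      of the registration, i.e. long after this routine has returned.
    //
    NTSTATUS ntStatus = STATUS_SUCCESS;
    UNICODE_STRING Altitude;
    OB_OPERATION_REGISTRATION Operations[1];
    OB_CALLBACK_REGISTRATION RegisterCallBack;
    // Static storage: its address escapes into the registration and must stay
    // valid until the callbacks are unregistered.
    static REG_CONTEXT RegistrationContext;
    // Must equal the number of entries in Operations[]; derived from the array
    // so the two cannot drift apart again.
    const USHORT registrationCount = (USHORT)(sizeof Operations / sizeof Operations[0]);
    USHORT filterVersion = ObGetFilterVersion();

    memset(Operations, 0, sizeof Operations);
    memset(&RegisterCallBack, 0, sizeof RegisterCallBack);
    memset(&RegistrationContext, 0, sizeof RegistrationContext);
    RegistrationContext.ulIndex = 1;
    RegistrationContext.Version = 120;

    if (filterVersion != OB_FLT_REGISTRATION_VERSION)
    {
        DbgPrint("Filter Version is not supported.\n ");
        return ntStatus;
    }
    DbgPrint("Filter Version is correct.\n");

    Operations[0].ObjectType = PsProcessType;
    Operations[0].Operations = OB_OPERATION_HANDLE_CREATE;
    Operations[0].PreOperation = PreProcCreateRoutine;
    Operations[0].PostOperation = PostProcCreateRoutine;

    RegisterCallBack.Version = OB_FLT_REGISTRATION_VERSION;
    RegisterCallBack.OperationRegistrationCount = registrationCount;
    RtlInitUnicodeString(&Altitude, L"XXXXXX");
    RegisterCallBack.Altitude = Altitude;
    RegisterCallBack.RegistrationContext = &RegistrationContext;
    RegisterCallBack.OperationRegistration = Operations;

    // NOTE(review): the second argument must be a PVOID* that receives the
    // registration handle. g_hProcCreateHandle is declared outside this
    // listing -- confirm it is already a pointer-to-PVOID, otherwise pass
    // &g_hProcCreateHandle.
    ntStatus = ObRegisterCallbacks(&RegisterCallBack, g_hProcCreateHandle);
    if (ntStatus == STATUS_SUCCESS)
    {
        DbgPrint("Register Callback Function Successful......\n");
        return ntStatus;
    }

    switch (ntStatus)
    {
    case STATUS_FLT_INSTANCE_ALTITUDE_COLLISION:
        DbgPrint("Status Filter Instance Altitude Collision \n");
        break;
    case STATUS_INVALID_PARAMETER:
        DbgPrint("Status Invalid Parameter\n");
        break;
    case STATUS_INSUFFICIENT_RESOURCES:
        DbgPrint("Status Allocate Memory Failed. \n");
        break;
    default:
        // STATUS_ACCESS_DENIED (0xC0000022) means the image failed the
        // callback-integrity check. The supported fix is to link the driver
        // with /INTEGRITYCHECK and sign it, not to patch loader data
        // structures at run time.
        break;
    }
    DbgPrint("Register Callback Function Failed with 0x%08x \n", ntStatus);

    return ntStatus;
} 没记错的是第二个人问了。。。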
网上的垃圾源码就别COPY了,没用的。。。
我已经成功使用此函数来保护进程,不过似乎没有放BIN上来,暂时保留。。。
如果你是软件公司的开发人员,急需此代码,可以PM我。 直接修改sources文件才是王道 silence_liu 发表于 2014-3-20 14:34
直接修改sources文件才是王道
直接添加数字签名才是王道。。。