Is any way to check if callbacks registered with ObRegisterCallbacks are still valid?
https://stackoverflow.com//questions/21015094
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
ObRegisterCallbacks‘s available since Vista SP1, permits to “register a list of callback routines for thread and process handle operations”.
For example you are registering PsSetCreateProcessNotifyRoutine callback. You can unset it using software like PC Hunter becouse of x86 windows do not have kernel level patch guard. And driver did not know that it is no longer called for this callback.
The questions:
- How driver can check that it callback registered with ObRegisterCallbacks is still valid?
- Is
STATUS_FLT_INSTANCE_ALTITUDE_COLLISIONerror during second call of ObRegisterCallbacks is a right way to check callback status? - Is any way to get list of all registered callbacks with ObRegisterCallbacks?
Solution
How driver can check that it callback registered with ObRegisterCallbacks is still valid? Is STATUS_FLT_INSTANCE_ALTITUDE_COLLISION error during second call of ObRegisterCallbacks is a right way to check callback status?
From the documentation, if you try to register callback again with same parameters you will get STATUS_FLT_INSTANCE_ALTITUDE_COLLISION. Similarly for PsSetCreateProcessNotifyRoutine you will get STATUS_INVALID_PARAMETER. This you can use to test if your callback is still registered with system.
Note: For PsSetCreateProcessNotifyRoutine, the error invalid parameter also means maximum limit of callbacks is reached.
Is any way to get list of all registered callbacks with ObRegisterCallbacks?
There isn't any direct API for this.
