-
-
[求助]请教ObRegisterCallbacks为啥总是注册失败呢
-
发表于: 6天前
-
开启了测试模式 也签了测试签名,证书也导入受信任的根 和受信任的发布者了,也换了好几个系统win10 win11,也问了ai,但是ObRegisterCallbacks永远报0xC0000022。我不注册只写个空到底是啥问题呢?很简单的一个代码,搞得头晕,请教各位大佬
#include <ntifs.h>
#include <ntstrsafe.h>
PVOID Globle_Object_Handle = NULL;
// 自定义回调
OB_PREOP_CALLBACK_STATUS
MyLySharkComObjectCallBack(
_In_ PVOID RegistrationContext,
_Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
UNREFERENCED_PARAMETER(RegistrationContext);
UNREFERENCED_PARAMETER(OperationInformation);
DbgPrint("[lyshark] 执行回调函数... \n");
return OB_PREOP_SUCCESS;
}
VOID UnDriver(_In_ PDRIVER_OBJECT driver)
{
UNREFERENCED_PARAMETER(driver);
if (Globle_Object_Handle) {
ObUnRegisterCallbacks(Globle_Object_Handle);
Globle_Object_Handle = NULL;
}
DbgPrint("回调卸载完成... \n");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
UNREFERENCED_PARAMETER(RegistryPath);
DbgPrint("hello lyshark \n");
OB_OPERATION_REGISTRATION ops[1];
RtlZeroMemory(ops, sizeof(ops));
ops[0].ObjectType = PsProcessType;
ops[0].Operations = OB_OPERATION_HANDLE_CREATE;
ops[0].PreOperation = MyLySharkComObjectCallBack;
ops[0].PostOperation = NULL;
OB_CALLBACK_REGISTRATION reg;
RtlZeroMemory(®, sizeof(reg));
reg.Version = OB_FLT_REGISTRATION_VERSION;
reg.OperationRegistration = ops;
reg.OperationRegistrationCount = ARRAYSIZE(ops);
reg.RegistrationContext = NULL;
RtlInitUnicodeString(®.Altitude, L"600000");
NTSTATUS status = ObRegisterCallbacks(®, &Globle_Object_Handle);
if (NT_SUCCESS(status)) {
DbgPrint("[lyshark message] 回调注册成功...");
}
else {
// 新增:失败日志(不改变你原有的打印)
DbgPrint("回调注册失败, NTSTATUS = 0x%08X \n", status);
return status;
}
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
3q大佬 |
|
|
|
|
|
/INTEGRITYCHECK 链接器里面加上这个就可以了 |
|
|
|
