本机环境:Windows 10 x64,IDA 7.6 Pro;内核文件:Windows 7 x64 SP1 (ntoskrnl.exe)
特别说明:本图中 ObRegisterCallbacks 被调用了两次
最左边的图:插入了两个回调函数,分别进入 PsProcessType->CallbackList 和 PsThreadType->CallbackList
最右边的图:插入了一个回调函数到 PsThreadType->CallbackList
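/*
 * Yellow block: one list node per registered operation. The kernel links it
 * into <ObjectType>->CallbackList. The layout is the author's reverse-engineered
 * view of the Windows 7 x64 SP1 ntoskrnl.exe named above; it is undocumented
 * and may differ on other builds.
 */
typedef struct _CALLBACK_ENTRY_ITEM {
    LIST_ENTRY EntryItemList;                   /* link in the object type's CallbackList */
    OB_OPERATION Operations;                    /* OB_OPERATION_HANDLE_CREATE / _DUPLICATE mask */
    /* Owning CALLBACK_ENTRY, i.e. the handle later passed to ObUnRegisterCallbacks.
     * Declared through the struct tag so this typedef compiles before
     * CALLBACK_ENTRY is defined below. */
    struct _CALLBACK_ENTRY *CallbackEntry;
    POBJECT_TYPE ObjectType;
    POB_PRE_OPERATION_CALLBACK PreOperation;
    POB_POST_OPERATION_CALLBACK PostOperation;
    __int64 unk;                                /* not identified by the author */
} CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;

/*
 * Green / orange block: the object the kernel hands back through the
 * RegistrationHandle out-parameter of ObRegisterCallbacks.
 */
typedef struct _CALLBACK_ENTRY {
    __int16 Version;
    char buffer1[6];                            /* padding / unknown */
    POB_OPERATION_REGISTRATION RegistrationContext;
    __int16 AltitudeLength1;
    __int16 AltitudeLength2;
    char buffer2[4];                            /* padding / unknown */
    WCHAR *AltitudeString;                      /* presumably the registered Altitude - TODO confirm */
    /* Actually the first element of an array of CALLBACK_ENTRY_ITEMs, one per
     * OB_OPERATION_REGISTRATION; each is also linked into a doubly linked list. */
    CALLBACK_ENTRY_ITEM Items;
} CALLBACK_ENTRY, *PCALLBACK_ENTRY;

/*
 * Leftmost listing: registers two pre-operation callbacks with a single
 * ObRegisterCallbacks call.
 *
 * obHandle is a file-scope variable declared outside this listing; it receives
 * the CALLBACK_ENTRY and must be kept so that unload can call
 * ObUnRegisterCallbacks(obHandle).
 *
 * Returns the NTSTATUS of ObRegisterCallbacks. The original listing discarded
 * that status and always returned 0, so a failed registration (for example
 * STATUS_FLT_INSTANCE_ALTITUDE_COLLISION when another driver already owns
 * altitude "123321") went unnoticed and an unset obHandle was printed.
 */
NTSTATUS ProtectProcess(void)
{
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg[2];
    NTSTATUS status;

    memset(&obReg, 0, sizeof(obReg));
    obReg.Version = ObGetFilterVersion();
    /* The original hard-coded 1 here, which silently dropped opReg[1]
     * (the kernel only reads OperationRegistrationCount entries). Deriving the
     * count from the array keeps the two from drifting apart. */
    obReg.OperationRegistrationCount = (unsigned short)(sizeof(opReg) / sizeof(opReg[0]));
    obReg.RegistrationContext = NULL;
    RtlInitUnicodeString(&obReg.Altitude, L"123321");
    DbgPrint("%S\n", obReg.Altitude.Buffer);

    memset(&opReg, 0, sizeof(opReg));   /* zero the operation table */

    /* Entry 0: process handle create / duplicate. */
    opReg[0].ObjectType = PsProcessType;
    opReg[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg[0].PreOperation = (POB_PRE_OPERATION_CALLBACK)(&MyCallback);

    /* Entry 1: kept as PsProcessType, as in the original listing.
     * NOTE(review): the description of the leftmost diagram says the second
     * item lands in PsThreadType->CallbackList - confirm which object type
     * produced that diagram. */
    opReg[1].ObjectType = PsProcessType;
    opReg[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg[1].PreOperation = (POB_PRE_OPERATION_CALLBACK)(&MyCallback);

    obReg.OperationRegistration = opReg;

    status = ObRegisterCallbacks(&obReg, &obHandle);
    if (status < 0) {   /* equivalent to !NT_SUCCESS(status) */
        DbgPrint("ObRegisterCallbacks failed: 0x%08X\n", (unsigned)status);
        return status;
    }
    DbgPrint("%p\n", obHandle);
    return status;
}

/*
 * Rightmost listing: same as above but with a single operation entry.
 * (It carries the same function name as the listing above on the original
 * page; the two are alternatives and are not meant to be built together.)
 *
 * Returns the NTSTATUS of ObRegisterCallbacks instead of an unconditional 0.
 */
NTSTATUS ProtectProcess(void)
{
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg[1];
    NTSTATUS status;

    memset(&obReg, 0, sizeof(obReg));
    obReg.Version = ObGetFilterVersion();
    /* Derived from the array rather than hard-coded, for the same reason as above. */
    obReg.OperationRegistrationCount = (unsigned short)(sizeof(opReg) / sizeof(opReg[0]));
    obReg.RegistrationContext = NULL;
    RtlInitUnicodeString(&obReg.Altitude, L"123321");
    DbgPrint("%S\n", obReg.Altitude.Buffer);

    memset(&opReg, 0, sizeof(opReg));   /* zero the operation table */

    /* NOTE(review): the description of the rightmost diagram says this item
     * lands in PsThreadType->CallbackList, while the listing registers on
     * PsProcessType - confirm which one matches the diagram. */
    opReg[0].ObjectType = PsProcessType;
    opReg[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg[0].PreOperation = (POB_PRE_OPERATION_CALLBACK)(&MyCallback);

    obReg.OperationRegistration = opReg;

    status = ObRegisterCallbacks(&obReg, &obHandle);
    if (status < 0) {   /* equivalent to !NT_SUCCESS(status) */
        DbgPrint("ObRegisterCallbacks failed: 0x%08X\n", (unsigned)status);
        return status;
    }
    DbgPrint("%p\n", obHandle);
    return status;
}

/* Source material referenced by the author:
 * https://www.unknowncheats.me/forum/anti-cheat-bypass/148364-obregistercallbacks-countermeasures.html */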
注册回调函数逻辑图
来源:http://www.12558.net