ObRegisterCallbacks, available since Vista SP1, permits one to “register a list of callback routines for thread and process handle operations”.
For example, you are registering a PsSetCreateProcessNotifyRoutine callback. You can unset it using software like PC Hunter
because x86 Windows does not have kernel-level PatchGuard, and the driver does not know that it is no longer called for this callback.
The questions:
- How can the driver check that its callback registered with ObRegisterCallbacks is still valid?
- Is a STATUS_FLT_INSTANCE_ALTITUDE_COLLISION error during a second call of ObRegisterCallbacks the right way to check callback status?
- Is there any way to get a list of all callbacks registered with ObRegisterCallbacks?
From the documentation, if you try to register the callback again with the same parameters you will get STATUS_FLT_INSTANCE_ALTITUDE_COLLISION. Similarly, for PsSetCreateProcessNotifyRoutine you will get STATUS_INVALID_PARAMETER. This you can use to test if your callback is still registered with the system.

Note: For PsSetCreateProcessNotifyRoutine, the error invalid parameter also means the maximum limit of callbacks is reached.

There isn't any direct API for this.