I tried to debug my driver,but the debuged computer always stop at here.enter image description here And after continue,debuged computer throw a blue screen directly with the error which says SYSTEM THREAD EXCEPTION NOT HANDLED.
I have searched to check the usage of this function,but all of them let the ObjectType equal PsProcessType directly with no error when running.Here is my code:
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
POB_CALLBACK_REGISTRATION callBackRegistration = { 0 };
POB_OPERATION_REGISTRATION operationRegistration = { 0 };
UNICODE_STRING altitude;
RtlInitUnicodeString(&altitude, L"60000");
operationRegistration->ObjectType = PsProcessType;//<-- Here is place where I get confused
operationRegistration->Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
operationRegistration->PreOperation = (POB_PRE_OPERATION_CALLBACK) & PobPreOperationCallback;
callBackRegistration->Version = OB_FLT_REGISTRATION_VERSION;
callBackRegistration->OperationRegistrationCount = 1;
callBackRegistration->Altitude = altitude;
callBackRegistration->RegistrationContext = NULL;
callBackRegistration->OperationRegistration = operationRegistration;
KdBreakPoint();
BypassSignCheck(DriverObject);
ObRegisterCallbacks(callBackRegistration,&hRegistration);
DriverObject->DriverUnload = UnloadDriver;
return STATUS_SUCCESS;
}
Change:
to
and then every time you have a '->' with one of these objects change it to a '.', and tka ethe address using '&' when calling functions.
Right now you have pointers but you never point them at valid objects, but since the rgistration is only needed locally there is no reason to not use stack-based objects.