Windows内核回调机制详解<\/h1>

内核回调概述<\/h2>
Windows内核回调机制为驱动程序提供了一种在满足特定条件时请求和提供通知的常规方法。MSDN中提供了多种内核回调函数，主要包括：<\/p>
进程创建\/销毁通知<\/li>
线程创建\/销毁通知<\/li>
模块加载通知<\/li>
对象操作回调<\/li> <\/ul>
进程回调<\/h2>

PsSetCreateProcessNotifyRoutine<\/h3>
NTSTATUS PsSetCreateProcessNotifyRoutine<\/span>(
<\/span><\/span>    _In_ PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
<\/span><\/span>    _In_ BOOLEAN Remove
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

NotifyRoutine<\/code>: 回调函数指针<\/li>
Remove<\/code>: TRUE表示移除回调，FALSE表示注册回调<\/li>
<\/ul>
回调函数原型：<\/p>
VOID TestRoutine<\/span>(
<\/span><\/span>    _In_ HANDLE ParentId,
<\/span><\/span>    _In_ HANDLE ProcessId,
<\/span><\/span>    _In_ BOOLEAN Create
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>示例代码：<\/p>
VOID TestRoutine<\/span>(
<\/span><\/span>    _In_ HANDLE ParentId,
<\/span><\/span>    _In_ HANDLE ProcessId,
<\/span><\/span>    _In_ BOOLEAN Create
<\/span><\/span>) {
<\/span><\/span>    if<\/span> (Create) {
<\/span><\/span>        DbgPrint("PID: %d, ID: %d, Create"<\/span>, ParentId, ProcessId);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        DbgPrint("PID: %d, ID: %d, Remove"<\/span>, ParentId, ProcessId);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>NTSTATUS UnloadDriver<\/span>(PDRIVER_OBJECT DriverObject) {
<\/span><\/span>    PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)TestRoutine, TRUE);
<\/span><\/span>    DbgPrint("Unload!"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>NTSTATUS DriverEntry<\/span>(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
<\/span><\/span>    PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)TestRoutine, FALSE);
<\/span><\/span>    DriverObject-><\/span>DriverUnload =<\/span> UnloadDriver;
<\/span><\/span>    return<\/span> STATUS_SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>PsSetCreateProcessNotifyRoutineEx<\/h3>
增强版进程回调函数，提供更多信息：<\/p>
VOID TestRoutine<\/span>(
<\/span><\/span>    _Inout_ PEPROCESS Process,
<\/span><\/span>    _In_ HANDLE ProcessId,
<\/span><\/span>    _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
<\/span><\/span>) {
<\/span><\/span>    if<\/span> (CreateInfo) {
<\/span><\/span>        DbgPrint("ID: %d, Create"<\/span>, ProcessId);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        DbgPrint("ID: %d, Remove"<\/span>, ProcessId);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注意<\/strong>：要使PsSetCreateProcessNotifyRoutineEx正常工作，需要修改驱动模块的Flags：<\/p>
PLDR_DATA_TABLE_ENTRY ldr =<\/span> (PLDR_DATA_TABLE_ENTRY)((ULONG_PTR)DriverObject-><\/span>DriverSection);
<\/span><\/span>ldr-><\/span>Flags |=<\/span> 0x20<\/span>;  \/\/ LDRP_IMAGE_INTEGRITY_FORCED
<\/span><\/span><\/span><\/code><\/pre>线程回调<\/h2>
PsSetCreateThreadNotifyRoutine<\/h3>
NTSTATUS PsSetCreateThreadNotifyRoutine<\/span>(
<\/span><\/span>    _In_ PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
<\/span><\/span>);
<\/span><\/span>
<\/span><\/span>NTSTATUS PsRemoveCreateThreadNotifyRoutine<\/span>(
<\/span><\/span>    _In_ PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>模块回调<\/h2>
PsSetLoadImageNotifyRoutine<\/h3>
NTSTATUS PsSetLoadImageNotifyRoutine<\/span>(
<\/span><\/span>    _In_ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
<\/span><\/span>);
<\/span><\/span>
<\/span><\/span>NTSTATUS PsRemoveLoadImageNotifyRoutine<\/span>(
<\/span><\/span>    _In_ PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>回调函数原型：<\/p>
VOID TestRoutine<\/span>(
<\/span><\/span>    _In_opt_ PUNICODE_STRING FullImageName,
<\/span><\/span>    _In_ HANDLE ProcessId,  \/\/ pid into which image is being mapped
<\/span><\/span><\/span><\/span>    _In_ PIMAGE_INFO ImageInfo
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>阻止驱动加载示例<\/h3>
通过修改模块入口点代码实现阻止驱动加载：<\/p>
VOID TestRoutine<\/span>(
<\/span><\/span>    _In_opt_ PUNICODE_STRING FullImageName,
<\/span><\/span>    _In_ HANDLE ProcessId,
<\/span><\/span>    _In_ PIMAGE_INFO ImageInfo
<\/span><\/span>) {
<\/span><\/span>    if<\/span> (ImageInfo-><\/span>SystemModeImage) {
<\/span><\/span>        PIMAGE_NT_HEADERS pNtHeader =<\/span> NULL;
<\/span><\/span>        PIMAGE_DOS_HEADER pDosHeader =<\/span> NULL;
<\/span><\/span>        PULONG Entry =<\/span> NULL;
<\/span><\/span>        KIRQL kirql =<\/span> DisableCR0WriteProtection();
<\/span><\/span>        
<\/span><\/span>        pDosHeader =<\/span> (PIMAGE_DOS_HEADER)(ULONG_PTR)ImageInfo-><\/span>ImageBase;
<\/span><\/span>        pNtHeader =<\/span> (PIMAGE_NT_HEADERS)((ULONG_PTR)ImageInfo-><\/span>ImageBase +<\/span> pDosHeader-><\/span>e_lfanew);
<\/span><\/span>        Entry =<\/span> (ULONG_PTR)ImageInfo-><\/span>ImageBase +<\/span> pNtHeader-><\/span>OptionalHeader.AddressOfEntryPoint;
<\/span><\/span>        
<\/span><\/span>        DbgPrint("%x<\/span>\n<\/span>"<\/span>, Entry);
<\/span><\/span>        memcpy(Entry, DieEntry, 32<\/span>);
<\/span><\/span>        
<\/span><\/span>        EnableCR0WriteProtection(kirql);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 关闭写保护函数
<\/span><\/span><\/span><\/span>KIRQL DisableCR0WriteProtection<\/span>() {
<\/span><\/span>    KIRQL irql =<\/span> KeRaiseIrqlToDpcLevel();
<\/span><\/span>    UINT64 cr0 =<\/span> __readcr0();
<\/span><\/span>    cr0 &=<\/span> 0xfffffffffffeffff<\/span>;
<\/span><\/span>    __writecr0(cr0);
<\/span><\/span>    _disable();
<\/span><\/span>    return<\/span> irql;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 恢复写保护函数
<\/span><\/span><\/span><\/span>void<\/span> EnableCR0WriteProtection<\/span>(KIRQL irql) {
<\/span><\/span>    UINT64 cr0 =<\/span> __readcr0();
<\/span><\/span>    cr0 |=<\/span> 0x10000<\/span>;
<\/span><\/span>    _enable();
<\/span><\/span>    __writecr0(cr0);
<\/span><\/span>    KeLowerIrql(irql);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 用于替换的入口点函数
<\/span><\/span><\/span><\/span>NTSTATUS DieEntry<\/span>(IN PDRIVER_OBJECT MyDriver, IN PUNICODE_STRING RegistryPath) {
<\/span><\/span>    return<\/span> STATUS_UNSUCCESSFUL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>对象回调<\/h2>
对象类型结构<\/h3>
struct<\/span> _OBJECT_TYPE {
<\/span><\/span>    struct<\/span> _LIST_ENTRY TypeList;               \/\/0x0
<\/span><\/span><\/span><\/span>    struct<\/span> _UNICODE_STRING Name;               \/\/0x8
<\/span><\/span><\/span><\/span>    VOID*<\/span> DefaultObject;                       \/\/0x10
<\/span><\/span><\/span><\/span>    UCHAR Index;                               \/\/0x14
<\/span><\/span><\/span><\/span>    ULONG TotalNumberOfObjects;                \/\/0x18
<\/span><\/span><\/span><\/span>    ULONG TotalNumberOfHandles;                \/\/0x1c
<\/span><\/span><\/span><\/span>    ULONG HighWaterNumberOfObjects;            \/\/0x20
<\/span><\/span><\/span><\/span>    ULONG HighWaterNumberOfHandles;            \/\/0x24
<\/span><\/span><\/span><\/span>    struct<\/span> _OBJECT_TYPE_INITIALIZER TypeInfo;  \/\/0x28
<\/span><\/span><\/span><\/span>    struct<\/span> _EX_PUSH_LOCK TypeLock;             \/\/0x78
<\/span><\/span><\/span><\/span>    ULONG Key;                                 \/\/0x7c
<\/span><\/span><\/span><\/span>    struct<\/span> _LIST_ENTRY CallbackList;           \/\/0x80
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>关键成员：<\/p>

TypeInfo<\/code>: 对象类型初始化信息<\/li>
CallbackList<\/code>: 回调函数列表<\/li>
<\/ul>
对象类型初始化器<\/h3>
struct<\/span> _OBJECT_TYPE_INITIALIZER {
<\/span><\/span>    USHORT Length;                             \/\/0x0
<\/span><\/span><\/span><\/span>    union<\/span> {
<\/span><\/span>        UCHAR ObjectTypeFlags;                 \/\/0x2
<\/span><\/span><\/span><\/span>        struct<\/span> {
<\/span><\/span>            UCHAR CaseInsensitive : 1<\/span>;        \/\/0x2
<\/span><\/span><\/span><\/span>            UCHAR UnnamedObjectsOnly : 1<\/span>;     \/\/0x2
<\/span><\/span><\/span><\/span>            UCHAR UseDefaultObject : 1<\/span>;       \/\/0x2
<\/span><\/span><\/span><\/span>            UCHAR SecurityRequired : 1<\/span>;       \/\/0x2
<\/span><\/span><\/span><\/span>            UCHAR MaintainHandleCount : 1<\/span>;    \/\/0x2
<\/span><\/span><\/span><\/span>            UCHAR MaintainTypeList : 1<\/span>;       \/\/0x2
<\/span><\/span><\/span><\/span>            UCHAR SupportsObjectCallbacks : 1<\/span>; \/\/0x2
<\/span><\/span><\/span><\/span>        };
<\/span><\/span>    };
<\/span><\/span>    \/\/ ... 其他成员
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>SupportsObjectCallbacks<\/code>位决定了CallbackList<\/code>是否启用。如果为0，则不启用回调列表。<\/p>
ObRegisterCallbacks<\/h3>
NTSTATUS ObRegisterCallbacks<\/span>(
<\/span><\/span>    _In_ POB_CALLBACK_REGISTRATION CallbackRegistration,
<\/span><\/span>    _Outptr_ PVOID*<\/span> RegistrationHandle
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>相关结构体：<\/p>
typedef<\/span> struct<\/span> _OB_OPERATION_REGISTRATION {
<\/span><\/span>    _In_ POBJECT_TYPE*<\/span> ObjectType;
<\/span><\/span>    _In_ OB_OPERATION Operations;
<\/span><\/span>    _In_ POB_PRE_OPERATION_CALLBACK PreOperation;
<\/span><\/span>    _In_ POB_POST_OPERATION_CALLBACK PostOperation;
<\/span><\/span>} OB_OPERATION_REGISTRATION, *<\/span>POB_OPERATION_REGISTRATION;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _OB_CALLBACK_REGISTRATION {
<\/span><\/span>    _In_ USHORT Version;
<\/span><\/span>    _In_ USHORT OperationRegistrationCount;
<\/span><\/span>    _In_ UNICODE_STRING Altitude;
<\/span><\/span>    _In_ PVOID RegistrationContext;
<\/span><\/span>    _In_ OB_OPERATION_REGISTRATION*<\/span> OperationRegistration;
<\/span><\/span>} OB_CALLBACK_REGISTRATION, *<\/span>POB_CALLBACK_REGISTRATION;
<\/span><\/span><\/code><\/pre>对象回调示例<\/h3>
PVOID RegistrationHandle =<\/span> NULL;
<\/span><\/span>
<\/span><\/span>NTSTATUS UnloadDriver<\/span>(PDRIVER_OBJECT DriverObject) {
<\/span><\/span>    if<\/span> (RegistrationHandle) {
<\/span><\/span>        ObUnRegisterCallbacks(RegistrationHandle);
<\/span><\/span>    }
<\/span><\/span>    DbgPrint("Unload!"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>OB_PREOP_CALLBACK_STATUS TestRoutine<\/span>(
<\/span><\/span>    _In_ PVOID RegistrationContext,
<\/span><\/span>    _Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation
<\/span><\/span>) {
<\/span><\/span>    DbgPrint("111<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    return<\/span> OB_PREOP_SUCCESS;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>NTSTATUS DriverEntry<\/span>(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
<\/span><\/span>    \/\/ 修改Flags使回调生效
<\/span><\/span><\/span><\/span>    PLDR_DATA_TABLE_ENTRY ldr =<\/span> (PLDR_DATA_TABLE_ENTRY)DriverObject-><\/span>DriverSection;
<\/span><\/span>    ldr-><\/span>Flags |=<\/span> 0x20<\/span>;
<\/span><\/span>    
<\/span><\/span>    OB_OPERATION_REGISTRATION obOpreationRegistration =<\/span> {0<\/span>};
<\/span><\/span>    OB_CALLBACK_REGISTRATION obCbRegistration =<\/span> {0<\/span>};
<\/span><\/span>    
<\/span><\/span>    obOpreationRegistration.ObjectType =<\/span> *<\/span>PsProcessType;
<\/span><\/span>    obOpreationRegistration.Operations =<\/span> OB_OPERATION_HANDLE_CREATE;
<\/span><\/span>    obOpreationRegistration.PreOperation =<\/span> TestRoutine;
<\/span><\/span>    
<\/span><\/span>    obCbRegistration.Version =<\/span> ObGetFilterVersion();
<\/span><\/span>    UNICODE_STRING altitude =<\/span> {0<\/span>};
<\/span><\/span>    RtlInitUnicodeString(&<\/span>altitude, "114514"<\/span>);
<\/span><\/span>    obCbRegistration.Altitude =<\/span> altitude;
<\/span><\/span>    obCbRegistration.OperationRegistrationCount =<\/span> 1<\/span>;
<\/span><\/span>    obCbRegistration.RegistrationContext =<\/span> NULL;
<\/span><\/span>    obCbRegistration.OperationRegistration =<\/span> &<\/span>obOpreationRegistration;
<\/span><\/span>    
<\/span><\/span>    ObRegisterCallbacks(&<\/span>obCbRegistration, &<\/span>RegistrationHandle);
<\/span><\/span>    DriverObject-><\/span>DriverUnload =<\/span> UnloadDriver;
<\/span><\/span>    return<\/span> STATUS_SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>保护特定进程示例<\/h3>
OB_PREOP_CALLBACK_STATUS TestRoutine<\/span>(
<\/span><\/span>    _In_ PVOID RegistrationContext,
<\/span><\/span>    _Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation
<\/span><\/span>) {
<\/span><\/span>    if<\/span> (OperationInformation-><\/span>Object) {
<\/span><\/span>        pEPROCESS pEprocess =<\/span> (pEPROCESS)(OperationInformation-><\/span>Object);
<\/span><\/span>        if<\/span> (_stricmp("calc.exe"<\/span>, pEprocess-><\/span>ImageFileName) ==<\/span> 0<\/span>) {
<\/span><\/span>            DbgPrint("Done!<\/span>\n<\/span>"<\/span>);
<\/span><\/span>            \/\/ 移除所有访问权限
<\/span><\/span><\/span><\/span>            OperationInformation-><\/span>Parameters-><\/span>CreateHandleInformation.DesiredAccess =<\/span> 0<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> OB_PREOP_SUCCESS;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>回调操作信息结构<\/h2>
typedef<\/span> struct<\/span> _OB_PRE_OPERATION_INFORMATION {
<\/span><\/span>    _In_ OB_OPERATION Operation;
<\/span><\/span>    union<\/span> {
<\/span><\/span>        _In_ ULONG Flags;
<\/span><\/span>        struct<\/span> {
<\/span><\/span>            _In_ ULONG KernelHandle : 1<\/span>;
<\/span><\/span>            _In_ ULONG Reserved : 31<\/span>;
<\/span><\/span>        };
<\/span><\/span>    };
<\/span><\/span>    _In_ PVOID Object;
<\/span><\/span>    _In_ POBJECT_TYPE ObjectType;
<\/span><\/span>    _Out_ PVOID CallContext;
<\/span><\/span>    _In_ POB_PRE_OPERATION_PARAMETERS Parameters;
<\/span><\/span>} OB_PRE_OPERATION_INFORMATION, *<\/span>POB_PRE_OPERATION_INFORMATION;
<\/span><\/span><\/code><\/pre>成员说明：<\/p>

Operation<\/code>: 触发回调的操作类型（创建或dump）<\/li>
KernelHandle<\/code>: 是否是内核调用的<\/li>
Object<\/code>: 被操作的对象<\/li>
ObjectType<\/code>: 对象类型<\/li>
CallContext<\/code>: 回调参数<\/li>
Parameters<\/code>: 描述当前操作的具体参数，可用于设置权限等<\/li>
<\/ul>
总结<\/h2>
Windows内核回调机制提供了强大的系统监控和干预能力，可以用于：<\/p>

监控进程、线程创建和销毁<\/li>
监控模块加载<\/li>
拦截和处理对象操作<\/li>
实现系统保护和安全监控<\/li>
<\/ol>
使用时需要注意：<\/p>

某些回调需要修改驱动模块Flags才能正常工作<\/li>
内核内存操作需要处理CR0写保护<\/li>
回调函数应尽可能高效，避免影响系统性能<\/li>
卸载驱动时要正确移除所有注册的回调<\/li>
<\/ul>