Update the OB_CALLBACK_CONTEXT_BLOCK define.

Anti-Rootkit/AntiRootkit.h

@@ -223,7 +223,7 @@ struct ObCallbackInfo{
 	PVOID PostOperation;
 	ObjectCallbackType Type;
 	PVOID CallbackEntry;
-	bool Enabled;
+	ULONG Flags;
 	ULONG Operations;
 };
 

KernelLibrary/KernelLibrary.vcxproj

@@ -42,7 +42,7 @@
     <Configuration>Debug</Configuration>
     <Platform Condition="'$(Platform)' == ''">Win32</Platform>
     <RootNamespace>KernelLibrary</RootNamespace>
-    <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0.19041.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">

KernelLibrary/SysMon.cpp

@@ -551,22 +551,22 @@ bool EnumObCallbackNotify(ULONG callbackListOffset,ObCallbackInfo* info) {
 	nextEntry = callbackListHead->Flink;
 
 	while (nextEntry != callbackListHead) {
-		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackList);
-		if (ExAcquireRundownProtection(&callbackEntry->RundownProtect)) {
-			KdPrint(("PreOperation %p, PostOperation: %p\n", callbackEntry->PreOperation, callbackEntry->PostOperation));
+		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackListEntry);
+		if (ExAcquireRundownProtection(&callbackEntry->RundownReference)) {
+			KdPrint(("PreOperation %p, PostOperation: %p\n", callbackEntry->PreCallback, callbackEntry->PostCallback));
 			if (FlagOn(callbackEntry->Operations, OB_OPERATION_HANDLE_CREATE))
 				KdPrint(("Protect handle from creating\n"));
 			if (FlagOn(callbackEntry->Operations, OB_OPERATION_HANDLE_DUPLICATE))
 				KdPrint(("Protect handle from duplicating\n"));
 			info[i].Type = ObjectCallbackType::Thread;
 			info[i].Operations = callbackEntry->Operations;
 			info[i].CallbackEntry = callbackEntry;
-			info[i].PostOperation = callbackEntry->PostOperation;
-			info[i].PreOperation = callbackEntry->PreOperation;
-			info[i].RegistrationHandle = callbackEntry->RegistrationHandle;
-			info[i].Enabled = callbackEntry->Enabled;
+			info[i].PostOperation = callbackEntry->PostCallback;
+			info[i].PreOperation = callbackEntry->PreCallback;
+			info[i].RegistrationHandle = callbackEntry->Registration;
+			info[i].Flags = callbackEntry->Flags;
 			i++;
-			ExReleaseRundownProtection(&callbackEntry->RundownProtect);
+			ExReleaseRundownProtection(&callbackEntry->RundownReference);
 		}
 		nextEntry = nextEntry->Flink;
 	}
@@ -575,22 +575,22 @@ bool EnumObCallbackNotify(ULONG callbackListOffset,ObCallbackInfo* info) {
 	nextEntry = callbackListHead->Flink;
 
 	while (nextEntry != callbackListHead) {
-		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackList);
-		if (ExAcquireRundownProtection(&callbackEntry->RundownProtect)) {
-			KdPrint(("PreOperation %p, PostOperation: %p\n", callbackEntry->PreOperation, callbackEntry->PostOperation));
+		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackListEntry);
+		if (ExAcquireRundownProtection(&callbackEntry->RundownReference)) {
+			KdPrint(("PreOperation %p, PostOperation: %p\n", callbackEntry->PreCallback, callbackEntry->PostCallback));
 			if (FlagOn(callbackEntry->Operations, OB_OPERATION_HANDLE_CREATE))
 				KdPrint(("Protect handle from creating\n"));
 			if (FlagOn(callbackEntry->Operations, OB_OPERATION_HANDLE_DUPLICATE))
 				KdPrint(("Protect handle from duplicating\n"));
 			info[i].Type = ObjectCallbackType::Process;
 			info[i].Operations = callbackEntry->Operations;
 			info[i].CallbackEntry = callbackEntry;
-			info[i].PostOperation = callbackEntry->PostOperation;
-			info[i].PreOperation = callbackEntry->PreOperation;
-			info[i].RegistrationHandle = callbackEntry->RegistrationHandle;
-			info[i].Enabled = callbackEntry->Enabled;
+			info[i].PostOperation = callbackEntry->PostCallback;
+			info[i].PreOperation = callbackEntry->PreCallback;
+			info[i].RegistrationHandle = callbackEntry->Registration;
+			info[i].Flags = callbackEntry->Flags;
 			i++;
-			ExReleaseRundownProtection(&callbackEntry->RundownProtect);
+			ExReleaseRundownProtection(&callbackEntry->RundownReference);
 		}
 		nextEntry = nextEntry->Flink;
 	}
@@ -599,22 +599,22 @@ bool EnumObCallbackNotify(ULONG callbackListOffset,ObCallbackInfo* info) {
 	nextEntry = callbackListHead->Flink;
 
 	while (nextEntry != callbackListHead) {
-		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackList);
-		if (ExAcquireRundownProtection(&callbackEntry->RundownProtect)) {
-			LogInfo("PreOperation %p, PostOperation: %p\n", callbackEntry->PreOperation, callbackEntry->PostOperation);
+		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackListEntry);
+		if (ExAcquireRundownProtection(&callbackEntry->RundownReference)) {
+			LogInfo("PreOperation %p, PostOperation: %p\n", callbackEntry->PreCallback, callbackEntry->PostCallback);
 			if (FlagOn(callbackEntry->Operations, OB_OPERATION_HANDLE_CREATE))
 				LogInfo("Protect handle from creating\n");
 			if (FlagOn(callbackEntry->Operations, OB_OPERATION_HANDLE_DUPLICATE))
 				LogInfo("Protect handle from duplicating\n");
 			info[i].Type = ObjectCallbackType::Desktop;
 			info[i].Operations = callbackEntry->Operations;
 			info[i].CallbackEntry = callbackEntry;
-			info[i].PostOperation = callbackEntry->PostOperation;
-			info[i].PreOperation = callbackEntry->PreOperation;
-			info[i].RegistrationHandle = callbackEntry->RegistrationHandle;
-			info[i].Enabled = callbackEntry->Enabled;
+			info[i].PostOperation = callbackEntry->PostCallback;
+			info[i].PreOperation = callbackEntry->PreCallback;
+			info[i].RegistrationHandle = callbackEntry->Registration;
+			info[i].Flags = callbackEntry->Flags;
 			i++;
-			ExReleaseRundownProtection(&callbackEntry->RundownProtect);
+			ExReleaseRundownProtection(&callbackEntry->RundownReference);
 		}
 		nextEntry = nextEntry->Flink;
 	}
@@ -637,7 +637,7 @@ LONG GetObCallbackCount(ULONG callbackListOffset) {
 	nextEntry = callbackListHead->Flink;
 
 	while (nextEntry != callbackListHead) {
-		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackList);
+		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackListEntry);
 		InterlockedIncrement(&count);
 		nextEntry = nextEntry->Flink;
 	}
@@ -647,7 +647,7 @@ LONG GetObCallbackCount(ULONG callbackListOffset) {
 	nextEntry = callbackListHead->Flink;
 
 	while (nextEntry != callbackListHead) {
-		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackList);
+		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackListEntry);
 		InterlockedIncrement(&count);
 		nextEntry = nextEntry->Flink;
 	}
@@ -657,7 +657,7 @@ LONG GetObCallbackCount(ULONG callbackListOffset) {
 	nextEntry = callbackListHead->Flink;
 
 	while (nextEntry != callbackListHead) {
-		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackList);
+		callbackEntry = CONTAINING_RECORD(nextEntry, OB_CALLBACK_ENTRY, CallbackListEntry);
 		InterlockedIncrement(&count);
 		nextEntry = nextEntry->Flink;
 	}
@@ -848,10 +848,10 @@ bool RemoveObCallbackNotify(POB_CALLBACK_ENTRY pCallbackEntry){
 	if (!pCallbackEntry) {
 		return false;
 	}
-	pCallbackEntry->RegistrationHandle->Count = 0;
-	bool ret =  RemoveEntryList(&pCallbackEntry->CallbackList);
+	pCallbackEntry->Registration->RegistrationCount = 0;
+	bool ret =  RemoveEntryList(&pCallbackEntry->CallbackListEntry);
 	if (!ret) {
-		ObUnRegisterCallbacks(pCallbackEntry->RegistrationHandle);
+		ObUnRegisterCallbacks(pCallbackEntry->Registration);
 	}
 	return ret;
 }
@@ -1132,11 +1132,11 @@ bool StopLogDriverHash() {
 void DisableObCallbackNotify(POB_CALLBACK_ENTRY pCallbackEntry) {
 	if (!pCallbackEntry)
 		return;
-	pCallbackEntry->Enabled = FALSE;
+	pCallbackEntry->Flags = FALSE;
 }
 
 void EnableObCallbackNotify(POB_CALLBACK_ENTRY pCallbackEntry) {
 	if (!pCallbackEntry)
 		return;
-	pCallbackEntry->Enabled = TRUE;
+	pCallbackEntry->Flags = TRUE;
 }

KernelLibrary/SysMon.h

@@ -72,14 +72,14 @@ typedef struct _CM_CALLBACK_CONTEXT_BLOCKEX
 struct _OB_CALLBACK_BLOCK;
 
 typedef struct _OB_CALLBACK_ENTRY {
-	LIST_ENTRY CallbackList;
+	LIST_ENTRY CallbackListEntry;
 	OB_OPERATION Operations;						// 1 for Creations, 2 for Duplications
-	BOOLEAN Enabled;
-	struct _OB_CALLBACK_BLOCK* RegistrationHandle;	// Points to the OB_CALLBACK_BLOCK used for ObUnRegisterCallback
+	ULONG Flags;
+	struct _OB_CALLBACK_BLOCK* Registration;	// Points to the OB_CALLBACK_BLOCK used for ObUnRegisterCallback
 	POBJECT_TYPE ObjectType;
-	POB_PRE_OPERATION_CALLBACK PreOperation;
-	POB_POST_OPERATION_CALLBACK PostOperation;
-	EX_RUNDOWN_REF RundownProtect;
+	POB_PRE_OPERATION_CALLBACK PreCallback;
+	POB_POST_OPERATION_CALLBACK PostCallback;
+	EX_RUNDOWN_REF RundownReference;
 }OB_CALLBACK_ENTRY, * POB_CALLBACK_ENTRY;
 
 
@@ -88,10 +88,10 @@ typedef struct _OB_CALLBACK_ENTRY {
 // x64 0x20 0x40	32	64
 typedef struct _OB_CALLBACK_BLOCK {
 	USHORT Version;
-	USHORT Count;
+	USHORT RegistrationCount;
 	POB_OPERATION_REGISTRATION RegistrationContext;
 	UNICODE_STRING Altitude;
-	OB_CALLBACK_ENTRY Items[ANYSIZE_ARRAY]; // Callback array
+	OB_CALLBACK_ENTRY CallbackContext[ANYSIZE_ARRAY]; // Callback array
 }OB_CALLBACK_BLOCK, * POB_CALLBACK_BLOCK;
 
 

WinArk/ObjectCallbackTable.cpp

@@ -237,7 +237,7 @@ void CObjectCallbackTable::Refresh() {
 				ObjectCallbackInfo info;
 				info.CallbackEntry = p[i].CallbackEntry;
 				info.Operations = p[i].Operations;
-				info.Enabled = p[i].Enabled;
+				info.Enabled = p[i].Flags;
 				info.RegistrationHandle = p[i].RegistrationHandle;
 				info.PreOperation = p[i].PreOperation;
 				info.PostOperation = p[i].PostOperation;