[原创] 驱动开发:内核枚举进程与线程ObCall回调
2022-10-22 13:47:54 Author: bbs.pediy.com(查看原文) 阅读量:7 收藏

// 署名权

// right to sign one's name on a piece of work

// PowerBy: LyShark

/*
 * Hand-declared mirror of the kernel's OBJECT_TYPE_INITIALIZER, embedded in
 * OBJECT_TYPE below. It does not come from a public WDK header; the trailing
 * comments record the field sizes/types the author transcribed. The layout is
 * build-specific — NOTE(review): confirm every offset against the target OS
 * build before relying on it. In this file only its total size matters: it
 * positions the TypeLock/Key/CallbackList members that follow it in OBJECT_TYPE.
 */
typedef struct _OBJECT_TYPE_INITIALIZER
{
    USHORT Length;                // Uint2B
    UCHAR ObjectTypeFlags;            // UChar
    ULONG ObjectTypeCode;             // Uint4B
    ULONG InvalidAttributes;          // Uint4B
    GENERIC_MAPPING GenericMapping;   // _GENERIC_MAPPING
    ULONG ValidAccessMask;       // Uint4B
    ULONG RetainAccess;         // Uint4B
    POOL_TYPE PoolType;        // _POOL_TYPE
    ULONG DefaultPagedPoolCharge;  // Uint4B
    ULONG DefaultNonPagedPoolCharge; // Uint4B
    PVOID DumpProcedure;       // Ptr64     void
    PVOID OpenProcedure;      // Ptr64     long
    PVOID CloseProcedure;     // Ptr64     void
    PVOID DeleteProcedure;        // Ptr64     void
    PVOID ParseProcedure;     // Ptr64     long
    PVOID SecurityProcedure;      // Ptr64     long
    PVOID QueryNameProcedure;     // Ptr64     long
    PVOID OkayToCloseProcedure;     // Ptr64     unsigned char
    ULONG WaitObjectFlagMask;     // Uint4B
    USHORT WaitObjectFlagOffset;    // Uint2B
    USHORT WaitObjectPointerOffset;   // Uint2B
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

/*
 * Hand-declared mirror of the kernel's OBJECT_TYPE. DriverEntry casts
 * *PsProcessType to this type solely to reach CallbackList, the circular
 * LIST_ENTRY head of the callbacks attached to the process object type
 * (presumably the ObRegisterCallbacks registrations the page title refers to —
 * verify). As with OBJECT_TYPE_INITIALIZER the offsets are build-specific and
 * must be confirmed against the target build: a mismatch makes CallbackList
 * alias unrelated memory and the walk in DriverEntry reads garbage.
 */
typedef struct _OBJECT_TYPE
{
    LIST_ENTRY TypeList;           // _LIST_ENTRY
    UNICODE_STRING Name;         // _UNICODE_STRING
    PVOID DefaultObject;         // Ptr64 Void
    UCHAR Index;             // UChar
    ULONG TotalNumberOfObjects;      // Uint4B
    ULONG TotalNumberOfHandles;      // Uint4B
    ULONG HighWaterNumberOfObjects;    // Uint4B
    ULONG HighWaterNumberOfHandles;    // Uint4B
    OBJECT_TYPE_INITIALIZER TypeInfo;  // _OBJECT_TYPE_INITIALIZER
    EX_PUSH_LOCK TypeLock;         // _EX_PUSH_LOCK — not acquired anywhere in this file
    ULONG Key;                 // Uint4B
    LIST_ENTRY CallbackList;       // _LIST_ENTRY — circular list head walked by DriverEntry
}OBJECT_TYPE, *POBJECT_TYPE;

/*
 * One node of OBJECT_TYPE.CallbackList as this file understands it. ListEntry
 * is deliberately the first member: DriverEntry casts a LIST_ENTRY pointer
 * straight to POB_CALLBACK rather than using CONTAINING_RECORD, which is only
 * correct while ListEntry stays at offset 0. The "Unknown" member is a field
 * the author did not identify; the whole layout is undocumented and
 * build-specific — NOTE(review): confirm against the target build before use.
 */
typedef struct _OB_CALLBACK
{
    LIST_ENTRY ListEntry;   // must remain the first member (see above)
    ULONGLONG Unknown;      // unidentified by the author
    HANDLE ObHandle;        // presumably the registration handle returned by ObRegisterCallbacks — verify
    PVOID ObTypeAddr;       // presumably the OBJECT_TYPE this node belongs to — verify
    PVOID PreCall;          // pre-operation callback address, printed by DriverEntry
    PVOID PostCall;         // post-operation callback address, printed by DriverEntry
}OB_CALLBACK, *POB_CALLBACK;

/*
 * Unload routine. The driver allocates nothing and registers no callbacks of
 * its own, so there is nothing to release here; the parameter is referenced
 * only to keep unused-parameter warnings quiet.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;
}

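/*
 * Driver entry point. Walks the callback list hanging off the process object
 * type (*PsProcessType) and prints every node that carries a non-NULL
 * ObHandle, then returns. Diagnostic only: nothing on the list is modified.
 *
 * pDriverObject: this driver's object; DriverUnload is installed on it so the
 *                driver can be unloaded again.
 * pRegPath:      unused.
 * Returns STATUS_SUCCESS.
 *
 * Fixes relative to the original listing:
 *  - The list head was copied by value and the walk stopped only when it got
 *    back to the *first node*, so the head LIST_ENTRY embedded in OBJECT_TYPE
 *    was itself treated as an OB_CALLBACK for one iteration (reading past the
 *    end of OBJECT_TYPE); on an empty list that was the only iteration. The
 *    walk now compares against the head's address and never dereferences the
 *    head as a node.
 *  - pDriverObject->DriverUnload was never set, which left the driver
 *    unloadable.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    POBJECT_TYPE pProcessType = NULL;
    PLIST_ENTRY pListHead = NULL;
    PLIST_ENTRY pEntry = NULL;

    (void)pRegPath;

    DbgPrint("hello lyshark.com \n");

    pDriverObject->DriverUnload = DriverUnload;

    // Take the address of the real list head rather than a copy: the list is
    // circular and terminates when a node's Flink points back at this entry.
    pProcessType = (POBJECT_TYPE)(*PsProcessType);
    pListHead = &pProcessType->CallbackList;

    // No lock is taken (OBJECT_TYPE.TypeLock is not acquired), so a concurrent
    // registration or unregistration can change the list under the walk. The
    // MmIsAddressValid check only confirms that the page holding the node's
    // first byte is mapped — not that the node is still a live OB_CALLBACK or
    // that the whole struct lies in mapped memory.
    for (pEntry = pListHead->Flink; pEntry != pListHead; pEntry = pEntry->Flink)
    {
        POB_CALLBACK pObCallback = NULL;

        if (FALSE == MmIsAddressValid(pEntry))
        {
            break;
        }

        // Valid only because ListEntry is the first member of OB_CALLBACK.
        pObCallback = (POB_CALLBACK)pEntry;

        if (NULL != pObCallback->ObHandle)
        {
            DbgPrint("[LyShark.com] ObHandle = %p | PreCall = %p | PostCall = %p \n", pObCallback->ObHandle, pObCallback->PreCall, pObCallback->PostCall);
        }
    }

    return status;
}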


文章来源: https://bbs.pediy.com/thread-274822.htm