The same status is returned when I use every Altitude ID.
The code:
					
										
																										
            The code:
Code: Select all
bool InstallHooksViaCallbacks()
{
    PAGED_CODE();
    OB_CALLBACK_REGISTRATION ocr = {0};
    RtlInitUnicodeString(&ocr.Altitude, L"323410");
    ocr.Version = OB_FLT_REGISTRATION_VERSION;
    ocr.RegistrationContext = NULL;
    OB_OPERATION_REGISTRATION operations[4] = {0};
    operations[0].ObjectType = PsProcessType;
    operations[0].Operations = OB_OPERATION_HANDLE_CREATE;
    operations[0].PreOperation = ProcessPreCallback;
    operations[1].ObjectType = PsProcessType;
    operations[1].Operations = OB_OPERATION_HANDLE_DUPLICATE;
    operations[1].PreOperation = ProcessPreCallback;
    operations[2].ObjectType = PsThreadType;
    operations[2].Operations = OB_OPERATION_HANDLE_CREATE;
    operations[2].PreOperation = ProcessPreCallback;
    operations[3].ObjectType = PsThreadType;
    operations[3].Operations = OB_OPERATION_HANDLE_DUPLICATE;
    operations[3].PreOperation = ProcessPreCallback;
    ocr.OperationRegistration = operations;
    ocr.OperationRegistrationCount = ARRAYSIZE(operations);
    PVOID cookie = NULL;
    NTSTATUS st = ObRegisterCallbacks(&ocr, &cookie);
    return true;
}