资源描述:
《[计算机软件及应用]麦洛克菲内核驱动开发第七课》由会员上传分享,免费在线阅读,更多相关内容在教育资源-天天文库。
1、麦洛克菲内核开发第七课注册表callback和重定向麦洛克菲www.mallocfree.com程君麦洛克菲www.mallocfree.comCallback提纲Callback相关函数Callback原理Callback实现功能注册表重定向提纲注册表的构成注册表调用Callback相关函数NTSTATUSCmRegisterCallback(�INPEX_CALLBACK_FUNCTIONFunction,�INPVOIDContext,�OUTPLARGE_INTEGERCookie//时间);NTSTATUSCmRegisterCallb
2、ackEx(�INPEX_CALLBACK_FUNCTIONFunction,�INPCUNICODE_STRINGAltitude,INPVOIDDriver,�INPVOIDContext,�OUTPLARGE_INTEGERCookie,�PVOIDReserved);Vista以后使用,支持高度NTSTATUSCmUnRegisterCallback(�INLARGE_INTEGERCookie);Callback相关函数CmSetCallbackObjectContext(�INOUTPVOIDObject,�INPLARGE_INTE
3、GERCookie,�INPVOIDNewContext,�OUTOPTIONALPVOID*OldContext);主要用来在一个对象上设置相关的数据结构NTSTATUSCmCallbackGetKeyObjectID(�INPLARGE_INTEGERCookie,�INPVOIDObject,�OUTOPTIONALPULONG_PTRObjectID,�OUTOPTIONALPCUNICODE_STRING*ObjectName);主要用来在vista以后得到key的名字PVOIDCmGetBoundTransaction(�inPLAR
4、GE_INTEGERCookie,�inPVOIDObject);VOIDCmGetCallbackVersion(�OUTOPTIONALPULONGMajor,�OUTOPTIONALPULONGMinor);Callback相关函数EX_CALLBACK_FUNCTIONRegistryCallback;NTSTATUSRegistryCallback(�__inPVOIDCallbackContext,�__in_optPVOIDArgument1,//REG_NOTIFY_CLASS�__in_optPVOIDArgument2//KE
5、Y_INFORMATION�)�{switch((REG_NOTIFY_CLASS)Argument1){caseRegNtPreDeleteKey:returnHOOK_PreNtDeleteKey((PREG_DELETE_KEY_INFORMATION)Argument2);caseRegNtPreSetValueKey:returnHOOK_PreNtSetValueKey((PREG_SET_VALUE_KEY_INFORMATION)Argument2);caseRegNtPreDeleteValueKey:returnHOOK_Pr
6、eNtDeleteValueKey((PREG_DELETE_VALUE_KEY_INFORMATION)Argument2);caseRegNtPreRenameKey:returnHOOK_PreNtRenameKey((PREG_RENAME_KEY_INFORMATION)Argument2);caseRegNtPreCreateKeyEx:returnHOOK_PreNtCreateKeyEx((PREG_CREATE_KEY_INFORMATION)Argument2);caseRegNtPreCreateKeyEx://pre操作r
7、eturnHOOK_PreNtCreateKeyEx((PREG_CREATE_KEY_INFORMATION)Argument2);caseRegNtPostCreateKeyEx://post操作returnHOOK_PostNtCreateKeyEx((PRGG_POST_OPERATION_INFORMATION)Argument2);}Callback相关函数Pre操作REG_XXX_KEY_INFORMATION根据调用的各个不同REG_NOTIFY_CLASS来决定POST操作typedefstruct_REG_POST_OPERA
8、TION_INFORMATION{�PVOIDObject;//pre操作后产生的对象NTSTATUSStatus;//pre完成后将要
![[计算机软件及应用]麦洛克菲内核驱动开发第七课_第1页](https://f25.wenku365.com/file-convert/2021/06/27/19/12/cbae80ed41bb4a666c12f29c23bbddc5/img/1.jpg)
![[计算机软件及应用]麦洛克菲内核驱动开发第七课_第2页](https://f25.wenku365.com/file-convert/2021/06/27/19/12/cbae80ed41bb4a666c12f29c23bbddc5/img/2.jpg)
![[计算机软件及应用]麦洛克菲内核驱动开发第七课_第3页](https://f25.wenku365.com/file-convert/2021/06/27/19/12/cbae80ed41bb4a666c12f29c23bbddc5/img/3.jpg)
![[计算机软件及应用]麦洛克菲内核驱动开发第七课_第4页](https://f25.wenku365.com/file-convert/2021/06/27/19/12/cbae80ed41bb4a666c12f29c23bbddc5/img/4.jpg)
![[计算机软件及应用]麦洛克菲内核驱动开发第七课_第5页](https://f25.wenku365.com/file-convert/2021/06/27/19/12/cbae80ed41bb4a666c12f29c23bbddc5/img/5.jpg)
