Addendum

Object Notifications

The Windows kernel provides mechanisms to notify drivers when handles to certain object types (e.g., process, thread, desktop) are opened or duplicated.

There are two kinds of operations:

• Pre-operation: Invoked before the handle is created or duplicated; allows the driver to modify or block the operation.
• Post-operation: Called after the handle has been successfully created or duplicated.

Key Windows Kernel Structures

_CALLBACK_ENTRY_ITEM

This undocumented structure holds information about registered object callbacks, used by the kernel to notify appropriate drivers.

It is linked to a specific object type via the CallbackList member of the _OBJECT_TYPE structure.

typedef struct _CALLBACK_ENTRY_ITEM {
    LIST_ENTRY EntryItemList;
    OB_OPERATION Operations;
    DWORD Active;
    CALLBACK_ENTRY * CallbackEntry;
    PVOID ObjectType;
    POB_PRE_OPERATION_CALLBACK PreOperation;       //offset 0x28
    POB_POST_OPERATION_CALLBACK PostOperation;     //offset 0x30
    QWORD unk;
} CALLBACK_ENTRY_ITEM, * PCALLBACK_ENTRY_ITEM;