-
Notifications
You must be signed in to change notification settings - Fork 45
Expand file tree
/
Copy pathregStruct.h
More file actions
115 lines (91 loc) · 2.59 KB
/
regStruct.h
File metadata and controls
115 lines (91 loc) · 2.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
#ifndef _REG_STRUCT_H
#define _REG_STRUCT_H
#define MAX_ALTITUDE_BUFFER_LENGTH 10
typedef struct _RMCALLBACK_CONTEXT {
//
// A bit mask of all transaction notifications types that the RM Callback is
// notified of.
//
ULONG Notification;
//
// The handle to an enlistment
//
HANDLE Enlistment;
} RMCALLBACK_CONTEXT, *PRMCALLBACK_CONTEXT;
//
// List of callback modes
//
typedef enum _CALLBACK_MODE {
CALLBACK_MODE_PRE_NOTIFICATION_BLOCK,
CALLBACK_MODE_PRE_NOTIFICATION_BYPASS,
CALLBACK_MODE_POST_NOTIFICATION_OVERRIDE_ERROR,
CALLBACK_MODE_POST_NOTIFICATION_OVERRIDE_SUCCESS,
CALLBACK_MODE_TRANSACTION_REPLAY,
CALLBACK_MODE_TRANSACTION_ENLIST,
CALLBACK_MODE_MULTIPLE_ALTITUDE_BLOCK_DURING_PRE,
CALLBACK_MODE_MULTIPLE_ALTITUDE_INTERNAL_INVOCATION,
CALLBACK_MODE_MULTIPLE_ALTITUDE_MONITOR,
CALLBACK_MODE_SET_CALL_CONTEXT,
CALLBACK_MODE_SET_OBJECT_CONTEXT,
CALLBACK_MODE_CAPTURE,
CALLBACK_MODE_VERSION_BUGCHECK,
CALLBACK_MODE_VERSION_CREATE_OPEN_V1,
} CALLBACK_MODE;
typedef struct _CALLBACK_CONTEXT {
//
// List of callback contexts currently active
//
LIST_ENTRY CallbackCtxList;
//
// Specifies which callback helper method to use
//
CALLBACK_MODE CallbackMode;
//
// Records the current ProcessId to filter out registry operation from
// other processes.
//
HANDLE ProcessId;
//
// Records the altitude that the callback was registered at
//
UNICODE_STRING Altitude;
WCHAR AltitudeBuffer[MAX_ALTITUDE_BUFFER_LENGTH];
//
// Records the cookie returned by the registry when the callback was
// registered
//
LARGE_INTEGER Cookie;
//
// A pointer to the context for the transaction callback.
// Used to enlist on a transaction. Only used in the transaction samples.
//
PRMCALLBACK_CONTEXT RMCallbackCtx;
//
// These fields record information for verifying the behavior of the
// certain samples. They are not used in all samples
//
//
// Number of times the RegNtCallbackObjectContextCleanup
// notification was received
//
LONG ContextCleanupCount;
//
// Number of times the callback saw a notification with the call or
// object context set correctly.
//
LONG NotificationWithContextCount;
//
// Number of times callback saw a notirication without call or without
// object context set correctly
//
LONG NotificationWithNoContextCount;
//
// Number of pre-notifications received
//
LONG PreNotificationCount;
//
// Number of post-notifications received
//
LONG PostNotificationCount;
} CALLBACK_CONTEXT, *PCALLBACK_CONTEXT;
#endif