SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED

OB_CLOSE_METHOD

The OB_CLOSE_METHOD type is a pointer to a routine that can be defined for all objects of the same type. It is specified as the CloseProcedure member of the OBJECT_TYPE_INITIALIZER structure when creating the object type. It is then retained in this structure as nested into the OBJECT_TYPE structure.

Declaration

The modern declaration dates from version 6.1: 

typedef 
VOID 
(*OB_CLOSE_METHOD) (
    EPROCESS *Process, 
    PVOID Object, 
    ULONG_PTR ProcessHandleCount, 
    ULONG_PTR SystemHandleCount);

Originally, the function has one more argument: 

typedef 
VOID 
(*OB_CLOSE_METHOD) (
    EPROCESS *Process, 
    PVOID Object, 
    ACCESS_MASK, 
    ULONG_PTR ProcessHandleCount, 
    ULONG_PTR SystemHandleCount);

This page was created on 22nd June 2020 but was not published until 31st August 2022.

Copyright © 2022. Geoff Chappell. All rights reserved. Conditions apply.