// The ObRegisterCallbacks routine registers a list of callback routines for thread, process, and desktop handle operations.
// This function is a common, publicly documented method used by anti-cheat / anti-virus software.
// Official documentation:
// https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks
// Function syntax:
// NTSTATUS ObRegisterCallbacks(
//     POB_CALLBACK_REGISTRATION CallbackRegistration,
//     PVOID *RegistrationHandle
// );
// _OB_CALLBACK_REGISTRATION struct:
// typedef struct _OB_CALLBACK_REGISTRATION {
//     USHORT Version;                          // Callback version; in the kernel, use OB_FLT_REGISTRATION_VERSION.
//     USHORT OperationRegistrationCount;
//     UNICODE_STRING Altitude;                 // Load order; any value, but it cannot be NULL.
//     PVOID RegistrationContext;               // Passed to the callback when it is called; its meaning is defined by the caller.
//     OB_OPERATION_REGISTRATION *OperationRegistration;
// } OB_CALLBACK_REGISTRATION, *POB_CALLBACK_REGISTRATION;
// OB_OPERATION_REGISTRATION struct:
// typedef struct _OB_OPERATION_REGISTRATION {
//     POBJECT_TYPE *ObjectType;                // Callback type; use one of PsProcessType / PsThreadType / ExDesktopObjectType.
//                                              // ExDesktopObjectType is supported on Windows 10 and later, not earlier.
//     OB_OPERATION Operations;                 // Use one or more flags:
//                                              // OB_OPERATION_HANDLE_CREATE: a new process / thread / desktop handle has been opened or will be opened.
//                                              // OB_OPERATION_HANDLE_DUPLICATE: a process / thread / desktop handle has been duplicated or will be duplicated.
//     POB_PRE_OPERATION_CALLBACK PreOperation;   // Points to ObjectPreCallback; it will be called before the requested operation occurs.
//     POB_POST_OPERATION_CALLBACK PostOperation; // Points to ObjectPostCallback; it will be called after the requested operation occurs.
// } OB_OPERATION_REGISTRATION, *POB_OPERATION_REGISTRATION;
// PEPROCESS IoThreadToProcess ( _In_ PETHREAD Thread );  // Returns the process that owns the thread.
// HANDLE PsGetProcessId ( _In_ PEPROCESS Process );      // Returns the process's id.