Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Reparse the file (dll) to load is like be persistent in windows???

rsalvarez280rsalvarez280 Member Posts: 9

Hi All.
I'm trying to develop a Minifilter to not allow to load an specific dll directly.
The process description is:
1 - An application wants to use this dll so ejecutes LoadLibrary("original.dll").
2 - This LoadLibrary try generates a IRP_MJ_CREATE precreate callback in the Minifilter and it changes (reparse) this file name with another dll made by me (with the same interface than the original).
3 - Because the reparse has been done, another IRP_MJ_CREATE precreate callback is executed, now with my dll name, so the filter allow it and do nothing.
4 - The application loads my dll.
5 - The application executes the first dll function in my dll, and my dll try to load original one executing LoadLibrary but using an specific dll name (for example: abcde.dll; this name is known for my dll and in the minifilter).
6 - This LoadLibrary generates another IRP_MJ_CREATE precreate callback in the filter to load "abcde.dll". The filter changes this name to the original one.
7 - Because this reparse has been done, it generates another IRP_MJ_CREATE precreate callback, now with the original one. In the minifilter I have the code to recognize this situation an in this case it doens't made any file change name (I save the process ID and an status for each process in each load try to know if the load dlls process is as I expect).
8 - The result is the application loads my dll and my dll loads the original. I have total control of the original dll execution.

The problem is this: If I try to open another application instance (the same application that loads the same original dll) with or without closing the first one, the IRP_MJ_CREATE precreate callback received has got my dll filename in the first callback. This is complete impossible. The application doen't know anything about the name of my dll and my dll is loading when an specific dll exported funcition call and this call has not be executed yet). It only knows the original name. So, who are doing this call using my dll? It is like if I made a reparser for this original.dll one time, all future LoadLibrary("original.dll") are changed to my dll without executing anything in the Minifilter. Is it true? it works again if I restart the computer but only for the first time the application is executed. Any idea?



  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,266

    I assume that the image code looks up the name of the opened DLL and saves it away to avoid (undisclosed) issues later. When it does the open again it asks for the saved name. Easy to test - watch a trce and look for it querying the name.

  • rsalvarez280rsalvarez280 Member Posts: 9

    @rod_widdowson said:
    I assume that the image code looks up the name of the opened DLL and saves it away to avoid (undisclosed) issues later. When it does the open again it asks for the saved name. Easy to test - watch a trce and look for it querying the name.

    What???? Sorry but I don't understand you.

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,266
    1. Image execution opens c:\folder\my_evil_dll
    2. You reparse that to c:\nice_folder\my_nice.dll
    3. Things are looking good.
    4. Someone else comes along and opens the dll. Image activation goes "Hey I opened this image, what was its name"
    5. Image execution asks "What is the name of that file I opened"
    6. The filesystem says c:\nice_folder\my_nice.dll
    7. Image activation asks to openc:\nice_folder\my_nice.dll
  • Gabriel_BerceaGabriel_Bercea Member - All Emails Posts: 482

    Why don't you in step 7 instead of using the reparse technique in which you will not be able to identify between the 2 creates just do the create yourself.
    So from PRE-CREATE, you recognise your name pattern: "abcde.dll", now instead of doing the the reparse technique, you simply call FltCreateFileEx or whatever you want with the original DLL name and complete the original create with the result of your FltCreateFileEx and be done with it ?
    Could this work ?

    Of course, there is another way. If I am not mistaking the reparses come with a specific ECP which as payload has something like:
    Original File Name and Reparsed File Name.
    In theory you should be able to have user-mode ECP, but I am not sure how that works in practice as the user-mode callable APIs don't have a way of supplying these, despite the fact that these 2 routines exist in kernel: FsRtlIsEcpFromUserMode and FltIsEcpFromUserMode.
    BTW, could anyone shed some light here ? User-mode ECPs ?

    You could of course from your own dll you could try to load the library yourself without the help of LoadLibrary, this way your CreateFile could be accompanied by an EA parameter which would "inform" your filter that it is in fact your dll call that is doing the loading. This would take away the necessity of the name fuzzing/translating but would add the complexity of writing your own loader.


Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 13-17 May 2024 Live, Online
Developing Minifilters 1-5 Apr 2024 Live, Online
Internals & Software Drivers 11-15 Mar 2024 Live, Online
Writing WDF Drivers 20-24 May 2024 Live, Online