The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
I'm trying to develop a Minifilter to not allow to load an specific dll directly.
The process description is:
1 - An application wants to use this dll so ejecutes LoadLibrary("original.dll").
2 - This LoadLibrary try generates a IRP_MJ_CREATE precreate callback in the Minifilter and it changes (reparse) this file name with another dll made by me (with the same interface than the original).
3 - Because the reparse has been done, another IRP_MJ_CREATE precreate callback is executed, now with my dll name, so the filter allow it and do nothing.
4 - The application loads my dll.
5 - The application executes the first dll function in my dll, and my dll try to load original one executing LoadLibrary but using an specific dll name (for example: abcde.dll; this name is known for my dll and in the minifilter).
6 - This LoadLibrary generates another IRP_MJ_CREATE precreate callback in the filter to load "abcde.dll". The filter changes this name to the original one.
7 - Because this reparse has been done, it generates another IRP_MJ_CREATE precreate callback, now with the original one. In the minifilter I have the code to recognize this situation an in this case it doens't made any file change name (I save the process ID and an status for each process in each load try to know if the load dlls process is as I expect).
8 - The result is the application loads my dll and my dll loads the original. I have total control of the original dll execution.
The problem is this: If I try to open another application instance (the same application that loads the same original dll) with or without closing the first one, the IRP_MJ_CREATE precreate callback received has got my dll filename in the first callback. This is complete impossible. The application doen't know anything about the name of my dll and my dll is loading when an specific dll exported funcition call and this call has not be executed yet). It only knows the original name. So, who are doing this call using my dll? It is like if I made a reparser for this original.dll one time, all future LoadLibrary("original.dll") are changed to my dll without executing anything in the Minifilter. Is it true? it works again if I restart the computer but only for the first time the application is executed. Any idea?
|Upcoming OSR Seminars|
|OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!|
|Internals & Software Drivers||30 Nov 2020||LIVE ONLINE|
|Writing WDF Drivers||7 Dec 2020||LIVE ONLINE|
|Developing Minifilters||Early 2021||LIVE ONLINE|