I’m writing a minifilter that catches IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION to examine executables. Most DLLs are shared between processes, so I only want to examine an executable the first time it is loaded, not every time it is shared to another process. The CONTROL_AREA keeps track of the reference count, but that structure isn’t publically defined (yes, I know it can be seen in the debugger). So, how can I perform my scan just once, the first time the image is mapped?
Did you explore this https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntddk/nf-ntddk-pssetloadimagenotifyroutineex
Along with other that I think might be useful.
Yes, but I need to be able to prevent an image from being loaded, so it has to be a minifilter
Thanks
Y