PsSetLoadImageNotifyRoutine

Hello,

I have set callback using PsSetLoadImageNotifyRoutine.

In the callback, I get the paths for .exe as
\Device\HarddiskVolume1\windows\system32\lsass.exe

but for .dll I get a path like \windows\system32\ntdll.dll.

My question -

Is it documented?

Thanks
Sourabh

On 02/06/14 09:39, xxxxx@gmail.com wrote:

> Hello,
>
> I have set callback using PsSetLoadImageNotifyRoutine.
>
> In the callback, I get the paths for .exe as
> \Device\HarddiskVolume1\windows\system32\lsass.exe
>
> but for .dll I get a path like \windows\system32\ntdll.dll.

Yes, I had similar behavior. In addition to that some module names
were becoming empty afterwards.

Hi,

In Vista+ kernels it should already be fixed by Microsoft.
In the case of older kernels (most likely your case) you have no
other choice than to do it manually.
Use the information on how the Windows kernel performs the notifications:
Use CONTAINING_RECORD on the UNICODE_STRING you receive in the callback to
get the FILE_OBJECT struct.
From the FILE_OBJECT take the DeviceObject, then take its name (e.g. via
IoGetDeviceProperty) and finally do some concatenation work.

xdc

W dniu 6. 2. 2014 6:39, xxxxx@gmail.com pisze:

> Hello,
>
> I have set callback using PsSetLoadImageNotifyRoutine.
>
> In the callback, I get the paths for .exe as
> \Device\HarddiskVolume1\windows\system32\lsass.exe
>
> but for .dll I get a path like \windows\system32\ntdll.dll.
>
> My question -
>
> Is it documented?
>
> Thanks
> Sourabh


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
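The recovery trick xdc describes (the UNICODE_STRING handed to the callback being the FileName member of a FILE_OBJECT, so CONTAINING_RECORD gets you back to the object and from there to the device) is shown below as an added, user-mode C model; it is not code from the thread or from any driver. The UNICODE_STRING, DEVICE_OBJECT and FILE_OBJECT declarations are deliberately abbreviated stand-ins (the real DEVICE_OBJECT has no inline name field; a driver would use ObQueryNameString on it), the "does it already start with \Device\" test is my own heuristic for telling the two forms apart, and the sample strings are constructed from the paths in the original post. On kernels that pass IMAGE_INFO_EX (ImageInfo->ExtendedInfoPresent set) the supported route is the FileObject member of that structure, queried with ObQueryNameString or, in a minifilter, FltGetFileNameInformationUnsafe, rather than pointer arithmetic on the string. The security-relevant point for an EDR-style consumer is that a detection comparing the raw callback string against a full path silently misses every DLL load on affected kernels; normalise first.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Abbreviated models of the kernel types involved (illustrative layout only,
   not the real ntoskrnl structures). */
typedef struct _UNICODE_STRING {
    unsigned short Length;        /* in bytes, not characters */
    unsigned short MaximumLength;
    wchar_t       *Buffer;
} UNICODE_STRING;

typedef struct _DEVICE_OBJECT {
    UNICODE_STRING Name;          /* hypothetical field: the real kernel keeps the
                                     name in the object header (ObQueryNameString) */
} DEVICE_OBJECT;

typedef struct _FILE_OBJECT {
    short           Type;
    short           Size;
    DEVICE_OBJECT  *DeviceObject;
    void           *Vpb;
    void           *FsContext;
    UNICODE_STRING  FileName;     /* device-relative, e.g. \windows\system32\ntdll.dll */
} FILE_OBJECT;

#ifndef CONTAINING_RECORD
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
#endif

/* Case-insensitive prefix test on a counted UNICODE_STRING. */
static int starts_with_ci(const UNICODE_STRING *s, const wchar_t *prefix)
{
    size_t n = wcslen(prefix);
    if (s->Length / sizeof(wchar_t) < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (towlower(s->Buffer[i]) != towlower(prefix[i])) return 0;
    return 1;
}

/* Append a counted string to a NUL-terminated output buffer; 0 if it would not fit. */
static int append(wchar_t *out, size_t cap, size_t *pos, const UNICODE_STRING *s)
{
    size_t n = s->Length / sizeof(wchar_t);
    if (*pos + n + 1 > cap) return 0;
    wmemcpy(out + *pos, s->Buffer, n);
    *pos += n;
    out[*pos] = L'\0';
    return 1;
}

/* Normalise what the load-image callback hands us into a full NT path.
   Returns 1 and fills out on success, 0 on failure. The prefix test is a
   heuristic: only a device-relative name is assumed to live inside a
   FILE_OBJECT, so CONTAINING_RECORD is never applied to a stand-alone string. */
int resolve_image_path(const UNICODE_STRING *FullImageName, wchar_t *out, size_t cap)
{
    size_t pos = 0;
    if (starts_with_ci(FullImageName, L"\\Device\\"))
        return append(out, cap, &pos, FullImageName);

    const FILE_OBJECT *fo = CONTAINING_RECORD(FullImageName, FILE_OBJECT, FileName);
    if (fo->DeviceObject == NULL) return 0;
    if (!append(out, cap, &pos, &fo->DeviceObject->Name)) return 0;
    return append(out, cap, &pos, &fo->FileName);
}

/* Constructed sample: the device-relative form seen for ntdll.dll in the post. */
int demo_relative(wchar_t *out, size_t cap)
{
    static wchar_t dev[] = L"\\Device\\HarddiskVolume1";
    static wchar_t rel[] = L"\\windows\\system32\\ntdll.dll";
    DEVICE_OBJECT d = { { (unsigned short)(wcslen(dev) * sizeof(wchar_t)), sizeof dev, dev } };
    FILE_OBJECT fo = { 5, (short)sizeof(FILE_OBJECT), &d, NULL, NULL,
                       { (unsigned short)(wcslen(rel) * sizeof(wchar_t)), sizeof rel, rel } };
    return resolve_image_path(&fo.FileName, out, cap);
}

/* Constructed sample: the already-full form seen for lsass.exe in the post. */
int demo_full(wchar_t *out, size_t cap)
{
    static wchar_t full[] = L"\\Device\\HarddiskVolume1\\windows\\system32\\lsass.exe";
    UNICODE_STRING us = { (unsigned short)(wcslen(full) * sizeof(wchar_t)), sizeof full, full };
    return resolve_image_path(&us, out, cap);
}

int main(void)
{
    wchar_t buf[260];
    if (demo_relative(buf, 260)) wprintf(L"dll: %ls\n", buf);
    if (demo_full(buf, 260))     wprintf(L"exe: %ls\n", buf);
    return 0;
}
```

In a real driver the CONTAINING_RECORD branch is only as safe as the assumption behind it; validate that the recovered pointer really is a file object (for example by referencing it with ObReferenceObjectByPointer against *IoFileObjectType) before touching DeviceObject, and prefer the IMAGE_INFO_EX.FileObject route wherever the kernel provides it.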

Hi xdc,

I have observed the same behavior from Windows XP to Windows 8…

thanks