Hi All,
We encountered an issue while attempting to retrieve the path name of the
file object associated with a process section object after renaming the
folder that contains the executable image.
File System: NTFS
OS: seems to be all 32-bit NT-based (2000, XP, 2003 and their SPs)
Steps to reproduce:
- Create a new folder named "1" on a disk (for example, C:).
- Copy any executable file (e.g., "test.exe") to the created folder.
- Execute this application.
- Exit from this application (e.g., "test.exe").
- Rename folder "1" to another name (for example, "2").
- Execute the application located in this folder ("2\test.exe"), i.e. the
one that was executed at step 3.
What did we get?
The new process runs successfully, but we can't get the correct path
name for the section object associated with this process, and we also
get an incorrect path name in the PsSetLoadImageNotifyRoutine callback
routine (see example #4 below).
As the result of querying the path name of the process section we got:
\Device\HardDiskXXX\1\test.exe
instead of the expected:
\Device\HardDiskXXX\2\test.exe
We tried different methods of getting the path name for the section
object associated with the process. All methods except reading the PEB
give the incorrect path name :(
Example #1.
PSECTION pSection;
...
/* get the section for the process executable image */
...
PFILE_OBJECT pSectionFile =
    pSection->Segment->ControlArea->FilePointer;
ObQueryNameString(pSectionFile, ...);
Example #2.
Use IoQueryFileInformation on the file object associated with the
process section object,
or
use ObOpenObjectByName and ZwQueryInformationFile on this file object.
Example #3.
Directly scan the file object's fields and read the file path name.
Example #4.
#include <ntddk.h>
VOID
NTAPI
LoadImageNotifyRoutine(
    IN PUNICODE_STRING FullImageName,
    IN HANDLE ProcessId,
    IN PIMAGE_INFO ImageInfo)
{
    UNREFERENCED_PARAMETER(ProcessId);
    UNREFERENCED_PARAMETER(ImageInfo);
    /* FullImageName may be NULL and its Buffer need not be NUL-terminated,
       so print it with %wZ instead of %ws */
    if (FullImageName != NULL) {
        KdPrint(("Load image: %wZ\n", FullImageName));
    }
}
VOID NTAPI DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    /* the callback must be removed before the driver image goes away */
    PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
}
EXTERN_C
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    pDriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
}
Based on the PDB information for ntoskrnl.exe, the unexported function
MmGetFileNameForSection, which is called before the load-image callback
routine is executed, also returns the invalid path name.
Does anybody have anything to say on this matter?
Best regards,
Andrey Alekseev
Development Team
ISV System Safety Ltd.
http://www.syssafety.com
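The following is an added example, not part of Andrey's post or of any ISV System Safety code: a PowerShell script that walks through the reproduction steps above from user mode and then asks the running second process for its image path in two ways. GetProcessImageFileName returns the NT device path the kernel derives from the process section object (the same source the kernel-mode queries in examples #1 to #4 rely on), while GetModuleFileNameEx with a NULL module handle returns the main-module path recorded in the process PEB. If the mismatch described in the post reproduces on the machine under test, the first will still name folder "1" and the second will name folder "2". Assumed: Windows with Windows PowerShell 5.1 or PowerShell 7, psapi.dll present, and timeout.exe from System32 as a stand-in for the post's test.exe; the temp folder name, the `Win32.ImagePath` wrapper type and the function names `Get-ImagePaths` and `Invoke-RenameRepro` are this example's own.

```powershell
# Added example (not from the original post). Reproduces the folder-rename
# steps and compares two image paths for the second process:
#  - GetProcessImageFileName : kernel-derived, taken from the section object
#  - GetModuleFileNameEx     : read from the process PEB loader data
# Assumed: PowerShell 5.1+/7 on Windows, psapi.dll available, and
# timeout.exe used as a stand-in for the post's test.exe.

if (-not ('Win32.ImagePath' -as [type])) {
    Add-Type -Namespace Win32 -Name ImagePath -MemberDefinition @'
[DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetProcessImageFileNameW(
    IntPtr hProcess, System.Text.StringBuilder lpImageFileName, uint nSize);

[DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetModuleFileNameExW(
    IntPtr hProcess, IntPtr hModule, System.Text.StringBuilder lpFilename, uint nSize);
'@
}

function Get-ImagePaths {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    $sb = New-Object System.Text.StringBuilder 1024

    # Kernel view: \Device\HarddiskVolumeN\... built from the section's file name
    $len = [Win32.ImagePath]::GetProcessImageFileNameW($Process.Handle, $sb, $sb.Capacity)
    if ($len -eq 0) { throw 'GetProcessImageFileName failed' }
    $kernelPath = $sb.ToString()

    # PEB view: main module path as the loader recorded it inside the process
    [void]$sb.Clear()
    $len = [Win32.ImagePath]::GetModuleFileNameExW($Process.Handle, [IntPtr]::Zero, $sb, $sb.Capacity)
    if ($len -eq 0) { throw 'GetModuleFileNameEx failed' }
    $pebPath = $sb.ToString()

    [pscustomobject]@{ KernelPath = $kernelPath; PebPath = $pebPath }
}

function Invoke-RenameRepro {
    param([string]$Exe = "$env:SystemRoot\System32\timeout.exe")

    $base = Join-Path $env:TEMP ('imgpath-' + [guid]::NewGuid().ToString('N'))
    $dir1 = Join-Path $base '1'
    $dir2 = Join-Path $base '2'
    $name = Split-Path -Leaf $Exe
    try {
        # Steps 1-2: folder "1" holding a copy of the executable
        New-Item -ItemType Directory -Path $dir1 -Force | Out-Null
        Copy-Item -Path $Exe -Destination $dir1

        # Steps 3-4: run it from "1" once and let it go away
        $p = Start-Process -FilePath (Join-Path $dir1 $name) -ArgumentList '/t', '30' `
                           -WindowStyle Hidden -PassThru
        Start-Sleep -Seconds 1
        $p.Kill(); $p.WaitForExit()

        # Step 5: rename the containing folder while nothing in it is running
        Rename-Item -Path $dir1 -NewName '2'

        # Step 6: run the same file from "2" and query both names
        $p = Start-Process -FilePath (Join-Path $dir2 $name) -ArgumentList '/t', '30' `
                           -WindowStyle Hidden -PassThru
        Start-Sleep -Seconds 1
        try     { $paths = Get-ImagePaths -Process $p }
        finally { $p.Kill(); $p.WaitForExit() }

        $expected = "*\2\$name"
        [pscustomobject]@{
            KernelPath      = $paths.KernelPath
            PebPath         = $paths.PebPath
            KernelIsCurrent = ($paths.KernelPath -like $expected)
            PebIsCurrent    = ($paths.PebPath -like $expected)
        }
    }
    finally {
        Remove-Item -Path $base -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Invoke-RenameRepro | Format-List
```

KernelIsCurrent = False with PebIsCurrent = True is the post's symptom seen from user mode; both True means the kernel on that machine already resolves the renamed directory correctly. The two names are compared only by their trailing `\2\<exe>` component because the kernel view is an NT device path and the PEB view is a Win32 drive-letter path.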