Hi all.
I am trying to make a development to intercept attempts to load a specific dll and change it for another dll (with the exact interface) that I have developed. The idea is when applications try to load the original dll, they really loads my dll and my dll loads the original and pass-throw all the dll calls to the original. The Idea is to not allow to load the dll directly (my dll will make some checks to decide if the dll functions execution are allowed or not).
I have made a Minifilter and when the original dll is going to be loaded, in IRP_MJ_CREATE I change the dll file name to be loaded, set the status to STATUS_REPARSE, set the Information to IO_REPARSE and return FLT_PREOP_COMPLETE. It is working fine and my dll is loaded instead of the original one.
The problem comes when my dll try to load the original and this load goes to the Minifilter too. To know in the Minifilter that this try to load is from my dll, I have changed the name to load. If in IRP_MJ_CREATE, the minifilter receives the name as “abcd.dll” (for example), I change the name to original dll, set again status to STATUS_REPARSE, Information to IO_REPARSE and return FLT_PREOP_COMPLETE. This originates another IRP_MJ_CREATE, with the original dll name, so all starts again and repeat in a infinite loop until crash.
The question is: How could I know that the second IRP_MJ_CREATE is because a REPARSE has been done in the previous one? Is it possible? I need to recognize in the Minifilter if the attempt to load comes from my dll or not, to not change the name (if comes from my dll) or change it (if comes from another process or dll). Thinking that the process is always the same becauser I talk about dlls, not proccesses.
Regards.