You are thinking of AppInit_DLLs, and no, they are enumerated and loaded by user32.dll.
-Jeff
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@flounder.com
Sent: Thursday, March 28, 2013 3:50 PM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Blocking a image from loading
I remember something about a Registry key that causes DLLs to be loaded.
Would these count as “preloaded” DLLs in this regard? It might defeat an attempt to use this technique to block the loading of a DLL.
Also, a question: are permitted DLLs “whitelisted” or forbidden DLLs “blacklisted”? If this is a piece of security software? I can defeat either blacklisting or whitelisting easily and I also see ways in which it will fail for legitimate usages.
If the goal is to allow the DLL to be loaded only by its “legitimate”
application, as part of a licensing mechanism, it wouldn’t take much effort to discover this and defeat it.
joe
I think you are referring to PsSetCreateProcessNotifyRoutineEx();
there is not an equivalent Ex routine for PsSetLoadImageNotify().
In the former callback you are able to set a failure status on the
process being created but you are not able to keep specific modules
from loading. If you need to keep specific modules from loading then
you’ll need to do this within pre-create in a mini-filter for the
given process as it opens and loads libraries.
Note this technique won’t work for a set of system libraries that are
preloaded such as ntdll.
Pete
On 3/28/2013 4:32 AM, Don Burn wrote:
> Use PsSetLoadImageNotifyEx to do this. If you need to support the
> older call, there are a lot of nasty tricks required.
>
>
> Don Burn
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
> “xxxxx@cdac.in” wrote in message
>> news:xxxxx@ntfsd:
>>
>>> I am writing a mini filter driver which monitors the loading of
>>> images (e.g. dll files, sys files). For this purpose I registered a
>>> LoadImageNotifyRoutine using PsSetLoadImageNotifyRoutine. In
>>> LoadImageNotifyRoutine I need to block some dll files from loading.
>>> How can this be done using LoadImageNotifyRoutine?
>>> LoadImageNotifyRoutine has 3 parameters: 1. FullImageName,
>>> 2. ProcessId (where the image is mapped), 3. ImageInfo, of type
>>> PIMAGE_INFO.
>>>
>>> If it is not possible to block from these parameters, please suggest
>>> other possible solutions.
>>> Thanks a lot in advance
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> OSR is hiring!! Info at http://www.osr.com/careers
>>
>> For our schedule of debugging and file system seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>
> –
> Kernel Drivers
> Windows File System and Device Driver Consulting www.KernelDrivers.com
> 866.263.9295