I need to calculate the checksum (SHA256) of an executable before it is launched. I plan to do it in the LoadImageNotifyRoutine callback. I have a crypto library in kernel mode to calculate the checksum. Would it be OK if I do it in kernel mode by opening the executable file in the LoadImageNotifyRoutine callback and calculating the checksum?
I wouldn't. I ran into an issue a few years ago where special APCs were disabled in some cases, leading to a deadlock when doing IO. The MS docs were updated at that time. I don't know if the issue is still present on current versions of Windows.
The operating system calls the driver's load-image notify routine at PASSIVE_LEVEL inside a critical region with normal kernel APCs always disabled and sometimes with both kernel and special APCs disabled.
Why not just do the hashing in the process create callback? There is the added benefit of being able to block the process from launching, if you so desire.
It's better to map a PE file and use the BCrypt API in kernel mode.
Calling user mode services from LoadImageNotify can lead to hard-to-debug hangs, especially if there are other drivers on the machine doing the same thing in LoadImageNotify (especially on Windows 7 where EPROCESS.AddressCreationLock is locked in the callback and special kernel APCs are disabled).