Can one do IO in ELAM InitializeImage callback?

Hi All,

I am trying to open a file in the InitializeImage callback of an ELAM driver, but ZwCreateFile fails with error code STATUS_OBJECT_PATH_NOT_FOUND. I am passing the file path obtained from the ImageName field of BDCB_IMAGE_INFORMATION, which is a parameter to the callback.

First of all, is it possible to open a file and do any IO in the ELAM InitializeImage callback, which comes at a very early stage of the boot process? If not, then how can an AV determine that a driver is bad?

Thanks & Regards,
Amit.

Don't issue file IO requests during ELAM callbacks, because that will slow down
the whole boot process phase. You should work only with your pre-prepared
SHA-1 signatures.

As for the status code, filesystem symlinks are not created yet (they're ready
in the post-boot callback).

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, November 30, 2011 11:06 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Can one do IO in ELAM InitializeImage callback?


Hi Petr Kurtin,

Thanks for the helpful reply.
Do you mean I should compare my pre-prepared SHA-1 signatures with the ImageHash field in the BDCB_IMAGE_INFORMATION structure?

If this is the case, then what about polymorphic and random driver infectors, as the image hash will change according to which image is infected and which key is used for encryption, etc.?

Thanks & Regards,
Amit.

Also, I am not able to find the HKLM\ELAM\Measured key specified in the Early Launch Anti-Malware documentation in the 32-bit preview build of Windows 8.
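The hash-only check Petr describes, as an added user-mode example (not code from this thread or from any ELAM driver): it answers from the digest the kernel already supplies in BDCB_IMAGE_INFORMATION (ImageHash, ImageHashAlgorithm, ImageHashLength) and an embedded table, so the BdCbInitializeImage branch of the callback never touches the file system. The enum values, the sample hashes and the boot_critical flag are assumptions for testing outside the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CALG_SHA1_ID 0x8004u   /* ALG_ID of CALG_SHA1 (wincrypt.h); what ImageHashAlgorithm reports for SHA-1 */
#define SHA1_LEN     20u

/* Mirrors the BDCB_CLASSIFICATION values an ELAM callback writes back; the numeric values
 * here are an assumption for user-mode testing, a real driver uses the WDK enum. */
typedef enum {
    ClassUnknownImage = 0,
    ClassKnownGoodImage,
    ClassKnownBadImage,
    ClassKnownBadImageBootCritical
} ImageClass;

/* Constructed sample list of known-bad SHA-1 image hashes (not real malware hashes).
 * Stored sorted in memcmp order so the lookup can binary-search; in a real ELAM driver
 * this table would be compiled into the driver, not read from disk at boot. */
static const uint8_t g_known_bad[][SHA1_LEN] = {
    {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x00,0x11,0x22,0x33,0x44},
    {0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a},
    {0xc3} /* remaining 19 bytes are zero */
};

/* Binary search over the sorted table: no allocation, no IO, safe at the point the callback runs. */
static int hash_is_known_bad(const uint8_t *h) {
    size_t lo = 0, hi = sizeof g_known_bad / SHA1_LEN;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = memcmp(h, g_known_bad[mid], SHA1_LEN);
        if (c == 0) return 1;
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return 0;
}

/* Classify an image purely from the hash the kernel handed over in ImageHash /
 * ImageHashAlgorithm / ImageHashLength. boot_critical is an assumed flag the driver would
 * derive from its own policy for that image. Anything the table cannot answer is left as
 * Unknown so Windows applies its default policy rather than a guess. */
ImageClass classify_image(unsigned hash_alg, const void *hash, size_t hash_len, int boot_critical) {
    if (hash == NULL || hash_alg != CALG_SHA1_ID || hash_len != SHA1_LEN)
        return ClassUnknownImage;   /* table only holds SHA-1 digests; a mismatch is not a match */
    if (!hash_is_known_bad((const uint8_t *)hash))
        return ClassUnknownImage;
    return boot_critical ? ClassKnownBadImageBootCritical : ClassKnownBadImage;
}
```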