Easiest way to compare object names(?)?

Hello,
I am given several paths.

Example:

  1. “\WINDOWS\system32\ntdll.dll”
  2. “c:\windows\system32\ntdll.dll”
  3. “??\c:\windows\system32\ntdll.dll”

My problem is they essentially all map to the same file. Is there a way to
convert these strings so they are all represented in the same format so I
could compare them?

Thanks
J

You forgot the problems of links, since you could also have:

c:\foo\ntjunk.dll and it be the same file. If you want to be sure you need
to get the filesystem ID and the file ID and compare that for each item you
encounter.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Thanks Don… Would you be able to direct me to certain calls I could make
to get the file system ID and file ID?
Also, my problem is coming from PsSetLoadImageNotifyRoutine.
http://msdn.microsoft.com/en-us/library/ms802949.aspx

The callback function gives me the “FullImagePath” but for some reason, it
has stripped off all the drive letters and is giving me some weird path.

For example, it is giving me “\windows\system32\ntdll.dll” instead of
“c:\windows\system32\ntdll.dll”. It is giving me “\myDir\test.txt” instead
of “c:\myDir\test.txt”.

If it is doing that on purpose, assuming I am given “\myDir\test.txt”, is
there a way I could infer whether this file is coming from
“c:\myDir\test.txt” or “d:\myDir\test.txt” or even “d:\myDir\test.txt”?

thanks for the help

J


You will need to open the file, and then do an
IRP_MJ_QUERY_VOLUME_INFORMATION (or ZwQueryVolumeInformationFile) and an
IRP_MJ_QUERY_INFORMATION (also doable with ZwQueryInformationFile)


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
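Don's recommendation, compare the filesystem ID and the file ID of the opened file rather than the strings, as an added example that is not code from the thread. In a driver the sequence is ZwCreateFile, then ZwQueryVolumeInformationFile with FileFsVolumeInformation (volume serial number) and ZwQueryInformationFile with FileInternalInformation (file index); that needs the WDK to build, so this is the user-mode equivalent in Python, which relies on os.stat() filling st_dev with the volume serial number and st_ino with the 64-bit file index on Windows (and with device and inode numbers on POSIX). The prefix list, the function names and the hard-linked "ntjunk.dll" are constructed for the demonstration; the third string from the thread (the `??\` form) is included in the prefixes it strips.

```python
r"""Compare paths by file identity instead of by string (added example, not
code from the thread). On Windows os.stat() reports the volume serial number
as st_dev and the 64-bit file index as st_ino, the same two values a driver
reads with FileFsVolumeInformation and FileInternalInformation; on POSIX they
are the device and inode numbers. The file and hard link are constructed."""
import os
import re
import tempfile
from typing import Dict, Tuple

# Prefixes that can sit in front of an otherwise identical path:
#   \??\   NT object-manager alias for the DOS device namespace
#   ??\    the same prefix as it appears in the thread
#   \\?\   Win32 extended-length prefix
_PREFIX_RE = re.compile(r'^(?:\\\?\?\\|\?\?\\|\\\\\?\\)')


def normalize_path_string(path: str) -> str:
    r"""Best-effort textual normalization: strip the prefixes above, unify
    separators and fold case. It cannot supply a missing drive letter (the
    "\WINDOWS\system32\ntdll.dll" form) and it cannot see hard links, junctions
    or symbolic links, which is exactly why string comparison is not enough."""
    return _PREFIX_RE.sub('', path.replace('/', '\\')).lower()


def file_identity(path: str) -> Tuple[int, int]:
    """(filesystem ID, file ID) for an existing path; follows links so that
    every name of a file yields the same pair."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def same_file(a: str, b: str) -> bool:
    """True when both names resolve to the same file on the same volume."""
    return file_identity(a) == file_identity(b)


def demo() -> Dict[str, bool]:
    r"""Constructed scenario from the thread: c:\foo\ntjunk.dll as a second
    name (hard link) for an existing DLL. String normalization says the two
    names differ; identity comparison says they are the same file."""
    with tempfile.TemporaryDirectory() as folder:
        original = os.path.join(folder, 'ntdll_copy.dll')
        link = os.path.join(folder, 'ntjunk.dll')
        with open(original, 'wb') as fh:
            fh.write(b'MZ constructed sample, not a real image')
        os.link(original, link)  # hard link: a second directory entry, one file
        return {
            'normalized_equal': normalize_path_string(original) == normalize_path_string(link),
            'identity_equal': same_file(original, link),
        }


if __name__ == '__main__':
    print(demo())
```

The string step is kept only to show its limit: it makes the `\??\c:\...` and `c:\...` spellings equal, but it can neither add the drive letter missing from `\WINDOWS\system32\ntdll.dll` nor detect the hard link, while the (st_dev, st_ino) pair handles both.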


How are you getting a txt file in the load image notify routine? As far as
no drive letter for DLLs, that is the way it works. I don’t recall ever
seeing a drive letter for a DLL. The exe file always has a drive letter.

Bill Wandel



Bill,
I am sorry about that :) but yeah, you are correct. I should be only
getting DLLs or Exes. I guess my main point is how I could get the full
path from the FullImagePath variable in my load module handler.

thanks


Bill,

Well you would not, but it could be any other DLL name


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


> The callback function gives me the “FullImagePath” but for some reason, it
> has stripped off all the drive letters and is giving me some weird path.
>
> For example, it is giving me “\windows\system32\ntdll.dll” instead of
> “c:\windows\system32\ntdll.dll”. It is giving me “\myDir\test.txt” instead
> of “c:\myDir\test.txt”.

This is the way it works - the drive letter is needed only for locating the volume the FSD is mounted on, so that the system can discover the right DEVICE_OBJECT to send IRP_MJ_CREATE to. Once the file system knows the volume it is mounted on, it does not need the drive letter to locate the file. This is why the path that you obtain from the FILE_OBJECT does not have a drive letter …

> I guess my main point is how I could get the full path from the
> FullImagePath variable in my load module handler.

I am afraid this parameter is not going to help you here - you need a different approach. Your callback gets, first, the ID of the process where the image is mapped, and, second, a pointer to an IMAGE_INFO that, among other things, tells you the base address (as known in the target address space) that the image is mapped to. IIRC, ZwQueryVirtualMemory() is not exported by ntoskrnl.exe, so you will need UM assistance here.
Send this data to the UM helper app that will do the OpenProcess() - GetMappedFileName() sequence,
and that’s it…

Anton Bassov
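The user-mode helper Anton describes, as an added example that is not code from the thread or from anyone in it. The driver hands the helper the process ID and image base from its PsSetLoadImageNotifyRoutine callback (the driver-to-helper transport is assumed and not shown), and the helper runs the OpenProcess() then GetMappedFileName() sequence. GetMappedFileName returns the name in kernel device form, for example `\Device\HarddiskVolume2\Windows\System32\ntdll.dll`, so the example adds a final step that turns the `\Device\...` prefix back into a drive letter with QueryDosDevice; that translation step, the function names and the sample volume table are this example's own additions. The Win32 calls are made through ctypes and only run on Windows; the translation logic runs anywhere.

```python
r"""User-mode helper for the load-image callback (added example, not code
from the thread). OpenProcess -> GetMappedFileNameW gives the device-form
name of the image mapped at a base address in another process; QueryDosDeviceW
provides the \Device\... to drive-letter table. SAMPLE_TABLE is constructed."""
import ctypes
import os
import sys
from typing import Dict

PROCESS_QUERY_INFORMATION = 0x0400  # documented OpenProcess access rights
PROCESS_VM_READ = 0x0010
MAX_PATH_CHARS = 32767


def device_path_to_dos(device_path: str, table: Dict[str, str]) -> str:
    r"""Swap the longest matching \Device\... prefix for its drive letter.
    Longest match matters because \Device\HarddiskVolume1 is a textual prefix
    of \Device\HarddiskVolume10. Unknown prefixes are returned unchanged
    (volumes with no drive letter, redirector paths)."""
    lowered = device_path.lower()
    best_device, best_drive = '', ''
    for device, drive in table.items():
        dev = device.lower()
        matches = lowered == dev or lowered.startswith(dev + '\\')
        if matches and len(dev) > len(best_device):
            best_device, best_drive = dev, drive
    if not best_device:
        return device_path
    return best_drive + device_path[len(best_device):]


def dos_device_table() -> Dict[str, str]:
    r"""Windows only: the \Device target of every drive letter via QueryDosDeviceW."""
    k32 = ctypes.WinDLL('kernel32', use_last_error=True)
    buf = ctypes.create_unicode_buffer(1024)
    table: Dict[str, str] = {}
    for letter in 'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
        drive = letter + ':'
        # QueryDosDeviceW(lpDeviceName, lpTargetPath, ucchMax): chars copied, 0 on failure
        if k32.QueryDosDeviceW(ctypes.c_wchar_p(drive), buf, ctypes.c_uint32(len(buf))):
            table[buf.value] = drive  # first string of the MULTI_SZ is the live target
    return table


def mapped_file_name(pid: int, image_base: int) -> str:
    """Windows only: OpenProcess -> GetMappedFileNameW -> CloseHandle.
    Returns the device-form path of the section mapped at image_base."""
    k32 = ctypes.WinDLL('kernel32', use_last_error=True)
    psapi = ctypes.WinDLL('psapi', use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p  # HANDLE must not be truncated on x64
    handle = k32.OpenProcess(ctypes.c_uint32(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ),
                             ctypes.c_int(0), ctypes.c_uint32(pid))
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_unicode_buffer(MAX_PATH_CHARS)
        # GetMappedFileNameW(hProcess, lpv, lpFilename, nSize): chars copied, 0 on failure
        copied = psapi.GetMappedFileNameW(ctypes.c_void_p(handle), ctypes.c_void_p(image_base),
                                          buf, ctypes.c_uint32(len(buf)))
        if not copied:
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.value
    finally:
        k32.CloseHandle(ctypes.c_void_p(handle))


def resolve_image_path(pid: int, image_base: int) -> str:
    """Whole helper: device-form name from the target process, then drive letter."""
    if sys.platform != 'win32':
        raise OSError('resolve_image_path needs the Win32 API')
    return device_path_to_dos(mapped_file_name(pid, image_base), dos_device_table())


# Constructed stand-in for dos_device_table() output on a two-volume machine.
SAMPLE_TABLE = {r'\Device\HarddiskVolume1': 'C:', r'\Device\HarddiskVolume10': 'D:'}

if __name__ == '__main__':
    if sys.platform == 'win32':
        # Smoke test on this interpreter's own ntdll.dll mapping.
        k32 = ctypes.WinDLL('kernel32')
        k32.GetModuleHandleW.restype = ctypes.c_void_p
        base = k32.GetModuleHandleW(ctypes.c_wchar_p('ntdll.dll'))
        print(resolve_image_path(os.getpid(), base))
    else:
        print(device_path_to_dos(r'\Device\HarddiskVolume10\myDir\test.txt', SAMPLE_TABLE))
```

The helper needs only PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the target, and the drive-letter table should be rebuilt rather than cached for long, since letters are reassigned when volumes mount and unmount.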

Thanks Anton. The info was very useful. As a legacy driver though that
does not attach to any volumes, what volume would it assume I am attached
to? And, if I do attach to a volume and I am loading modules on other
volumes, would the FullImagePath parameter show the absolute path to the
module, or would I still get “\myDir\test.txt”?
Thanks


You attaching to a volume has nothing to do with this. Anton’s statement
about volumes is about the path in FILE_OBJECTS and is not really related to
your question. His suggestion about using a user mode helper seems to be the
way to go.

Bill Wandel



> As a legacy driver though that does not attach to any volumes, what volume
> would it assume I am attached to?

As Bill told you already, I just explained to you why you get the “mangled” path (it is being obtained from the FILE_OBJECT, which has no idea about the drive letter) - it has nothing to do with the actual solution that I proposed…

Anton Bassov