Is there a way I can tell in IRP_MJ_CREATE that a exe
or dll (or any other type of executable code) is just
being opened in the process of being loaded for
execution?
My driver does different things based on read or write
access when files are opened. I’ve noticed that exe
and dll files are opened with write access when they
are run but they’re not written to. I’d like to
notice that it is being opened to be executed and take
the read access path in my code.
Are there scenarios where these files are modified
when they are opened to be executed?
Thanks,
Randy
Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and more
http://tax.yahoo.com