when a process is being launched, I receive LoadImageNotifyRoutine callback
with IMAGE_INFO structure. In most cases, IMAGE_INFO.ImageBase is the same
with PEB.ImageBaseAddress value, but the image address in PEB is sometimes
different and it’s preferred against IMAGE_INFO value. I have got one
application which behaves like that (ThinApp package, to be exact). Since I
analyze executables directly in LoadImageNotifyRoutine, I would like to know
how it’s possible those two addresses are sometimes different and which one
should be preferred.
e.g. I got in LoadImageNotifyRoutine:
FullImageName = “\Device\HarddiskVolume2\GetDataBack for FAT.exe”
PEB.ImageBaseAddress points to the base of the exe image used to create the process.
The ImageBase you get in LoadImageNotifyRoutine points to the currently loaded (mapped) image, which, in your case, is some other exe/dll that is being mapped into the process.
If you’re writing an AV software that scans all images reported by LoadImageNotifyRoutine, you would’ve already scanned the image the PEB is pointing to at this stage, so scanning it again is pointless. Thus, you should probably scan the currently loaded image.
> PEB.ImageBaseAddress points to the base of the exe image used to create
> the process.
> The ImageBase you get in LoadImageNotifyRoutine points to the currently
> loaded (mapped) image, which, in your case, is some other exe/dll that is
> being mapped into the process.
I dare to disagree. It’s not some other exe/dll mapped into the process -
it’s the first LoadImage callback for a newly created process. That
LoadImageNotifyRoutine callback is called directly from nt!DbgkCreateThread
(this function is called when a new thread begins to execute; since it was
the first thread in the process, it calls LoadImage callback for the module
EXE file and then for ntdll.dll).
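The bookkeeping the thread implies (first callback for a new process is the EXE, the next is ntdll.dll, everything after that is another module), with the IMAGE_INFO.ImageBase vs. PEB.ImageBaseAddress comparison flagged instead of silently preferring one, as an added user-mode simulation that is not code from this thread. The `load_event_t` struct, the per-PID counter and all sample values are constructed; a real driver would take the PEB base from the target process (or PsGetProcessSectionBaseAddress) inside its PsSetLoadImageNotifyRoutine callback.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for what the callback sees; not the WDK IMAGE_INFO. */
typedef struct {
    uint32_t    pid;
    const char *full_image_name;  /* NT path, like FullImageName in the callback */
    uintptr_t   image_base;       /* IMAGE_INFO.ImageBase: the image being mapped now */
    uintptr_t   peb_image_base;   /* PEB.ImageBaseAddress of the target process */
} load_event_t;

typedef enum {
    EV_MAIN_EXE,           /* first callback for this pid, bases agree */
    EV_MAIN_EXE_MISMATCH,  /* first callback, but PEB points elsewhere (ThinApp-style) */
    EV_NTDLL,              /* second callback: ntdll.dll */
    EV_OTHER_MODULE        /* any later DLL/EXE mapped into the process */
} event_kind_t;

/* Hypothetical per-process load counter; a driver would key this off the
   process-creation notify routine and tear it down on process exit. */
#define MAX_TRACKED 64
static struct { uint32_t pid; unsigned loads; } tracked[MAX_TRACKED];

static unsigned *load_counter(uint32_t pid) {
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (tracked[i].pid == pid) return &tracked[i].loads;
        if (tracked[i].pid == 0) { tracked[i].pid = pid; return &tracked[i].loads; }
    }
    return NULL;  /* table full: caller treats the event as an ordinary module */
}

static bool ends_with_nocase(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return false;
    for (size_t i = 0; i < lx; i++) {
        char a = s[ls - lx + i], b = suffix[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return false;
    }
    return true;
}

/* Classify one load-image event in the order the kernel delivers them. */
event_kind_t classify_load(const load_event_t *ev) {
    unsigned *n = load_counter(ev->pid);
    unsigned seq = n ? (*n)++ : 2;
    if (seq == 0)
        return ev->image_base == ev->peb_image_base ? EV_MAIN_EXE : EV_MAIN_EXE_MISMATCH;
    if (seq == 1 && ends_with_nocase(ev->full_image_name, "\\ntdll.dll"))
        return EV_NTDLL;
    return EV_OTHER_MODULE;
}
```

An EV_MAIN_EXE_MISMATCH event is the case the original poster hit: scan the base the callback reports (that is what is actually being mapped) and keep the PEB value for correlation, rather than assuming the two are interchangeable.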