Hi Ken,
Thanks a lot for your feedback.
I think you might have misunderstood what we are doing here.
I am not reading any fields that are not present in the definition of the IMAGE_INFO structure for these platforms. In fact, I am not using the IMAGE_INFO structure at all, and that is what makes this even more shady; hence I am super suspicious about this code.
Please have a look at the following function. We pass the “FullImageName” that we get from the LoadImageNotifyRoutineCallback to this function as the input, i_pUsImageName, and directly call CONTAINING_RECORD(i_pUsImageName,FILE_OBJECT,FileName); on it.
I tried to load a DLL located at C:\ABC\XYZ.DLL and also at d:\ABC\XYZ.DLL; in both cases I got the correct HardDisk and Volume. We tested it on Windows XP SP3 and Windows 2003 Server, and it actually seems to work.
This may be a total fluke, so I am ready to take any flak ;)
Any comments / suggestions and criticism are welcome.
By the way, I had originally posted my problem here in the past but never got any response:
http://www.osronline.com/showthread.cfm?link=185940
Do you have any advice or suggestions for me here? Is it really IMPOSSIBLE to get the complete path of a DLL that is getting loaded?
Thanks in Advance,
Regards,
~Semal
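/*
 * GetFullyQualifiedObjectName
 *
 * Builds "<device name><image name>" in o_pUsFullImageName, where the image
 * name is the string handed to the load-image notify routine and the device
 * name is looked up from the device object the image file is assumed to live
 * on.
 *
 * Parameters:
 *   i_pUsImageName     - the FullImageName string received by the load-image
 *                        notify callback.
 *   o_pUsFullImageName - caller-allocated UNICODE_STRING; Buffer and
 *                        MaximumLength must already be set up by the caller.
 *
 * Returns TRUE only when the complete, untruncated name was written.
 * Returns FALSE on bad arguments, on device types other than disk / network
 * file system, when the device name cannot be queried, or when the output
 * buffer is too small.
 *
 * NOTE(review): the whole function rests on an undocumented assumption, namely
 * that i_pUsImageName is the FileName member embedded in a live FILE_OBJECT.
 * Nothing in the notify-routine contract promises that. If the string lives
 * anywhere else, CONTAINING_RECORD yields a pointer into unrelated kernel
 * memory and every field read below is a type confusion that can return a
 * bogus path or bugcheck the machine. Callers must not base allow/deny
 * decisions on this result without independent validation. On Windows Vista
 * and later the documented route is IMAGE_INFO.ExtendedInfoPresent together
 * with IMAGE_INFO_EX.FileObject.
 */
BOOLEAN GetFullyQualifiedObjectName(IN PUNICODE_STRING i_pUsImageName,OUT PUNICODE_STRING o_pUsFullImageName)
{
    PFILE_OBJECT pFileObject = NULL;
    PDEVICE_OBJECT pDeviceObject = NULL;
    WCHAR wstrDeviceName[50+(sizeof(UNICODE_STRING)/sizeof(WCHAR))+1] = {0};
    ULONG ResultLength = 0;
    ULONG BufferLength = 0;
    ULONG RequiredLength = 0;
    UNICODE_STRING usDeviceName = {0};
    NTSTATUS Status = STATUS_SUCCESS;
    PDEVICE_EXTENSION deviceExtension = NULL;

    if (!i_pUsImageName || !o_pUsFullImageName)
        return FALSE;

    /* The output string is caller-allocated; without a buffer there is
     * nowhere to copy to. */
    if (!o_pUsFullImageName->Buffer)
        return FALSE;

    /* Retrieve the FILE_OBJECT presumed to contain the name string.
     * CONTAINING_RECORD is plain pointer arithmetic: it cannot fail and it
     * cannot tell whether the string really is FILE_OBJECT.FileName, so the
     * NULL test below does not validate the assumption. */
    pFileObject = CONTAINING_RECORD(i_pUsImageName,FILE_OBJECT,FileName);
    if (!pFileObject)
        return FALSE;

    /* Retrieve the device object the file is opened on. */
    pDeviceObject = pFileObject->DeviceObject;
    if (!pDeviceObject)
        return FALSE;

    if (FILE_DEVICE_DISK == pDeviceObject->DeviceType)
    {
        /* IoGetDeviceProperty takes the buffer size in BYTES. Passing the
         * element count reported only half of the buffer and made longer
         * device names fail with a too-small-buffer status.
         * NOTE(review): IoGetDeviceProperty is documented for physical device
         * objects; that DeviceObject is a PDO here is assumed - confirm. */
        BufferLength = sizeof(wstrDeviceName);
        Status = IoGetDeviceProperty(pDeviceObject,
                                     DevicePropertyPhysicalDeviceObjectName,
                                     BufferLength,
                                     wstrDeviceName,
                                     &ResultLength);
        if (STATUS_SUCCESS != Status)
            return FALSE;

        /* RtlInitUnicodeString scans for a terminator, so guarantee one. */
        wstrDeviceName[(sizeof(wstrDeviceName)/sizeof(wstrDeviceName[0])) - 1] = L'\0';
        RtlInitUnicodeString(&usDeviceName,wstrDeviceName);
    }
    else if (FILE_DEVICE_NETWORK_FILE_SYSTEM == pDeviceObject->DeviceType)
    {
        /* Only the network path needs the filter's device extension, so it is
         * fetched here rather than before the argument checks. */
        if (!g_FilterCDO)
            return FALSE;
        deviceExtension = g_FilterCDO->DeviceExtension;
        if (!deviceExtension)
            return FALSE;

        /* Backslashes must be escaped inside the literals; unescaped they are
         * unknown escape sequences and do not produce an object path. */
        if (deviceExtension->OsType == WINDOWS_VISTA ||
            deviceExtension->OsType == WINDOWS_SERVER_2008 ||
            deviceExtension->OsType == WINDOWS_7)
            RtlInitUnicodeString(&usDeviceName, L"\\Device\\Mup");
        else
            RtlInitUnicodeString(&usDeviceName, L"\\Device\\LanmanRedirector");
    }
    else
    {
        /* Skip images that come from neither a disk nor a network file system. */
        return FALSE;
    }

    /* Prefix the device name to the image path. Refuse to produce a truncated
     * name: RtlCopyUnicodeString truncates silently, and a shortened path is
     * worse than no path for any caller that compares or filters on it. */
    RequiredLength = (ULONG)usDeviceName.Length + (ULONG)i_pUsImageName->Length;
    if (RequiredLength > (ULONG)o_pUsFullImageName->MaximumLength)
        return FALSE;

    RtlCopyUnicodeString(o_pUsFullImageName,&usDeviceName);
    Status = RtlAppendUnicodeStringToString(o_pUsFullImageName,i_pUsImageName);
    if (STATUS_SUCCESS != Status)
        return FALSE;

    return TRUE;
}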