No LoadImageNotification for forked process

Hi,

I was playing with a native api implementation of fork() and noticed that I get a LoadImageNotification() callback for the main process binary and ntdll.dll but *not* for any other modules the parent had loaded.

I verified that the other modules still exist in the child and can be successfully called there.

Is this expected behavior?
I make security decisions based on LoadImageNotify and this probably breaks my project.

Many thanks,
db

The question is, what do you mean by fork() fn? Windows doesn’t have
anything quite like that.

LoadImageNotification callback is invoked correctly for every newly
loaded/mapped image into memory. If you miss some calls, then images were
probably loaded/copied manually (?) or you overlooked something…

Actually, the OS kernel does support clone operations. I suspect that because it becomes a “dup handle” operation on the section objects it doesn’t trigger any sort of callback because it wasn’t “loaded”. I’m a bit surprised it would call it for the base image, but that’s likely an artifact of the implementation.

MM has quite a bit of support for this and has since NT 3.1 (when there was a POSIX subsystem and it supported fork()) and there are articles in the archives (e.g., http://www.osronline.com/showThread.CFM?link=90669) that discuss this almost a decade back. The functionality is still present in Windows today.

As for the OP, if you are assuming that you will be told something is loaded when it isn’t and that breaks your product, I’m not sure what we can do to help you on that. If it’s not possible to figure out this is a clone operation from the notify callback (there’s a lot of information in the EX version) it’s probably not possible to implement your functionality on Windows.

Tony
OSR

If I understand your question, and you’re talking about the Windows implementation of fork() that uses ZwResumeThread() as its final call to “start” the process from user space, you may want to try PsSetCreateThreadNotifyRoutine() to catch it. It worked for me (but we may be talking about different code since there’s no source posted here).
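The practical consequence of Tony’s point (you are only told about images that go through the loader, not about sections a clone inherits) is a telemetry gap that can be measured from user mode. The following is an added example, not code from anyone in this thread: it compares the modules actually mapped in a given process against the image-load events recorded for that PID. It assumes Sysmon is installed and writing Event ID 7 (Image loaded) to the Microsoft-Windows-Sysmon/Operational channel, and it assumes that Sysmon’s Event 7 is fed by the same kernel load-image notify callback, so a process created by a fork()-style clone would show the gap described above. Run it elevated, and with a PowerShell host of the same bitness as the target process, or the module list will be incomplete.

```powershell
# Added example (not from the thread): report modules that are mapped in a
# process but for which no image-load event exists in the telemetry.
# Assumptions: Sysmon logs Event ID 7 to Microsoft-Windows-Sysmon/Operational,
# and that event is driven by the kernel load-image notify callback.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,
    [int]$LookbackMinutes = 60
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop

# Ground truth: what the loader currently has mapped in the target process.
# (Same-bitness host and sufficient privilege are required for a full list.)
$mapped = @{}
foreach ($m in $proc.Modules) {
    $mapped[$m.FileName.ToLowerInvariant()] = $true
}

# What the image-load telemetry claims was loaded into this PID.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}
$reported = @{}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ([int]$data['ProcessId'] -eq $ProcessId -and $data['ImageLoaded']) {
        $reported[$data['ImageLoaded'].ToLowerInvariant()] = $true
    }
}

# Anything mapped but never reported was not seen by the load-image callback,
# so any security decision keyed on that callback never ran for it.
$rows = foreach ($path in ($mapped.Keys | Sort-Object)) {
    [pscustomobject]@{
        Module              = $path
        ReportedByTelemetry = $reported.ContainsKey($path)
    }
}
$rows | Format-Table -AutoSize

$missing = @($rows | Where-Object { -not $_.ReportedByTelemetry })
Write-Host ("{0} of {1} mapped modules have no image-load event for PID {2}" -f `
    $missing.Count, $rows.Count, $ProcessId)
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```

For a normally created process the script should report every module (modulo the lookback window); for a child produced by a section-cloning fork() you would expect to see only the main image and ntdll.dll reported, matching what the original poster observed. The non-zero exit code makes the check usable from a test harness that exercises your driver against a fork()-style process.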