Hello all
I want to detect when PE images have been loaded so I have registered a
handler using PsSetLoadImageNotifyRoutine. While this does exactly what
I want, there appears to be a lack of consistency with the filenames
that are reported.
Many of the filenames use a fully qualified path of the form
\Device\HardDiskVolume1\Program files… etc., which is what I want.
However there are a number of variations on this which are not so useful
because they don’t include the volume. Examples of these include (but
are presumably not limited to) the following:
\Program Files\Microsoft Office.…
\Windows\System32.…
\SystemRoot\System32..
Under these circumstances is it safe to assume that any name that
doesn’t contain the volume is on the system volume or is there another
method for retrieving the fully qualified name?
Alternatively, is there another method for detecting when executable
images are loaded? (How does Process Explorer from Sysinternals do this,
for example? It doesn't register a PsSetLoadImageNotifyRoutine
callback, because I've stepped through the system code that invokes the
callbacks and there's only my routine in the array.)
Regards
Mark
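An added user-mode C illustration (not code from the poster or from any driver) of sorting the three path shapes listed in the post into volume-qualified, `\SystemRoot`-relative and bare root-relative forms before matching on them. The `\Device\HarddiskVolume1\Windows` target used for `\SystemRoot` is a constructed assumption; on a real system it has to be read from the symbolic link at run time, and bare root-relative names are deliberately left unresolved rather than assumed to be on the system volume.

```c
/* Classify and normalise image names as reported to a
 * PsSetLoadImageNotifyRoutine callback. User-mode illustration only. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed assumption: the target of the \SystemRoot symbolic link. */
#define ASSUMED_SYSTEM_ROOT "\\Device\\HarddiskVolume1\\Windows"

enum path_kind {
    PATH_VOLUME_QUALIFIED,    /* \Device\HarddiskVolumeN\...  */
    PATH_SYSTEMROOT_RELATIVE, /* \SystemRoot\...              */
    PATH_ROOT_RELATIVE,       /* \Windows\..., \Program Files\... (volume unknown) */
    PATH_UNKNOWN
};

/* Case-insensitive prefix test; NT object paths are case-insensitive. */
static int starts_with_nocase(const char *s, const char *prefix) {
    while (*prefix) {
        if (tolower((unsigned char)*s++) != tolower((unsigned char)*prefix++))
            return 0;
    }
    return 1;
}

enum path_kind classify_image_path(const char *name) {
    if (starts_with_nocase(name, "\\Device\\"))     return PATH_VOLUME_QUALIFIED;
    if (starts_with_nocase(name, "\\SystemRoot\\")) return PATH_SYSTEMROOT_RELATIVE;
    if (name[0] == '\\')                             return PATH_ROOT_RELATIVE;
    return PATH_UNKNOWN;
}

/* Produce a volume-qualified name when that is possible without guessing.
 * Returns 1 on success; 0 when the name is ambiguous and must be resolved
 * another way (e.g. from the file object the callback is given). */
int normalize_image_path(const char *name, char *out, size_t outlen) {
    switch (classify_image_path(name)) {
    case PATH_VOLUME_QUALIFIED:
        return snprintf(out, outlen, "%s", name) < (int)outlen;
    case PATH_SYSTEMROOT_RELATIVE:
        return snprintf(out, outlen, "%s\\%s", ASSUMED_SYSTEM_ROOT,
                        name + strlen("\\SystemRoot\\")) < (int)outlen;
    default:
        out[0] = '\0';
        return 0;
    }
}
```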