PsSetLoadImageNotifyRoutine on Vista 5744

I use PsSetLoadImageNotifyRoutine to register a callback on Vista. I am supposed to get notified when an executable image is loaded, but I get many notifications for non-executable garbage images.

When Windows explorer.exe displays a file name list, it needs to get each file's icon, version, size… But each time it extracts this information, it calls kernel32!LoadLibraryExW and ntdll!ZwMapViewOfSection; in turn the kernel's nt!NtMapViewOfSection and the LoadImageNotifyRoutine are called. See below for an example:

ChildEBP RetAddr
94514afc 81a1cc40 nt!DbgBreakPoint
94514b1c 819d15ae nt!PsCallImageNotifyRoutines+0x31
94514bb8 819d0632 nt!MiMapViewOfImageSection+0x815
94514c2c 819d0727 nt!MiMapViewOfSection+0x22c
94514c5c 819d0342 nt!MmMapViewOfSection+0x2a
94514cd8 9721a5d0 nt!NtMapViewOfSection+0x203
94514d34 76f9e524 nt!KiFastCallEntry+0x12a
02b8f19c 76f9d19c ntdll!KiFastSystemCallRet
02b8f1a0 76f8017d ntdll!ZwMapViewOfSection+0xc
02b8f2b4 76f7ab54 ntdll!LdrpCheckForLoadedDll+0x363
02b8f334 7685ef0d ntdll!LdrGetDllHandleEx+0x2a6
02b8f39c 75637e94 kernel32!LoadLibraryExW+0x1df
02b8f3e0 75638073 apphelp!GetFileVersionInfoSizeExW+0x30
02b8f3f4 75637fba apphelp!GetFileVersionInfoSizeW+0x12
02b8f444 75634f02 apphelp!SdbpGetVersionAttributes+0xdd
02b8f458 75634e9d apphelp!SdbpGetAttribute+0xa9
02b8f48c 756355a6 apphelp!SdbpCheckAttribute+0xaf
02b8f4bc 756354bf apphelp!SdbpCheckAllAttributes+0xa1
02b8f76c 756351be apphelp!SdbpCheckForMatch+0x528

Doesn’t anybody have any idea?

Thanks.

xxxxx@hotmail.com wrote:

Doesn’t anybody have any idea?

An idea about what? You have accurately described the way things are.
What’s the problem?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

WDK:“The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded for execution.”

According to the WDK and other OSes, like WinXP, only images which will be executed are notified. But on Vista, all garbage images (which will not be executed, e.g. when explorer just reads the file version and size) are notified as well. My driver gets many garbage image notifications, and it cannot identify which ones will be executed.

Hope I can make this clear.

Thank you.

There are two ways LoadLibraryEx() can load an image into memory. Normally, i.e. as an executable, and in this case I'd say it is correct that the notify routine is called. The second possibility is if the flag LOAD_LIBRARY_AS_DATAFILE is specified, and in this case it shouldn't be called.

From the stack trace it seems the first case applies; you can verify it in the debugger. The different behaviour in XP can be caused by a different implementation in user mode when exploder accesses the version info. Try to examine apphelp.dll for XP and Vista.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@hotmail.com[SMTP:xxxxx@hotmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, October 19, 2006 1:48 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] PsSetLoadImageNotifyRoutine on Vista 5744



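An added user-mode reproducer for the two LoadLibraryExW paths Michal describes, plus the version-info query from the posted stack trace. This is not code from the thread; it assumes a test box where the driver under test is loaded and its load-image callback logs each notification (e.g. with DbgPrint) to a kernel debugger or DebugView, and it assumes msvfw32.dll as a DLL not already mapped in the PowerShell process (any other not-yet-loaded DLL works). Each step is bracketed with OutputDebugString markers so the callback lines can be attributed to the step that caused them.

```powershell
# Added reproducer (not from the thread): drive the three user-mode paths and let
# the driver's load-image callback output show which of them it sees.

$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpLibFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
public static extern void OutputDebugStringW(string lpOutputString);
'@
Add-Type -MemberDefinition $sig -Name Kernel32 -Namespace Repro

$LOAD_LIBRARY_AS_DATAFILE = [uint32]0x2   # value from winbase.h

# Assumption: a DLL that is not already mapped in this PowerShell process, so a
# plain LoadLibraryExW really creates a new image mapping instead of just
# bumping a reference count. Change it if the check below warns.
$target = Join-Path $env:SystemRoot 'System32\msvfw32.dll'
$alreadyMapped = (Get-Process -Id $PID).Modules | Where-Object { $_.FileName -ieq $target }
if ($alreadyMapped) { Write-Warning "$target is already mapped here; pick a different DLL" }

function Invoke-Step {
    param([string]$Label, [scriptblock]$Action)
    # BEGIN/END markers land in the same debugger output as the driver's DbgPrint
    # lines (DebugView: enable both Win32 and kernel capture).
    [Repro.Kernel32]::OutputDebugStringW("[repro] BEGIN $Label")
    Write-Host "--- $Label"
    try { & $Action } finally { [Repro.Kernel32]::OutputDebugStringW("[repro] END $Label") }
}

function Invoke-LoadLibraryEx([uint32]$Flags) {
    $h = [Repro.Kernel32]::LoadLibraryExW($target, [IntPtr]::Zero, $Flags)
    if ($h -eq [IntPtr]::Zero) {
        throw "LoadLibraryExW failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # For LOAD_LIBRARY_AS_DATAFILE the documented low-order bit of the handle is set,
    # which is how user mode itself tells a data mapping from a real module.
    Write-Host ("  handle 0x{0:X}, low bit {1}" -f $h.ToInt64(), ($h.ToInt64() -band 1))
    [void][Repro.Kernel32]::FreeLibrary($h)
}

Invoke-Step 'LoadLibraryExW flags=0 (mapped for execution; a callback here is correct)' {
    Invoke-LoadLibraryEx 0
}

Invoke-Step 'LoadLibraryExW LOAD_LIBRARY_AS_DATAFILE (not mapped for execution)' {
    Invoke-LoadLibraryEx $LOAD_LIBRARY_AS_DATAFILE
}

Invoke-Step 'GetVersionInfo (the version-info query explorer makes in the posted trace)' {
    # .NET's FileVersionInfo goes through the version.dll APIs; whether that path
    # ends in kernel32!LoadLibraryExW on your build is what this step shows.
    $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($target)
    Write-Host "  $($v.FileDescription) $($v.FileVersion)"
}
```

Callback output between the BEGIN/END markers of the first step is the documented behaviour. Anything the callback prints inside the second or third step is a notification for a mapping that will never execute, which is the case the thread is about; if you break in the callback there (as the nt!DbgBreakPoint frame in the posted trace does), the user-mode part of the stack shows which LoadLibraryExW call and flags produced it.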
I debugged, and found that there is a difference between the Vista Beta and other released OSes.
In Vista Beta, the Flags (0x20) in _CONTROL_AREA is always set in a new SectionObject, no matter how LoadLibrary (image) is called; it causes ZwMapViewOfSection to always call the notification routine. This must impact the performance. I don't know if MS will improve this in the release version or not.

Thanks.

I mean, even if we only call GetFileVersionInfoW(), the notification routine will be called on Vista Beta.