PsSetLoadImageNotifyRoutine question

Hello!

In the documentation about PsSetLoadImageNotifyRoutine you can find the following:
“In Windows 7, Windows Server 2008 R2, and earlier versions of Windows, the operating system holds an internal system lock during calls to load-image notify routines for images loaded in user process address space (user space). To avoid deadlocks, load-image notify routines must not call system routines that map, allocate, query, free, or perform other operations on user-space virtual memory.”

Questions regarding the above are:

  1. What is this “internal system lock”? Is it the locked address space of the given process?
  2. By “map, allocate, query, free or perform other operations on user-space virtual memory,” do they mean use of Mm* (like MmProbeAndLock or Mm mapping functions) and Zw*?
  3. If the answer to question #1 is yes, then is it possible that the process can do anything with its memory when this callback is called (like change protection, commit memory or any other operation)?

Many thanks for any answers.

#1: yes
#2: yes
#3: no

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, February 1, 2013 1:59 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] PsSetLoadImageNotifyRoutine question


LoadImageNotifyRoutine can be invoked from three different NT kernel places,
and the Mm process lock is not held when this callback is invoked during
process startup. Immediately after the ProcessNotify callback invocation, your
LoadImageNotify callback will be called for the main executable file and
ntdll.dll. At this time you can use any Mm/Zw (alloc/protection) functions
without fear (see the different callstacks). I saw that other drivers usually
queue a workitem to allocate user-mode memory.
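The defer-to-work-item pattern the last reply mentions (the callback records only what it needs and never touches user-space virtual memory; a work item does the Mm/Zw work later), as an added example that is not code from this thread or from any driver discussed in it. It is a user-mode model: image_info_t, pending_load_t, load_image_notify and drain_pending are assumed stand-ins for the driver's IMAGE_INFO, its lock-protected pending list and the IoQueueWorkItem worker.

```c
/* User-mode model of the deferral pattern; stand-in types and names, not the
 * real IMAGE_INFO / IoQueueWorkItem API. Constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_PENDING 16

typedef struct {
    int       system_mode_image; /* stand-in for IMAGE_INFO.SystemModeImage */
    uintptr_t image_base;        /* stand-in for IMAGE_INFO.ImageBase */
    size_t    image_size;        /* stand-in for IMAGE_INFO.ImageSize */
} image_info_t;

typedef struct {
    uintptr_t process_id;
    uintptr_t image_base;
    size_t    image_size;
    char      name[64];
} pending_load_t;

/* Pending list; in a driver this is a spin-locked list plus a queued work item. */
static pending_load_t g_pending[MAX_PENDING];
static size_t g_pending_count = 0;
static size_t g_dropped = 0;

/* Runs in load-image-notify context: copy kernel-readable fields and return.
 * No Mm or Zw user-space VM call here, so it is safe under the Win7 lock. */
void load_image_notify(const char *full_image_name, uintptr_t process_id,
                       const image_info_t *info)
{
    if (info->system_mode_image)                /* kernel image: nothing to defer */
        return;
    if (g_pending_count >= MAX_PENDING) { g_dropped++; return; } /* never block */
    pending_load_t *p = &g_pending[g_pending_count++];
    p->process_id = process_id;
    p->image_base = info->image_base;
    p->image_size = info->image_size;
    strncpy(p->name, full_image_name ? full_image_name : "", sizeof p->name - 1);
    p->name[sizeof p->name - 1] = '\0';
}

/* Runs as the work item: hands the recorded loads to the caller, which may now
 * map, allocate or query user-space memory. Returns the number drained. */
size_t drain_pending(pending_load_t *out, size_t max_out)
{
    size_t n = g_pending_count < max_out ? g_pending_count : max_out;
    memcpy(out, g_pending, n * sizeof *out);
    g_pending_count = 0;
    return n;
}

size_t pending_count(void) { return g_pending_count; }
size_t dropped_count(void) { return g_dropped; }
```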