PsSetLoadImageNotifyRoutine strangeness

Hello,

On Win XP, I hooked the LoadImage notification using PsSetLoadImageNotifyRoutine. However, when I examine the memory pointed to by the ImageBase method handed to me by the routine, it appears that the DLL has not been mapped in yet. Is this expected? Is there any documented way in the kernel to get notification of a DLL AFTER it has been mapped into the process? If I can get the path from which the DLL was loaded, that would be very helpful.

Thanks.

> it appears that the DLL has not been mapped in yet

The notification is called after MiMapViewOfImageSection. So, the image has
been mapped and _IMAGE_INFO.ImageBase points to the PE header with the MZ
signature. In most cases physical pages have not yet been assigned to
virtual ones (this is "demand paging"; pages will be brought in by the page
fault handler) and if you use a debugger (i.e. a breakpoint is inside your
notification routine) it might appear as a not-yet-loaded image.


Slava Imameyev, xxxxx@hotmail.com

Is your goal to find the path from which the DLL is loaded? If so, the
callback function you provide to PsSetLoadImageNotifyRoutine should
already have that information (when it’s called): the first parameter
FullImageName is the full UNC path name of the DLL being loaded.

Hao

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Friday, February 23, 2007 1:34 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] PsSetLoadImageNotifyRoutine strangeness

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@securitastech.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hao Wang wrote:

Is your goal to find the path from which the DLL is loaded? If so, the
callback function you provide to PsSetLoadImageNotifyRoutine should
already have that information (when it’s called): the first parameter
FullImageName is the full UNC path name of the DLL being loaded.

Thanks Hao. Nope my goal is to patch the DLL in-memory image. So I need
it to be mapped into memory.


Slava Imameyev wrote:

> it appears that the DLL has not been mapped in yet

The notification is called after MiMapViewOfImageSection. So, the image has
been mapped and _IMAGE_INFO.ImageBase points to the PE header with the MZ
signature. In most cases physical pages have not yet been assigned to
virtual ones (this is "demand paging"; pages will be brought in by the page
fault handler) and if you use a debugger (i.e. a breakpoint is inside your
notification routine) it might appear as a not-yet-loaded image.

Thanks Slava. So what you're saying is that even though I might not be able to
see the page in the debugger, if I just let the code run, I should be
able to access the memory at ImageBase because the fault handler will page
it in.

Btw... is there a way in WinDbg to force the page to be paged in?

Thanks once again.

> if I just let the code run, I should be
> able to access the memory at ImageBase because the fault handler will page it
> in.

Yes.

> is there a way in WinDbg to force the page to be paged in?

I do not know exactly about WinDbg (there is a special WinDbg forum here at
OSR); as I remember, SoftICE could do this using the kernel's page fault
handler. At least you might touch each page in your callback and then break
in the debugger.


Slava Imameyev, xxxxx@hotmail.com
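Added example (not code from the thread or from any OSR poster): a portable model of what a load-image callback can do with the ImageBase it is handed, following Slava's explanation above and his later suggestion to touch each page. It validates the MZ and PE signatures, reads SizeOfImage from the optional header, and then reads one byte per page so demand paging faults the image in; the PE offsets are hard-coded from the PE format, the image is a constructed buffer, and inside a real PsSetLoadImageNotifyRoutine callback the same walk would be wrapped in __try/__except and bounded by IMAGE_INFO.ImageSize.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096u

/* Unaligned little-endian reads (PE fields are little-endian). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check "MZ" at image_base, follow e_lfanew to "PE\0\0", accept PE32/PE32+,
 * and return OptionalHeader.SizeOfImage; 0 means the header is not sane.
 * `mapped` is the size of the view we may read (IMAGE_INFO.ImageSize). */
uint32_t pe_size_of_image(const uint8_t *image_base, size_t mapped)
{
    if (mapped < 0x40 || rd16(image_base) != 0x5A4D) return 0;     /* "MZ" */
    uint32_t e_lfanew = rd32(image_base + 0x3C);
    /* Need Signature(4) + FileHeader(20) + OptionalHeader up to SizeOfImage (60). */
    if (mapped < 84 || e_lfanew > mapped - 84) return 0;
    const uint8_t *nt = image_base + e_lfanew;
    if (rd32(nt) != 0x00004550) return 0;                            /* "PE\0\0" */
    uint16_t magic = rd16(nt + 24);                                  /* OptionalHeader.Magic */
    if (magic != 0x10B && magic != 0x20B) return 0;                  /* PE32 / PE32+ */
    return rd32(nt + 24 + 56);                                       /* SizeOfImage (same offset in both) */
}

/* Touch one byte per page of the mapped image so the page-fault handler brings
 * each page in. Returns the page count; *sum keeps the reads from being elided. */
size_t touch_image_pages(const volatile uint8_t *image_base, uint32_t size_of_image, unsigned *sum)
{
    size_t pages = 0;
    for (uint32_t off = 0; off < size_of_image; off += PAGE_SIZE) {
        *sum += image_base[off];
        pages++;
    }
    return pages;
}

/* Constructed minimal PE32 header (not a real DLL) standing in for ImageBase.
 * Returns the SizeOfImage it wrote (3 pages). */
uint32_t build_fake_image(uint8_t *buf, size_t len)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;                    /* e_lfanew = 0x80 */
    uint8_t *nt = buf + 0x80;
    nt[0] = 'P'; nt[1] = 'E';            /* "PE\0\0" */
    nt[24] = 0x0B; nt[25] = 0x01;        /* Magic = 0x10B (PE32) */
    nt[24 + 56 + 1] = 0x30;              /* SizeOfImage = 0x3000 */
    return 3 * PAGE_SIZE;
}
```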


There is a .pagein command available in WinDbg, though I think it is
supported only on targets XP and above.

On 2/27/07, Slava Imameyev wrote:
>
> > if I just let the code run, I should be
> > able to access the memory ImageBase because the fault handler will page it
> > in.
>
> Yes.