Hi,
I’m using PsSetLoadImageNotifyRoutine to get a notification when DLLs are loaded into a process I’m interested in.
My callback of course receives 3 arguments, as MSDN mentions:
(ImageFullName, ProcessId, ImageInfo). I noticed “ImageFullName” is most of the time wrong, or relative, not absolute. For example, I’m getting:
“\Windows\System32\kernel32.dll”, instead of “C:\Windows\System32\kernel32.dll”. This is a problem for me, because I need to open the file and read its contents to calculate SHA1. Is there any way of getting the full path?
Is this a known bug? I don’t think I’m doing anything wrong, a very simple callback like:
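VOID ImageNotify(_In_opt_ PUNICODE_STRING FullImageName,
                 _In_ HANDLE ProcessId,
                 _In_ PIMAGE_INFO ImageInfo)
{
    // Unused here; marked so the driver builds cleanly at /W4.
    UNREFERENCED_PARAMETER(ProcessId);
    UNREFERENCED_PARAMETER(ImageInfo);

    // FullImageName is optional and may be NULL.
    if (FullImageName != NULL)
        DbgPrint("%wZ", FullImageName);
}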
Also, I was wondering if there is any way of getting the same notification, but only for the UNLOAD of the image, and not the LOAD.
Thanks.