Hello,
I have set a callback using PsSetLoadImageNotifyRoutine.
In the callback, I get the path for an .exe as
\Device\HarddiskVolume1\windows\system32\lsass.exe
but for a .dll I get a path like \windows\system32\ntdll.dll.
My question -
Is it documented?
Thanks
Sourabh
On 02/06/14 09:39, xxxxx@gmail.com wrote:
Hello,
I have set a callback using PsSetLoadImageNotifyRoutine.
In the callback, I get the path for an .exe as
\Device\HarddiskVolume1\windows\system32\lsass.exe
but for a .dll I get a path like \windows\system32\ntdll.dll.
Yes, I had similar behavior. In addition to that, some module names
were becoming empty afterwards.
xdc
February 9, 2014, 2:59pm
Hi,
In Vista+ kernels it should be fixed already by Microsoft.
In case of older kernels (this is most likely your case) you have no
other choice than to just take it manually.
Use the information on how the Windows kernel performs notifications:
Use CONTAINING_RECORD on the UNICODE_STRING you are receiving in the callback to
take the FILE_OBJECT struct.
From FILE_OBJECT take DeviceObject, then take its name (e.g. via
IoGetDeviceProperty) and finally do some concatenation job.
xdc
On 6. 2. 2014 6:39, xxxxx@gmail.com wrote:
Hello,
I have set a callback using PsSetLoadImageNotifyRoutine.
In the callback, I get the path for an .exe as
\Device\HarddiskVolume1\windows\system32\lsass.exe
but for a .dll I get a path like \windows\system32\ntdll.dll.
My question -
Is it documented?
Thanks
Sourabh
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
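As an added host-runnable sketch (not code from this thread or from any Microsoft header), here is the path rebuild xdc describes: when the string the callback receives is not already device-qualified, CONTAINING_RECORD walks from the UNICODE_STRING back to the FILE_OBJECT whose FileName it is, and the volume's device name is prepended using UNICODE_STRING byte-length semantics with an explicit bounds check. UNICODE_STRING, DEVICE_OBJECT and FILE_OBJECT below are stand-ins carrying only the members the example touches, and ResolveImagePath, ResolveSample and the sample names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>
/* Host stand-ins for the kernel types, holding only the members this example uses;
 * a real driver includes <ntddk.h> and uses the kernel's own definitions. */
typedef struct { uint16_t Length; uint16_t MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef struct { UNICODE_STRING Name; } DEVICE_OBJECT;  /* real DEVICE_OBJECT has no Name field */
typedef struct { DEVICE_OBJECT *DeviceObject; UNICODE_STRING FileName; } FILE_OBJECT;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
/* Wrap a wide literal; UNICODE_STRING.Length counts BYTES and excludes any NUL. */
UNICODE_STRING UStr(const wchar_t *s) {
    UNICODE_STRING u = { (uint16_t)(wcslen(s) * sizeof(wchar_t)),
                         (uint16_t)((wcslen(s) + 1) * sizeof(wchar_t)), (wchar_t *)s };
    return u;
}
static int HasDevicePrefix(const UNICODE_STRING *u) {
    static const wchar_t prefix[] = L"\\Device\\";
    size_t n = sizeof(prefix) - sizeof(wchar_t);           /* byte length without NUL */
    return u->Length >= n && memcmp(u->Buffer, prefix, n) == 0;
}
/* Writes "<device name><file name>", NUL-terminated, into out (capacity outChars).
 * Returns 0 on success, -1 for an empty name, a missing device, or a too-small buffer. */
int ResolveImagePath(const UNICODE_STRING *name, wchar_t *out, size_t outChars) {
    if (name == NULL || name->Buffer == NULL || name->Length == 0)
        return -1;                                /* the "empty module name" case from the thread */
    const UNICODE_STRING *dev = NULL;
    if (!HasDevicePrefix(name)) {
        /* Relative name: it is FILE_OBJECT.FileName, so step back to the owning FILE_OBJECT. */
        const FILE_OBJECT *fo = CONTAINING_RECORD(name, FILE_OBJECT, FileName);
        if (fo->DeviceObject == NULL) return -1;
        dev = &fo->DeviceObject->Name;
    }
    size_t devChars = dev ? dev->Length / sizeof(wchar_t) : 0;
    size_t fileChars = name->Length / sizeof(wchar_t);
    if (devChars + fileChars + 1 > outChars) return -1;  /* never overflow the caller's buffer */
    if (devChars) memcpy(out, dev->Buffer, dev->Length);
    memcpy(out + devChars, name->Buffer, name->Length);
    out[devChars + fileChars] = L'\0';
    return 0;
}
/* Constructed sample from the thread: ntdll.dll reported relative to its volume.
 * outChars (at most 64) is the capacity handed to ResolveImagePath; "" signals failure. */
const wchar_t *ResolveSample(size_t outChars) {
    static wchar_t out[64];
    DEVICE_OBJECT volume = { UStr(L"\\Device\\HarddiskVolume1") };
    FILE_OBJECT fo = { &volume, UStr(L"\\windows\\system32\\ntdll.dll") };
    return ResolveImagePath(&fo.FileName, out, outChars) == 0 ? out : L"";
}
```

In a real driver the device name comes from ObQueryNameString on FileObject->DeviceObject rather than a Name member, and on Vista and later the documented route to the FILE_OBJECT is the FileObject member of IMAGE_INFO_EX (reached with CONTAINING_RECORD on ImageInfo when ImageInfo->ExtendedInfoPresent is set) instead of the trick on FullImageName.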
Hi xdc,
I have observed the same behavior from Windows XP to Windows 8…
thanks