Hello gurus,
Recently I’ve run into an interesting problem on XP SP2 and Vista (both with the latest updates). In my driver I register an image load callback using the following code:
[…] some code before …
ntStatus = PsSetLoadImageNotifyRoutine(ProcessImageLoad);
[…] some code after …
This works fine and reports a valid path for the image being loaded, until I rename the directory where the executable file resides.
For example, if I run an executable “C:\AAA\file.exe” I get the following path in the handler function: “\Device\HarddiskVolume1\AAA\file.exe”, which is correct. If I close the application file.exe, rename the folder AAA to BBB and run the application, my handler routine receives the same path, i.e. “\Device\HarddiskVolume1\AAA\file.exe” instead of “\Device\HarddiskVolume1\BBB\file.exe”, which is a critical issue for me, because I try to calculate the SHA1 of the file, and since the path is invalid I get an error.
Can someone please shed some light on this issue and tell me what I am missing?
Thanks, Petr Kizima