PsSetLoadImageNotifyRoutine wrong path.

Hi,

I’m using PsSetLoadImageNotifyRoutine, to get a notification when Dlls are loaded into a process i’m intersted in.
My callback of course receives 3 arguments, as MSDN mentions:
(ImageFullName, ProcessId, ImageInfo), I noticed “ImageFullName” is most
of the times wrong, or relative, not absolute. For example, i’m getting:
“\Windows\System32\kernel32.dll”, instead of “C:\Windows\System32\kernel32.dll”. This is a problem for me, because i need to open the file and read its contents to calculate SHA1. Is there any way of getting the full path?
Is this a known bug? I don’t think i’m anything wrong, a very simple callback like:

VOID ImageNotify( In_opt PUNICODE_STRING FullImageName,
In HANDLE ProcessId,
In PIMAGE_INFO ImageInfo) {

if (FullImageName != NULL)
DbgPrint(“%wZ”, FullImageName);
}

Also, i was wondering if there is anyway of getting the same notification, but only for the UNLOAD of the image, and not the LOAD.

Thanks.

Just ready my post below yours and Tomas answers.

Also, i tried to get the name with the file object that i got from CONTAINING_RECORD(ImageInfo) after browsing threads with the same issue on ntdev.

But sometimes it deadlocks my system.