Truncated path in FullImageName in PsSetLoadImageNotifyRoutine for DLL Modules?

Hi Driver Gurus,

I need to monitor when some specific DLLs are loaded in any process, and if
those DLLs are loaded then we need to do some other app-specific actions.
We are using PsSetLoadImageNotifyRoutine() for registering a callback.
It is working fine and it is notifying us for every image that is getting
loaded in any process. For the EXE file itself we receive the complete fully
qualified path, but for DLL modules we are getting the FullImageName in a
really weird truncated format. It does not have the drive letter or the
HardDisc and Volume information in it. For a DLL located in
c:\MyApp\MyDLL.dll we are getting only “\MyApp\MyDLL.dll”.
It is very important for us to know the exact and full path.
How can I get the complete path for the DLLs that are getting loaded?
For the actual executable file we are always getting the correct full path.

Thanks in Advance,
~Semal

Quick answer is this is how it works. The executable returns the full path
while the DLLs do not.
This question has been asked before. I don’t recall anyone posting a way to
get the full path of the DLLs.

Bill Wandel


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Semal Patil
Sent: Wednesday, July 14, 2010 9:40 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Truncated path in FullImageName in
PsSetLoadImageNotifyRoutine for DLL Modules ?
