Hi, I have a problem getting the DLL full path in PsSetLoadImageNotifyRoutine, i.e. when a process runs, I can get the image path prefixed with c: or \device\harddiskvolumex, but when its DLL is being loaded, its path is always without the prefix. Why? And is there any method to solve this?
Unfortunately this is a known problem. You can do some searching for
the DLL file name based on PATH then check to see if the ImageSize makes
sense for the file.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“liyuncheng@163.com” wrote in message
news:xxxxx@ntdev:
> Hi, I have a problem getting the DLL full path in PsSetLoadImageNotifyRoutine, i.e. when a process runs, I can get the image path prefixed with c: or \device\harddiskvolumex, but when its DLL is being loaded, its path is always without the prefix. Why? And is there any method to solve this?
Notice the ExtendedInfoPresent bit on Vista and later? This is the way you
can capture the path.
And even on XP or 2003, you can use CONTAINING_RECORD to obtain the
FileObject.
Hum hum hum, you know what, it’s really not recommended but … works.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Monday, October 18, 2010 10:20 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] get dll full path in PsSetLoadImageNotifyRoutine
Unfortunately this is a known problem. You can do some searching for
the DLL file name based on PATH then check to see if the ImageSize makes
sense for the file.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“liyuncheng@163.com” wrote in message
news:xxxxx@ntdev:
> Hi, I have a problem getting the DLL full path in PsSetLoadImageNotifyRoutine,
> i.e. when a process runs, I can get the image path prefixed with c: or
> \device\harddiskvolumex, but when its DLL is being loaded, its path is
> always without the prefix. Why? And is there any method to solve this?
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer