PE-Image name

OSR_Community_User · May 26, 2009, 6:04am

I set the notification to load modules: PsSetLoadImageNotifyRoutine(…). Start the process and getting correct name “\Device\HarddiskVolume1\dir0\test.exe”. Rename parent directory of PE-file to “dir1”. Start the process, but again, get name “\Device\HarddiskVolume1\dir0\test.exe”

How do query a valid module name?

OSR_Community_User · May 26, 2009, 7:16am

> PsSetLoadImageNotifyRoutine(…). Start the process and getting

correct name “\Device\HarddiskVolume1\dir0\test.exe”. Rename parent
directory of PE-file to “dir1”. Start the process, but again, get
name “\Device\HarddiskVolume1\dir0\test.exe”

You cannot rename parent directory if there is at least one file open.
Perhaps you didn’t check result of rename operation ?

L.

OSR_Community_User · May 26, 2009, 7:40am

> You cannot rename parent directory if there is at least one file open.

Perhaps you didn’t check result of rename operation ?

Process test.exe terminated before rename, all files closed.

Malcolm_Smith · May 26, 2009, 10:28am

Ladislav Zezula wrote:

> PsSetLoadImageNotifyRoutine(…). Start the process and getting
> correct name “\Device\HarddiskVolume1\dir0\test.exe”. Rename parent
> directory of PE-file to “dir1”. Start the process, but again, get
> name “\Device\HarddiskVolume1\dir0\test.exe”

You cannot rename parent directory if there is at least one file open.
Perhaps you didn’t check result of rename operation ?

Mm will have a section to the image, which is a reference not a handle.
The directory can still be renamed, and as the original poster points
out, filesystems do not guarantee to return current names when queried
on these objects. Opened names may be returned instead.

M

–
This posting is provided “AS IS” with no warranties, and confers no rights.

OSR_Community_User · May 26, 2009, 11:18am

> Mm will have a section to the image, which is a reference not a handle. The directory can still be

renamed, and as the original poster points out, filesystems do not guarantee to return current
names when queried on these objects. Opened names may be returned instead.

Can I get file object by section object?

Eric_Diven · May 26, 2009, 11:28am

Would that do you any good? The name information in a file_object isn’t
guaranteed to be valid outside of the create path.

~Eric

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@rambler.ru
Sent: Tuesday, May 26, 2009 11:17 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] PE-Image name

> Mm will have a section to the image, which is a reference not a
> handle. The directory can still be renamed, and as the
original poster
> points out, filesystems do not guarantee to return current
names when queried on these objects. Opened names may be
returned instead.

Can I get file object by section object?

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online
at http://www.osronline.com/page.cfm?name=ListServer