1

Topic: PsSetLoadImageNotifyRoutine: Create Always 15

Greetings,

I register

    PsSetLoadImageNotifyRoutine(ModuleImageLoadedNotify);

    void ModuleImageLoadedNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo, BOOLEAN Create)
    {
        moduleDebugPrint((__FUNCTION__ "(name: %wZ, base: 0x%p, size: 0x%08x, create: %d)\n",
            FullImageName, ImageInfo->ImageBase, ImageInfo->ImageSize, Create));
    }

Win7 x64 (UPD). Create always arrives as 15, both on loading and on outswapping?

2

Re: PsSetLoadImageNotifyRoutine: Create Always 15

Hello, pva, you wrote:

pva> Greetings,
pva> I register
pva> PsSetLoadImageNotifyRoutine(ModuleImageLoadedNotify);
pva>
pva> void ModuleImageLoadedNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo, BOOLEAN Create) {
pva>     moduleDebugPrint((__FUNCTION__ "(name: %wZ, base: 0x%p, size: 0x%08x, create: %d)\n",
pva>         FullImageName, ImageInfo->ImageBase, ImageInfo->ImageSize, Create));
pva> }
pva> Win7 x64 (UPD). Create always arrives as 15, both on loading and on outswapping?

By registering this, you can only see the loading of a user module or a driver. You do not see outswapping.

    Called by the operating system to notify the driver when a driver image or a user image (for example, a DLL or EXE) is mapped into virtual memory

And in the MS documentation there is apparently just a misprint in the description of the last parameter for SetLoadImageNotifyRoutine. There, for the parameter Create, it is written:

    Create [in]
    Indicates whether the process was created (TRUE) or deleted (FALSE).

Apparently it got there from SetCreateProcessNotifyRoutine.

As for the 15: BOOLEAN in the WDK is defined like this:

    typedef UCHAR BOOLEAN;

One would have to look into the kernel to see why it is 15.

3

Re: PsSetLoadImageNotifyRoutine: Create Always 15

Hello, pva, you wrote:

pva> Greetings,
pva> I register
pva> PsSetLoadImageNotifyRoutine(ModuleImageLoadedNotify);
pva>
pva> void ModuleImageLoadedNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo, BOOLEAN Create) {
pva>     moduleDebugPrint((__FUNCTION__ "(name: %wZ, base: 0x%p, size: 0x%08x, create: %d)\n",
pva>         FullImageName, ImageInfo->ImageBase, ImageInfo->ImageSize, Create));
pva> }
pva> Win7 x64 (UPD). Create always arrives as 15, both on loading and on outswapping?

In my opinion, it is a misprint altogether; the parameter Create is not present in this function. Here is the declaration of the callback function from the old offline WDK (7.1, 8):

    VOID (*PLOAD_IMAGE_NOTIFY_ROUTINE)(
        IN PUNICODE_STRING FullImageName,
        IN HANDLE ProcessId,    // where image is mapped
        IN PIMAGE_INFO ImageInfo
        );

4

Re: PsSetLoadImageNotifyRoutine: Create Always 15

Hello, okman, you wrote:

O> In my opinion, it is a misprint altogether; the parameter Create is not present in this function.

Precisely! I looked through it again just now, and so it turned out. Though what I have is also some 7600 one.
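
Added example, not part of any post in the thread and not WDK code: a user-mode C sketch of the signature mismatch discussed above, with a compile-time check that a routine has the three-parameter callback type. NAME, the reduced IMAGE_INFO, load_event, GoodNotify, BadNotify, IS_LOAD_IMAGE_ROUTINE and deliver are hypothetical stand-ins so that the file builds without ntddk.h; the sample paths and sizes used with it are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for WDK types (assumptions) so this builds without ntddk.h. */
typedef void *HANDLE;
typedef unsigned char BOOLEAN;                 /* WDK: typedef UCHAR BOOLEAN; */
typedef struct { const char *Buffer; } NAME;   /* stands in for UNICODE_STRING */
typedef struct { void *ImageBase; size_t ImageSize; } IMAGE_INFO; /* subset */

/* Three parameters, as in the WDK declaration quoted in the thread. */
typedef void (*PLOAD_IMAGE_NOTIFY_ROUTINE)(NAME *FullImageName, HANDLE ProcessId,
                                           IMAGE_INFO *ImageInfo);

struct load_event { char name[64]; int is_driver; size_t size; };
static struct load_event g_last;               /* last event recorded */

/* Correct shape: called when an image is mapped; there is no Create flag. */
void GoodNotify(NAME *name, HANDLE pid, IMAGE_INFO *info)
{
    /* The name may be absent; a zero process id means a driver image. */
    snprintf(g_last.name, sizeof g_last.name, "%s", name ? name->Buffer : "(unknown)");
    g_last.is_driver = (pid == NULL);
    g_last.size = info->ImageSize;
}

/* Shape from the first post: the caller never supplies the fourth argument. */
void BadNotify(NAME *name, HANDLE pid, IMAGE_INFO *info, BOOLEAN Create)
{ (void)name; (void)pid; (void)info; (void)Create; }

/* 1 only when fn has exactly the callback type (C11 _Generic). */
#define IS_LOAD_IMAGE_ROUTINE(fn) \
    _Generic(&(fn), PLOAD_IMAGE_NOTIFY_ROUTINE: 1, default: 0)
/* The build fails here if the registered routine's signature drifts. */
_Static_assert(IS_LOAD_IMAGE_ROUTINE(GoodNotify), "callback signature mismatch");

int good_matches(void) { return IS_LOAD_IMAGE_ROUTINE(GoodNotify); }
int bad_matches(void)  { return IS_LOAD_IMAGE_ROUTINE(BadNotify); }

/* Stand-in for the kernel's call site: exactly three arguments are passed. */
const struct load_event *deliver(PLOAD_IMAGE_NOTIFY_ROUTINE cb, const char *path,
                                 uintptr_t pid, size_t size)
{
    NAME n = { path };
    IMAGE_INFO info = { NULL, size };
    cb(path ? &n : NULL, (HANDLE)pid, &info);
    return &g_last;
}

int main(void) { return (good_matches() == 1 && bad_matches() == 0) ? 0 : 1; }
```

Because the caller passes only three arguments, a fourth parameter in the callback reads whatever happens to be in that argument slot, which is why a fixed value such as 15 carries no meaning.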