A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #13824  by myid
 Sat Jun 09, 2012 3:02 am
I use PsGetCurrentProcessId in LoadImageNotify, but I always get 4.

Can I get the real PID in LoadImageNotify?

Do not suggest hooks, because we cannot hook legally on Windows x64.
 #13826  by EP_X0FF
 Sat Jun 09, 2012 3:38 am
For drivers it will always be "System", because they are loaded in the context of the system process. The ProcessId handle of the callback routine identifies the process in which the image has been mapped, but this handle is zero if the newly loaded image is a driver.
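To make the behaviour described above concrete, here is an added example (not code from the thread, and not the Kaspersky implementation EP_X0FF refers to later): a user-mode C model of a PsSetLoadImageNotifyRoutine callback. The kernel typedefs mirror the ntddk.h layout so the callback body is what a driver would compile; PsGetCurrentProcessId() is a stand-in that the sample sets to the process the callback would run in, and there is no DriverEntry or registration call. Assumed for illustration: the System process is PID 4, the two image paths and PIDs are constructed sample data, and the fixed-size record buffer is this example's own design. In a real driver you would drop the mirrored types, include ntddk.h, and pass LoadImageNotify to PsSetLoadImageNotifyRoutine from DriverEntry.

```c
/* Added example, not from the thread: user-mode C model of a PsSetLoadImageNotifyRoutine
 * callback. Kernel types mirror ntddk.h; the export and registration are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>
typedef void *HANDLE, *PVOID;  typedef wchar_t WCHAR;  typedef size_t SIZE_T;
typedef uint32_t ULONG;  typedef uint16_t USHORT;  typedef uintptr_t ULONG_PTR;
/* Length and MaximumLength are byte counts, not character counts. */
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING, *PUNICODE_STRING;

typedef struct _IMAGE_INFO {                     /* layout as in ntddk.h */
    union {
        ULONG Properties;
        struct {
            ULONG ImageAddressingMode  : 8;      /* always IMAGE_ADDRESSING_MODE_32BIT (3) */
            ULONG SystemModeImage      : 1;      /* 1 for drivers, 0 for user-mode EXEs/DLLs */
            ULONG ImageMappedToAllPids : 1;
            ULONG ExtendedInfoPresent  : 1;
            ULONG MachineTypeMismatch  : 1;
            ULONG ImageSignatureLevel  : 4;
            ULONG ImageSignatureType   : 3;
            ULONG ImagePartialMap      : 1;
            ULONG Reserved             : 12;
        };
    };
    PVOID  ImageBase;
    ULONG  ImageSelector;
    SIZE_T ImageSize;
    ULONG  ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;

/* Stand-in for the kernel export; the sample sets it to the process the callback runs in.
 * Assumption: System is PID 4. A driver should compare against PsGetProcessId(PsInitialSystemProcess). */
static HANDLE g_current_pid;
static HANDLE PsGetCurrentProcessId(void) { return g_current_pid; }
#define SYSTEM_PROCESS_ID ((HANDLE)(ULONG_PTR)4)

typedef enum {
    LOAD_USER_IMAGE,        /* ProcessId names the process the image was mapped into */
    LOAD_DRIVER_SYSTEM_CTX, /* ProcessId == NULL; PsGetCurrentProcessId() is System's */
    LOAD_UNEXPECTED         /* flag and handle disagree: log it, trust neither */
} LOAD_KIND;

typedef struct {
    LOAD_KIND kind;
    ULONG_PTR target_pid;   /* 0 for drivers: the API carries no loader PID */
    ULONG_PTR current_pid;  /* what PsGetCurrentProcessId() returned in the callback */
} LOAD_RECORD;
static LOAD_RECORD g_records[64];   /* fixed-size log, this example's own design */
static size_t g_record_count;

static LOAD_KIND classify_load(HANDLE process_id, const IMAGE_INFO *info)
{
    if (info->SystemModeImage)
        return process_id == NULL ? LOAD_DRIVER_SYSTEM_CTX : LOAD_UNEXPECTED;
    return process_id != NULL ? LOAD_USER_IMAGE : LOAD_UNEXPECTED;
}

/* Exact PLOAD_IMAGE_NOTIFY_ROUTINE signature, as passed to PsSetLoadImageNotifyRoutine. */
void LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    if (g_record_count >= sizeof g_records / sizeof g_records[0])
        return;
    LOAD_RECORD *r = &g_records[g_record_count++];
    memset(r, 0, sizeof *r);
    r->kind        = classify_load(ProcessId, ImageInfo);
    r->target_pid  = (ULONG_PTR)ProcessId;               /* 0 when a driver is loaded */
    r->current_pid = (ULONG_PTR)PsGetCurrentProcessId(); /* 4 when a driver is loaded */
    (void)FullImageName;  /* can be NULL: check it before reading the path in a real driver */
}

/* Delivers one constructed load event the way the kernel would. */
static void deliver(WCHAR *path, int is_driver, HANDLE target, HANDLE current)
{
    UNICODE_STRING name = { (USHORT)(wcslen(path) * sizeof(WCHAR)),
                            (USHORT)((wcslen(path) + 1) * sizeof(WCHAR)), path };
    IMAGE_INFO info = { 0 };
    info.ImageAddressingMode = 3;
    info.SystemModeImage = is_driver ? 1u : 0u;
    g_current_pid = current;
    LoadImageNotify(&name, target, &info);
}

/* Constructed sample: a user-mode DLL load, then a driver load. Returns the record count. */
size_t run_sample_events(void)
{
    static WCHAR dll[] = L"\\Windows\\System32\\kernel32.dll";
    static WCHAR drv[] = L"\\SystemRoot\\System32\\drivers\\example.sys";
    g_record_count = 0;
    /* kernel32.dll mapped into PID 1234: the callback runs inside that process */
    deliver(dll, 0, (HANDLE)(ULONG_PTR)1234, (HANDLE)(ULONG_PTR)1234);
    /* a driver: ProcessId is NULL and the callback runs in System, PID 4 */
    deliver(drv, 1, NULL, SYSTEM_PROCESS_ID);
    return g_record_count;
}

LOAD_KIND record_kind(size_t i)        { return g_records[i].kind; }
ULONG_PTR record_target_pid(size_t i)  { return g_records[i].target_pid; }
ULONG_PTR record_current_pid(size_t i) { return g_records[i].current_pid; }
```

The second record is the situation from the question: with SystemModeImage set, ProcessId is NULL and PsGetCurrentProcessId() returns System's PID, so nothing the callback receives identifies the process that asked for the driver to be loaded. Treat the LOAD_UNEXPECTED case as something to log rather than act on, since a flag and handle that disagree mean an assumption about the callback is wrong.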
 #13829  by myid
 Sat Jun 09, 2012 4:09 am
EP_X0FF wrote: For drivers it will always be "System", because they are loaded in the context of the system process. The ProcessId handle of the callback routine identifies the process in which the image has been mapped, but this handle is zero if the newly loaded image is a driver.
So, no one can get the real PID in LoadImageNotify, right?
 #13848  by EP_X0FF
 Sun Jun 10, 2012 12:39 am
myid wrote:
EP_X0FF wrote: For drivers it will always be "System", because they are loaded in the context of the system process. The ProcessId handle of the callback routine identifies the process in which the image has been mapped, but this handle is zero if the newly loaded image is a driver.
So, no one can get the real PID in LoadImageNotify, right?
Yes, you need a workaround. As an example, take Kaspersky AV. By killing its "proactive" part step by step (removing service hooks, removing notifies) you can see how they implemented the info gathering for their "Driver loading" popup. Or look inside its source code (warning: it is awful).