Home Library Learn Downloads Support Community
Sign in | United States - English | |
2 out of 2 rated this helpful - Rate this topic

PsSetLoadImageNotifyRoutine routine

The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

Syntax

Copy 
NTSTATUS PsSetLoadImageNotifyRoutine(
  __in  PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
);

Parameters

NotifyRoutine [in]

Specifies the entry point of the caller-supplied load-image callback.

Return value

PsSetLoadImageNotifyRoutine either returns STATUS_SUCCESS or it returns STATUS_INSUFFICIENT_RESOURCES if it failed the callback registration.

Remarks

Highest-level system-profiling drivers can call PsSetLoadImageNotifyRoutine to set up their load-image notify routines, declared as follows:

Copy 

VOID
  (*PLOAD_IMAGE_NOTIFY_ROUTINE)(
    __in_opt PUNICODE_STRING  FullImageName,
    __in HANDLE  ProcessId,
    __in PIMAGE_INFO  ImageInfo
    );

After such a driver's callback has been registered, the system calls its load-image notify routine whenever an executable image is mapped into virtual memory, whether in system space or user space, before the execution of the image begins. Additionally, the system calls this routine when a DLL image is mapped into user-space virtual memory.

A driver must remove any callbacks it registers before it unloads. You can remove the callback by calling the PsRemoveLoadImageNotifyRoutine routine.

When the main executable image for a newly created process is loaded, the load-image notify routine runs in the context of the new process.

When the load-image notify routine is called, the input FullImageName points to a buffered Unicode string that identifies the executable image file. (The FullImageName parameter can be NULL in cases in which the operating system is unable to obtain the full name of the image at process creation time.) The ProcessId handle identifies the process in which the image has been mapped, but this handle is zero if the newly loaded image is a driver. The buffered data at ImageInfo is formatted as follows:

Copy 

typedef struct  _IMAGE_INFO {
    union {
        ULONG  Properties;
        struct {
            ULONG ImageAddressingMode  : 8; //code addressing mode
            ULONG SystemModeImage      : 1; //system mode image
            ULONG ImageMappedToAllPids : 1; //mapped in all processes
            ULONG Reserved             : 22;
        };
    };
    PVOID  ImageBase;
    ULONG  ImageSelector;
    ULONG  ImageSize;
    ULONG  ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;

When such a profiling driver's load-image routine is called, the members of this structure contain the following information:

ImageAddressingMode

Always set to IMAGE_ADDRESSING_MODE_32BIT.

SystemModeImage

Set either to one for newly loaded kernel-mode components, such as drivers, or to zero for images that are mapped into user space.

ImageMappedToAllPids and Reserved

Always set to zero.

ImageBase

Set to the virtual base address of the image.

ImageSelector

Always set to zero.

ImageSize

Set to the virtual size, in bytes, of the image.

ImageSectionNumber

Always set to zero.

For Windows Vista and later versions of Windows, the IMAGE_INFO structure definition changes to the following:

Copy 

typedef struct _IMAGE_INFO {
    union {
        ULONG Properties;
        struct {
            ULONG ImageAddressingMode  : 8;  // Code addressing mode
            ULONG SystemModeImage      : 1;  // System mode image
            ULONG ImageMappedToAllPids : 1;  // Image mapped into all processes
            ULONG ExtendedInfoPresent  : 1;  // IMAGE_INFO_EX available
            ULONG Reserved             : 21;
        };
    };
    PVOID       ImageBase;
    ULONG       ImageSelector;
    SIZE_T      ImageSize;
    ULONG       ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;

If the ExtendedInfoPresent flag is set, the IMAGE_INFO structure is part of a larger, extended version of the image information structure. In this case, the load-image notify routine can use the CONTAINING_RECORD macro in the Winnt.h header file to obtain the base address of the following structure:

Copy 

typedef struct _IMAGE_INFO_EX {
    SIZE_T              Size;
    IMAGE_INFO          ImageInfo;
    struct _FILE_OBJECT *FileObject;
} IMAGE_INFO_EX, *PIMAGE_INFO_EX;

The Size field specifies the size, in bytes, of the IMAGE_INFO_EX structure. The FileObject field contains a pointer to the file object of the backing file for the image. The driver can take a reference to this object or use it for other operations.

Requirements

Version

Available in Windows 2000 and later versions of Windows.

Header
Ntddk.h (include Ntddk.h)

Library
Contained in Ntoskrnl.lib.

IRQL

PASSIVE_LEVEL

See also

PsGetCurrentProcessId
PsRemoveLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine

 

 

Send comments about this topic to Microsoft

Build date: 4/2/2012

Did you find this helpful?
(1500 characters remaining)