PsSetLoadImageNotifyRoutine can't monitor some drivers


Postby pboy0922 » Sat Jul 30, 2016 3:18 pm

Hi, I have written a driver that calls PsSetLoadImageNotifyRoutine in DriverEntry. I want to monitor all the drivers that are loaded after my driver, so I made my driver start very early during system boot. But I found a problem: my LoadImageNotifyRoutine only sees a few drivers during system boot. Can you help me? :D

Re: PsSetLoadImageNotifyRoutine can't monitor some drivers

Postby EP_X0FF » Sun Jul 31, 2016 6:01 pm

Set your driver at startup as SERVICE_BOOT_START and give it a low order group.

Re: PsSetLoadImageNotifyRoutine can't monitor some drivers

Postby pboy0922 » Tue Aug 16, 2016 10:57 am

EP_X0FF wrote: Set your driver at startup as SERVICE_BOOT_START and give it a low order group.

Hi EP_X0FF, I have set my driver to start as SERVICE_BOOT_START, and it is 4th in the starting order of all drivers on Windows XP; the target driver that I want to monitor is 5th. The target driver also starts as SERVICE_BOOT_START. Then I found that my driver can't monitor any driver that starts as SERVICE_BOOT_START. Do you know why?

Re: PsSetLoadImageNotifyRoutine can't monitor some drivers

Postby EP_X0FF » Tue Aug 16, 2016 2:54 pm

And how do you monitor them?

Re: PsSetLoadImageNotifyRoutine can't monitor some drivers

Postby Vrtule » Wed Aug 17, 2016 12:18 pm

I suspect that Windows maps all boot-start drivers into memory at once. Then it initializes them (not sure if one by one or in parallel). So your driver cannot see how other boot-start drivers load, since they are already loaded and only their DriverEntry needs to be called.

Re: PsSetLoadImageNotifyRoutine can't monitor some drivers

Postby pboy0922 » Thu Aug 25, 2016 7:38 am

EP_X0FF wrote: And how do you monitor them?

The "monitor" means that I can catch it in my LoadImageNotifyRoutine when the target driver is loading.

Re: PsSetLoadImageNotifyRoutine can't monitor some drivers

Postby pboy0922 » Thu Aug 25, 2016 7:47 am

Vrtule wrote: I suspect that Windows maps all boot-start drivers into memory at once. Then it initializes them (not sure if one by one or in parallel). So your driver cannot see how other boot-start drivers load, since they are already loaded and only their DriverEntry needs to be called.

Yeah, I think the same as you. Maybe Windows calls the DriverEntry routines of the boot-start drivers one by one; maybe it calls the next DriverEntry when the previous DriverEntry has not returned. Or this PsSetLoadImageNotifyRoutine function only takes effect after all the boot-start drivers have loaded. :shock:

Re: PsSetLoadImageNotifyRoutine can't monitor some drivers

Postby 0xf0f » Wed Mar 15, 2017 12:01 pm

This only applies for post operation; as others say, boot entry sys is not valid here.
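
To see which drivers belong to the boot-start set the replies above are discussing, the following PowerShell (an added example, not code from any poster in this thread) reads the Services registry keys and lists every driver whose Start value is 0 (SERVICE_BOOT_START), ordered by its group's position in ServiceGroupOrder. The function name Get-BootStartDriver is made up for this example, and the within-group Tag order stored in GroupOrderList is not decoded.

```powershell
# Added example: list boot-start drivers by load-order group.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$control  = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'

# ServiceGroupOrder\List is a REG_MULTI_SZ of group names, earliest group first.
# Group names are compared case-insensitively, so normalise them once.
$groups = @((Get-ItemProperty -Path $control).List |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })

function Get-BootStartDriver {
    Get-ChildItem -Path $services -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        # Start 0 = SERVICE_BOOT_START; Type 1 = kernel driver, 2 = file system driver.
        if ($null -eq $p -or $p.Start -ne 0 -or (1, 2) -notcontains $p.Type) { return }

        $group = if ($p.Group) { [string]$p.Group } else { '' }
        $rank  = [array]::IndexOf($groups, $group.ToLowerInvariant())
        # No group, or a group missing from the list: sort after every listed group.
        if ($rank -lt 0) { $rank = [int]::MaxValue }

        New-Object PSObject -Property @{
            Name      = $_.PSChildName
            Group     = $group
            GroupRank = $rank
            Tag       = $p.Tag        # position inside the group is set by GroupOrderList
            ImagePath = $p.ImagePath
        }
    }
}

# Sorted by group position; Tag is shown for reference only.
Get-BootStartDriver | Sort-Object GroupRank, Name |
    Select-Object Name, Group, Tag, ImagePath | Format-Table -AutoSize
```

Every driver in this listing is one that, per the replies above, may already be mapped before a load-image callback can be registered, so it is the set a monitoring driver has to account for by other means.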

