Developer Forum

Hi,

I am using PSSetLoadImageNotifyRoutine() function to
notify the loading of an image from in kernel mode. After
getting the notification, the kernel mode sets a event
object, In User mode, the program waits for the event
object to be signaled. After the event object is signaled,
the user mode program uses DeviceIOControl() function to
get the information about Loaded image. The loaded image
name comes as a PUNICODE_STRING in the kernel mode call
back function. When I use the same data type in the user
mode program, I am able to get only the address value of
the loaded image. How can I get the name of the loaded
image in the user mode?

Hi,

I am using PSSetLoadImageNotifyRoutine() function to
notify the loading of an image from in kernel mode. After
getting the notification, the kernel mode sets a event
object, In User mode, the program waits for the event
object to be signaled. After the event object is signaled,
the user mode program uses DeviceIOControl() function to
get the information about Loaded image. The loaded image
name comes as a PUNICODE_STRING in the kernel mode call
back function. When I use the same data type in the user
mode program, I am able to get only the address value of
the loaded image. How can I get the name of the loaded
image in the user mode?

Copy the buffer for the UNICODE_STRING into the buffer for the IOCTL for
Length. Something like, the following where p is the pointer to the buffer.

PWCHAR p;
PUICODE_STRING s;

RtlCopyMemory(p, s->Buffer, s-Length);
p[s->Length] = L'\0';

obviously return the length+1 in the information field. Your user space
program will then have a NULL terminated wide character string to access.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply