swwwolf/PsCallImageNotifyRoutines.c

## PsCallImageNotifyRoutines.c
NTSTATUS
MmLoadSystemImage(IN PUNICODE_STRING ImageFileName,
                  IN PUNICODE_STRING NamePrefix OPTIONAL,
                  IN PUNICODE_STRING LoadedBaseName OPTIONAL,
                  IN ULONG LoadFlags,
                  OUT PVOID *ImageHandle,
                  OUT PVOID *ImageBaseAddress) {
// ...
        if ( PsImageNotifyEnabled ) {
            IMAGE_INFO ImageInfo;

            ImageInfo.Properties = 0;
            ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
            ImageInfo.SystemModeImage = TRUE;
            ImageInfo.ImageSize = DataTableEntry->SizeOfImage;
            ImageInfo.ImageBase = *ImageBaseAddress;
            ImageInfo.ImageSelector = 0;
            ImageInfo.ImageSectionNumber = 0;

            PsCallImageNotifyRoutines(ImageFileName, (HANDLE)NULL, &ImageInfo);
        }
// ...
}

PsCallImageNotifyRoutines(IN PUNICODE_STRING FullImageName,
                          IN HANDLE ProcessId,
                          IN PIMAGE_INFO ImageInfo) {
    ULONG i;
    PEX_CALLBACK_ROUTINE_BLOCK CallBack;
    PLOAD_IMAGE_NOTIFY_ROUTINE Rtn;

    PAGED_CODE();

    if ( PsImageNotifyEnabled ) {
        for ( i=0; i < PSP_MAX_LOAD_IMAGE_NOTIFY; i++ ) {
            CallBack = ExReferenceCallBackBlock(&PspLoadImageNotifyRoutine[i]);
            if ( CallBack != NULL ) {
                Rtn = (PLOAD_IMAGE_NOTIFY_ROUTINE)ExGetCallBackBlockRoutine(CallBack);
                Rtn(FullImageName, ProcessId, ImageInfo);
                ExDereferenceCallBackBlock(&PspLoadImageNotifyRoutine[i], CallBack);
            }
        }
    }
}
	NTSTATUS
	MmLoadSystemImage(IN PUNICODE_STRING ImageFileName,
	IN PUNICODE_STRING NamePrefix OPTIONAL,
	IN PUNICODE_STRING LoadedBaseName OPTIONAL,
	IN ULONG LoadFlags,
	OUT PVOID *ImageHandle,
	OUT PVOID *ImageBaseAddress) {
	// ...
	if ( PsImageNotifyEnabled ) {
	IMAGE_INFO ImageInfo;

	ImageInfo.Properties = 0;
	ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
	ImageInfo.SystemModeImage = TRUE;
	ImageInfo.ImageSize = DataTableEntry->SizeOfImage;
	ImageInfo.ImageBase = *ImageBaseAddress;
	ImageInfo.ImageSelector = 0;
	ImageInfo.ImageSectionNumber = 0;

	PsCallImageNotifyRoutines(ImageFileName, (HANDLE)NULL, &ImageInfo);
	}
	// ...
	}

	PsCallImageNotifyRoutines(IN PUNICODE_STRING FullImageName,
	IN HANDLE ProcessId,
	IN PIMAGE_INFO ImageInfo) {
	ULONG i;
	PEX_CALLBACK_ROUTINE_BLOCK CallBack;
	PLOAD_IMAGE_NOTIFY_ROUTINE Rtn;

	PAGED_CODE();

	if ( PsImageNotifyEnabled ) {
	for ( i=0; i < PSP_MAX_LOAD_IMAGE_NOTIFY; i++ ) {
	CallBack = ExReferenceCallBackBlock(&PspLoadImageNotifyRoutine[i]);
	if ( CallBack != NULL ) {
	Rtn = (PLOAD_IMAGE_NOTIFY_ROUTINE)ExGetCallBackBlockRoutine(CallBack);
	Rtn(FullImageName, ProcessId, ImageInfo);
	ExDereferenceCallBackBlock(&PspLoadImageNotifyRoutine[i], CallBack);
	}
	}
	}
	}