The Old New Thing: Why you shouldn't allocate usermode memory from PsSetLoadImageNotifyRoutine routine callbacks.

Posted On // Leave a Comment
I'm describing this little story here because back in the days i have
experienced this problem and i couldn't find a solution and reasonable
explanation online. I guess for some of my readers this is quite obvious
however maybe it will help some less experienced people.


The PsSetLoadImageNotifyRoutine routine registers a driver-supplied
callback that is subsequently notified whenever an image is loaded (or
mapped into memory). When the callback is registered the system calls
the load-image notify routine whenever an executable image is mapped
into virtual memory, whether in system space or user space, before the
execution of the image begins. Additionally, the system calls this
routine when a DLL image is mapped into user-space virtual memory. [1]

Appending to MSDN [1](?) the callbacks routines operate at the
PASSIVE_LEVEL IRQL. So what if you want to allocate some r3 memory (for
various purposes) when the new image is being loaded? Assuming that the
ZwAllocateVirtualMemory also runs at PASSIVE_LEVEL everything should be
just fine. However it's not.


Continue reading

0 komentarze: