PE header from kernel ?

  • Question

  • How can I access (read) the PE header of an executable from kernel space (WDM driver)?

    Tuesday, November 3, 2015 2:52 PM

Answers

  • Yes, at the time a notify routine set by PsSetLoadImageNotifyRoutine is called, the PE header is valid, and pointed to by ImageBase. 

    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, November 3, 2015 3:36 PM
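
A bounds-checked read of the header that ImageBase points to, as an added example that is not part of the original thread or the answerer's code. It is plain C so it can be exercised in user mode; in a driver, `base` and `size` would be `ImageInfo->ImageBase` and `ImageInfo->ImageSize` from the load-image notify routine. The names `pe_summary`, `pe_read_header` and `pe_build_sample` are hypothetical, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fields copied out of the headers (hypothetical helper type). */
typedef struct {
    uint16_t machine;    /* IMAGE_FILE_HEADER.Machine */
    uint16_t sections;   /* IMAGE_FILE_HEADER.NumberOfSections */
    uint16_t opt_magic;  /* 0x10b = PE32, 0x20b = PE32+ */
} pe_summary;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 0 on success, negative on a malformed or truncated header.
 * Every offset taken from the image is checked against size before use. */
int pe_read_header(const uint8_t *base, size_t size, pe_summary *out)
{
    if (base == NULL || out == NULL || size < 64) return -1;  /* IMAGE_DOS_HEADER is 64 bytes */
    if (rd16(base) != 0x5A4D) return -2;                      /* "MZ" */
    uint32_t lfanew = rd32(base + 0x3C);                      /* e_lfanew */
    /* Signature (4) + IMAGE_FILE_HEADER (20) + optional-header magic (2) must fit. */
    if (lfanew > size || size - lfanew < 26) return -3;
    const uint8_t *nt = base + lfanew;
    if (rd32(nt) != 0x00004550) return -4;                    /* "PE\0\0" */
    uint16_t opt_size = rd16(nt + 20);                        /* SizeOfOptionalHeader */
    if (opt_size < 2 || size - lfanew - 24 < opt_size) return -5;
    out->machine = rd16(nt + 4);
    out->sections = rd16(nt + 6);
    out->opt_magic = rd16(nt + 24);
    if (out->opt_magic != 0x10b && out->opt_magic != 0x20b) return -6;
    return 0;
}

/* Constructed sample: minimal DOS + NT headers for an x64 image, not a real file. */
size_t pe_build_sample(uint8_t *buf, size_t cap)
{
    if (cap < 0x200) return 0;
    memset(buf, 0, 0x200);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x80;                    /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x84] = 0x64; buf[0x85] = 0x86;  /* Machine = 0x8664 (AMD64) */
    buf[0x86] = 3;                       /* NumberOfSections = 3 */
    buf[0x94] = 0xF0;                    /* SizeOfOptionalHeader = 240 */
    buf[0x98] = 0x0B; buf[0x99] = 0x02;  /* Magic = 0x20b (PE32+) */
    return 0x200;
}
```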