Sergey Kovalev

22 comments by Sergey Kovalev

@kaboreka the wmimon is outdated with its hardcoded CLSIDs and indexes. Use _apimon_ instead.

@tklengyel I guess so.

From [MSDN](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_file_object):

```
FileName
A UNICODE_STRING structure whose Buffer member points to a read-only Unicode string that holds the name of the file opened on the volume. If the volume...
```

More logs:

```
1648826018.636646 [USERHOOK] [5344:244:notepad.exe] Perform hooking for DLL '\Windows\SysWOW64\kernel32.dll' at 0x74f60000
--PTLookup: lookup addr = 0x0000000074f60000
--PTLookup: npt = 0x0000000000000000 npm = 0
--PTLookup: pt = 0x0000000074180000
--PTLookup:...
```

@icedevml thanks a lot. Though I understand this. As I've noted, _drakvuf_ detects and traps the DLL.

Thanks! I have updated the instruction to reproduce the error.

@icedevml yes. You are right. This is not a big deal to me at the time. I've just noticed that interesting fact.

Look at `plugins/socketmon`, especially at the function:

```c++
static void register_module_trap(
    drakvuf_t drakvuf,
    drakvuf_trap_t* trap,
    const char* module_name,
    const char* function_name,
    event_response_t(*hook_cb)(drakvuf_t drakvuf, drakvuf_trap_info_t* info))
{
    struct module_trap_context_t...
```

@ultrapikachu see [PR](https://github.com/tklengyel/drakvuf/pull/590/)

@icedevml thank you for comments.