When is loadmainmodule_notify called?

[Brendan Dolan-Gavitt]

Hi,

We've recently been looking at the CFI code and attempting to re-implement it under PANDA so we can look for exploits in our Malrec dataset (https://giantpanda.gtisc.gatech.edu/malrec/dataset/). However, we have found a callback that doesn't seem to be implemented in DECAF but is used in the system_cfi plugin: loadmainmodule_notify.

When is this callback triggered? Is it a) when the process is first seen in the process list, or b) when the main module (the .exe) is first seen in the module list?

Thanks,

Brendan