[p4r4n0id]

Hi Guys,

Are you familiar with a notify routine for image unload? if not, what r my options?

Thx
p4r4n0id

[EP_X0FF]

Hello,

why you need this?

[maximusdecimer]

Hi p4r4n0id,

You can try hooking LdrUnloadDll in user mode in case you want to get notified about DLL unload. I haven't tried this one.

[Brock]

I'm not aware of any documented kernel callback for when a DLL is unloaded. However, in ring3 I would use the documented LdrRegisterDllNotification (LDR_DLL_NOTIFICATION_REASON_UNLOADED) - main downfall is it's only supported from Vista/Win2k8+ and only affects the calling process, not system-wide solution out of the box.

[p4r4n0id]

Hi Guys,

Thanks for ur replies but I need it in KM.

@EP_X0FF - need it to track loaded and unloaded modules in kernel space. don't want to enumerate every time. hook on zwunmapviewofsection will not help me cause of x64....

Any ideas?

[maximusdecimer]

Hi p4r4n0id,

I think another option is to write file system mini filter with IRP_MJ_CLEANUP trace.

IRP_MJ_CLEANUP
http://msdn.microsoft.com/en-us/library ... 85%29.aspx

FreeLibrary
http://msdn.microsoft.com/en-us/library ... 85%29.aspx

[EP_X0FF]

Hi Guys,

Thanks for ur replies but I need it in KM.

@EP_X0FF - need it to track loaded and unloaded modules in kernel space. don't want to enumerate every time. hook on zwunmapviewofsection will not help me cause of x64....

Any ideas?

Inject your monitoring dlls and inform your driver from LdrRegisterDllNotification handler.

[p4r4n0id]

Getting notificatins from UM is an option but I want from KM only :)

[EP_X0FF]

Getting notificatins from UM is an option but I want from KM only :)

Since Ldr is all about user mode implementation, just using Nt* services for i/o and memory I don't think you can find more simple and stable ways.

[p4r4n0id]

Thx alot ! :)