Sysinternals Homepage
Forum Home Forum Home > Windows Discussions > Development
  New Posts New Posts RSS Feed - How LdrRegisterDllNotification really works?
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

How LdrRegisterDllNotification really works?

 Post Reply Post Reply
genuine View Drop Down

Joined: 11 November 2009
Location: jp
Status: Offline
Points: 7
Post Options Post Options   Thanks (0) Thanks(0)   Quote genuine Quote  Post ReplyReply Direct Link To This Post Topic: How LdrRegisterDllNotification really works?
    Posted: 11 August 2016 at 4:00pm
Hey all,

I recently ran across the API LdrRegisterDllNotification and thought it was an interesting API to test.
So the context in which im testing is to see what notifications I can receive one I've registered my callback.

My PoC consists of a DLL that registers for the notifications and is injected into arbitrary processA.exe
Using a tool like ProcessHacker, I unload an arbitrary dllA.dll from ProcessA.exe (that my notification dll resides in). I was assuming this would cause a DLL Unload Event to occur as the DLL has now been unmapped from the process, but this is not the case. 

So I tested another way by creating a ProcessA.exe that manually loads (LoadLibrary) the notification dll, then I unload a DLL from that Process, still nothing.

Is there some caveat here I am not aware of? Can this be done from a DLL or does it have to be registered from a Process?

Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 11.06
Copyright ©2001-2016 Web Wiz Ltd.