How does LdrRegisterDllNotification really work?
Joined: 11 November 2009
Posted: 11 August 2016 at 4:00pm
I recently ran across the API LdrRegisterDllNotification and thought it was an interesting API to test.
So the context in which I'm testing is to see what notifications I can receive once I've registered my callback.
My PoC consists of a DLL that registers for the notifications and is injected into arbitrary processA.exe.
Using a tool like ProcessHacker, I unload an arbitrary dllA.dll from ProcessA.exe (that my notification dll resides in). I was assuming this would cause a DLL Unload Event to occur as the DLL has now been unmapped from the process, but this is not the case.
So I tested another way by creating a ProcessA.exe that manually loads (LoadLibrary) the notification dll, then I unload a DLL from that Process, still nothing.
Is there some caveat here I am not aware of? Can this be done from a DLL or does it have to be registered from a Process?