Sysinternals Homepage
Forum Home Forum Home > Windows Discussions > Development
  New Posts New Posts RSS Feed - How LdrRegisterDllNotification really works?
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

How LdrRegisterDllNotification really works?

 Post Reply Post Reply
Author
Message
genuine View Drop Down
Newbie
Newbie
Avatar

Joined: 11 November 2009
Location: jp
Status: Offline
Points: 7
Post Options Post Options   Thanks (0) Thanks(0)   Quote genuine Quote  Post ReplyReply Direct Link To This Post Topic: How LdrRegisterDllNotification really works?
    Posted: 11 August 2016 at 4:00pm
Hey all,

I recently ran across the API LdrRegisterDllNotification and thought it was an interesting API to test.
So the context in which im testing is to see what notifications I can receive one I've registered my callback.

My PoC consists of a DLL that registers for the notifications and is injected into arbitrary processA.exe
Using a tool like ProcessHacker, I unload an arbitrary dllA.dll from ProcessA.exe (that my notification dll resides in). I was assuming this would cause a DLL Unload Event to occur as the DLL has now been unmapped from the process, but this is not the case. 

So I tested another way by creating a ProcessA.exe that manually loads (LoadLibrary) the notification dll, then I unload a DLL from that Process, still nothing.

Is there some caveat here I am not aware of? Can this be done from a DLL or does it have to be registered from a Process?
thanks,

gen
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 11.06
Copyright ©2001-2016 Web Wiz Ltd.