DLL 加载通知 [英] DLL load notification

问题描述

当系统中的任何进程加载特定 DLL 或所有 DLL 加载事件(我可以过滤掉)时，是否可以在我的程序中获得通知?就像进程资源管理器如何从所有进程获取通知一样.我可以为此目的使用进程资源管理器，但我想在发生特定 DLL 加载事件时采取措施(显示弹出窗口).

我也在寻找可以为我完成这项工作的任何开源程序.

在此先非常感谢您.

解决方案

是的，您可以通过 Windows 的 ETW(Windows 事件跟踪)工具.ETW 是一种快速、低开销的日志记录机制，大多数 Windows 内核都经过检测以发出事件.

ETW 具有发出事件集的提供者"的概念.例如，有一个用于 .NET 运行时的 CLR 提供程序、一个用于内存管理器/驱动程序/图像/文件系统/用户事件的内核提供程序、一个用于 HTTP/网络事件的 IIS 提供程序，甚至是第三方编写的自定义提供程序.

您需要启用 EVENT_TRACE_FLAG_IMAGE_LOAD 在 ETW 内核提供程序上，以获得 Image_Load 事件.对于托管代码，您可以使用 AssemblyLoad 或 ModuleLoad 事件与 CLR ETW 提供程序.

您可以从本机和托管代码生成和使用 ETW 事件.使用起来有些困难，但是一旦您开始收集数据，就会有大量数据可用.Vance Morrison 创建了一个 通过 C# 使用 ETW 事件的简短演练 并创建了 TraceEvent 库.

另外，请参阅我之前的 SO 帖子此处和此处了解有关 ETW 的更多信息.

或者，您可以使用 WMI (Windows Management Instrumentation) 来获取这些事件，尽管您必须轮询它们.轮询 WMI 仍应比不断枚举系统中所有进程中的所有模块占用更少的资源.

如果您走 WMI 路线，请查看 Win32_ModuleLoadTrace 和 Win32_Process 类型..NET 框架有一个合理的WMI API.

is it possible to get a notification(s) in my program, when any process in the system loads a particular DLL or all DLL load events(i can filter out)? Like how process explorer does get notification from all processess. I can use process explorer for this purpose, but i want to take an action(show a popup) in case of a particular DLL load event.

Im also looking for any open source program that can do this job for me.

Thank you very much in advance.

解决方案

Yes, you can get image (.dll, .exe) load events through Windows' ETW (Event Tracing for Windows) facility. ETW is a fast, low-overhead logging mechanism and most of the Windows kernel is instrumented to emit events.

ETW has the concept of a "provider" that emits sets of events. For example, there's a CLR provider for the .NET runtime, a kernel provider for memory manager/driver/image/file system/user events, an IIS provider for HTTP/network events, or even custom providers that 3rd parties write.

You will want to enable EVENT_TRACE_FLAG_IMAGE_LOAD on the ETW kernel provider in order to get Image_Load events. For managed code, you can use the AssemblyLoad or ModuleLoad events with the CLR ETW provider.

You can produce and consume ETW events from both native and managed code. It's somewhat difficult to work with, but there's a wealth of data available once you start collecting it. Vance Morrison created a short walkthrough on consuming ETW events via C# and created the TraceEvent library.

Also, see my previous SO posts here and here for more on ETW.

Alternatively, you can use WMI (Windows Management Instrumentation) to get these events, although you'll have to poll for them. Polling WMI should still be less resource intensive than constantly enumerating all modules in all processes in the system.

If you go the WMI route, look at the Win32_ModuleLoadTrace and Win32_Process types. The .NET framework has a reasonable WMI API.

这篇关于DLL 加载通知的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！