Detect when a Module (DLL) is unloaded


Question

Is there a way to programmatically detect when a module - specifically a DLL - has been unloaded from a process?

I don't have the DLL source, so I can't change its DLL entry point. Nor can I poll if the DLL is currently loaded because the DLL may be unloaded and then reloaded between polling.

Result

I ended up using jimharks' solution of detouring the DLL entry point and catching DLL_PROCESS_DETACH. I found detouring FreeLibrary() to work as well, but code must be added to detect when the module is actually unloaded or if the reference count is just being decreased. Necrolis' link about finding the reference count was handy for one method of doing so.

I should note that I had problems with MSDetours not actually unloading the module from memory if a detour existed within it.

Recommended answer

Maybe a less bad way than Necrolis's would be to use Microsoft Research's Detours package to hook the DLL's entry point to watch for DLL_PROCESS_DETACH notifications.

You can find the entry point given an HMODULE (as returned by LoadLibrary) using this function:

#include <windows.h>
#include <DelayImp.h>


PVOID GetAddressOfEntryPoint(HMODULE hmod)
{
    PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)hmod;
    PIMAGE_NT_HEADERS pinth = (PIMAGE_NT_HEADERS)((PBYTE)hmod + pidh->e_lfanew);
    PVOID pvEntry = (PBYTE)hmod + pinth->OptionalHeader.AddressOfEntryPoint;

    return pvEntry;
}

Your entrypoint replacement could take direct action or increment a counter that you check for in your main loop or where it's important to you. (And should almost certainly call the original entrypoint.)

I hope this helps.
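A bounds-checked variant of the header walk in GetAddressOfEntryPoint, added here as an example that is not part of the original answer. It reads the same PE fields by offset from a byte buffer so it builds without windows.h, and it rejects an AddressOfEntryPoint of zero (a DLL with no entry point), for which base + RVA would be the module's own MZ header. The names entry_point_rva and build_sample and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { EP_OK = 0, EP_BAD_DOS = -1, EP_BAD_NT = -2, EP_NONE = -3, EP_OUT_OF_IMAGE = -4 };

/* Little-endian field access that does not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* img/len: bytes of a mapped module image. On EP_OK, *rva holds AddressOfEntryPoint. */
int entry_point_rva(const uint8_t *img, size_t len, uint32_t *rva)
{
    if (len < 0x40 || rd16(img) != 0x5A4D)               /* "MZ" */
        return EP_BAD_DOS;
    uint32_t nt = rd32(img + 0x3C);                      /* e_lfanew */
    /* Need signature (4) + file header (20) + optional header through SizeOfImage (60). */
    if (nt > len || len - nt < 4 + 20 + 60 || rd32(img + nt) != 0x00004550)
        return EP_BAD_NT;                                /* no "PE\0\0" inside the buffer */
    const uint8_t *opt = img + nt + 24;                  /* optional header */
    if ((rd16(opt) != 0x10B && rd16(opt) != 0x20B) || rd16(img + nt + 20) < 60)
        return EP_BAD_NT;                                /* not PE32/PE32+, or header too short */
    uint32_t ep = rd32(opt + 16), size_of_image = rd32(opt + 56);
    if (ep == 0)
        return EP_NONE;                                  /* nothing to hook: base + 0 is the header */
    if (ep >= size_of_image)
        return EP_OUT_OF_IMAGE;
    *rva = ep;
    return EP_OK;
}

/* Constructed sample: a minimal PE32+ header with the given entry RVA, not a real DLL. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t ep)
{
    const uint32_t nt = 0x80;
    if (cap < nt + 24 + 240) return 0;
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, nt);
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + 20] = 240;                                  /* SizeOfOptionalHeader */
    buf[nt + 24] = 0x0B; buf[nt + 25] = 0x02;            /* Magic = PE32+ */
    wr32(buf + nt + 24 + 16, ep);                        /* AddressOfEntryPoint */
    wr32(buf + nt + 24 + 56, 0x3000);                    /* SizeOfImage */
    return nt + 24 + 240;
}
```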
