3

is it possible to get a notification(s) in my program, when any process in the system loads a particular DLL or all DLL load events(i can filter out)? Like how process explorer does get notification from all processess. I can use process explorer for this purpose, but i want to take an action(show a popup) in case of a particular DLL load event.

Im also looking for any open source program that can do this job for me.

Thank you very much in advance.

rplusg
  • 3,418
  • 6
  • 34
  • 49
  • See this answer [C# equivalent of DllMain in C (WinAPI)](http://stackoverflow.com/questions/8206736/c-sharp-equivalent-of-dllmain-in-c-winapi) – lsalamon Oct 14 '15 at 18:39
  • @lsalamon You can use `DllMain` to know when *that specific* DLL gets loaded in a process, but it will not help you know when an arbitrary DLL gets loaded in an arbitrary process, neither of which you control, which I think is what @rplusg is looking for. – Chris Schmich Oct 14 '15 at 18:45

2 Answers2

2

Yes, you can get image (.dll, .exe) load events through Windows' ETW (Event Tracing for Windows) facility. ETW is a fast, low-overhead logging mechanism and most of the Windows kernel is instrumented to emit events.

ETW has the concept of a "provider" that emits sets of events. For example, there's a CLR provider for the .NET runtime, a kernel provider for memory manager/driver/image/file system/user events, an IIS provider for HTTP/network events, or even custom providers that 3rd parties write.

You will want to enable EVENT_TRACE_FLAG_IMAGE_LOAD on the ETW kernel provider in order to get Image_Load events. For managed code, you can use the AssemblyLoad or ModuleLoad events with the CLR ETW provider.

You can produce and consume ETW events from both native and managed code. It's somewhat difficult to work with, but there's a wealth of data available once you start collecting it. Vance Morrison created a short walkthrough on consuming ETW events via C# and created the TraceEvent library.

Also, see my previous SO posts here and here for more on ETW.

Alternatively, you can use WMI (Windows Management Instrumentation) to get these events, although you'll have to poll for them. Polling WMI should still be less resource intensive than constantly enumerating all modules in all processes in the system.

If you go the WMI route, look at the Win32_ModuleLoadTrace and Win32_Process types. The .NET framework has a reasonable WMI API.

Community
  • 1
  • 1
Chris Schmich
  • 29,128
  • 5
  • 77
  • 94
0

Could you use something such as the example shown here: https://msdn.microsoft.com/en-us/library/27688t9c(v=vs.90).aspx and iterate over the ProcessModuleCollection to list the DLL's loaded for each process, record these and monitor for changes? Probably resource intensive though.

Jonathan Hall
  • 75,165
  • 16
  • 143
  • 189
Gavzooka
  • 57
  • 1
  • 9
  • yes, enumerating thru all loaded DLLs is resource intensive and doing it too many times isn't an option. Thanks for suggestion though. – rplusg Oct 14 '15 at 17:41
  • The may help here: http://stackoverflow.com/questions/6503013/how-to-get-notification-of-dll-loads-happening-in-my-software-inside-my-own-pro Looks like the hotpatch to LoadLibrary option is the one you want but rather complex looking at it. – Gavzooka Oct 14 '15 at 17:58