I'm trying to make an exe profiler and now want to trace/log all DLLs that are loaded/used by an exe by hooking LdrLoadDll in a kernel-mode driver (I created the user-mode version in the past). My problem is with the 64-bit version of Windows, because in 64-bit I can't use SSDT hooking and I can't find any alternative solution for this.

In 64-bit there are kernel-mode callbacks like PsSetCreateProcessNotifyRoutine (an alternative to hooking CreateProcess), but I can't find any solution for this case. Now my question is: is there a kernel-mode callback for LdrLoadDll? Or do I have to find a solution for 64-bit kernel hooking?

Peter O.
Kamran

1 Answer

You can use PsSetLoadImageNotifyRoutine to register a driver-supplied callback. Your callback will be called whenever a driver image or a user image (DLL, EXE) is mapped into virtual memory.

Windows calls this callback at PASSIVE_LEVEL.

QuangNHb
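The callback shape the answer describes, as an added example that is not part of the original post or of any real driver: a load-image notify routine that classifies each mapped image (user EXE/DLL versus driver, or an event whose name the OS could not supply) and keeps a small in-memory tally. When built with the WDK (`_KERNEL_MODE` defined) it uses the real `ntddk.h` types and registers itself from `DriverEntry`; on an ordinary host compiler the `#else` branch substitutes look-alike definitions of `UNICODE_STRING` and `IMAGE_INFO` (an assumption, kept to the documented field layout) and `simulate_loads` feeds three constructed events so the logic can be exercised outside the kernel. The process id, image base and path in those events are made up for the demonstration.

```c
/* Added example, not code from the question or the answer. */
#include <stddef.h>
#include <string.h>

#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
#include <stdio.h>
#include <wchar.h>
typedef void VOID;
typedef void *PVOID, *HANDLE;
typedef unsigned short USHORT;
typedef unsigned int ULONG;
typedef struct _UNICODE_STRING {
    USHORT Length;          /* in bytes, not characters; buffer may lack a NUL */
    USHORT MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _IMAGE_INFO {       /* host stand-in mirroring the WDK layout */
    union {
        ULONG Properties;
        struct {
            ULONG ImageAddressingMode : 8;
            ULONG SystemModeImage : 1;       /* set for kernel-mode images */
            ULONG ImageMappedToAllSessions : 1;
            ULONG ImageSignatureLevel : 4;
            ULONG ImageSignatureType : 3;
            ULONG ImagePartialMap : 1;
            ULONG Reserved : 14;
        };
    };
    PVOID ImageBase;
    ULONG ImageSelector;
    size_t ImageSize;
    ULONG ImageSectionNumber;
} IMAGE_INFO, *PIMAGE_INFO;
#endif

enum image_kind { IMAGE_USER, IMAGE_DRIVER, IMAGE_UNNAMED };

struct load_record {
    enum image_kind kind;
    HANDLE pid;          /* 0 for driver images */
    PVOID base;
    size_t size;
    unsigned partial;    /* 1 when only part of the image was mapped */
};

/* In-memory tally for the demonstration; a real driver would hand records to
 * a user-mode consumer instead of keeping them in static storage. */
static struct load_record g_last;
static unsigned g_user_loads, g_driver_loads;

/* Driver images arrive with SystemModeImage set and ProcessId == 0; user
 * EXE/DLL mappings carry the loading process's id.  FullImageName may be
 * NULL when the OS cannot resolve the name, so check it before anything else. */
static enum image_kind classify_image(PUNICODE_STRING name, HANDLE pid, PIMAGE_INFO info)
{
    if (name == NULL || name->Buffer == NULL || name->Length == 0)
        return IMAGE_UNNAMED;
    if (info->SystemModeImage || pid == NULL)
        return IMAGE_DRIVER;
    return IMAGE_USER;
}

/* The notify routine: runs at PASSIVE_LEVEL in the context of the thread
 * mapping the image, so it must return promptly and never call into the
 * image being loaded. */
VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    struct load_record rec;
    rec.kind = classify_image(FullImageName, ProcessId, ImageInfo);
    rec.pid = ProcessId;
    rec.base = ImageInfo->ImageBase;
    rec.size = ImageInfo->ImageSize;
    rec.partial = ImageInfo->ImagePartialMap;
    g_last = rec;
    if (rec.kind == IMAGE_USER) g_user_loads++;
    else if (rec.kind == IMAGE_DRIVER) g_driver_loads++;
#ifdef _KERNEL_MODE
    if (rec.kind != IMAGE_UNNAMED)
        DbgPrint("[imgload] pid=%p base=%p size=%Iu %wZ\n", ProcessId, rec.base, rec.size, FullImageName);
#else
    if (rec.kind != IMAGE_UNNAMED)
        printf("[imgload] pid=%p base=%p size=%zu %.*ls\n", ProcessId, rec.base, rec.size,
               (int)(FullImageName->Length / sizeof(wchar_t)), FullImageName->Buffer);
#endif
}

const struct load_record *last_load_record(void) { return &g_last; }
unsigned user_load_count(void) { return g_user_loads; }
unsigned driver_load_count(void) { return g_driver_loads; }

#ifdef _KERNEL_MODE
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);   /* always unregister before unload */
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(LoadImageNotify);
}
#else
/* Host-only driver: three constructed events (user DLL, driver, unnamed). */
int simulate_loads(void)
{
    static wchar_t path[] = L"C:\\Windows\\System32\\kernel32.dll";   /* constructed */
    UNICODE_STRING name = { (USHORT)(sizeof(path) - sizeof(wchar_t)), (USHORT)sizeof(path), path };
    IMAGE_INFO info;
    memset(&info, 0, sizeof info);
    info.ImageBase = (PVOID)0x7ff812340000ULL;   /* constructed */
    info.ImageSize = 0xc0000;
    LoadImageNotify(&name, (HANDLE)(size_t)1234, &info);   /* user-mode DLL mapping */
    info.SystemModeImage = 1;
    LoadImageNotify(&name, NULL, &info);                   /* driver image, pid is 0 */
    LoadImageNotify(NULL, (HANDLE)(size_t)1234, &info);    /* name unavailable */
    return 3;
}
int main(void) { return simulate_loads() == 3 ? 0 : 1; }
#endif
```

Two practical caveats for the kernel build: a driver that calls PsSetLoadImageNotifyRoutine must be linked with `/INTEGRITYCHECK`, otherwise registration fails with an access-denied status, and the routine must be removed with PsRemoveLoadImageNotifyRoutine before the driver unloads or the next image load will call into freed code. The callback reports every mapped image, not only those that go through LdrLoadDll, so a profiler should filter on SystemModeImage and on the process id it is interested in rather than assume each event is a DLL load by the target exe.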