Detect when a Module (DLL) is unloaded

Question

Is there a way to progammatically detect when a module - specifically a DLL - has been unloaded from a process?

I don\'t have the DLL source, so I can\'t change it\'

Answer 1

Maybe a less bad way then Necrolis's would be to use Microsoft Research's Detours package to hook the dll's entry point to watch for DLL_PROCESS_DETACH notifications.

You can find the entry point given an HMODULE (as returned by LoadLibrary) using this function:

#include 
#include 


PVOID GetAddressOfEntryPoint(HMODULE hmod)
{
    PIMAGE_DOS_HEADER pidh = (PIMAGE_DOS_HEADER)hmod;
    PIMAGE_NT_HEADERS pinth = (PIMAGE_NT_HEADERS)((PBYTE)hmod + pidh->e_lfanew);
    PVOID pvEntry = (PBYTE)hmod + pinth->OptionalHeader.AddressOfEntryPoint;

    return pvEntry;
}

Your entrypoint replacement could take direct action or increment a counter that you check for in your main loop or where it's important to you. (And should almost certainly call the original entrypoint.)

UPDATE: Thanks to @LeoDavidson for pointing this out in the comments below. Detours 4.0 is now licensed using the liberal MIT License.

I hope this helps.