I know we can detect load library using **PsSetLoadImageNotifyRoutine ** but, how to detect unload of image notification. is there any way for it??
Please note that a FreeLibrary() call does not necessarily unload the target library right on the spot. What it does is decrementing a refcount on the library in question. If this refcount is still non-zero, the library remains loaded. To make it even more “exciting”, the executable code
(i.e. TEXT section) of the library may be loaded into many processes, but every process is going to have its own copy of its DATA section, for the understandable reasons.
Therefore, your question does not seem to have an easy answer. Another questionpoint is why you want to get notified about the library unload in the KM, in the first place…
Anton Bassov