I have used PsSetLoadImageNotifyRoutine to set a callback routine.
Now in that routine I want to unload the image being loaded. This works fine
(read seems to work fine) with .exe files, but I tried this with a .dll file
and nothing happens.
I am using the following methods while trying to unload the image.
ZwOpenProcess(…)
ZwUnmapViewOfSection(…)
I am using the following code below… Before this piece of code there is
some form of scanning performed, and if it matches the criteria I am doing
the stuff below.
    void LSNotifyOnImageLoad(IN PUNICODE_STRING pFillImageName,
                             IN HANDLE hProcessId,
                             PIMAGE_INFO pImageInfo)
    {
        …
        …
        …
        InitializeObjectAttributes(&obAttr, 0, 0, 0, 0);
        ClientId.UniqueThread = 0;
        ClientId.UniqueProcess = hProcessId;
        status = ZwOpenProcess(&hUnload, PROCESS_ALL_ACCESS, &obAttr, &ClientId);
        if (status == STATUS_SUCCESS /* && hUnload != 0 */)
        {
            DebugPrint("\nUnloading module\n");
            status = ZwUnmapViewOfSection(hUnload, pImageInfo->ImageBase);
            switch (status)
            {
            case STATUS_SUCCESS:
                DebugPrint("\nSuccess\n");
                break;
            case STATUS_INVALID_PARAMETER:
                DebugPrint("\nSTATUS_INVALID_PARAMETER\n");
                break;
            default:
                DebugPrint("\nUNKNOWN\n");
            }
            DebugPrint("\nClosing handle\n");
            ZwClose(hUnload);
        }
    }
The issue is that the call to ZwUnmapViewOfSection(hUnload,
pImageInfo->ImageBase) gets stuck (never returns).
Thanks for any help; suggestions are appreciated.