DLL load notification

Question

is it possible to get a notification(s) in my program, when any process in the system loads a particular DLL or all DLL load events(i can filter out)? Like how process explorer does get notification from all processess. I can use process explorer for this purpose, but i want to take an action(show a popup) in case of a particular DLL load event.

Im also looking for any open source program that can do this job for me.

Thank you very much in advance.

Chris Schmich · Accepted Answer

Yes, you can get image (.dll, .exe) load events through Windows' ETW (Event Tracing for Windows) facility. ETW is a fast, low-overhead logging mechanism and most of the Windows kernel is instrumented to emit events.

ETW has the concept of a "provider" that emits sets of events. For example, there's a CLR provider for the .NET runtime, a kernel provider for memory manager/driver/image/file system/user events, an IIS provider for HTTP/network events, or even custom providers that 3rd parties write.

You will want to enable EVENT_TRACE_FLAG_IMAGE_LOAD on the ETW kernel provider in order to get Image_Load events. For managed code, you can use the AssemblyLoad or ModuleLoad events with the CLR ETW provider.

You can produce and consume ETW events from both native and managed code. It's somewhat difficult to work with, but there's a wealth of data available once you start collecting it. Vance Morrison created a short walkthrough on consuming ETW events via C# and created the TraceEvent library.

Also, see my previous SO posts here and here for more on ETW.

Alternatively, you can use WMI (Windows Management Instrumentation) to get these events, although you'll have to poll for them. Polling WMI should still be less resource intensive than constantly enumerating all modules in all processes in the system.

If you go the WMI route, look at the Win32_ModuleLoadTrace and Win32_Process types. The .NET framework has a reasonable WMI API.

DLL load notification

Answers (2)

Related Questions