0
votes

I inject a DLL into a process after ntdll.dll has loaded. Then, in DllMain (the DLL_PROCESS_ATTACH case), I call LdrRegisterDllNotification and wait for a specific DLL to be loaded (e.g. statistic.dll) whose functions I want to hook. If statistic.dll isn't loaded, I need to unload the injected DLL from the process.

The main question is: how do I unload the injected DLL correctly?

I wanted to implement it via a separate thread which will check (after some time) for the statistic.dll library in the process (or a specific flag which I can set after statistic.dll loads) and unload the injected DLL if it wasn't loaded. But as I know, we can't create a thread in DllMain.

1
"as I know, we can't create a thread in DllMain" - yes, you can. Just don't have DllMain wait on the thread, or make the thread wait on DllMain. That is what is problematic, not the act of creating a thread. – Remy Lebeau
You can create your own thread, and at the end of it you must call FreeLibraryAndExitThread. – RbMm
Thanks guys. I had doubts about creating a thread and wanted to hear other opinions about the consequences of that. I implemented the DLL unloading itself via FreeLibraryAndExitThread and it works fine. – slinkin

1 Answer

0
votes

To unload your DLL, use FreeLibraryAndExitThread. Make sure you have disconnected any hooks and cleaned up anything that might cause a problem first.
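
The approach from the comments and the answer, as an added example (not code posted by the asker or the answerers): a worker routine that DllMain starts without waiting on it, and that unloads the DLL if the target never loads. `unload_ctx`, `unload_watchdog` and the `unregister`/`remove_hooks` callbacks are hypothetical names, and the non-Windows stand-ins are constructed only so the cleanup ordering can be exercised off Windows.

```c
#ifdef _WIN32
#include <windows.h>
#else /* Constructed stand-ins (not Win32) so the logic builds and tests elsewhere. */
#include <string.h>
typedef void *HMODULE, *HANDLE, *PVOID, *LPVOID;
typedef unsigned long DWORD;
#define WINAPI
#define WAIT_OBJECT_0 0UL
#define WAIT_TIMEOUT 258UL
static DWORD sim_wait[2]; static int sim_calls;  /* scripted wait results */
static char sim_trace[8]; static int sim_n;      /* order of cleanup calls */
static DWORD WaitForSingleObject(HANDLE h, DWORD ms) { (void)h; (void)ms; return sim_wait[sim_calls++]; }
static int CloseHandle(HANDLE h) { (void)h; sim_trace[sim_n++] = 'C'; return 1; }
static void FreeLibraryAndExitThread(HMODULE m, DWORD c) { (void)m; (void)c; sim_trace[sim_n++] = 'F'; }
static long sim_unregister(PVOID c) { (void)c; sim_trace[sim_n++] = 'U'; return 0; }
static void sim_remove_hooks(void) { sim_trace[sim_n++] = 'H'; }
#endif

/* Hypothetical context that DllMain fills in before calling CreateThread. */
typedef struct {
    HMODULE self;           /* hinstDLL received by DllMain */
    HANDLE  target_loaded;  /* event set by the LdrRegisterDllNotification callback */
    DWORD   timeout_ms;     /* how long to wait for the target DLL */
    PVOID   cookie;         /* cookie returned by LdrRegisterDllNotification */
    long  (WINAPI *unregister)(PVOID cookie); /* LdrUnregisterDllNotification, resolved from ntdll */
    void  (*remove_hooks)(void);              /* assumed cleanup callback */
} unload_ctx;

/* Returns 0 when the DLL stays loaded; on Windows it never returns if it unloads. */
DWORD WINAPI unload_watchdog(LPVOID param)
{
    unload_ctx *ctx = param;

    if (WaitForSingleObject(ctx->target_loaded, ctx->timeout_ms) == WAIT_OBJECT_0)
        return 0;                            /* target appeared in time: stay loaded */

    /* Unregister first so no further load notification can arrive. */
    ctx->unregister(ctx->cookie);

    /* Re-check: the target may have loaded between the timeout and the unregister. */
    if (WaitForSingleObject(ctx->target_loaded, 0) == WAIT_OBJECT_0)
        return 0;

    ctx->remove_hooks();                     /* nothing may still point into this DLL */
    CloseHandle(ctx->target_loaded);
    FreeLibraryAndExitThread(ctx->self, 0);  /* release the module and exit in one call */
    return 1;                                /* reached only with the stand-ins */
}
```
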