Xander.LdrMonitor.pas
unit Xander.LdrMonitor;
{$I Default.inc}
interface
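type
  // Counted UTF-16 string descriptor, referenced by the loader notification
  // records declared later in this unit (FullDllName / BaseDllName).
  PCUNICODE_STRING = ^UNICODE_STRING;

  // Declared as a plain record, not a packed one. With packing, Buffer lands
  // at offset 4 on 64-bit targets, while the natively aligned layout puts the
  // pointer at offset 8; reading through a packed declaration there would
  // yield a bogus pointer. On 32-bit targets both forms give the same layout.
  // NOTE(review): this relies on the record alignment in effect after
  // Default.inc being the compiler default - confirm the include does not
  // lower it.
  UNICODE_STRING = record
    Length: Word;        // used size of Buffer in bytes (not characters)
    MaximumLength: Word; // allocated size of Buffer in bytes
    Buffer: PWideChar;   // UTF-16 data; not guaranteed to be null-terminated,
                         // so bound every read by Length rather than scanning for #0
  end;

  // Delphi-style aliases for the same record and its pointer.
  TUnicodeString = UNICODE_STRING;
  PUnicodeString = ^TUnicodeString;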
type
  // Reason codes distinguishing a module load (1) from a module unload (2).
  // NOTE(review): the storage size of this enum depends on the enum-size
  // setting in effect; confirm it matches the width the native callback uses
  // before putting this type directly into a callback signature.
  NotificationReasonEnum = (
    LDR_DLL_NOTIFICATION_REASON_LOADED = 1,
    LDR_DLL_NOTIFICATION_REASON_UNLOADED = 2
  );
  TNotificationReason = NotificationReasonEnum;

  // Payload describing one module: its names, base address and image size.
  // FullDllName / BaseDllName point at counted strings; read them by their
  // Length field. NOTE(review): these pointers are presumably only valid for
  // the duration of the notification callback - copy anything that must
  // outlive it; confirm against the platform documentation.
  LDR_DLL_LOADED_NOTIFICATION_DATA = record
    Flags: LongWord;
    FullDllName: PUnicodeString;
    BaseDllName: PUnicodeString;
    DllBase: Pointer;
    SizeOfImage: LongWord;
  end;
  PLDR_DLL_LOADED_NOTIFICATION_DATA = ^LDR_DLL_LOADED_NOTIFICATION_DATA;
  TLdrDLLLoadedNotificationData = LDR_DLL_LOADED_NOTIFICATION_DATA;
  PLdrDLLLoadedNotificationData = ^TLdrDLLLoadedNotificationData;

  // The unload payload is an alias of the load payload, so both share one layout.
  TLdrDLLUnloadedNotificationData = TLdrDLLLoadedNotificationData;
  PLdrDLLUnloadedNotificationData = ^TLdrDLLUnloadedNotificationData;

  // Untagged variant record overlaying the two payloads; which arm applies is
  // not stored in the record itself and has to come from the reason code.
  LDR_DLL_NOTIFICATION_DATA = record
    case Integer of
      0: (Loaded: TLdrDLLLoadedNotificationData);
      1: (Unloaded: TLdrDLLUnloadedNotificationData);
  end;
  PLDR_DLL_NOTIFICATION_DATA = ^LDR_DLL_NOTIFICATION_DATA;
  TLdrDllNotificationData = LDR_DLL_NOTIFICATION_DATA;
  PLdrDllNotificationData = ^TLdrDllNotificationData;
type
  // Procedural type with the same signature as the import below, usable when
  // the routine is resolved manually at run time instead of via the static
  // declaration.
  TLdrRegisterDllNotification = function(
    Flags: LongWord;
    NotificationFunction: Pointer;
    Context: Pointer;
    Cookie: Pointer
  ): LongWord; stdcall;

// Import of ntdll.dll's LdrRegisterDllNotification. The `delayed` directive
// defers binding to the first call, so a missing export surfaces there rather
// than at process start.
//   Flags                - passed through to ntdll unchanged.
//   NotificationFunction - untyped pointer to the callback; the compiler
//                          cannot check its signature or calling convention.
//   Context              - opaque value; presumably handed back to the
//                          callback - confirm.
//   Cookie               - presumably the address of a pointer variable that
//                          receives the registration handle - confirm.
// Returns the native status code as an unsigned 32-bit value.
// NOTE(review): this unit declares no unregister counterpart, so the callback
// code and its Context must stay valid for as long as the registration is
// live. The callback presumably runs inside the loader; keep it short and
// avoid loading or unloading modules from it - confirm against the platform
// documentation.
function LdrRegisterDllNotification(
  Flags: LongWord;
  NotificationFunction: Pointer;
  Context: Pointer;
  Cookie: Pointer
): LongWord; stdcall;
  external 'ntdll.dll' name 'LdrRegisterDllNotification' delayed;
implementation
end.