[NTDLL_VISTA:LDR] Implement DLL Notification (#6795)

Implement DLL Load Notification, an NT6+ feature. https://learn.microsoft.com/en-us/windows/win32/devnotes/dll-load-notification - [RTL] Sync `RTL_STATIC_LIST_HEAD` and `RtlFailFast` from XDK to NDK. - [NTDLL_VISTA] Introduce ntdll_vista_static static library and link both ntdll_vista and ntdll to it. - [NDK][LDR] Add and fix DLL Notification definitions. - [NTDLL_VISTA] Code improvements. - [NTDLL_VISTA:LDR] Implement Dll Notification. - [NTDLL][NTDLL_APITEST] Add Dll Notification API test.
2025-08-06 20:23:01 +00:00 · 2025-03-03 04:13:33 +08:00 · 2025-03-03 04:13:33 +08:00 · ccf1e97aa1
commit ccf1e97aa1
parent 6988b4e2c4
22 changed files with 539 additions and 53 deletions
--- a/sdk/include/ndk/ldrfuncs.h
+++ b/sdk/include/ndk/ldrfuncs.h
@ -147,6 +147,23 @@ LdrEnumerateLoadedModules(
    _In_opt_ PVOID Context
 );

+#if (_WIN32_WINNT >= _WIN32_WINNT_VISTA) || (DLL_EXPORT_VERSION >= _WIN32_WINNT_VISTA)
+
+NTSTATUS
+NTAPI
+LdrRegisterDllNotification(
+    _In_ ULONG Flags,
+    _In_ PLDR_DLL_NOTIFICATION_FUNCTION NotificationFunction,
+    _In_opt_ PVOID Context,
+    _Out_ PVOID* Cookie);
+
+NTSTATUS
+NTAPI
+LdrUnregisterDllNotification(
+    _In_ PVOID Cookie);
+
+#endif /* (_WIN32_WINNT >= _WIN32_WINNT_VISTA) || (DLL_EXPORT_VERSION >= _WIN32_WINNT_VISTA) */
+
 #ifdef NTOS_MODE_USER
 NTSYSAPI
 BOOLEAN
--- a/sdk/include/ndk/ldrtypes.h
+++ b/sdk/include/ndk/ldrtypes.h
@ -37,7 +37,11 @@ Author:
 //
 #define LDRP_STATIC_LINK                        0x00000002
 #define LDRP_IMAGE_DLL                          0x00000004
+#if (NTDDI_VERSION < NTDDI_WIN8)
 #define LDRP_SHIMENG_SUPPRESSED_ENTRY           0x00000008
+#else
+#define LDRP_LOAD_NOTIFICATIONS_SENT            0x00000008
+#endif
 #define LDRP_IMAGE_INTEGRITY_FORCED             0x00000020
 #define LDRP_LOAD_IN_PROGRESS                   0x00001000
 #define LDRP_UNLOAD_IN_PROGRESS                 0x00002000
@ -196,26 +200,39 @@ typedef struct _LDR_ENUM_RESOURCE_INFO
 //
 // DLL Notifications
 //
+#define LDR_DLL_NOTIFICATION_REASON_LOADED   1
+#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2
+
 typedef struct _LDR_DLL_LOADED_NOTIFICATION_DATA
 {
    ULONG Flags;
-    PUNICODE_STRING FullDllName;
-    PUNICODE_STRING BaseDllName;
+    PCUNICODE_STRING FullDllName;
+    PCUNICODE_STRING BaseDllName;
    PVOID DllBase;
    ULONG SizeOfImage;
 } LDR_DLL_LOADED_NOTIFICATION_DATA, *PLDR_DLL_LOADED_NOTIFICATION_DATA;

-typedef VOID
-(NTAPI *PLDR_DLL_LOADED_NOTIFICATION_CALLBACK)(
-    _In_ BOOLEAN Type,
-    _In_ struct _LDR_DLL_LOADED_NOTIFICATION_DATA *Data
-);
-
-typedef struct _LDR_DLL_LOADED_NOTIFICATION_ENTRY
+typedef struct _LDR_DLL_UNLOADED_NOTIFICATION_DATA
 {
-    LIST_ENTRY NotificationListEntry;
-    PLDR_DLL_LOADED_NOTIFICATION_CALLBACK Callback;
-} LDR_DLL_LOADED_NOTIFICATION_ENTRY, *PLDR_DLL_LOADED_NOTIFICATION_ENTRY;
+    ULONG Flags;
+    PCUNICODE_STRING FullDllName;
+    PCUNICODE_STRING BaseDllName;
+    PVOID DllBase;
+    ULONG SizeOfImage;
+} LDR_DLL_UNLOADED_NOTIFICATION_DATA, *PLDR_DLL_UNLOADED_NOTIFICATION_DATA;
+
+typedef union _LDR_DLL_NOTIFICATION_DATA
+{
+    LDR_DLL_LOADED_NOTIFICATION_DATA Loaded;
+    LDR_DLL_UNLOADED_NOTIFICATION_DATA Unloaded;
+} LDR_DLL_NOTIFICATION_DATA, *PLDR_DLL_NOTIFICATION_DATA;
+typedef const LDR_DLL_NOTIFICATION_DATA *PCLDR_DLL_NOTIFICATION_DATA;
+
+typedef VOID
+(NTAPI *PLDR_DLL_NOTIFICATION_FUNCTION)(
+    _In_ ULONG NotificationReason,
+    _In_ PCLDR_DLL_NOTIFICATION_DATA NotificationData,
+    _In_opt_ PVOID Context);

 //
 // Alternate Resources Support
--- a/sdk/include/ndk/rtlfuncs.h
+++ b/sdk/include/ndk/rtlfuncs.h
@ -39,6 +39,18 @@ extern "C" {
 //
 // List Functions
 //
+
+DECLSPEC_NORETURN
+FORCEINLINE
+VOID
+RtlFailFast(
+    _In_ ULONG Code)
+{
+    __fastfail(Code);
+}
+
+#define RTL_STATIC_LIST_HEAD(x) LIST_ENTRY x = { &x, &x }
+
 FORCEINLINE
 VOID
 InitializeListHead(