[RTL] Implement LdrpRecordUnloadEvent

dll/ntdll/include/ntdllp.h

@@ -158,6 +158,9 @@ LdrpFetchAddressOfEntryPoint(PVOID ImageBase);
 VOID NTAPI
 LdrpFreeUnicodeString(PUNICODE_STRING String);
 
+VOID NTAPI
+LdrpRecordUnloadEvent(_In_ PLDR_DATA_TABLE_ENTRY LdrEntry);
+
 VOID NTAPI
 LdrpGetShimEngineInterface(VOID);
 

dll/ntdll/ldr/ldrapi.c

@@ -1449,8 +1449,7 @@ LdrUnloadDll(IN PVOID BaseAddress)
         /* Get the current entry */
         LdrEntry = CONTAINING_RECORD(NextEntry, LDR_DATA_TABLE_ENTRY, HashLinks);
 
-        /* FIXME: Log the Unload Event */
-        //LdrpRecordUnloadEvent(LdrEntry);
+        LdrpRecordUnloadEvent(LdrEntry);
 
         /* Set the entry and clear it from the list */
         CurrentEntry = LdrEntry;

sdk/lib/rtl/trace.c

@@ -11,6 +11,7 @@
 #include <debug.h>
 
 static RTL_UNLOAD_EVENT_TRACE RtlpUnloadEventTrace[RTL_UNLOAD_EVENT_TRACE_NUMBER];
+static UINT RtlpUnloadEventTraceIndex = 0;
 
 /* FUNCTIONS ******************************************************************/
 
@@ -22,10 +23,45 @@ RtlGetUnloadEventTrace(VOID)
     return RtlpUnloadEventTrace;
 }
 
+VOID
+NTAPI
+LdrpRecordUnloadEvent(_In_ PLDR_DATA_TABLE_ENTRY LdrEntry)
+{
+    PIMAGE_NT_HEADERS NtHeaders;
+    UINT Sequence = RtlpUnloadEventTraceIndex++;
+    UINT Index = Sequence % RTL_UNLOAD_EVENT_TRACE_NUMBER;
+    USHORT StringLen;
+
+    DPRINT("LdrpRecordUnloadEvent(%wZ, %p - %p)\n", &LdrEntry->BaseDllName, LdrEntry->DllBase,
+        (ULONG_PTR)LdrEntry->DllBase + LdrEntry->SizeOfImage);
+
+    RtlpUnloadEventTrace[Index].BaseAddress = LdrEntry->DllBase;
+    RtlpUnloadEventTrace[Index].SizeOfImage = LdrEntry->SizeOfImage;
+    RtlpUnloadEventTrace[Index].Sequence = Sequence;
+
+    NtHeaders = RtlImageNtHeader(LdrEntry->DllBase);
+
+    if (NtHeaders)
+    {
+        RtlpUnloadEventTrace[Index].TimeDateStamp = NtHeaders->FileHeader.TimeDateStamp;
+        RtlpUnloadEventTrace[Index].CheckSum = NtHeaders->OptionalHeader.CheckSum;
+    }
+    else
+    {
+        RtlpUnloadEventTrace[Index].TimeDateStamp = 0;
+        RtlpUnloadEventTrace[Index].CheckSum = 0;
+    }
+
+    StringLen = min(LdrEntry->BaseDllName.Length / sizeof(WCHAR), RTL_NUMBER_OF(RtlpUnloadEventTrace[Index].ImageName));
+    RtlCopyMemory(RtlpUnloadEventTrace[Index].ImageName, LdrEntry->BaseDllName.Buffer, StringLen * sizeof(WCHAR));
+    if (StringLen < RTL_NUMBER_OF(RtlpUnloadEventTrace[Index].ImageName))
+        RtlpUnloadEventTrace[Index].ImageName[StringLen] = 0;
+}
+
 BOOLEAN
 NTAPI
-RtlTraceDatabaseAdd(IN PRTL_TRACE_DATABASE Database, 
-                    IN ULONG Count, 
+RtlTraceDatabaseAdd(IN PRTL_TRACE_DATABASE Database,
+                    IN ULONG Count,
                     IN PVOID *Trace,
                     OUT OPTIONAL PRTL_TRACE_BLOCK *TraceBlock)
 {
@@ -35,10 +71,10 @@ RtlTraceDatabaseAdd(IN PRTL_TRACE_DATABASE Database,
 
 PRTL_TRACE_DATABASE
 NTAPI
-RtlTraceDatabaseCreate(IN ULONG Buckets, 
-                       IN OPTIONAL SIZE_T MaximumSize, 
-                       IN ULONG Flags, 
-                       IN ULONG Tag, 
+RtlTraceDatabaseCreate(IN ULONG Buckets,
+                       IN OPTIONAL SIZE_T MaximumSize,
+                       IN ULONG Flags,
+                       IN ULONG Tag,
                        IN OPTIONAL RTL_TRACE_HASH_FUNCTION HashFunction)
 {
     UNIMPLEMENTED;
@@ -55,7 +91,7 @@ RtlTraceDatabaseDestroy(IN PRTL_TRACE_DATABASE Database)
 
 BOOLEAN
 NTAPI
-RtlTraceDatabaseEnumerate(IN PRTL_TRACE_DATABASE Database, 
+RtlTraceDatabaseEnumerate(IN PRTL_TRACE_DATABASE Database,
                           IN PRTL_TRACE_ENUMERATE TraceEnumerate,
                           IN OUT PRTL_TRACE_BLOCK *TraceBlock)
 {
@@ -66,7 +102,7 @@ RtlTraceDatabaseEnumerate(IN PRTL_TRACE_DATABASE Database,
 
 BOOLEAN
 NTAPI
-RtlTraceDatabaseFind(IN PRTL_TRACE_DATABASE Database, 
+RtlTraceDatabaseFind(IN PRTL_TRACE_DATABASE Database,
                      IN ULONG Count,
                      IN PVOID *Trace,
                      OUT OPTIONAL PRTL_TRACE_BLOCK *TraceBlock)