diff --git a/dll/ntdll/include/ntdllp.h b/dll/ntdll/include/ntdllp.h
index 2fe0d778279..2ec4f44d778 100644
--- a/dll/ntdll/include/ntdllp.h
+++ b/dll/ntdll/include/ntdllp.h
@@ -158,6 +158,9 @@ LdrpFetchAddressOfEntryPoint(PVOID ImageBase);
 VOID NTAPI
 LdrpFreeUnicodeString(PUNICODE_STRING String);
+VOID NTAPI
+LdrpRecordUnloadEvent(_In_ PLDR_DATA_TABLE_ENTRY LdrEntry);
+
 VOID NTAPI
 LdrpGetShimEngineInterface(VOID);
diff --git a/dll/ntdll/ldr/ldrapi.c b/dll/ntdll/ldr/ldrapi.c
index e7fdfec0725..8c968160f30 100644
--- a/dll/ntdll/ldr/ldrapi.c
+++ b/dll/ntdll/ldr/ldrapi.c
@@ -1449,8 +1449,7 @@ LdrUnloadDll(IN PVOID BaseAddress)
 /* Get the current entry */
 LdrEntry = CONTAINING_RECORD(NextEntry, LDR_DATA_TABLE_ENTRY, HashLinks);
- /* FIXME: Log the Unload Event */
- //LdrpRecordUnloadEvent(LdrEntry);
+ LdrpRecordUnloadEvent(LdrEntry);
 /* Set the entry and clear it from the list */
 CurrentEntry = LdrEntry;
diff --git a/sdk/lib/rtl/trace.c b/sdk/lib/rtl/trace.c
index f0bf4578a01..489bf5be2bf 100644
--- a/sdk/lib/rtl/trace.c
+++ b/sdk/lib/rtl/trace.c
@@ -11,6 +11,7 @@
 #include
 static RTL_UNLOAD_EVENT_TRACE RtlpUnloadEventTrace[RTL_UNLOAD_EVENT_TRACE_NUMBER];
+static UINT RtlpUnloadEventTraceIndex = 0;
 /* FUNCTIONS ******************************************************************/
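Review bot: The new call in LdrUnloadDll (ldrapi.c) drops the only comment on this step and leaves a locking assumption unstated. LdrpRecordUnloadEvent, added in sdk/lib/rtl/trace.c by this commit, advances a plain static `RtlpUnloadEventTraceIndex` with `++` and fills the slot without a lock or interlocked operation, so it is correct only if every caller is already serialised. Whether the loader lock is held at this point cannot be seen here, because LdrUnloadDll starts and ends outside the hunk; if it is, say so at the call, for example `/* Log the unload event; the loader lock held here serialises writes to the trace ring */`. If that is not guaranteed, the index increment needs an interlocked operation instead.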
@@ -22,10 +23,45 @@ RtlGetUnloadEventTrace(VOID)
 return RtlpUnloadEventTrace;
 }
+VOID
+NTAPI
+LdrpRecordUnloadEvent(_In_ PLDR_DATA_TABLE_ENTRY LdrEntry)
+{
+ PIMAGE_NT_HEADERS NtHeaders;
+ UINT Sequence = RtlpUnloadEventTraceIndex++;
+ UINT Index = Sequence % RTL_UNLOAD_EVENT_TRACE_NUMBER;
+ USHORT StringLen;
+
+ DPRINT("LdrpRecordUnloadEvent(%wZ, %p - %p)\n", &LdrEntry->BaseDllName, LdrEntry->DllBase,
+ (ULONG_PTR)LdrEntry->DllBase + LdrEntry->SizeOfImage);
+
+ RtlpUnloadEventTrace[Index].BaseAddress = LdrEntry->DllBase;
+ RtlpUnloadEventTrace[Index].SizeOfImage = LdrEntry->SizeOfImage;
+ RtlpUnloadEventTrace[Index].Sequence = Sequence;
+
+ NtHeaders = RtlImageNtHeader(LdrEntry->DllBase);
+
+ if (NtHeaders)
+ {
+ RtlpUnloadEventTrace[Index].TimeDateStamp = NtHeaders->FileHeader.TimeDateStamp;
+ RtlpUnloadEventTrace[Index].CheckSum = NtHeaders->OptionalHeader.CheckSum;
+ }
+ else
+ {
+ RtlpUnloadEventTrace[Index].TimeDateStamp = 0;
+ RtlpUnloadEventTrace[Index].CheckSum = 0;
+ }
+
+ StringLen = min(LdrEntry->BaseDllName.Length / sizeof(WCHAR), RTL_NUMBER_OF(RtlpUnloadEventTrace[Index].ImageName));
+ RtlCopyMemory(RtlpUnloadEventTrace[Index].ImageName, LdrEntry->BaseDllName.Buffer, StringLen * sizeof(WCHAR));
+ if (StringLen < RTL_NUMBER_OF(RtlpUnloadEventTrace[Index].ImageName))
+ RtlpUnloadEventTrace[Index].ImageName[StringLen] = 0;
+}
+
 BOOLEAN
 NTAPI
-RtlTraceDatabaseAdd(IN PRTL_TRACE_DATABASE Database,
- IN ULONG Count,
+RtlTraceDatabaseAdd(IN PRTL_TRACE_DATABASE Database,
+ IN ULONG Count,
 IN PVOID *Trace,
 OUT OPTIONAL PRTL_TRACE_BLOCK *TraceBlock)
 {
@@ -35,10 +71,10 @@ RtlTraceDatabaseAdd(IN PRTL_TRACE_DATABASE Database,
 PRTL_TRACE_DATABASE
 NTAPI
-RtlTraceDatabaseCreate(IN ULONG Buckets,
- IN OPTIONAL SIZE_T MaximumSize,
- IN ULONG Flags,
- IN ULONG Tag,
+RtlTraceDatabaseCreate(IN ULONG Buckets,
+ IN OPTIONAL SIZE_T MaximumSize,
+ IN ULONG Flags,
+ IN ULONG Tag,
 IN OPTIONAL RTL_TRACE_HASH_FUNCTION HashFunction)
 {
 UNIMPLEMENTED;
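Review bot: In LdrpRecordUnloadEvent the recorded ImageName is left without a terminating NUL whenever BaseDllName is at least as long as the ImageName array, because StringLen is clamped to the full element count and the terminator is written only under `if (StringLen < RTL_NUMBER_OF(...))`. The ring is handed out raw by RtlGetUnloadEventTrace and is presumably read by debugging and crash-analysis tooling, so a reader that treats the field as a C string would run on into the next entry. Unless a reference layout requires the full-width copy, clamp to `RTL_NUMBER_OF(RtlpUnloadEventTrace[Index].ImageName) - 1` and make `RtlpUnloadEventTrace[Index].ImageName[StringLen] = 0;` unconditional. A reused slot also keeps the previous module's characters after that NUL; a `RtlZeroMemory(&RtlpUnloadEventTrace[Index], sizeof(RtlpUnloadEventTrace[Index]));` before filling the entry would avoid stale bytes in what is effectively forensic data.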
@@ -55,7 +91,7 @@ RtlTraceDatabaseDestroy(IN PRTL_TRACE_DATABASE Database)
 BOOLEAN
 NTAPI
-RtlTraceDatabaseEnumerate(IN PRTL_TRACE_DATABASE Database,
+RtlTraceDatabaseEnumerate(IN PRTL_TRACE_DATABASE Database,
 IN PRTL_TRACE_ENUMERATE TraceEnumerate,
 IN OUT PRTL_TRACE_BLOCK *TraceBlock)
 {
@@ -66,7 +102,7 @@ RtlTraceDatabaseEnumerate(IN PRTL_TRACE_DATABASE Database,
 BOOLEAN
 NTAPI
-RtlTraceDatabaseFind(IN PRTL_TRACE_DATABASE Database,
+RtlTraceDatabaseFind(IN PRTL_TRACE_DATABASE Database,
 IN ULONG Count,
 IN PVOID *Trace,
 OUT OPTIONAL PRTL_TRACE_BLOCK *TraceBlock)