I'm trying to make an exe profiler and now want to trace/log all DLLs that an exe loads/uses by hooking LdrLoadDll in a kernel-mode driver (I created the user-mode version in the past).
My problem is with the 64-bit version of Windows, because in 64-bit I can't use SSDT hooking and I can't find any alternative solution for this.
In 64-bit there are kernel-mode callbacks like PsSetCreateProcessNotifyRoutine (an alternative to hooking CreateProcess), but I can't find any solution for this case. Now my question is: Is there a kernel-mode callback for LdrLoadDll? Or do I have to find a solution for 64-bit kernel hooking?
You can use PsSetLoadImageNotifyRoutine to register a driver-supplied callback. Your callback will be called when a driver image or user image (DLL, EXE) is mapped into virtual memory.
Windows calls this callback at PASSIVE_LEVEL.
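
A sketch of the registration described in the answer, as an added example that is not part of the original post. The names `classify_load`, `OnImageLoad` and `g_target_pid` are hypothetical, and the driver half is compiled only when the WDK header `ntddk.h` is available.

```c
/* Added example, not from the original answer. classify_load, OnImageLoad
   and g_target_pid are hypothetical names. */
#include <stddef.h>

enum load_kind { LOAD_IGNORE, LOAD_DRIVER, LOAD_USER_TARGET };

/* Filter logic kept free of WDK types so it can be tested in user mode.
   A pid of 0 or a set system_mode flag means the mapped image is a driver. */
enum load_kind classify_load(size_t pid, int system_mode, size_t target)
{
    if (pid == 0 || system_mode)
        return LOAD_DRIVER;
    return pid == target ? LOAD_USER_TARGET : LOAD_IGNORE;
}

#if defined(__has_include)
#if __has_include(<ntddk.h>)   /* driver part: built only with the WDK */
#include <ntddk.h>

/* Assumption: filled in elsewhere, e.g. by a process-creation callback. */
static HANDLE g_target_pid;

/* Called at PASSIVE_LEVEL each time an image is mapped. */
static VOID OnImageLoad(PUNICODE_STRING FullImageName, HANDLE ProcessId,
                        PIMAGE_INFO ImageInfo)
{
    if (classify_load((size_t)ProcessId, (int)ImageInfo->SystemModeImage,
                      (size_t)g_target_pid) != LOAD_USER_TARGET)
        return;
    if (FullImageName != NULL)   /* the name can be unavailable */
        DbgPrint("pid %p mapped %wZ at %p\n", ProcessId, FullImageName,
                 ImageInfo->ImageBase);
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(OnImageLoad);  /* must run before unload */
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(OnImageLoad);
}
#endif
#endif
```

The routine fires when an image is mapped, so a DLL that is already loaded in the process produces no second notification when it is requested again.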