0x04 Reference count of DLL
Reference count or load count of the DLL is the number of times the DLL is loaded into the process. Each time the DLL is loaded (through LoadLibrary) into the process its reference count is incremented by 1 and it is decremented by 1, each time the DLL is freed (through FreeLibrary) from the process. When the reference count reaches 0, the DLL is completely removed from the process.
When you want to unload the DLL completely from the process, you have to invoke FreeLibrary as many times the DLL is loaded. In this case we need to know the reference count of DLL to completely remove it from the process. But there are no Windows APIs which provides information about reference count of DLL.
I was writing a program to free the spyware DLLs from the windows process such as explorer.exe using DLL injection. So I needed to know the load count of DLL to completely kick it off from the process. When I did not find any information on the internet, I decided to get into the internals of the windows to find it out myself.
After couple of hours of research I found that the load count is indeed stored in PEB ( Process environment block) of the process. One of the member of PEB is PEB_LDR_DATA structure which points to the linked list of loaded modules into that process. Each node of this linked list represented by the LDR_MODULE structure which contains complete information about that DLL. One of the field of this structure is called LoadCount which is nothing but the reference count of that DLL in that process.
So finally I have found the solution to this problem. For complete information on this read the ‘Finding DLL Reference count’ article.
Using this technique I have improved my RemoteDLL program to free the DLL from any remote process using just one click.Well, that makes it a day, watch out this space for more stuffs….!