DioIPS

Image Load

PsSetLoadImageNotifyRoutine

Monitor DLL and executable image loading in real-time.

Overview

The image load callback fires whenever a PE image (EXE, DLL, SYS) is mapped into a process. This provides visibility into which modules each process loads and can help detect DLL injection.

Captured Information

  • Process — PID and name of the loading process
  • Image path — Full path to the loaded image
  • Image base — Base address where image is mapped
  • Image size — Size of the mapped image
  • Flags — Whether the image is a system image or a kernel image

Detection Use Cases

DLL Injection

Detect when unexpected DLLs are loaded into processes, especially from unusual locations like Temp folders.

Reflective Loading

Reflective loading maps a PE image manually rather than through the normal loader, so the reflectively loaded module itself bypasses this callback. The loader DLL that performs the reflective load is still mapped normally, so it is still detected.

Suspicious Modules

Alert on known malicious DLL names or DLLs loaded from non-standard paths.

Driver Loading

Monitor kernel driver (.sys) loading through image load events that carry the kernel image flag.

UI Features

  • Image tab — View all image load events
  • Path filter — Focus on specific directories
  • Process filter — See images loaded by a specific process
  • DLL name filter — Search for specific DLL names

IPS Rule Examples

Image: *\Temp\*.dll | Action: Alert
Image: *\AppData\*.dll | Process: notepad.exe | Action: Alert
Image: amsi.dll | Action: Log
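The following is an added example, not DioIPS's own code, showing how rules in the format above could be evaluated against image load events. It assumes a constructed rule structure (pattern, optional process name, action), case-insensitive wildcard matching, and that a pattern without a backslash (such as amsi.dll) is matched against the file name only.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed rule model after the "IPS Rule Examples" above (not DioIPS's real code). */
typedef enum { ACT_NONE = 0, ACT_LOG = 1, ACT_ALERT = 2 } Action;

typedef struct {
    const char *image_pattern;   /* matched against the full image path or bare file name */
    const char *process;         /* NULL = any process */
    Action action;
} IpsRule;

/* Case-insensitive glob: '*' matches any run of characters, including '\\'. */
static int glob_match(const char *pat, const char *s) {
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;                 /* trailing '*' matches the rest */
            for (; *s; s++)
                if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || tolower((unsigned char)*pat) != tolower((unsigned char)*s)) return 0;
        pat++; s++;
    }
    return *s == '\0';
}

static const char *basename_of(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/* Returns the strongest action any rule assigns to this image-load event. */
Action evaluate_image_load(const IpsRule *rules, size_t n,
                           const char *process_name, const char *image_path) {
    Action result = ACT_NONE;
    for (size_t i = 0; i < n; i++) {
        const IpsRule *r = &rules[i];
        if (r->process && !glob_match(r->process, process_name)) continue;
        /* A pattern without a backslash (e.g. "amsi.dll") is matched on the file name only. */
        const char *subject = strchr(r->image_pattern, '\\') ? image_path : basename_of(image_path);
        if (!glob_match(r->image_pattern, subject)) continue;
        if (r->action > result) result = r->action;
    }
    return result;
}

/* The three example rules from the page, encoded in the constructed structure. */
const IpsRule kRules[] = {
    { "*\\Temp\\*.dll",    NULL,          ACT_ALERT },
    { "*\\AppData\\*.dll", "notepad.exe", ACT_ALERT },
    { "amsi.dll",          NULL,          ACT_LOG   },
};
const size_t kRuleCount = sizeof kRules / sizeof kRules[0];
```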