That is, if a 32bit DLL was loaded by
CreateRemoteThread(), the DLL would be unloaded silently without
DLL_PROCESS_DETACH invocation sent to
DLLMain() of the DLL. There are indeed 2 weird issues, one is silent unloading, the other is no
This occurs on WOW64 environment of Windows 2008 Server R2 only. Windows 2012 and 2016 don’t have this issue, while x64 environment of 2008 also doesn’t have the issue.
To fix it, we can make the DLL depend on another DLL. The 2nd DLL can receive all notification callbacks of
DLLMain(). This way can fix the callback issue. And by adding an extra
LoadLibrary() call of 2nd DLL in 1st DLL’s
DLL_PROCESS_ATTACH notification, we can keep the 2nd DLL in memory even if 1st DLL unloaded silently.