Yeah, I am using HAVE_LIBCRYPTO. With the same rules and scanning processes instead of a directory, the lib can be unloaded. My guess is some handle to a file is being left open.

On Thursday, August 2, 2018 at 6:32:54 AM UTC-4, Víctor Manuel Álvarez García wrote:
>
> That's really weird, I don't see a reason for the PE module to be
> preventing the DLL from unloading. Are you compiling the YARA DLL with
> HAVE_LIBCRYPTO?
>
> On Tue, Jul 31, 2018 at 8:16 PM, Alec Clark <[email protected]> wrote:
>
>> I have a C++ exe that loads a dll using LoadLibrary which has the Yara
>> lib code and some handling for the data Yara produces. Once all of the Yara
>> clean up code is called and execution has finished, FreeLibrary is called.
>>
>> With any Windows supported module, the library is successfully unloaded.
>> With the PE module import and any one PE rule type being used, the library
>> cannot be unloaded. FreeLibrary doesn't report a failure or set the last
>> error... ProcessHacker still says the library is loaded and the library
>> file cannot be deleted because it is in use by my process.
>>
>> The executable code doesn't hold on to any files and calls all of the
>> Yara clean up functions mentioned in the documentation. The provided yara.c
>> code was used as an example to make sure nothing was missed.
>>
>> Compiled w/ VS2015 32bit and 64bit
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
