Maybe you can use this little utility for identifying the open file: https://docs.microsoft.com/en-us/sysinternals/downloads/handle.
On Thu, Aug 2, 2018 at 1:08 PM, A <alecclar...@gmail.com> wrote: > Yeah I am using HAVE_LIBCRYPTO. With the same rules and scanning processes > instead of a directory, the lib can be unloaded. My guess is some handle to > a file is being left open > > On Thursday, August 2, 2018 at 6:32:54 AM UTC-4, Víctor Manuel Álvarez > García wrote: >> >> That's really weird, I don't see a reason for the PE module to be >> preventing the DLL from unloading. Are you compiling the YARA DLL with >> HAVE_LIBCRYPTO? >> >> On Tue, Jul 31, 2018 at 8:16 PM, Alec Clark <alecc...@gmail.com> wrote: >> >>> I have a C++ exe that loads a dll using LoadLibrary which has the Yara >>> lib code and some handling for the data Yara produces. Once all of the Yara >>> clean up code is called and execution has finished, FreeLibrary is called. >>> >>> With any Windows supported module, the library is successfully unloaded. >>> With the PE module import and any one PE rule types being using the library >>> cannot be unloaded, FreeLibrary doesn't report a failure or set the last >>> error... ProcessHacker still says the library is loaded and the library >>> file cannot be deleted because it is in use by my process. >>> >>> The executable code doesn't hold on to any files and calls all of the >>> Yara clean up functions mentioned in the documentation. The provided yara.c >>> code was used as an example to make sure nothing was missed. >>> >>> Compiled w/ VS2015 32bit and 64bit >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "YARA" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to yara-project...@googlegroups.com. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- > You received this message because you are subscribed to the Google Groups > "YARA" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to yara-project+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "YARA" group. To unsubscribe from this group and stop receiving emails from it, send an email to yara-project+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
