Question for Win32 experts: does anybody know how a DLL receives thread notifications? Is there any way to make an EXE get the same thing directly (even if it's undocumented)? It's a little weird for me because DLLs are loaded in user-mode -- why can't an EXE request the same notifications?
DllMain gets called with a reason code. The OS loader calls it by enumerating the loaded DLLs. It won't call anything in the EXE because that's how it was coded, and there's nothing the EXE can do about the loader specifically short of patching OS code.
I'm wondering what happens before all this -- how is the OS loader even notified about the new thread? Is it the thread entrypoint itself that tells the OS loader about the new thread's creation (and destruction)?
Both the loader and thread management are part of the OS. It's an implementation detail, but I'd expect CreateThread to do it - perhaps by delegating to the loader, perhaps by navigating the loader's list of loaded modules, whatever.
The thing about CreateThread doing it is that then a thread created in a different matter (CreateRemoteThread from another process, RtlCreateUserThread, etc.) would cause a missed notification. I feel like it has to be the entrypoint, but not sure...
