A method is provided for a kernel driver in an operating system to detect loading of images into memory and unloading of the images from memory. The method includes registering a callback routine for load-image notifications, receiving a load-image notification for an image and recording loading of the image, storing original code at or about an entry point of the image, and patching redirect stub code over the original code at or about the entry point. The method also includes receiving, from the redirect stub code, a redirected call to or about the entry point to execute a routine in the image. The redirected call identifies a driver object representing the image. The method further includes, based on the driver object, providing a mechanism to intercept unloading of the image and recording the unloading of the image.