Subclass host EXE's HWND then unload DLL?

In a DLL (plugin extension for an EXE) I write the following WNDPROC to the
EXE's address space. Its purpose is simply to turn <WM_SYSCOMMAND, SC_CLOSE>
into <WM_SYSCOMMAND, SC_MINIMIZE> (make the app hard to exit).

#pragma code_seg(".inject")
LRESULT CALLBACK MyWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM
lParam)
{
    static WNDPROC LocalOldWndProc = NULL;
    static BOOL bNeedInit = TRUE;
    // CWP = CallWindowProc()
    static LRESULT (WINAPI *CWP)(WNDPROC, HWND, UINT, WPARAM, LPARAM);

    if ( bNeedInit )
    {
        LocalOldWndProc = OldWndProc;
        HMODULE hUser32 = GetModuleHandle("user32.dll");
        (FARPROC&) CWP = GetProcAddress(hUser32, "CallWindowProcA");
        bNeedInit = FALSE;
    }

    if ( uMsg == WM_SYSCOMMAND && (wParam & 0xFFF0) == SC_CLOSE )
        wParam = SC_MINIMIZE;

    return CWP(LocalOldWndProc, hwnd, uMsg, wParam, lParam);
}
#pragma code_seg()
#pragma comment(linker, "/SECTION:.inject,R")

#define INJECT_SIZE 0x74 // from DUMPBIN.EXE

I inject the code as follows:

BYTE *NewWndProc = (BYTE*) VirtualAlloc(NULL, INJECT_SIZE, MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
BYTE *p = (BYTE*) MyWindowProc, *q = NewWndProc;
for ( INT i=0; i<INJECT_SIZE; i++ ) *q++ = *p++; // inject new wndproc
OldWndProc = (WNDPROC) SetWindowLong(hWndAppFrame, GWL_WNDPROC, (LONG)
NewWndProc);
SendMessage(hWndAppFrame, WM_NULL, 0, 0); // make it initialize

The point of the new WNDPROC's initialization routine is to remove any future
reference to memory locations in the DLL.

It all works fine but the DLL can't be unloaded (I'd like to unload it, leaving
the subclassing in place). If the DLL unloads (just before app shutdown or at
my request) there are two GPF's in module_unknown and one in kernel32.dll
(apparently in DuplicateHandle() (?).

Am I missing something fundamental here, something that would make the crash
expected?

Thanks.
--
 - Vince