/*
 * Removes a driver's hook record from the global driver table and tears it down.
 *
 * DriverRecord - hook record to remove; its DriverObject is the key in _driverTable.
 *
 * Returns STATUS_SUCCESS when the record was found and torn down, or
 * STATUS_NOT_FOUND when _driverTable holds no entry for the driver object
 * (that case is additionally flagged with ASSERT(FALSE)).
 *
 * _driverTableLock is released right after the table delete, so the unhook and
 * the device-table clear below never run while the global lock is held.
 */
NTSTATUS UnhookDriverObject(PDRIVER_HOOK_RECORD DriverRecord)
{
	KIRQL irql;
	PHASH_ITEM removed = NULL;
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	DEBUG_ENTER_FUNCTION("DriverRecord=0x%p", DriverRecord);

	/* Only the table operation itself runs under the global lock. */
	KeAcquireSpinLock(&_driverTableLock, &irql);
	removed = HashTableDelete(_driverTable, DriverRecord->DriverObject);
	KeReleaseSpinLock(&_driverTableLock, irql);

	if (removed == NULL) {
		/* No entry for this driver object: never hooked or already unhooked. */
		status = STATUS_NOT_FOUND;
		ASSERT(FALSE);
	} else {
		/* Undo the hook only if it is currently active. */
		if (DriverRecord->MonitoringEnabled) {
			_UnhookDriverObject(DriverRecord);
			DriverRecord->MonitoringEnabled = FALSE;
		}

		/* Drop every per-device record owned by this driver record. */
		KeAcquireSpinLock(&DriverRecord->SelectedDevicesLock, &irql);
		HashTableClear(DriverRecord->SelectedDevices, TRUE);
		KeReleaseSpinLock(&DriverRecord->SelectedDevicesLock, irql);

		/* Mark the record invalid for other users, then drop the reference that
		 * was taken when the record was inserted into _driverTable (see HookDriverObject). */
		_InvalidateDriverHookRecord(DriverRecord);
		DriverHookRecordDereference(DriverRecord);
		status = STATUS_SUCCESS;
	}

	DEBUG_EXIT_FUNCTION("0x%x", status);
	return status;
}
/*
 * Destroys a device hook record.
 *
 * Record - device hook record to free; must not be used afterwards.
 *
 * Dereferences the parent driver record, then frees the device-name buffer
 * and the record memory itself.
 */
static VOID _DeviceHookRecordFree(PDEVICE_HOOK_RECORD Record)
{
	PDRIVER_HOOK_RECORD parent = Record->DriverRecord;
	DEBUG_ENTER_FUNCTION("Record=0x%p", Record);

	/* Parent first; the record's own memory is released last. */
	DriverHookRecordDereference(parent);
	HeapMemoryFree(Record->DeviceName.Buffer);
	HeapMemoryFree(Record);

	DEBUG_EXIT_FUNCTION_VOID();
}
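/*
 * Hooks a driver object and registers a hook record for it in _driverTable.
 *
 * DriverObject    - driver to hook; used as the key in _driverTable.
 * MonitorSettings - monitoring settings, passed through to _DriverHookRecordCreate.
 * DriverRecord    - receives the new record on success, with an additional
 *                   reference taken for the caller; not written on failure.
 *
 * Returns STATUS_SUCCESS, STATUS_ALREADY_REGISTERED when _driverTable already
 * contains an entry for DriverObject, or the failure status returned by
 * _DriverHookRecordCreate / _CreateRecordsForExistingDevices.
 *
 * The record and the records for already-existing devices are built before
 * _driverTableLock is taken, so only the table check/insert runs under it.
 */
NTSTATUS HookDriverObject(PDRIVER_OBJECT DriverObject, PDRIVER_MONITOR_SETTINGS MonitorSettings, PDRIVER_HOOK_RECORD *DriverRecord)
{
	KIRQL irql;
	PDRIVER_HOOK_RECORD record = NULL;
	PDEVICE_HOOK_RECORD *existingDevices = NULL;
	ULONG existingDeviceCount = 0;
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	/* MonitorSettings is a pointer, so it is logged with %p; the previous %u
	 * did not match the argument type. */
	DEBUG_ENTER_FUNCTION("DriverObject=0x%p; MonitorSettings=0x%p; DriverRecord=0x%p", DriverObject, MonitorSettings, DriverRecord);

	status = _DriverHookRecordCreate(DriverObject, MonitorSettings, FALSE, &record);
	if (NT_SUCCESS(status)) {
		status = _CreateRecordsForExistingDevices(record, &existingDevices, &existingDeviceCount);
		if (NT_SUCCESS(status)) {
			KeAcquireSpinLock(&_driverTableLock, &irql);
			if (HashTableGet(_driverTable, DriverObject) == NULL) {
				KIRQL irql2;
				ULONG i = 0;

				/* Reference owned by _driverTable; dropped when the record is removed. */
				DriverHookRecordReference(record);
				HashTableInsert(_driverTable, &record->HashItem, DriverObject);
				/* Move the pre-built device records into the driver record's own table. */
				KeAcquireSpinLock(&record->SelectedDevicesLock, &irql2);
				for (i = 0; i < existingDeviceCount; ++i) {
					PDEVICE_HOOK_RECORD deviceRecord = existingDevices[i];

					DeviceHookRecordReference(deviceRecord);
					HashTableInsert(record->SelectedDevices, &deviceRecord->HashItem, deviceRecord->DeviceObject);
				}

				KeReleaseSpinLock(&record->SelectedDevicesLock, irql2);
				KeReleaseSpinLock(&_driverTableLock, irql);
				/* The record is already visible in the table when it is marked valid and hooked. */
				_MakeDriverHookRecordValid(record);
				if (record->MonitoringEnabled)
					_HookDriverObject(DriverObject, record);

				/* Reference handed to the caller via *DriverRecord. */
				DriverHookRecordReference(record);
				*DriverRecord = record;
			} else {
				KeReleaseSpinLock(&_driverTableLock, irql);
				status = STATUS_ALREADY_REGISTERED;
			}

			_FreeDeviceHookRecordArray(existingDevices, existingDeviceCount);
		}

		/* Drop the creation reference; on success the table and the caller each hold one. */
		DriverHookRecordDereference(record);
	}

	/* *DriverRecord is only assigned on success; avoid reading the caller's
	 * out-parameter on the failure paths. */
	DEBUG_EXIT_FUNCTION("0x%x, *DriverRecord=0x%p", status, NT_SUCCESS(status) ? *DriverRecord : NULL);
	return status;
}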
/*
 * Free callback for _driverTable entries: tears down the driver hook record
 * that embeds the given hash item.
 *
 * HashItem - the HashItem member of a DRIVER_HOOK_RECORD.
 *
 * Undoes the hook if it is still active, clears the record's device table and
 * dereferences the record.
 */
static VOID _DriverFreeFunction(PHASH_ITEM HashItem)
{
	PDRIVER_HOOK_RECORD record = CONTAINING_RECORD(HashItem, DRIVER_HOOK_RECORD, HashItem);
	DEBUG_ENTER_FUNCTION("HashItem=0x%p", HashItem);

	if (record->MonitoringEnabled) {
		_UnhookDriverObject(record);
		record->MonitoringEnabled = FALSE;
	}

	/* Unlike UnhookDriverObject, SelectedDevicesLock is not taken here --
	 * NOTE(review): presumably the table-free path has no concurrent users of
	 * the record; confirm. */
	HashTableClear(record->SelectedDevices, TRUE);
	DriverHookRecordDereference(record);

	DEBUG_EXIT_FUNCTION_VOID();
}