Exemplo n.º 1
/*
 * DrvUnload
 *	Driver unload point.
 *
 *	Undoes what the driver registered, in this order: image-load notify
 *	routine, process-creation notify routine, thread-creation notify
 *	routine, mapped links (CloseLinks), the device symbolic link, and
 *	finally the device object.
 *
 *	driver - driver object being unloaded; driver->DeviceObject is deleted.
 *
 *	NOTE(review): none of the teardown results is checked. The
 *	PsRemove*NotifyRoutine calls return an NTSTATUS; if a removal fails the
 *	routine stays registered while this image is unloaded, so the next
 *	notification would call into freed code. At minimum the failure
 *	should be logged.
 */
extern "C" void DrvUnload(PDRIVER_OBJECT driver)
{
	// Log entry
	LOG("Unloading driver");

	// Unregister the image-load callback (returned status is discarded)
	LOG2("Unregistering image-load callback");
	PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)&ImageLoadCallback);

	// Unregister the process-creation callback.
	// NC_PROCESSCREATE_NOTIFY is a project macro not shown here; presumably
	// the second argument (1) selects "remove" - confirm against its definition.
	LOG2("Unregistering process-creation callback");
	NC_PROCESSCREATE_NOTIFY(ProcessCreateCallback, 1);

	// Unregister the thread-creation callback (returned status is discarded)
	LOG2("Unregistering thread-creation callback");
	PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)&ThreadCreateCallback);

	// Unmap memory if need be (CloseLinks is defined elsewhere in the project)
	CloseLinks();

	// Build a UNICODE_STRING over the device-link name; no copy is made,
	// devLink only points at the devicelink buffer
	UNICODE_STRING devLink;
	RtlInitUnicodeString(&devLink, devicelink);

	// Delete the symbolic link first so no new handles can be opened by name
	LOG2("Deleting sym-link to device");
	IoDeleteSymbolicLink(&devLink);

	// Delete the device.
	// NOTE(review): only driver->DeviceObject is deleted; this assumes the
	// driver created exactly one device and that the pointer is non-NULL - confirm.
	LOG2("Deleting device");
	IoDeleteDevice(driver->DeviceObject);

	// Log exit
	LOG("Driver unloaded");
}
Exemplo n.º 2
/*
 * DriverUnload
 *     Unload routine: removes the thread-creation notify routine and then
 *     deletes the resource lock guarding the g_Tidxxx globals.
 *
 *     DriverObject - driver object being unloaded; only printed here.
 *
 *     NOTE(review): a failed removal is reported through DbgPrint only and
 *     the lock is deleted regardless. If ThreadNotifyCallback takes
 *     g_TidLock (presumably it does - confirm), a callback that is still
 *     registered would then run against a deleted resource.
 */
VOID
DriverUnload (
    PDRIVER_OBJECT DriverObject )
{
    NTSTATUS            RemoveStatus;

    DbgPrint ( "%s DriverObject=%p\n", __FUNCTION__, DriverObject );

    /* Stop receiving thread notifications before touching shared state. */
    RemoveStatus = PsRemoveCreateThreadNotifyRoutine ( ThreadNotifyCallback );
    if ( NT_SUCCESS ( RemoveStatus ) == 0 ) {
        DbgPrint ( "%s PsRemoveCreateThreadNotifyRoutine() FAIL=%08x\n", __FUNCTION__, RemoveStatus );
    }

    /* Step #4 : release the ERESOURCE that serialises access to the g_Tidxxx globals. */
    ExDeleteResourceLite ( &g_TidLock );
}
Exemplo n.º 3
/*
 * Stops and cleans any tracing if needed.
 *
 * Removes the new-thread notify routine when it is installed, clears the
 * trap flag on the target process' threads, drops the reference held on the
 * target EPROCESS and resets the module-level tracing state
 * (targetProcessId, targetEProcess, target_process, loggingRanges).
 * Takes no arguments and returns nothing; it is safe to call when no trace
 * is active because every step is guarded by its own state check.
 */
void stopTracing()
{
    KIRQL old_irql = 0;

    /* Pageable routine: asserts (in checked builds) that the IRQL allows paging */
    PAGED_CODE();
    
    /* Raise the IRQL otherwise new thread could be created while cleaning */
    /* NOTE(review): APC_LEVEL only masks APC delivery on the current
     * processor; it is not a lock, so on its own it does not stop another
     * processor from creating a thread in the target - confirm whether a
     * real synchronisation object is needed here. */
    old_irql = KeGetCurrentIrql();
    if (old_irql < APC_LEVEL) {
        /* KeRaiseIrql stores the previous IRQL back into old_irql */
        KeRaiseIrql (APC_LEVEL, &old_irql);
    }

    KdPrint( ("Oregano: stopTracing: Got a stop trace command\r\n") );
    if (TRUE == is_new_thread_handler_installed) {
        /* NOTE(review): the returned status is ignored and the flag is
         * cleared unconditionally; also confirm the documented IRQL
         * requirement of this call against the raised APC_LEVEL above. */
        PsRemoveCreateThreadNotifyRoutine(newThreadHandler);
        is_new_thread_handler_installed = FALSE;
    } else {
        KdPrint(( "Oregano: stopTracing: Not new thread notifier\r\n" ));
    }
    if (0 != targetProcessId) {
        /* Stop single-stepping the traced process before forgetting its id */
        unsetTrapFlagForAllThreads(targetProcessId);
        targetProcessId = 0;
    }
    if (NULL != targetEProcess) {
        /* Drops one reference; presumably the one taken when tracing
         * started - verify against the code that sets targetEProcess */
        ObDereferenceObject( targetEProcess );
        targetEProcess = NULL;
    }
    target_process = NULL;
    /* Clears every logging range; sizeof covers the whole table only if
     * loggingRanges is an array and not a pointer - TODO confirm */
    RtlZeroMemory( loggingRanges, sizeof(loggingRanges) );

    /* Set back the Irql (only if it was raised above) */
    if (old_irql < APC_LEVEL) {
        KeLowerIrql( old_irql );
    }

    return;
}
Exemplo n.º 4
void LhBarrierProcessDetach()
{
/*
Description:

    Process-detach teardown for the barrier unit, invoked on DLL unload.
    In driver builds the thread-detach notify routine is removed first;
    then the TLS lock is deleted, every per-thread entry table that was
    allocated is freed, and the whole Unit structure is zeroed.

    NOTE(review): the status of PsRemoveCreateThreadNotifyRoutine is not
    checked; if removal fails, OnThreadDetach could still run against the
    state released below.
*/
	ULONG			Slot = 0;

#ifdef DRIVER
	// stop thread notifications before the state they use is torn down
	PsRemoveCreateThreadNotifyRoutine(OnThreadDetach);
#endif

	RtlDeleteLock(&Unit.TLS.ThreadSafe);

	// walk all TLS slots and free the ones that own an entry table
	while(Slot < MAX_THREAD_COUNT)
	{
		if(Unit.TLS.Entries[Slot].Entries != NULL)
		{
			RtlFreeMemory(Unit.TLS.Entries[Slot].Entries);
		}

		Slot++;
	}

	// leave no stale pointers behind
	RtlZeroMemory(&Unit, sizeof(Unit));
}
Exemplo n.º 5
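/*
 * RemoveCallbackNotify
 *	Unregisters one kernel notification callback described by a
 *	REMOVE_CALLBACK request.
 *
 *	InBuffer - pointer to a REMOVE_CALLBACK structure. The fields read are
 *	           NotifyType (which kind of callback), CallbackAddress (the
 *	           routine, used for load-image and create-thread callbacks)
 *	           and Note (cookie / record / device object, used for the
 *	           registry, bug-check and shutdown callbacks).
 *
 *	Returns the status of the underlying unregister call where it has
 *	one, STATUS_SUCCESS for a shutdown notification that was
 *	unregistered, and STATUS_UNSUCCESSFUL for a NULL buffer, an unusable
 *	address or cookie, an unknown type, or a bug-check record that was
 *	not deregistered.
 *
 *	NOTE(review): every address comes from the request and is only checked
 *	with MmIsAddressValid, which reports whether the page is currently
 *	mapped, not that the value is a callback, record or device object of
 *	the expected kind. The origin of InBuffer is not visible here
 *	(presumably a device-control input buffer - confirm); whoever can
 *	reach this routine can unregister notification callbacks owned by
 *	other drivers, including security software, so the caller must verify
 *	the buffer length and the device must only be openable by
 *	administrators.
 */
NTSTATUS RemoveCallbackNotify(PVOID InBuffer)
{
	NTSTATUS Status = STATUS_SUCCESS;
	PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer;
	ULONG_PTR CallbackAddress;
	CALLBACK_TYPE CallBackType;

	// Reject a missing request before any field is read
	if (Temp == NULL)
	{
		return STATUS_UNSUCCESSFUL;
	}

	CallbackAddress = Temp->CallbackAddress;
	CallBackType    = Temp->NotifyType;

	// CallbackAddress must be usable for every request type
	if (!CallbackAddress ||
		!MmIsAddressValid((PVOID)CallbackAddress))
	{
		return STATUS_UNSUCCESSFUL;
	}

	DbgPrint("CallBackType: %d\r\n",CallBackType);
	switch(CallBackType)
	{
	case NotifyLoadImage:
		{
			DbgPrint("Remove NotifyLoadImage\r\n");
			Status = PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)CallbackAddress);
			break;
		}
	case NotifyCmCallBack:
		{
			LARGE_INTEGER Cookie;
			ULONG_PTR Note = Temp->Note;
			Cookie.QuadPart = 0;

			DbgPrint("Remove NotifyCmCallBack\r\n");

			// On XP the cookie is looked up from Note; on Windows 7 Note
			// is the cookie itself. Other versions leave the cookie zero.
			if (WinVersion == WINDOWS_XP)
			{
				Cookie = XpGetRegisterCallbackCookie(Note);
			}

			if (WinVersion == WINDOWS_7)
			{
				Cookie.QuadPart = Note;
			}

			// A zero cookie means none was found for this request
			if (Cookie.QuadPart == 0)
			{
				return STATUS_UNSUCCESSFUL;
			}

			Status = CmUnRegisterCallback(Cookie);

			break;
		}
	case NotifyKeBugCheckReason:
		{
			ULONG_PTR Note = Temp->Note;

			// Report failure when there is no usable record instead of
			// returning success without having removed anything
			if (Note == 0 || !MmIsAddressValid((PVOID)Note))
			{
				Status = STATUS_UNSUCCESSFUL;
				break;
			}

			// The routine returns FALSE when the record was not registered
			if (!KeDeregisterBugCheckReasonCallback((PKBUGCHECK_REASON_CALLBACK_RECORD)Note))
			{
				Status = STATUS_UNSUCCESSFUL;
			}

			break;
		}
	case NotifyShutdown:
		{
			ULONG_PTR Note = Temp->Note;

			if (Note == 0 || !MmIsAddressValid((PVOID)Note))
			{
				Status = STATUS_UNSUCCESSFUL;
				break;
			}

			// Returns nothing, so Status keeps its initial STATUS_SUCCESS
			IoUnregisterShutdownNotification((PDEVICE_OBJECT)Note);

			break;
		}
	case NotifyCreateThread:
		{
			// CallbackAddress was already validated above; the routine
			// pointer is tested as well (presumably it can be resolved at
			// run time and be absent - confirm)
			if (!PsRemoveCreateThreadNotifyRoutine)
			{
				return STATUS_UNSUCCESSFUL;
			}

			// Assign to the function-level Status so the result of the
			// removal is what the caller receives
			Status = PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)CallbackAddress);

			break;
		}
	default:
		{
			Status = STATUS_UNSUCCESSFUL;
			break;
		}
	}

	return Status;
}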