/* * DrvUnload * Driver unload point */ extern "C" void DrvUnload(PDRIVER_OBJECT driver) { // Log entry LOG("Unloading driver"); // Destroy image-load callback LOG2("Unregistering image-load callback"); PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)&ImageLoadCallback); // Destroy process-creation callback LOG2("Unregistering process-creation callback"); NC_PROCESSCREATE_NOTIFY(ProcessCreateCallback, 1); // Destroy thread-creation callback LOG2("Unregistering thread-creation callback"); PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)&ThreadCreateCallback); // Unmap memory if need be CloseLinks(); // Convert devlink string UNICODE_STRING devLink; RtlInitUnicodeString(&devLink, devicelink); // Delete symlink LOG2("Deleting sym-link to device"); IoDeleteSymbolicLink(&devLink); // Delete device LOG2("Deleting device"); IoDeleteDevice(driver->DeviceObject); // Log exit LOG("Driver unloaded"); }
VOID DriverUnload ( PDRIVER_OBJECT DriverObject ) { NTSTATUS Status; DbgPrint ( "%s DriverObject=%p\n", __FUNCTION__, DriverObject ); Status = PsRemoveCreateThreadNotifyRoutine ( ThreadNotifyCallback ); if ( ! NT_SUCCESS ( Status ) ) { DbgPrint ( "%s PsRemoveCreateThreadNotifyRoutine() FAIL=%08x\n", __FUNCTION__, Status ); } // Step #4 : Uninitialize the lock that protects the g_Tidxxx globals (ExDeleteResourceLite()) ExDeleteResourceLite(&g_TidLock); }
/* Stops and cleans any tracing if needed */ void stopTracing() { KIRQL old_irql = 0; PAGED_CODE(); /* Raise the IRQL otherwise new thread could be created while cleaning */ old_irql = KeGetCurrentIrql(); if (old_irql < APC_LEVEL) { KeRaiseIrql (APC_LEVEL, &old_irql); } KdPrint( ("Oregano: stopTracing: Got a stop trace command\r\n") ); if (TRUE == is_new_thread_handler_installed) { PsRemoveCreateThreadNotifyRoutine(newThreadHandler); is_new_thread_handler_installed = FALSE; } else { KdPrint(( "Oregano: stopTracing: Not new thread notifier\r\n" )); } if (0 != targetProcessId) { unsetTrapFlagForAllThreads(targetProcessId); targetProcessId = 0; } if (NULL != targetEProcess) { ObDereferenceObject( targetEProcess ); targetEProcess = NULL; } target_process = NULL; RtlZeroMemory( loggingRanges, sizeof(loggingRanges) ); /* Set back the Irql */ if (old_irql < APC_LEVEL) { KeLowerIrql( old_irql ); } return; }
void LhBarrierProcessDetach() { /* Description: Will be called on DLL unload. */ ULONG Index; #ifdef DRIVER PsRemoveCreateThreadNotifyRoutine(OnThreadDetach); #endif RtlDeleteLock(&Unit.TLS.ThreadSafe); // release thread specific resources for(Index = 0; Index < MAX_THREAD_COUNT; Index++) { if(Unit.TLS.Entries[Index].Entries != NULL) RtlFreeMemory(Unit.TLS.Entries[Index].Entries); } RtlZeroMemory(&Unit, sizeof(Unit)); }
NTSTATUS RemoveCallbackNotify(PVOID InBuffer) { NTSTATUS Status = STATUS_SUCCESS; PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR CallbackAddress = Temp->CallbackAddress; CALLBACK_TYPE CallBackType = Temp->NotifyType; if (!CallbackAddress || !MmIsAddressValid((PVOID)CallbackAddress)) { return STATUS_UNSUCCESSFUL; } DbgPrint("CallBackType: %d\r\n",CallBackType); switch(CallBackType) { case NotifyLoadImage: { DbgPrint("Remove NotifyLoadImage\r\n"); Status = PsRemoveLoadImageNotifyRoutine((PLOAD_IMAGE_NOTIFY_ROUTINE)CallbackAddress); break; } case NotifyCmCallBack: { LARGE_INTEGER Cookie; ULONG_PTR Note = Temp->Note; Cookie.QuadPart = 0; DbgPrint("Remove NotifyCmCallBack\r\n"); if (WinVersion == WINDOWS_XP) { Cookie = XpGetRegisterCallbackCookie(Note); } if (WinVersion==WINDOWS_7) { Cookie.QuadPart = Note; } if (Cookie.LowPart == 0 && Cookie.HighPart == 0) { return STATUS_UNSUCCESSFUL; } Status = CmUnRegisterCallback(Cookie); break; } case NotifyKeBugCheckReason: { PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR Note = Temp->Note; if (Note!=NULL&&MmIsAddressValid((PVOID)Note)) { KeDeregisterBugCheckReasonCallback((PKBUGCHECK_REASON_CALLBACK_RECORD)Note); } break; } case NotifyShutdown: { LARGE_INTEGER Cookie; PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR Note = Temp->Note; if (Note!=NULL&&MmIsAddressValid((PVOID)Note)) { IoUnregisterShutdownNotification((PDEVICE_OBJECT)Note); } break; } case NotifyCreateThread: { NTSTATUS Status = STATUS_SUCCESS; PREMOVE_CALLBACK Temp = (PREMOVE_CALLBACK)InBuffer; ULONG_PTR CallbackAddress = Temp->CallbackAddress; if (!CallbackAddress || !MmIsAddressValid((PVOID)CallbackAddress)||!PsRemoveCreateThreadNotifyRoutine) { return STATUS_UNSUCCESSFUL; } Status = PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)CallbackAddress); break; } default: { Status = STATUS_UNSUCCESSFUL; } } return Status; }