KernelMode.info

Hi,

I am trying to get my driver working however although everything appears to be ok the target driver does not unload, although everything initiates in windbg. The target driver is loaded/spawned when a target program is run, the driver exports to temp and uses sc to load, it has a certificate.

I test sign my driver and install it to system32 via the below inf and then load it with "net start protect". My driver is loaded before the target driver loads therefore should block loading but this doesn't happen, when i "sc query target" it is still running, the target driver doesnt seem to have an unload function as its NON_STOPPABLE, NON_PAUSABLE however this shouldn't cause problems i don't think.

Please can you review the code and provide any feedback. Test machine Win 7 x64 SP1.

Thanks.

If the target driver has no defined Unload procedure it can't be unloaded by simple NtUnloadDriver. You need to patch it driver object or patch target driver entry point to return inside the ImageLoad notify callback.

Any example you can recommend? Thing is though is works sometimes, regardless of NtUnLoadDriver this also blocks the load procedure so should work still.

three downloads, one person helped. go leech elsewhere please.

kerpow wrote:Thing is though is works sometimes, regardless of NtUnLoadDriver this also blocks the load procedure so should work still.

What is that target driver?

Set image notify callback, on load event get and patch driver entry point (from ImageInfo->ImageBase) with unsuccessful return value, this will 100% block any driver loading even without using filtering API.

why would Name.Info be empty even with a test driver that has an unload function? Is there some error I am missing?

the code was solved with a direct call to the filename so that Name was no longer empty, simple code mistake. This code is not aimed at AV or Anti-Rootkits it is aimed at a target that loads a driver from usermode via service control manager, the usermode target does not do any tricks to detect the loading of a filter driver or callback registration and does not check itself if its driver is unloaded so this trick to unload the driver will work perfectly for the target in question.