Driver Unload Notification

Hi,

Good day! I’m very new to Windows driver development and I just want to know if there is any way to detect unloading of drivers. I have tried reading through the Windows driver documentation but haven’t found any function for that.

Thanks,
Brex

On Nov 19, 2017, at 11:08 PM, xxxxx@gmail.com wrote:

> Good day! I’m very new to Windows driver development and I just want to know if there is any way to detect unloading of drivers. I have tried reading through the Windows driver documentation but haven’t found any function for that.

Detect from where? There is a kernel debugger command to break on module unloads (sx e ud). A driver always gets a DriverUnload call before it is unloaded (and without that callback, it cannot BE unloaded).

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for your response. I want to detect it from the driver I am creating. I haven’t found any function in the documentation, but maybe I just missed something. For now, I am trying to search for an “event” that happens during the unloading of another driver, but so far I have had no luck.

Does this help?
https://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx

2017-11-20 16:14 GMT+08:00 xxxxx@gmail.com :

> Thanks for your response. I want to detect it from the driver I am
> creating. I haven’t found any function in the documentation, but maybe I
> just missed something. For now, I am trying to search for an “event” that
> happens during the unloading of another driver, but so far I have had no luck.

Thank you for that. Unfortunately, I already used that for driver load detection. It did not work on the unloading part.

Here is an “alternative” way of addressing your need. The following is a purely
“hacking” way of reaching your goal. I haven’t done this before, but I think you
might give it a try. This hack might not work.

  1. You are able to detect a driver load event, and therefore you should be
     able to get a pointer to DriverObject
     https:
     .
  2. Hack the driver object by chaining the DriverUnload routine to yours.

2017-11-20 16:44 GMT+08:00 xxxxx@gmail.com :

> Thank you for that. Unfortunately, I already used that for driver load
> detection. It did not work on the unloading part.

Thank you. I’ll try that one.
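
The DriverUnload chaining suggested earlier in the thread, as a user-mode C model added here for illustration (not code from any poster, and not kernel code). MOCK_DRIVER_OBJECT, hook_unload, unhook_all and the other names are hypothetical; the model omits the synchronization a real driver would need and shows two hazards: a target with no DriverUnload must not be given one, and every pointer must be restored before the monitoring driver itself unloads.

```c
#include <stddef.h>
/* User-mode model: hypothetical stand-in for the kernel DRIVER_OBJECT. */
typedef struct MOCK_DRIVER_OBJECT MOCK_DRIVER_OBJECT;
typedef void (*UNLOAD_FN)(MOCK_DRIVER_OBJECT *);
struct MOCK_DRIVER_OBJECT { UNLOAD_FN DriverUnload; };
#define MAX_HOOKS 8
static struct { MOCK_DRIVER_OBJECT *Drv; UNLOAD_FN Original; } g_hooks[MAX_HOOKS];
int g_unloads_seen, g_sample_cleanups;  /* monitor events; sample cleanups */
/* Constructed sample: a target driver's own unload routine. */
void sample_unload(MOCK_DRIVER_OBJECT *drv) { (void)drv; g_sample_cleanups++; }

/* Slot holding drv, or a free slot when drv is NULL; -1 if none. */
static int slot_of(MOCK_DRIVER_OBJECT *drv) {
    for (int i = 0; i < MAX_HOOKS; i++) if (g_hooks[i].Drv == drv) return i;
    return -1;
}

/* Installed in place of the target's routine: record the event, then chain. */
static void monitor_unload(MOCK_DRIVER_OBJECT *drv) {
    int i = drv ? slot_of(drv) : -1;
    if (i < 0) return;
    g_hooks[i].Drv = NULL;        /* object is going away: free the slot */
    g_unloads_seen++;
    g_hooks[i].Original(drv);     /* the target still runs its own cleanup */
}

/* Returns 0 when hooked, -1 when refused. A NULL DriverUnload means the driver
   cannot be unloaded; installing one would change that, so it is left alone. */
int hook_unload(MOCK_DRIVER_OBJECT *drv) {
    int i = slot_of(NULL);
    if (i < 0 || !drv || !drv->DriverUnload || drv->DriverUnload == monitor_unload)
        return -1;
    g_hooks[i].Drv = drv;
    g_hooks[i].Original = drv->DriverUnload;
    drv->DriverUnload = monitor_unload;
    return 0;
}

/* Run before the monitor itself unloads, or targets keep a pointer into freed code. */
int unhook_all(void) {
    int n = 0;
    for (int i = 0; i < MAX_HOOKS; i++) {
        if (!g_hooks[i].Drv) continue;
        g_hooks[i].Drv->DriverUnload = g_hooks[i].Original;
        g_hooks[i].Drv = NULL;
        n++;
    }
    return n;
}
```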