Hi,
Good day! I’m very new to windows driver development and I just want to know if there is any way to detect unloading of drivers. I have tried reading through windows driver documentation but haven’t found any function for that.
Thanks,
Brex
Hi,
Good day! I’m very new to windows driver development and I just want to know if there is any way to detect unloading of drivers. I have tried reading through windows driver documentation but haven’t found any function for that.
Thanks,
Brex
On Nov 19, 2017, at 11:08 PM, xxxxx@gmail.com wrote:
Good day! I’m very new to windows driver development and I just want to know if there is any way to detect unloading of drivers. I have tried reading through windows driver documentation but haven’t found any function for that.
Detect from where? There is a kernel debugger command to break on module unloads (sx e ud). A driver always gets a DriverUnload call before it is unloaded (and without that callback, it cannot BE unloaded).
—
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Thanks for your response. I want to detect it from the driver I am creating. I haven’t found any function in the documentation but maybe I just miss something. For now, I am trying to search for “event” that happens during an unloading of another driver but so far has no luck.
does this help?
https://msdn.microsoft.com/en-us/library/windows/hardware/ff559957(v=vs.85).aspx
2017-11-20 16:14 GMT+08:00 xxxxx@gmail.com :
> Thanks for your response. I want to detect it from the driver I am
> creating. I haven’t found any function in the documentation but maybe I
> just miss something. For now, I am trying to search for “event” that
> happens during an unloading of another driver but so far has no luck.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
></http:></http:>
Thank you for that. Unfortunately, I already used that for driver load detection. It did not work on the unloading part.
Here is “alternative” way of addressing your need. The following is purely
“hacking” way of your goal. I haven’t done this before, but I think you
might take a try. This hack might not work.
Thank you. I’ll try that one.