
Way to detect driver unload

Sergey_Pisarev Member - All Emails Posts: 141
Hello !

We can track driver loading with PsSetLoadImageNotifyRoutine or IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.

Is there a way to detect driver unloading ?

Comments

  • Gabriel_Bercea Member - All Emails Posts: 464
    I think the short answer would be no.
    You could do it by polling (async from a worker thread, for example) the
    system modules information and checking if your target driver is still there,
    but I am not aware of any other way (callback related) to do this.

    PS:
    The acquire for section sync only tells you a section is created for a
    particular file. It does not guarantee that the driver/dll/exe/file would
    be loaded to run or not.


    Cheers,
    Gabriel

    On Wed, Sep 12, 2018 at 8:27 AM xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:

    > Hello !
    >
    > We can track driver loading with PsSetLoadImageNotifyRoutine or
    > IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.
    >
    > Is there a way to detect driver unloading ?
    >
    >
    > ---
    > NTDEV is sponsored by OSR
    >
    > Visit the list online at: <http://www.osronline.com/showlists.cfm?list=ntdev>
    >
    > MONTHLY seminars on crash dump analysis, WDF, Windows internals and
    > software drivers!
    > Details at
    >
    > To unsubscribe, visit the List Server section of OSR Online at
    > <http://www.osronline.com/page.cfm?name=ListServer>
    >


    --
    Bercea. G.

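The polling approach described above, written out as an added user-mode example that is not part of this thread: take periodic snapshots of the loaded-driver list and diff them. The enumeration uses psapi's EnumDeviceDrivers and GetDeviceDriverBaseNameW, so it assumes Windows; the diff logic is platform-independent and also keys on the image base, because a driver that is unloaded and loaded again between two polls keeps its name and is otherwise invisible to a name-only poll.

```python
import sys
from typing import Dict, List

# A snapshot maps driver base name (lower-cased) -> image base address.
Snapshot = Dict[str, int]


def diff_snapshots(prev: Snapshot, curr: Snapshot) -> Dict[str, List[str]]:
    """Compare two polls of the loaded-driver list.

    unloaded: present in the previous poll, gone now.
    loaded:   newly present.
    reloaded: same name in both polls but at a different image base, which is
              the only trace left when unload and reload both happened between
              two polls (the blind spot of polling by name alone).
    """
    unloaded = sorted(n for n in prev if n not in curr)
    loaded = sorted(n for n in curr if n not in prev)
    reloaded = sorted(n for n in prev if n in curr and prev[n] != curr[n])
    return {"unloaded": unloaded, "loaded": loaded, "reloaded": reloaded}


def snapshot_loaded_drivers() -> Snapshot:
    """Enumerate loaded kernel modules via psapi (Windows only)."""
    if sys.platform != "win32":
        raise OSError("driver enumeration requires Windows")
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    psapi.EnumDeviceDrivers.argtypes = [ctypes.c_void_p, wintypes.DWORD,
                                        ctypes.POINTER(wintypes.DWORD)]
    psapi.GetDeviceDriverBaseNameW.argtypes = [ctypes.c_void_p, wintypes.LPWSTR,
                                               wintypes.DWORD]
    needed = wintypes.DWORD(0)
    psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed))  # size query
    bases = (ctypes.c_void_p * (needed.value // ctypes.sizeof(ctypes.c_void_p)))()
    if not psapi.EnumDeviceDrivers(bases, needed.value, ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    snap: Snapshot = {}
    name = ctypes.create_unicode_buffer(260)
    for base in bases[: needed.value // ctypes.sizeof(ctypes.c_void_p)]:
        if base and psapi.GetDeviceDriverBaseNameW(base, name, 260):
            snap[name.value.lower()] = base
    return snap


if __name__ == "__main__":
    import time
    prev = snapshot_loaded_drivers()
    while True:  # poll every two seconds and report any change
        time.sleep(2)
        curr = snapshot_loaded_drivers()
        changes = diff_snapshots(prev, curr)
        if any(changes.values()):
            print(changes)
        prev = curr
```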

  • Sergey_Pisarev Member - All Emails Posts: 141
    Thank you Gabriel !
    Unfortunately polling isn’t good enough for me :-(

  • Melania_Romano Member Posts: 1
    You can patch NtUnloadDriver (NTOSKRNL) but this will trigger Kernel Patch Protection on 64-bit environments; the only way around the 64-bit compatibility issue would be bypassing Kernel Patch Protection (which would be very dumb) or leveraging the hypervisor (which is an awful lot of work for just this task).

    You can patch NtUnloadDriver (NTDLL) and service management routines exported by SECHOST.DLL in user-mode to monitor the activity on a per-process basis, but this is also a bad idea, just as patching of the Windows kernel is.

    All in all, there is no documented, stable and secure way to do what you're after yet, *as far as I know*... as long as your requirement is a callback for the operation. And even if you did go down the unethical route for the implementation, it likely would not be robust.

    If you're going to do what is already suggested above, you can monitor driver loading on Windows 10 environments via the SeRegisterImageVerificationCallback kernel-mode callback. It's undocumented; however, it is used by a Windows Defender driver and is part of Early-Launch Anti-Malware (ELAM); it can be freely used if you can figure out how to use it. It's up to you.

    If you'd be kind to tell us why you need to monitor driver unload operations, there may be a much better opportunity at hand here... so please do let us know if possible!
  • anton_bassov Member Posts: 4,812
    IIRC, drivers are different from the "regular" executables/DLLs in the sense that they are not backed by their on-disk .sys file images when loaded. Even if they have pageable code, this code is backed by the pagefile, rather than the image one. In other words, a loaded driver is unrelated to its underlying section. This is why you can delete a .sys file while its driver is still loaded, which is impossible either with a "regular" executable image or with a .sys file that is mapped into memory as a "regular" one.


    Once image-related callbacks rely upon monitoring executable sections, the above implies that detecting driver unload by any "supported" means is impossible....



    Anton Bassov
  • Doron_Holan Member - All Emails Posts: 10,373
    Drivers have been backed by their own file, and not the page file, since win10.

    d

    Bent from my phone

  • anton_bassov Member Posts: 4,812
    Doron,

    > Drivers have been backed by their own file, and not the page file, since win10.

    The very first question that gets into my head at this point is "How can you update a driver that does not register an Unload() routine, and, hence, cannot be unloaded?" If I got it right, your statement implies that you are unable to delete the driver's .sys file (at least if it has a pageable code section) until the driver in question is unloaded. Did I get it right? If I did, how can one update/uninstall drivers under these circumstances?


    Anton Bassov
  • Sergey_Pisarev Member - All Emails Posts: 141
    Thank you Melania !
    I thought about NtUnloadDriver patching but still hoped for some easier way. But since my driver is a hypervisor I guess I'll go with intercepting NtUnloadDriver.
  • Doron_Holan Member - All Emails Posts: 10,373
    For the developer copy/replace scenario you now have to unload the driver where before you could get away with the foot while loaded. For true servicing we attempt to unload the driver first. If that fails, we have always rebooted. On the reboot, the file copy is done early in boot.

    d

    Bent from my phone

  • Tim_Roberts Member - All Emails Posts: 12,667
    xxxxx@hotmail.com wrote:
    >
    >> Drivers have been backed by their own file, and not the page file, since win10.
    > The very first question that gets into my head at this point is "How can you update a driver that does not register an Unload() routine, and, hence, cannot be unloaded?" If I got it right, your statement implies that you are unable to delete the driver's .sys file (at least if it has a pageable code section) until the driver in question is unloaded. Did I get it right? If I did, how can one update/uninstall drivers under these circumstances?

        erase   mydriver.was
        rename   mydriver.sys   mydriver.was
        copy   \new\copy\mydriver.sys   .
        reboot

    Are you saying you have not encountered this annoyance yet?  It's one of
    the main reasons I still do virtually all of my driver debugging on
    Windows 8.1.
    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.


  • Mauro_Leggieri Member Posts: 54

    It is an idea, not a solution: MAAAYYYY BE you can track the FILE_OBJECT that loads a file and check when an IRP_CLOSE reaches the object.
