Way to detect driver unload

Hello!

We can track driver loading with PsSetLoadImageNotifyRoutine or IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION.

Is there a way to detect driver unloading?

I think the short answer would be no.
You could do it by polling (asynchronously from a worker thread, for example) the system modules information and checking whether your target driver is still there, but I am not aware of any other way (callback related) to do this.

PS:
The acquire for section sync only tells you a section is created for a particular file. It does not guarantee that the driver/dll/exe/file would be loaded to run or not.

Cheers,
Gabriel

NTDEV is sponsored by OSR

Visit the list online at: http://www.osronline.com/showlists.cfm?list=ntdev

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Bercea. G.
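
The poll-and-diff approach Gabriel describes, written out as an added example (it is not code from this thread or from any of the posters). A real driver would fill each snapshot from ZwQuerySystemInformation(SystemModuleInformation) on a system worker thread; here the snapshots are constructed inline so the comparison logic runs as a plain user-mode C program. The module and watcher structures, the event names and the sample module names and base addresses are all assumptions made for the example.

```c
/* Added example (not code from the thread): a stateful poll-and-diff watcher for one
 * driver name. In a real driver the snapshot would come from
 * ZwQuerySystemInformation(SystemModuleInformation) (RTL_PROCESS_MODULES) on a worker
 * thread; here the snapshots are constructed inline so the logic runs offline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 16
#define NAME_LEN    64

typedef struct {
    char     name[NAME_LEN];  /* image file name, e.g. "mydriver.sys" (constructed) */
    uint64_t base;            /* image base address; a reload normally gets a new base */
} module_t;

typedef struct {
    module_t mods[MAX_MODULES];
    size_t   count;
} snapshot_t;

/* What one poll can tell us about the watched driver. */
typedef enum { EV_NONE = 0, EV_LOADED = 1, EV_UNLOADED = 2, EV_RELOADED = 3 } event_t;

/* Per-driver state carried between polls. */
typedef struct {
    const char *name;
    int         present;      /* seen in the previous poll? */
    uint64_t    base;         /* base recorded at the previous poll */
} watcher_t;

static void add_module(snapshot_t *s, const char *name, uint64_t base) {
    if (s->count >= MAX_MODULES) return;
    snprintf(s->mods[s->count].name, NAME_LEN, "%s", name);
    s->mods[s->count].base = base;
    s->count++;
}

static const module_t *find_module(const snapshot_t *s, const char *name) {
    for (size_t i = 0; i < s->count; i++)
        if (strcmp(s->mods[i].name, name) == 0)
            return &s->mods[i];
    return NULL;
}

void watcher_init(watcher_t *w, const char *name) {
    w->name = name;
    w->present = 0;
    w->base = 0;
}

/* Feed one poll result. Comparing names alone would miss an unload followed by a
 * reload between two polls; comparing the base as well reports that as EV_RELOADED
 * (an unload did happen, even though the name never disappeared from the list). */
event_t watcher_update(watcher_t *w, const snapshot_t *cur) {
    const module_t *m = find_module(cur, w->name);
    event_t ev = EV_NONE;
    if (m && !w->present)              ev = EV_LOADED;
    else if (!m && w->present)         ev = EV_UNLOADED;
    else if (m && m->base != w->base)  ev = EV_RELOADED;
    w->present = (m != NULL);
    w->base    = m ? m->base : 0;
    return ev;
}

/* Count unload events (EV_UNLOADED or EV_RELOADED) across a sequence of polls. */
int count_unloads(const snapshot_t *polls, size_t n, const char *name) {
    watcher_t w;
    int unloads = 0;
    watcher_init(&w, name);
    for (size_t i = 0; i < n; i++) {
        event_t ev = watcher_update(&w, &polls[i]);
        if (ev == EV_UNLOADED || ev == EV_RELOADED) unloads++;
    }
    return unloads;
}

int main(void) {
    /* Constructed poll sequence: driver absent, loads, stays, reloads at a new base, unloads. */
    snapshot_t polls[5];
    memset(polls, 0, sizeof polls);
    add_module(&polls[0], "ntoskrnl.exe", 0x1000);
    add_module(&polls[1], "ntoskrnl.exe", 0x1000); add_module(&polls[1], "mydriver.sys", 0x2000);
    add_module(&polls[2], "ntoskrnl.exe", 0x1000); add_module(&polls[2], "mydriver.sys", 0x2000);
    add_module(&polls[3], "ntoskrnl.exe", 0x1000); add_module(&polls[3], "mydriver.sys", 0x3000);
    add_module(&polls[4], "ntoskrnl.exe", 0x1000);
    printf("unload events for mydriver.sys: %d\n", count_unloads(polls, 5, "mydriver.sys"));
    return 0;
}
```

The base-address comparison is the part worth keeping: a name-only check reports nothing when the driver is unloaded and reloaded between two polls. Polling still gives no ordering guarantee relative to the unload itself, which is the limitation the thread goes on to discuss; it only tells you, after the fact, that the module is gone.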

Thank you Gabriel!
Unfortunately polling isn’t good enough for me :(


You can patch NtUnloadDriver (NTOSKRNL) but this will trigger Kernel Patch Protection on 64-bit environments; the only way around the 64-bit compatibility issue would be bypassing Kernel Patch Protection (which would be very dumb) or leveraging the hypervisor (which is an awful lot of work for just this task).

You can patch NtUnloadDriver (NTDLL) and service management routines exported by SECHOST.DLL in user-mode to monitor the activity on a per-process basis, but this is also a bad idea, just as patching of the Windows kernel is.

All in all, there is no documented, stable and secure way to do what you’re after yet, *as far as I know*… as long as your requirement is a callback for the operation. And even if you did go down the unethical route for the implementation, it likely would not be robust.

If you’re going to do what is already suggested above, you can monitor driver loading on Windows 10 environments via the SeRegisterImageVerificationCallback kernel-mode callback. It’s undocumented; however, it is used by a Windows Defender driver and is part of Early-Launch Anti-Malware (ELAM); it can be freely used if you can figure out how to use it. It’s up to you.

If you’d be kind to tell us why you need to monitor driver unload operations, there may be a much better opportunity at hand here… so please do let us know if possible!

IIRC, drivers are different from the “regular” executables/DLLs in a sense that they are not backed by their on-disk .sys file images when loaded. Even if they have pageable code, this code is backed by the pagefile, rather than the image one. In other words, a loaded driver is unrelated to its underlying section. This is why you can delete a .sys file while its driver is still loaded, which is impossible either with a “regular” executable image or with a .sys file that is mapped into memory as a “regular” one.

Once image-related callbacks rely upon monitoring executable sections, the above implies that detecting driver unload by any “supported” means is impossible…

Anton Bassov

Drivers have been backed by their own file, and not the page file, since win10.

d

Bent from my phone


From: 30141574400n behalf of
Sent: Monday, September 17, 2018 9:08 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Way to detect driver unload

IIRC, drivers are different from the “regular” executables/DLLS in a sense that they are not backed up by their on-disk .sys file images when loaded. Even if they have pageable code, this code is backed up by the pagefile, rather than the image one. In other words, a loaded driver is unrelated to its underlying section. This is why you can delete a.sys file while its driver is still loaded , which is impossible either with a “regular” executable image or with a .sys file that is mapped into memory as a “regular” one.

Once image-related callbacks rely upon monitoring executable sections, the above implies that detecting driver unload by any “supported” means is impossible…

Anton Bassov


NTDEV is sponsored by OSR

Visit the list online at: https:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at https:

To unsubscribe, visit the List Server section of OSR Online at https:</https:></https:></https:>

Doron,

Drivers have been backed by their own file, and not the page file, since win10.

The very first question that gets into my head at this point is “How can you update a driver that does not register an Unload() routine, and, hence, cannot be unloaded?” If I got it right, your statement implies that you are unable to delete the driver’s .sys file (at least if it has a pageable code section) until the driver in question is unloaded. Did I get it right? If I did, how can one update/uninstall drivers under these circumstances?

Anton Bassov

Thank you Melania!
I thought about NtUnloadDriver patching but still hoped for some easier way. But since my driver is a hypervisor, I guess I’ll go with intercepting NtUnloadDriver.

For the developer copy/replace scenario you now have to unload the driver where before you could get away with the foot while loaded. For true servicing we attempt to unload the driver first. If that fails, we always have rebooted. On the reboot, the file copy is done early in boot.

d


xxxxx@hotmail.com wrote:

> Drivers have been backed by their own file, and not the page file, since win10.
> The very first question that gets into my head at this point is “How can you update a driver that does not register an Unload() routine, and, hence, cannot be unloaded?” If I got it right, your statement implies that you are unable to delete the driver’s .sys file (at least if it has a pageable code section) until the driver in question is unloaded. Did I get it right? If I did, how can one update/uninstall drivers under these circumstances?

    erase   mydriver.was
    rename   mydriver.sys   mydriver.was
    copy   \new\copy\mydriver.sys   .
    reboot

Are you saying you have not encountered this annoyance yet? It’s one of the main reasons I still do virtually all of my driver debugging on Windows 8.1.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

It is an idea, not a solution: MAAAYYYY BE you can track the FILE_OBJECT that loads the file and check when an IRP_MJ_CLOSE reaches the object.