Drivers don’t unload if there is a leaked reference to DeviceObject or
DriverObject. Apart from IoCreateDevice, there are several functions that
take a reference to DriverObject and DeviceObject, and if you don’t follow
the guidelines for using those functions, you end up leaking the
reference. Here is how you debug this:

The technique suggested below works for all objects. I’m just going to
illustrate it for DeviceObject.
1. Put a breakpoint right after the driver calls IoCreateDevice. Get the
DeviceObject address.
2. Find the object header by doing !object <object_address>:
    kd> !object 81a578c0
    Object: 81a578c0 Type: (81bd0e70) Device
    ObjectHeader: 81a578a8
    HandleCount: 0 PointerCount: 3
    Directory Object: e1001208 Name: Serial0
The first variable in the ObjectHeader is the reference count (aka
Pointer Count).
3. Put a write breakpoint on the pointer count like this:
    kd> ba w4 <objectheader_address> "k;g"
4. Hit go, watch the debugger spit out a log.
5. Look for the mismatched reference/dereference pair (i.e., a missing
deref). Note that ObReferenceObject is implemented as a macro inside the
kernel.
-Eliyas
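
Added example, not part of the original post: a Python script for step 5 that splits the log produced by the "k;g" breakpoint into stack traces and tallies references against dereferences per caller. The log text, the driver name mydrv and all addresses are constructed, and it assumes the top frame's symbol name contains Reference or Dereference; hits it cannot classify count as 0 and need a manual look.

```python
import re
from collections import Counter

# Constructed sample log (x86 `k` output); "mydrv" and all addresses are made up.
SAMPLE_LOG = """\
ChildEBP RetAddr
f8950c20 f7a41234 nt!ObfReferenceObject+0x1c
f8950c40 804e3d77 mydrv!StartWorker+0x2a
ChildEBP RetAddr
f8950c20 f7a41300 nt!ObfDereferenceObject+0x1f
f8950c40 804e3d77 mydrv!WorkerDone+0x44
ChildEBP RetAddr
f8950c20 f7a41510 nt!ObfReferenceObject+0x1c
f8950c40 804e3d77 mydrv!QueueRequest+0x18
"""

# "<frame ptr> <return addr> module!symbol+0xoffset"; backticks allow x64 addresses.
FRAME = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+(\S+![^\s+]+)(?:\+0x[0-9a-f]+)?$", re.I)

def split_stacks(log):
    stacks = []
    for line in log.splitlines():
        if line.startswith(("ChildEBP", "Child-SP")):
            stacks.append([])          # header line starts a new trace
        elif stacks:
            m = FRAME.match(line.strip())
            if m:
                stacks[-1].append(m.group(1))
    return [s for s in stacks if s]

def classify(stack):
    """+1 for a reference, -1 for a dereference, 0 if the top frame is unclear."""
    top = stack[0].split("!", 1)[1]
    if "Dereference" in top:
        return -1
    return 1 if "Reference" in top else 0

def caller(stack):
    # First frame outside nt!, i.e. the code that asked for the ref/deref.
    return next((f for f in stack[1:] if not f.startswith("nt!")), stack[0])

def summarize(log):
    per_caller = Counter()
    for stack in split_stacks(log):
        per_caller[caller(stack)] += classify(stack)
    return sum(per_caller.values()), dict(per_caller)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A positive net value means more references than dereferences were logged; the callers with +1 entries and no matching -1 are where to start looking.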