Kernel driver dynamic unload on vista 32bit

OSR_Community_User · January 29, 2011, 5:36pm

I’m writing some code based on dynamic driver load docs found online. I have a kernel driver dynamically load another kernel DLL at runtime using ZwSetSystemInformation(SystemLoadImage…). The kernel DLL imports a few common code from the kernel driver using loadtime link (def file). My problem is that ZwSetSystemInformation(SystemUnloadImage…) doesnot work to unload the kernel DLL when kernel driver’s exit routine is called. SystemUnloadImage returns success but the kernel DLL is still in memory. Is there anything that can prevent the kernel DLL from being unloaded? Kernel driver is the only user of this kernel DLL, who’s module referenceCount is 1.

Thanks in advance!

mm1 · January 29, 2011, 5:49pm

Let me make sure that I have this straight:

your DRIVER manually loads your DLL
your DRIVER imports from your DLL
your DLL also imports from your DRIVER

If that’s correct, that’s pretty complicated - why does your DLL import from
your DRIVER?

Does your DLL contain DllInitialize and DLLUnload?
Is your DLL and export only DLL - i. e. doesn’t create any devices, et.
c.?

mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@msn.com
Sent: Saturday, January 29, 2011 5:36 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel driver dynamic unload on vista 32bit

I’m writing some code based on dynamic driver load docs found online. I have
a kernel driver dynamically load another kernel DLL at runtime using
ZwSetSystemInformation(SystemLoadImage…). The kernel DLL imports a few
common code from the kernel driver using loadtime link (def file). My
problem is that ZwSetSystemInformation(SystemUnloadImage…) doesnot work to
unload the kernel DLL when kernel driver’s exit routine is called.
SystemUnloadImage returns success but the kernel DLL is still in memory. Is
there anything that can prevent the kernel DLL from being unloaded? Kernel
driver is the only user of this kernel DLL, who’s module referenceCount is
1.

Thanks in advance!

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Bill_Wandel · January 29, 2011, 5:54pm

Why are you not using ZwLoadDrive/ZwUnloadDriver?

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@msn.com
Sent: Saturday, January 29, 2011 5:36 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Kernel driver dynamic unload on vista 32bit

I’m writing some code based on dynamic driver load docs found online. I have
a kernel driver dynamically load another kernel DLL at runtime using
ZwSetSystemInformation(SystemLoadImage…). The kernel DLL imports a few
common code from the kernel driver using loadtime link (def file). My
problem is that ZwSetSystemInformation(SystemUnloadImage…) doesnot work to
unload the kernel DLL when kernel driver’s exit routine is called.
SystemUnloadImage returns success but the kernel DLL is still in memory. Is
there anything that can prevent the kernel DLL from being unloaded? Kernel
driver is the only user of this kernel DLL, who’s module referenceCount is
1.

Thanks in advance!

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Don_Burn_1 · January 29, 2011, 6:20pm

Be aware that the ZwSetSystemInformation stuff documented on the web is
wrong for most versions of Windows. They changed the SystemLoadImage to
two different calls starting around XP, and you probably want the one
that is undocumented.

As was asked why not use ZwLoadDriver/ZwUnloadDriver as long as you do
not mind the driver entry routine being called.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@msn.com” wrote in message
news:xxxxx@ntdev:

> I’m writing some code based on dynamic driver load docs found online. I have a kernel driver dynamically load another kernel DLL at runtime using ZwSetSystemInformation(SystemLoadImage…). The kernel DLL imports a few common code from the kernel driver using loadtime link (def file). My problem is that ZwSetSystemInformation(SystemUnloadImage…) doesnot work to unload the kernel DLL when kernel driver’s exit routine is called. SystemUnloadImage returns success but the kernel DLL is still in memory. Is there anything that can prevent the kernel DLL from being unloaded? Kernel driver is the only user of this kernel DLL, who’s module referenceCount is 1.
>
> Thanks in advance!

OSR_Community_User · January 30, 2011, 5:02am

Thanks to everyone for replying my questions.

The kernel DLL is very simple. It imports a global data structure from kernel driver and override a few functions pointers in this structure based on runtime info.

Kernel driver:

struct A
{
funcPtrA
funcPtrB
} table // imported by kernel DLL (loadtime link)

Kernel DLL:

void entry() // runtime getProcAddr by kernel driver
{
table.funcPtrA = localFuncA;
table.funcPtrB = localFuncB;
}

localFuncA(){…}
localFuncB(){…}

The kernel DLL is not really a “driver” so I’d not involve other things like registry for my experiment. The DLL does not create device, etc. It just provides functions for kernel driver when needed (why it’s using dynamic load). No DllInitialize and DLLUnload is implemented. But it has an empty entry function.

Don, could you offer more info about ZwSetSystemInformation? For example, how can I find the correct usage of ZwSetSystemInformation? Thanks!