DriverLoader icon indicating copy to clipboard operation
DriverLoader copied to clipboard
verified publisher icon GitMirar

how to unload?

Open lqqqc opened this issue 1 year ago • 0 comments

how to unload this driver? NtUnloadDriver() can't

LSTATUS UnloadDriver(CONST LPSTR aService) {
	LSTATUS ret{ -1 };
	HMODULE hNtdll{ 0 };
	LPSTR aDriverKey{ 0 };
	LSTATUS l{ 0 };
	UNICODE_STRING uDriver{ 0 };
	ANSI_STRING asDriverKey{ 0 };
	_NtUnloadDriver NtUnloadDriver = nullptr;

	hNtdll = GetModuleHandleA("Ntdll.dll");
	if (hNtdll == 0) {
		goto CLEANUP;
	}

	NtUnloadDriver = (_NtUnloadDriver)GetProcAddress(hNtdll, "NtUnloadDriver");
	if (NtUnloadDriver == nullptr) {
		goto CLEANUP;
	}

	aDriverKey = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MAX_PATH);
	if (aDriverKey == NULL) {
		goto CLEANUP;
	}

	_snprintf_s(aDriverKey, MAX_PATH, MAX_PATH, "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s", aService);
	RtlInitAnsiString(&asDriverKey, aDriverKey);
	l = RtlAnsiStringToUnicodeString(&uDriver, &asDriverKey, TRUE);
	if (l) {
		goto CLEANUP;
	}

	ret = NtUnloadDriver(&uDriver);

CLEANUP:
	if (uDriver.Length != 0) {
		RtlFreeUnicodeString(&uDriver);
	}

	if (aDriverKey)
		HeapFree(GetProcessHeap(), NULL, aDriverKey);

	return ret;
}

lqqqc avatar Dec 10 '24 02:12 lqqqc