unload drivers

Started by Darkside, January 06, 2014, 12:28:17 AM


Darkside

Currently I'm coding a tool which shows all the running drivers. I want to add an option so that the user can unload a running driver from memory.
The API ZwUnloadDriver can do that (http://msdn.microsoft.com/en-us/library/ff567117).

However, I can't get it working. Do you see something wrong?


include \masm32\include\masm32rt.inc   ; windows.inc, kernel32 and the WSTR macro
include \masm32\include\ntdll.inc      ; RtlInitUnicodeString, ZwUnloadDriver
includelib \masm32\lib\ntdll.lib

; Counted string as ntdll expects it: both lengths are byte counts.
; "Length" is a MASM operator, so the field is named Leng instead.
UNICODE_STRING struct
    Leng          dw ?      ; bytes in use, terminator excluded
    MaximumLength dw ?      ; bytes available in Buffer
    Buffer        dd ?      ; pointer to the UTF-16 text
UNICODE_STRING ends

.data
uni         UNICODE_STRING <>
WSTR    drivername,"\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\test",0

.code
start:
    invoke RtlInitUnicodeString, Addr uni, Addr drivername
    invoke ZwUnloadDriver, Addr uni
    .if eax != STATUS_SUCCESS
        invoke ExitProcess, 1   ; unload failed; eax holds the NTSTATUS
    .endif
    invoke ExitProcess, 0
end start

dedndave

ZwUnloadDriver is to be called from a kernel-mode driver.
In user mode, you want to use NtUnloadDriver.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff567122%28v=vs.85%29.aspx

Quote: Calling a ZwXxx routine from user mode is not supported; instead, native applications (applications that bypass the Microsoft Win32 subsystem) should call the NtXxx equivalent of the ZwXxx routine.

fearless

Quote: Note that a file system filter driver cannot safely be unloaded from a running system. Thus a filter should only use ZwUnloadDriver for debugging purposes. It should not call this routine in a retail version of the filter.

Might be that it can't be unloaded. What does the call to ZwUnloadDriver return? Or it could be that the defined WSTR and the call to RtlInitUnicodeString are not applicable or not working as expected.

dedndave

When the string is statically pre-defined, I would probably initialize the counted string structure myself.
For dynamic strings, I might use the RtlInitUnicodeString function   :P

Darkside

It makes no difference whether I use Zw or Nt; the return value is C0000061 for both.
The Unicode string seems to work correctly.

Adamanteus

That is a variously privileged operation; it requires ring 0 code.

dedndave

From nterr.h:
#define NT_STATUS_PRIVILEGE_NOT_HELD 0xC0000000 | 0x0061

Perhaps you do not have admin privileges - perhaps admin privilege is not enough.

Darkside

Well, the driver is loaded without any admin privileges.
When I tried to unload WITH (and without) admin privileges, the error C0000061 is returned.
::)

Darkside

Found that we need SE_DEBUG_NAME privileges to get it working.

I found this source which is working for Windows XP, but not for Windows 7.

http://pastebin.com/9EU710yt
http://exelab.ru/f/index.php?action=vthread&forum=6&topic=11246
So maybe someone knows what's wrong?

dedndave

Is it the same error code?

Darkside

Yes. But in Windows XP it is working fine...

dedndave

Each version of Windows adds a layer in the registry - and a layer of security.

When they came out with Vista, for example, they introduced UAC, WHQL driver signing, etc.

But others have found solutions for what you are doing - they're just likely to be in some flavor of C.
By knowing that, you should be able to refine your search terms and come up with some answers.

You might try googling "NT_STATUS_PRIVILEGE_NOT_HELD Windows 7"
or Windows 8 - try replacing the named error with 0xC0000061, and so on.

You could also add "NtUnloadDriver" to help narrow the search.

dedndave

By the way - the permissions that are required to install a driver are going to be different from removing one   :P
You can probably work around either by modifying group policies - but that's not a good all-round solution.

Darkside

Yes, I searched a lot for a solution. I also used the terms you posted, for example.
I found one solution, which is using AdjustTokenPrivileges like in the source mentioned earlier.

http://pastebin.com/9EU710yt

This source is working for Windows XP 32-bit and Windows 7 32-bit, but not for Windows 7 64-bit. Same error as always, even with its added privilege.
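An added worked example, in C rather than MASM, that is not code from this thread or from the pastebin source. It ties together dedndave's suggestion of initialising the counted string yourself and the AdjustTokenPrivileges approach mentioned above. The privilege it enables is SeLoadDriverPrivilege (the "Load and unload device drivers" user right), which is the privilege the kernel checks on NtUnloadDriver. The caveat that explains a persistent C0000061 on Vista and later: AdjustTokenPrivileges can only enable a privilege that is already present in the token, and a UAC-filtered (non-elevated) administrator token does not carry SeLoadDriverPrivilege, so the call returns TRUE with GetLastError() == ERROR_NOT_ALL_ASSIGNED and NtUnloadDriver still returns STATUS_PRIVILEGE_NOT_HELD; the process has to run elevated. The service key, the helper names and the is_service_key check are constructed for this example; the Windows-only part sits under #ifdef _WIN32 so the string handling builds and runs on any host.

```c
/* Added example (not code from the thread): hand-initialised counted string,
 * AdjustTokenPrivileges for SeLoadDriverPrivilege, NtUnloadDriver via ntdll. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as ntdll's UNICODE_STRING: byte counts, then UTF-16 text pointer. */
typedef struct {
    uint16_t  Length;         /* bytes in use, terminator excluded */
    uint16_t  MaximumLength;  /* bytes available in Buffer */
    uint16_t *Buffer;         /* text need not be NUL-terminated */
} counted_wstr;

/* Widen an ASCII service key into a 16-bit buffer; returns chars written. */
static size_t ascii_to_utf16(const char *src, uint16_t *dst, size_t cap)
{
    size_t n = 0;
    for (; src[n] != '\0' && n + 1 < cap; n++)
        dst[n] = (uint16_t)(unsigned char)src[n];
    dst[n] = 0;
    return n;
}

/* What RtlInitUnicodeString computes: Length is in BYTES, not characters,
 * and MaximumLength includes the two-byte terminator. */
static void init_counted(counted_wstr *u, uint16_t *buf, size_t nchars)
{
    u->Length        = (uint16_t)(nchars * 2);
    u->MaximumLength = (uint16_t)(u->Length + 2);
    u->Buffer        = buf;
}

/* NtUnloadDriver wants the service's registry key (case-insensitive), not a
 * .sys path. A doubled backslash is rejected: MASM string literals have no
 * C-style escapes, so "\\" in the source really is two characters. */
static int is_service_key(const char *path)
{
    static const char pre[] =
        "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\";
    size_t i;
    for (i = 0; pre[i] != '\0'; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)pre[i]))
            return 0;
    return path[i] != '\0' && strstr(path, "\\\\") == NULL;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtUnloadDriver_fn)(PUNICODE_STRING);

/* AdjustTokenPrivileges only enables a privilege the token already holds. A
 * UAC-filtered (non-elevated) admin token lacks SeLoadDriverPrivilege, so the
 * call returns TRUE yet GetLastError() is ERROR_NOT_ALL_ASSIGNED. */
static int enable_privilege(const wchar_t *name)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp = { 1 };
    DWORD err;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return 0;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValueW(NULL, name, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return 0;
    }
    AdjustTokenPrivileges(tok, FALSE, &tp, sizeof tp, NULL, NULL);
    err = GetLastError();   /* check it even when the call returned TRUE */
    CloseHandle(tok);
    return err == ERROR_SUCCESS;
}

/* Returns NtUnloadDriver's NTSTATUS; 0xC0000061 (STATUS_PRIVILEGE_NOT_HELD)
 * is returned locally when the privilege could not be enabled. */
static NTSTATUS unload_driver(const char *service_key)
{
    uint16_t buf[260];
    counted_wstr name;
    NtUnloadDriver_fn fn = (NtUnloadDriver_fn)(void *)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtUnloadDriver");
    if (fn == NULL || !enable_privilege(L"SeLoadDriverPrivilege"))
        return (NTSTATUS)0xC0000061L;
    init_counted(&name, buf, ascii_to_utf16(service_key, buf, 260));
    return fn((PUNICODE_STRING)&name);   /* layout-compatible struct */
}
#endif

int main(void)
{
    /* Constructed sample: the key of a hypothetical service called "test". */
    const char *key = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\test";
#ifdef _WIN32
    return is_service_key(key) && unload_driver(key) == 0 ? 0 : 1;
#else
    return is_service_key(key) ? 0 : 1;   /* not Windows: no unload attempted */
#endif
}
```

Build it with cl or MinGW gcc and run it from an elevated prompt; on a non-Windows host only the string handling and the key check run. NtUnloadDriver is resolved at run time with GetProcAddress, so no ntdll import library is needed, and the struct is cast to PUNICODE_STRING only because its layout matches field for field.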

Blackmasm

Is your app 32-bit?
I don't think a 32-bit process can have privilege over a 64-bit process or driver, adjusted token or not.
I'm afraid I can't find the reference now; it was on MSDN, or I dreamt it.