The MASM Forum

General => The Campus => Topic started by: Darkside on January 06, 2014, 12:28:17 AM

Title: unload drivers
Post by: Darkside on January 06, 2014, 12:28:17 AM
Currently I'm coding a tool which shows all the running drivers. I want to add an option so that the user can unload a running driver from memory.
The API ZwUnloadDriver can do that. (http://msdn.microsoft.com/en-us/library/ff567117)

However I can't get it working. Do you see something wrong?


include \masm32\include\masm32rt.inc

; prototypes for the ntdll exports used below (masm32rt.inc does not pull in ntdll)
RtlInitUnicodeString PROTO STDCALL :DWORD, :DWORD
ZwUnloadDriver       PROTO STDCALL :DWORD
includelib \masm32\lib\ntdll.lib

STATUS_SUCCESS equ 0

UNICODE_STRING struct
    Leng          dw ?    ; byte length of the string without terminator (LENGTH is a MASM operator)
    MaximumLength dw ?    ; byte size of the buffer
    Buffer        dd ?    ; PWSTR
UNICODE_STRING ends

.data
uni         UNICODE_STRING <>
; MASM does not treat backslash as an escape character, so single backslashes are wanted here
WSTR    drivername,"\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\test",0

.code
start:
    invoke RtlInitUnicodeString, addr uni, addr drivername
    invoke ZwUnloadDriver, addr uni
    .if eax != STATUS_SUCCESS
        invoke ExitProcess, eax      ; hand the NTSTATUS (e.g. C0000061) back as the exit code
    .endif
    invoke ExitProcess, 0
end start
Title: Re: unload drivers
Post by: dedndave on January 06, 2014, 05:30:41 AM
ZwUnloadDriver is to be called from a kernel-mode driver
in user mode, you want to use NtUnloadDriver

http://msdn.microsoft.com/en-us/library/windows/hardware/ff567122%28v=vs.85%29.aspx

Quote: Calling a ZwXxx routine from user mode is not supported;
instead, native applications (applications that bypass the Microsoft
Win32 subsystem) should call the NtXxx equivalent of the ZwXxx routine.
Title: Re: unload drivers
Post by: fearless on January 06, 2014, 05:32:47 AM
Quote: Note that a file system filter driver cannot safely be unloaded from a running system. Thus a filter should only use ZwUnloadDriver for debugging purposes. It should not call this routine in a retail version of the filter.
Might be that it can't be unloaded. What does the call to ZwUnloadDriver return? Or it could be that the defined WSTR and the call to RtlInitUnicodeString are not applicable or not working as expected.
Title: Re: unload drivers
Post by: dedndave on January 06, 2014, 05:37:51 AM
when the string is statically pre-defined, I would probably initialize the counted string structure myself
for dynamic strings, I might use the RtlInitUnicodeString function   :P
Title: Re: unload drivers
Post by: Darkside on January 06, 2014, 06:22:39 AM
It does not make a difference whether I use Zw or Nt; the return value is C0000061 for both.
The Unicode string seems to work correctly.
Title: Re: unload drivers
Post by: Adamanteus on January 06, 2014, 09:32:20 AM
That is a variously privileged operation - it requires ring 0 code.
Title: Re: unload drivers
Post by: dedndave on January 06, 2014, 11:09:05 AM
From nterr.h:
#define NT_STATUS_PRIVILEGE_NOT_HELD 0xC0000000 | 0x0061

perhaps you do not have admin privileges - perhaps admin privilege is not enough
Title: Re: unload drivers
Post by: Darkside on January 06, 2014, 07:44:28 PM
Well, the driver is loaded without any admin privileges.
When I tried to unload WITH (and without) admin privileges, the error C0000061 is returned.
::)
Title: Re: unload drivers
Post by: Darkside on January 07, 2014, 12:50:15 AM
Found that we need SE_DEBUG_NAME privileges to get it working.

I found this source, which is working for Windows XP but not for Windows 7.

http://pastebin.com/9EU710yt
http://exelab.ru/f/index.php?action=vthread&forum=6&topic=11246
So maybe someone knows what's wrong?
Title: Re: unload drivers
Post by: dedndave on January 07, 2014, 02:07:10 AM
is it the same error code?
Title: Re: unload drivers
Post by: Darkside on January 07, 2014, 02:10:24 AM
Yes. But in Windows XP it is working fine...
Title: Re: unload drivers
Post by: dedndave on January 07, 2014, 04:26:35 AM
each version of windows adds a layer in the registry - and a layer of security

when they came out with Vista, for example, they introduced UAC, WHQL driver signing, etc

but, others have found solutions for what you are doing - they're just likely to be in some flavor of C
by knowing that, you should be able to refine your search terms and come up with some answers

you might try googling "NT_STATUS_PRIVILEGE_NOT_HELD Windows 7"
or windows 8 - try replacing the named error with 0xC0000061, and so on

you could also add "NtUnloadDriver" to help narrow the search
Title: Re: unload drivers
Post by: dedndave on January 07, 2014, 04:31:25 AM
by the way - the permissions that are required to install a driver are going to be different from removing one   :P
you can probably work around either by modifying group policies - but that's not a good all-round solution
Title: Re: unload drivers
Post by: Darkside on January 07, 2014, 06:16:41 AM
Yes, I searched a lot for a solution, and also used the terms you posted, for example.
I found one solution, which is using AdjustTokenPrivileges like in the source mentioned earlier.

http://pastebin.com/9EU710yt

This source is working for Windows XP 32-bit and Windows 7 32-bit, but not for Windows 7 64-bit. Same error as always, even with its added privilege.
Title: Re: unload drivers
Post by: Blackmasm on January 09, 2014, 11:29:20 AM
Is your app 32-bit?
I don't think a 32-bit process can have privilege over a 64-bit process or driver, adjusted token or not.
I'm afraid I can't find the reference now, it was on MSDN or I dreamt it.