让XueTr卸载不了我们的驱动

先上代码溜溜:

#include <ntddk.h>void testUnload(IN PDRIVER_OBJECT DriverObject){}NTSTATUS testDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){  Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;  Irp->IoStatus.Information = 0;  IoCompleteRequest(Irp, IO_NO_INCREMENT);  return Irp->IoStatus.Status;}NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath){  ULONG i;  for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)    DriverObject->MajorFunction[i] = testDefaultHandler;    DriverObject->DriverUnload = testUnload;  return STATUS_SUCCESS;}

<font color="Green"><br/>#include <ntddk.h><br/>void testUnload(IN PDRIVER_OBJECT DriverObject)<br/>{<br/>}<br/><br/>NTSTATUS testDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)<br/>{<br/> Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;<br/> Irp->IoStatus.Information = 0;<br/> IoCompleteRequest(Irp, IO_NO_INCREMENT);<br/> return Irp->IoStatus.Status;<br/>}<br/><br/>NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)<br/>{<br/> ULONG i;<br/><br/> for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)<br/> DriverObject->MajorFunction[i] = testDefaultHandler;<br/> <br/> DriverObject->DriverUnload = testUnload;<br/><br/> return STATUS_SUCCESS;<br/>}</font>
驱动卸载时，函数调用如下：

kd> kpChildEBP RetAddr  ee5deb30 805b1bde nt!IopDeleteDriveree5deb4c 80523bf1 nt!ObpRemoveObjectRoutine+0xe0ee5deb70 804f5778 nt!ObfDereferenceObject+0x5fee5dec14 8057a83d nt!IopUnloadDriver+0x28aee5dec24 8053e6d8 nt!NtUnloadDriver+0xfee5dec24 80500231 nt!KiFastCallEntry+0xf8ee5deca0 804f55df nt!ZwUnloadDriver+0x11ee5ded48 8057a83d nt!IopUnloadDriver+0xf1ee5ded58 8053e6d8 nt!NtUnloadDriver+0xf

<font color="Green"><br/>kd> kp<br/>ChildEBP RetAddr <br/>ee5deb30 805b1bde nt!IopDeleteDriver<br/>ee5deb4c 80523bf1 nt!ObpRemoveObjectRoutine+0xe0<br/>ee5deb70 804f5778 nt!ObfDereferenceObject+0x5f<br/>ee5dec14 8057a83d nt!IopUnloadDriver+0x28a<br/>ee5dec24 8053e6d8 nt!NtUnloadDriver+0xf<br/>ee5dec24 80500231 nt!KiFastCallEntry+0xf8<br/>ee5deca0 804f55df nt!ZwUnloadDriver+0x11<br/>ee5ded48 8057a83d nt!IopUnloadDriver+0xf1<br/>ee5ded58 8053e6d8 nt!NtUnloadDriver+0xf</font><br/>

在nt!IopDeleteDriver中，有如下的判断代码（WRK，/base/ntos/io/iomgr/objsup.c 787行）：

    if (driverObject->DriverSection != NULL) {        //        // Make sure any DPC's that may be running inside the driver have completed        //        KeFlushQueuedDpcs ();        MmUnloadSystemImage( driverObject->DriverSection );        PpDriverObjectDereferenceComplete(driverObject);    }

<font color="Green"><br/> if (driverObject->DriverSection != NULL) {<br/> //<br/> // Make sure any DPC's that may be running inside the driver have completed<br/> //<br/> KeFlushQueuedDpcs ();<br/><br/> MmUnloadSystemImage( driverObject->DriverSection );<br/><br/> PpDriverObjectDereferenceComplete(driverObject);<br/> }</font><br/>
如果driverObject->DriverSection不为空的话，就会调用MmUnloadSystemImage把驱动映象从内核中卸掉
如果driverObject->DriverSection为空的话呢？
那当然就不会把把驱动映象从内核中卸掉了，驱动仍然在内核中，该干嘛干嘛
所以我们只要在驱动的DriverUnload函数里面添加一句代码就行：

#include <ntddk.h>void testUnload(IN PDRIVER_OBJECT DriverObject){  DriverObject->DriverSection=NULL;}NTSTATUS testDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp){  Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;  Irp->IoStatus.Information = 0;  IoCompleteRequest(Irp, IO_NO_INCREMENT);  return Irp->IoStatus.Status;}NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath){  ULONG i;  for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)    DriverObject->MajorFunction[i] = testDefaultHandler;    DriverObject->DriverUnload = testUnload;  return STATUS_SUCCESS;}

<font color="Green"><br/>#include <ntddk.h><br/>void testUnload(IN PDRIVER_OBJECT DriverObject)<br/>{<br/> DriverObject->DriverSection=NULL;<br/>}<br/><br/>NTSTATUS testDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)<br/>{<br/> Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;<br/> Irp->IoStatus.Information = 0;<br/> IoCompleteRequest(Irp, IO_NO_INCREMENT);<br/> return Irp->IoStatus.Status;<br/>}<br/><br/>NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)<br/>{<br/> ULONG i;<br/><br/> for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)<br/> DriverObject->MajorFunction[i] = testDefaultHandler;<br/> <br/> DriverObject->DriverUnload = testUnload;<br/><br/> return STATUS_SUCCESS;<br/>}<br/></font><br/>
卸载函数时，函数调用如下:

kd> kp   ChildEBP RetAddr     ee5deb30 805b1bde nt!IopDeleteDriver   ee5deb4c 80523bf1 nt!ObpRemoveObjectRoutine+0xe0   ee5deb70 804f5778 nt!ObfDereferenceObject+0x5f   ee5dec14 8057a83d nt!IopUnloadDriver+0x28a   ee5dec24 8053e6d8 nt!NtUnloadDriver+0xf   ee5dec24 80500231 nt!KiFastCallEntry+0xf8   ee5deca0 804f55df nt!ZwUnloadDriver+0x11   ee5ded48 8057a83d nt!IopUnloadDriver+0xf1   ee5ded58 8053e6d8 nt!NtUnloadDriver+0xf 

<font color="Green"><br/>kd> kp <br/> ChildEBP RetAddr <br/> ee5deb30 805b1bde nt!IopDeleteDriver <br/> ee5deb4c 80523bf1 nt!ObpRemoveObjectRoutine+0xe0 <br/> ee5deb70 804f5778 nt!ObfDereferenceObject+0x5f <br/> ee5dec14 8057a83d nt!IopUnloadDriver+0x28a <br/> ee5dec24 8053e6d8 nt!NtUnloadDriver+0xf <br/> ee5dec24 80500231 nt!KiFastCallEntry+0xf8 <br/> ee5deca0 804f55df nt!ZwUnloadDriver+0x11 <br/> ee5ded48 8057a83d nt!IopUnloadDriver+0xf1 <br/> ee5ded58 8053e6d8 nt!NtUnloadDriver+0xf <br/></font><br/>
在nt!IopDeleteDriver中，有如下的判断代码（WRK，/base/ntos/io/iomgr/objsup.c 787行）：

if (driverObject->DriverSection != NULL) {           //          // Make sure any DPC's that may be running inside the driver have completed           //           KeFlushQueuedDpcs ();           MmUnloadSystemImage( driverObject->DriverSection );          PpDriverObjectDereferenceComplete(driverObject);      }  如果driverObject->DriverSection不为空的话，就会调用MmUnloadSystemImage把驱动映象从内核中卸掉 ,如果driverObject->DriverSection为空的话呢？ 那当然就不会把把驱动映象从内核中卸掉了，驱动仍然在内核中，该干嘛干嘛 ,所以我们只要在驱动的DriverUnload函数里面添加一句代码就行： 

void testUnload(IN PDRIVER_OBJECT DriverObject)   {     DriverObject->DriverSection=NULL;   }  NTSTATUS testDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)   {     Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;     Irp->IoStatus.Information = 0;     IoCompleteRequest(Irp, IO_NO_INCREMENT);     return Irp->IoStatus.Status;   }  NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)   {     ULONG i;     for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)       DriverObject->MajorFunction[i] = testDefaultHandler;       DriverObject->DriverUnload = testUnload;       return STATUS_SUCCESS;   } 
 

用InstDrv.exe加载编译后的驱动，依次点击安装、启动、停止、卸载，然后用XueTr测试一下，发现虽然能显示test.sys的存在，但菜单里面“卸载驱动(危险)”已经变灰，无法点击了。虽然是自己在做题时根据MJ的语录翻的WRK，不知道上面这文章会不会是火星或抄袭了…还请大家指正。。