4
votes

I'm writing a Windows kernel driver and I'm trying to implement the following.

Suppose the driver has been called from user mode via the DeviceIoControl function with a specific IOCTL code. How can the driver unload itself in this situation? In other words, how can I achieve the same behavior as running the net stop command?

More precisely, what should I write when implementing the DispatchDeviceControl callback?

NTSTATUS IoctlDeviceControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp) {
    // some code...

    switch (ioctlCode) {
        case IOCTL_MY_UNLOAD:  // <---
        ...
    }

    return Status;
}
1
Try using IoDeleteDevice(), but this functionality highly depends upon the type of your driver. If you have a user-mode app, you can use Win32 APIs to stop the service similar to net stop, but done programmatically. - Rohan

1 Answer

4
votes

You can use the ZwUnloadDriver kernel function!

Documentation:

The ZwUnloadDriver routine unloads a driver from the system. Use this routine with extreme caution. (See the following Remarks section.)

C/C++ Definition:

NTSTATUS ZwUnloadDriver(
  _In_  PUNICODE_STRING DriverServiceName
);

MSDN Source:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff567117(v=vs.85).aspx