注意 : 此方法会触发 PG
代码参考 1
typedef struct _driverdata
{
LIST_ENTRY listentry;
ULONG unknown1;
ULONG unknown2;
ULONG unknown3;
ULONG unknown4;
ULONG unknown5;
ULONG unknown6;
ULONG unknown7;
UNICODE_STRING path;
UNICODE_STRING name;
}driverdata;
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
KdPrint(("驱动卸载\n"));
}
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang, PUNICODE_STRING zhucebiao)
{
KdPrint(("驱动入口开始\n"));
driverdata*driverdata1 = NULL;
driverdata1 = *(driverdata**)((ULONG)qudongduixiang + 20);
if (driverdata1!=NULL)
{
*(ULONG*)driverdata1->listentry.Blink = (ULONG)driverdata1->listentry.Flink;
driverdata1->listentry.Flink->Blink = driverdata1->listentry.Blink;
}
qudongduixiang->DriverUnload = xiezai1;
return STATUS_SUCCESS;
}
代码参考 2
#include "ntddk.h"
HANDLE hThread;
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("驱动卸载成功\n");
}
VOID ThreadRun(
PVOID StartContext)
{
LARGE_INTEGER times;
PDRIVER_OBJECT pDriverObject;
times.QuadPart = -30 * 1000 * 1000; //等待3秒 单位是纳秒
KeDelayExecutionThread(KernelMode, FALSE, ×);
pDriverObject=(PDRIVER_OBJECT)StartContext;
//修改模块信息
pDriverObject->DriverSize = 0;
pDriverObject->DriverSection = NULL;
pDriverObject->DriverExtension = NULL;
pDriverObject->DriverStart = NULL;
pDriverObject->DriverInit = NULL;
pDriverObject->FastIoDispatch = NULL;
pDriverObject->DriverStartIo = NULL;
ZwClose(hThread);
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pReg)
{
PLIST_ENTRY pModuleList;
pModuleList = pDriverObject->DriverSection;
//前一个模块的Flink=本模块的Flink
pModuleList->Blink->Flink = pModuleList->Flink;
//前一个模块的Blink=本模块的Blink
pModuleList->Flink->Blink = pModuleList->Blink;
PsCreateSystemThread(&hThread,GENERIC_ALL,NULL,NULL,NULL, ThreadRun, pDriverObject);
return 0;
}