PsSetLoadImageNotifyRoutine.C

#include <ntddk.h>

VOID MY_PLOAD_IMAGE_NOTIFY_ROUTINE(__in_opt PUNICODE_STRING  FullImageName, __in HANDLE  ProcessId, __in PIMAGE_INFO  ImageInfo)
{
    NTSTATUS r;
    int n,len;
    wchar_t sysname[] = L"sys.sys";
    UNICODE_STRING u1,u2;
    int b = 0;
    HANDLE hcp;

    hcp = PsGetCurrentProcessId();//如果是驱动模块，ProcessId总为0，这可能是错误的。

    //其实这里也可以把进程给结束了。

    len = wcslen(sysname) * sizeof(wchar_t);
    n = (FullImageName->Length - len)/sizeof(wchar_t);

    //如果加载的驱动是：sys.sys，就调用ZwUnmapViewOfSection

    RtlInitUnicodeString(&u1,sysname);
    RtlInitUnicodeString(&u2,&FullImageName->Buffer[n]);
    b = RtlEqualUnicodeString(&u1,&u2,1);
    if (b)
    {
        //Note  If the call to this function occurs in user mode, you should use the name "NtUnmapViewOfSection" instead of "ZwUnmapViewOfSection".
        r = ZwUnmapViewOfSection(ProcessId,ImageInfo->ImageBase); //得到的结论是不能卸载驱动，断言只能卸载dll.
        if (r == STATUS_ACCESS_DENIED )
        {
            DbgPrint("The caller does not have access rights to the process object or to the base virtual address of the view.");
        }

        //RtlZeroMemory(ImageInfo->ImageBase,ImageInfo->ImageSize);//这个蓝屏，难道要锁定内存。

        //更深入的函数有：IopDeleteDriver等。
    }

    //如果阻止驱动加载呢？难道必须用hook?
}

DRIVER_UNLOAD Unload;
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
    PsRemoveLoadImageNotifyRoutine(MY_PLOAD_IMAGE_NOTIFY_ROUTINE);
}

DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry( __in struct _DRIVER_OBJECT  * DriverObject, __in PUNICODE_STRING  RegistryPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    KdBreakPoint();//#define KdBreakPoint() DbgBreakPoint()

    DriverObject->DriverUnload = Unload;

    status = PsSetLoadImageNotifyRoutine(MY_PLOAD_IMAGE_NOTIFY_ROUTINE);

    return status;
}
//made 2013.02.07