2013年9月5日星期四

驱动自杀失败

#include <ntddk.h>

PVOID g_pkThread; // thread object of the system thread started in DriverEntry; filled by ObReferenceObjectByHandle there (static storage, so NULL before that)

/*
经测试:此代码没有蓝屏,应该蓝屏的.
本想在驱动中自己卸载自己的,测试结果是这样无效.
我想即使是这样,驱动的功能是无效的,即使显示还在运行.

顺便说一下!不注册卸载函数,是无法卸载驱动的,
除非:
1.把驱动模块的内存清零(或者ret c3),但是这样很危险(蓝屏).申请的内容没有清理,内存泄漏.
2.在卸载函数中做手脚.
3.其他.

made by correy
made at 2013.09.05
email:kouleguan at hotmail dot com
homepage:http://correy.webs.com
*/

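/*
 * Unload routine of the first experiment.
 *
 * It is registered as DriverObject->DriverUnload in DriverEntry, but the
 * system thread created there also calls it directly (see ThreadStart), so it
 * may run on the very thread it would otherwise have to wait for. Waiting for
 * g_pkThread in that case would deadlock, which is why the wait is only done
 * when the caller is some other thread. The reference taken with
 * ObReferenceObjectByHandle in DriverEntry is released either way and
 * g_pkThread is reset, so a later call (e.g. the real unload after the
 * thread's direct call) does nothing.
 *
 * If the thread reaches this routine before DriverEntry has stored
 * g_pkThread, nothing is released here; the real unload then finds the
 * pointer set, waits (the thread has long exited) and releases it.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    if (g_pkThread == NULL) {
        return;
    }

    // Only wait when we are not running on the referenced thread itself.
    if ((PVOID)KeGetCurrentThread() != g_pkThread) {
        KeWaitForSingleObject(g_pkThread, Executive, KernelMode, FALSE, NULL);
    }

    ObDereferenceObject(g_pkThread);
    g_pkThread = NULL;
}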

KSTART_ROUTINE ThreadStart;
/*
 * Body of the system thread started from DriverEntry (first experiment).
 *
 * StartContext is the driver object handed to PsCreateSystemThread. The thread
 * calls the driver's own unload routine by hand and then ends itself. As the
 * notes above record, calling DriverUnload this way does not unload the image.
 */
VOID ThreadStart(__in PVOID  StartContext)
{
    PDRIVER_OBJECT driverObject = (PDRIVER_OBJECT)StartContext;

    // Optional one-minute stall to confirm in a debugger that the driver
    // loaded; kept disabled because the load can be trusted.
    // KeStallExecutionProcessor(60000000);

    DriverUnload(driverObject);

    // Exit the system thread.
    PsTerminateSystemThread(STATUS_SUCCESS);
}

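/*
 * Entry point of the first experiment.
 *
 * Registers DriverUnload and starts a system thread that calls it (see
 * ThreadStart). On success a referenced pointer to the thread object is kept
 * in g_pkThread so the unload routine can wait for the thread and release it.
 *
 * Returns the status of PsCreateSystemThread. A failure to reference the
 * thread object is only logged: the thread is already running by then, and
 * failing DriverEntry (which unloads the image under a running thread) would
 * be worse than leaving g_pkThread NULL.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    NTSTATUS refStatus = STATUS_UNSUCCESSFUL;
    HANDLE  ThreadHandle = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    KdBreakPoint(); // same effect as DbgBreakPoint()
    DriverObject->DriverUnload = DriverUnload;

    status = PsCreateSystemThread(&ThreadHandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, ThreadStart, DriverObject);
    if (!NT_SUCCESS(status)) {
        KdPrint(("PsCreateSystemThread return:%d\n", status));
        return status;
    }

    // Turn the handle into a referenced object pointer; the handle itself is
    // not needed afterwards. The previous code ignored this call's result.
    refStatus = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, NULL, KernelMode, &g_pkThread, NULL);
    if (!NT_SUCCESS(refStatus)) {
        g_pkThread = NULL;
        KdPrint(("ObReferenceObjectByHandle fail with:0x%x\n", refStatus));
    }
    ZwClose(ThreadHandle);

    return status;
}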


/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//下面的办法在2013.11.23实验失败.

#include <ntifs.h>

PVOID g_pkThread;                 // thread object referenced in DriverEntry via ObReferenceObjectByHandle (NULL until then)
UNICODE_STRING DriverServiceName  = RTL_CONSTANT_STRING(L"test"); // bare service name; only used by the commented-out ZwUnloadDriver attempt in ThreadStart
wchar_t buffer[260] = {0};        // backing storage for g_RegistryPath: 260 wide characters (520 bytes)
UNICODE_STRING g_RegistryPath;    // copy of DriverEntry's RegistryPath made with RtlCopyUnicodeString; note the copy is clipped to sizeof(buffer) if the path is longer

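KSTART_ROUTINE ThreadStart;
/*
 * Body of the system thread started from DriverEntry (second experiment).
 *
 * Tries to unload the driver from inside itself with ZwUnloadDriver, using the
 * registry path that DriverEntry copied into g_RegistryPath, logs a failure
 * status and then terminates. The author records that the call fails:
 * 0xC0000034 when given the bare service name, 0xC0000010 when given the full
 * registry path. StartContext (the driver object) is not used.
 *
 * Note that if the call ever succeeded and the unload ran synchronously on
 * this thread, the image could be unmapped while this thread is still
 * executing in it.
 */
VOID ThreadStart(__in PVOID  StartContext)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(StartContext);

    // Optional one-minute stall to confirm the load in a debugger; disabled.
    // KeStallExecutionProcessor(60000000);

    // ZwUnloadDriver takes the service's registry path, not the bare service
    // name; the bare-name attempt is what returned 0xC0000034.
    // status = ZwUnloadDriver(&DriverServiceName);
    status = ZwUnloadDriver(&g_RegistryPath); // observed: 0xC0000010
    if (!NT_SUCCESS(status)) {
        KdPrint(("ZwUnloadDriver fail with:0x%x\n", status));
    }

    PsTerminateSystemThread(STATUS_SUCCESS);
}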

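DRIVER_UNLOAD DriverUnload;
/*
 * Unload routine of the second experiment.
 *
 * Releases the thread reference taken in DriverEntry. When the unload is
 * reached on a thread other than the one started there (the normal case, e.g.
 * a service stop), it first waits for that thread so the image is not
 * unmapped while ThreadStart is still running. If ZwUnloadDriver from
 * ThreadStart ever succeeded and this routine ran on that very thread, the
 * wait would deadlock, so it is skipped in that case.
 */
VOID DriverUnload(__in PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    KdBreakPoint();

    if (g_pkThread != NULL) {
        if ((PVOID)KeGetCurrentThread() != g_pkThread) {
            KeWaitForSingleObject(g_pkThread, Executive, KernelMode, FALSE, NULL);
        }
        ObDereferenceObject(g_pkThread);
        g_pkThread = NULL;
    }
}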

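// NOTE(review): INITCODE is not defined anywhere in this listing. Unless a
// header maps it (typically to code_seg("INIT")), the pragma is unknown and
// ignored, and DriverEntry stays in the normal code section.
#pragma INITCODE
DRIVER_INITIALIZE DriverEntry;
/*
 * Entry point of the second experiment.
 *
 * Copies RegistryPath into the static buffer behind g_RegistryPath (the
 * string passed to DriverEntry is not kept alive afterwards, so storing the
 * pointer, as the commented-out assignment did, would not work), registers
 * DriverUnload and starts the system thread that attempts ZwUnloadDriver.
 *
 * Returns STATUS_BUFFER_TOO_SMALL when RegistryPath does not fit the buffer
 * (RtlCopyUnicodeString would otherwise clip it silently and the thread would
 * hand a wrong path to ZwUnloadDriver), otherwise the status of
 * PsCreateSystemThread. A failure to reference the thread object is only
 * logged, because the thread is already running at that point.
 */
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT * DriverObject, __in PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    NTSTATUS refStatus = STATUS_UNSUCCESSFUL;
    HANDLE  ThreadHandle = NULL;

    KdBreakPoint();

    RtlInitEmptyUnicodeString(&g_RegistryPath, buffer, sizeof(buffer));
    // RtlCopyUnicodeString copies at most MaximumLength bytes; refuse a
    // clipped path rather than unloading "something else" later.
    if (RegistryPath->Length > g_RegistryPath.MaximumLength) {
        KdPrint(("RegistryPath too long:%u\n", (unsigned)RegistryPath->Length));
        return STATUS_BUFFER_TOO_SMALL;
    }
    RtlCopyUnicodeString(&g_RegistryPath, RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    status = PsCreateSystemThread(&ThreadHandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, ThreadStart, DriverObject);
    if (!NT_SUCCESS(status)) {
        KdPrint(("PsCreateSystemThread return:%d\n", status));
        return status;
    }

    // Keep a referenced object pointer for DriverUnload; the handle is closed.
    refStatus = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, NULL, KernelMode, &g_pkThread, NULL);
    if (!NT_SUCCESS(refStatus)) {
        g_pkThread = NULL;
        KdPrint(("ObReferenceObjectByHandle fail with:0x%x\n", refStatus));
    }
    ZwClose(ThreadHandle);

    return status;
}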
