0

I'm very new to windows development specially in the field of driver creation. I want to create a driver that will be notified whenever another driver(s) (Any type of driver but preferably not device driver) has been unloaded. So far (I maybe mistaken) I haven't found any callback function that will allow me to implement that.

Here are my questions:

1.) There's a function that will allow me to detect driver load (PsSetLoadImageNotifyRoutine/Ex). Someone told me that maybe I could get the driver object of another driver and set my function in the driver unload from there but I haven't found any function to do that. Is there a function to directly get notification when a driver is being unloaded? If not, is there a function for getting the driver object?

2.) Since I haven't found any function for the first "way" of doing that. Now I am trying to accomplish this using "events". When I ran ".eventlog" in WinDbg, it showed the "Module unloaded" message. Now my question is, is there a way to listen to this event in a driver using C? I can only see tools being used to consume those events. If there is none, can I just read the ".eventlog" file and process it? If so, what should be the name of ".eventlog" file?

Brex
  • 3
  • 3
  • Do you really need to know when the driver is unloaded, or do you need to know when a PnP device controlled by the driver is removed? For the latter case, you could install a filter driver to monitor the PnP IRPs going to the device. – Ian Abbott Nov 28 '17 at 11:27
  • Hi! Yes I really need to know when the driver is unloaded. Also I forgot to mention that the target driver is necessarily a device driver. It could be a filter driver or any type of driver. – Brex Nov 28 '17 at 11:35

0 Answers0