StoppingDeviceDriver

 

#include <ntddk.h>

#include <stdio.h>

/* Prototype for the ntoskrnl export ZwLoadDriver, declared here because the
 * headers this listing includes do not provide it. DriverEntry only takes its
 * address and reads the x86 syscall stub behind it to recover the SSDT index;
 * the function itself is never called from this driver. */
NTSYSAPI NTSTATUS NTAPI ZwLoadDriver(PUNICODE_STRING DriverServiceName);

/* Mirror of the (undocumented) x86-32 service descriptor table header that
 * KeServiceDescriptorTable points at. Field order and sizes must match the
 * kernel's structure exactly; only ServiceTableBase and NumberOfServices are
 * used here. On x64 the table holds relative offsets, not raw pointers, so
 * this layout is not usable there. */
typedef struct
{
unsigned int *ServiceTableBase;        /* array of service entry points, indexed by syscall number */
unsigned int *ServiceCounterTableBase; /* per-service call counters (checked builds); unused here */
unsigned int NumberOfServices;         /* number of valid entries in ServiceTableBase */
unsigned char *ParamTableBase;         /* per-service argument byte counts; unused here */
} sdt;

/* The kernel's own service descriptor table, imported from ntoskrnl (exported
 * on x86-32 only). Writing to it is what installs the hook below; the layout
 * is assumed to match the sdt struct above -- TODO confirm on the target build. */
__declspec(dllimport) sdt KeServiceDescriptorTable;

/* Signature of the ZwLoadDriver service: one PUNICODE_STRING argument. */
typedef NTSTATUS (NTAPI *qtype)(PUNICODE_STRING);

/* The original SSDT entry, captured by DriverEntry and restored by
 * DriverUnload. Static storage is zero-initialised, so this is NULL until the
 * hook has actually been installed. */
qtype OldZwLoadDriver;

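/*
 * Replacement for the ZwLoadDriver SSDT entry (installed by DriverEntry).
 *
 * Runs in the context of whoever issued the NtLoadDriver system call, so
 * DriverServiceName is the caller's own pointer; on the native syscall path
 * that is a user-mode address that nothing has validated yet. The NULL check
 * covers only the obvious case. A production hook would need to check
 * ExGetPreviousMode() and ProbeForRead() both the UNICODE_STRING and its
 * Buffer under __try/__except before touching them -- not shown here.
 *
 * Always returns STATUS_ACCESS_DENIED, so no driver can be loaded through this
 * call while the hook is in place. The saved original (OldZwLoadDriver) is
 * deliberately never called from here.
 */
NTSTATUS NewZwLoadDriver(PUNICODE_STRING DriverServiceName)
{
    if (DriverServiceName == NULL) {
        DbgPrint("NewZwLoadDriver <null>");
        return STATUS_ACCESS_DENIED;
    }

    /* %wZ prints a counted UNICODE_STRING. The original passed Buffer to %S,
     * but a UNICODE_STRING Buffer is not guaranteed to be NUL-terminated, so
     * %S could read past the end of the caller's string. */
    DbgPrint("NewZwLoadDriver %wZ", DriverServiceName);

    return STATUS_ACCESS_DENIED;
}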

/* SSDT index of ZwLoadDriver. Set in DriverEntry from the syscall stub's
 * immediate and reused by DriverUnload to put the original entry back. */
long no;

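/*
 * Unload routine: puts the saved ZwLoadDriver entry back into the SSDT.
 *
 * Restores only if DriverEntry actually installed the hook (OldZwLoadDriver
 * is NULL otherwise) and only if the slot still holds NewZwLoadDriver. If
 * something else has since overwritten the slot, blindly restoring would
 * silently drop that hook, so the slot is left alone and the condition is
 * logged. (Either way a later hook that chained into our code can still crash
 * once this image is unmapped; that cannot be fixed from an unload routine.)
 *
 * The original wrapped a plain store in cli/sti, which only masks interrupts
 * on the current CPU and does nothing for other processors. An interlocked
 * compare-exchange replaces it. x86-32 layout (32-bit entries) assumed.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    volatile LONG *slot;
    LONG previous;

    (void)DriverObject;

    DbgPrint("Driver Unloading");

    if (OldZwLoadDriver == NULL) {
        return; /* hook was never installed; nothing to undo */
    }

    slot = (volatile LONG *)&KeServiceDescriptorTable.ServiceTableBase[no];
    previous = InterlockedCompareExchange(slot,
                                         (LONG)OldZwLoadDriver,
                                         (LONG)NewZwLoadDriver);
    if (previous != (LONG)NewZwLoadDriver) {
        DbgPrint("DriverUnload: SSDT entry %ld no longer ours, not restored", no);
    }
}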

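/*
 * Finds the SSDT index of ZwLoadDriver and replaces that entry with
 * NewZwLoadDriver, so every NtLoadDriver call is refused until unload.
 *
 * The index is recovered from the exported ZwLoadDriver stub, which on x86-32
 * begins with `mov eax, <service index>` (opcode 0xB8 + 32-bit immediate).
 * The original read the immediate blindly and wrote to the table with no
 * bounds check; here the opcode byte is verified and the index is checked
 * against NumberOfServices before anything is modified. On mismatch the
 * driver refuses to load rather than patching an arbitrary slot.
 *
 * x86-32 only: on x64 the table holds relative offsets, the descriptor table
 * is not exported, and PatchGuard bug-checks on SSDT modification. The table
 * page is also assumed writable -- if the kernel maps it read-only the store
 * will fault (the original shared that assumption). cli/sti were dropped
 * because they affect only the current CPU; InterlockedExchange captures the
 * old entry and installs ours in one atomic operation.
 *
 * Returns STATUS_SUCCESS once hooked, STATUS_UNSUCCESSFUL if the stub or index
 * does not look right (nothing was modified and DriverUnload is not called by
 * the OS for a failed DriverEntry).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
    const unsigned char *stub = (const unsigned char *)ZwLoadDriver;
    long index;
    volatile LONG *slot;

    (void)RegistryPath;

    driverObject->DriverUnload = DriverUnload;

    DbgPrint("Vijay Driver");

    /* Refuse to guess if the stub is not the expected mov eax, imm32 form. */
    if (stub[0] != 0xB8) {
        DbgPrint("ZwLoadDriver stub does not start with mov eax,imm32; not hooking");
        return STATUS_UNSUCCESSFUL;
    }

    /* The immediate sits at an odd address; copy it out instead of the
     * original's misaligned *(long *)(stub + 1) read. */
    RtlCopyMemory(&index, stub + 1, sizeof(index));

    if (index < 0 ||
        (unsigned long)index >= KeServiceDescriptorTable.NumberOfServices) {
        DbgPrint("ZwLoadDriver index %ld out of range (%u services); not hooking",
                 index, KeServiceDescriptorTable.NumberOfServices);
        return STATUS_UNSUCCESSFUL;
    }

    no = index;
    slot = (volatile LONG *)&KeServiceDescriptorTable.ServiceTableBase[no];
    /* Atomically swap our hook in and keep the previous entry for unload. */
    OldZwLoadDriver = (qtype)InterlockedExchange(slot, (LONG)NewZwLoadDriver);

    return STATUS_SUCCESS;
}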

 

NewZwLoadDriver \Registry\Machine\System\CurrentControlSet\Services\sonal3

 

The hooked ZwLoadDriver entry is invoked each time a driver is loaded through the NtLoadDriver system call (the path the Service Control Manager uses). It receives a UNICODE_STRING holding the registry path of the driver's service key, as the output above shows. Our replacement simply returns STATUS_ACCESS_DENIED, so the load fails and the driver never runs. Note that this blocks only loads made through that call: drivers that are already resident are unaffected, and boot-start drivers loaded by the OS loader before this driver starts never pass through it.