Login/Register
Is it possible to unload a kernel driver without a reboot?
Asked Answered
Solved windows-7servicekerneldriverreboot
A

4

9

I'm playing about with one of the kernel driver examples in the Win7 DDK. I can modify compile and build my *.sys file. I can install it too with its INF (using device manager or devcon) or using the Service control manager directly. When I make the next change though and generate an updated *.sys file I seem to get a conflict between this new file and my now stopped driver (I've tried using Servcie Control Manager 'stop' and 'delete service' etc). If I reboot, I can install the new driver and run it fine. Similarly, if I choose uninstall in Device Manager, Windows prompts me to reboot.

So, how can one easily test incremental modifications to a kernal driver easily? Thanks

Aggappe answered 30/1, 2011 at 17:36 Comment(1)
In general, yes, this is possible, at least when you install the driver via API functions. Not sure if it's possible with drivers installed using INF file.Trustless
L
5

Looking at the Setup API logs might be a good place to start: http://msdn.microsoft.com/en-us/library/ff550887%28v=VS.85%29.aspx

If devcon prompts for a reboot, you could look at the code in the DDK, debug why it's asking and dig into the issue that way as well.

Lennielenno answered 30/1, 2011 at 23:35 Comment(0)
D
5

Yes. sc stop <driver name> should stop your driver. If your driver is associated with a particular PnP devnode, it should be unloaded after the devnode is removed.

Destalinization answered 30/1, 2011 at 18:39 Comment(2)
@Larry: Its not associated and yet it doesnt - its just a simple set of IOTCRL's.Aggappe
Silly question: did you set the driver unload entrypoint in your driver's dispatch?Destalinization
L
5

Looking at the Setup API logs might be a good place to start: http://msdn.microsoft.com/en-us/library/ff550887%28v=VS.85%29.aspx

If devcon prompts for a reboot, you could look at the code in the DDK, debug why it's asking and dig into the issue that way as well.

Lennielenno answered 30/1, 2011 at 23:35 Comment(0)
C
3

If you want to be able to unload your driver you have to set up a function which basically executes each time the driver is unloaded - most likely you will put code which frees allocated buffers and any other resource which might be "alive" during the lifecycle of the of the driver. Here is an example code:

VOID  Unload(IN  PDRIVER_OBJECT  pDriverObject) { 
                 //do whatever you like here
                //this deletes the device
        IoDeleteDevice( pDriverObject->DeviceObject);


    return;
}

NTSTATUS  DriverEntry(IN  PDRIVER_OBJECT  pDriverObject,  IN  PUNICODE_STRING  regPath) { 


    //initialize your driver and the major function array 

//set the unload function 
    pDriverObject->DriverUnload  =  &Unload; 
}
Chill answered 14/2, 2011 at 4:11 Comment(0)
L
1

Try compiling, signing, and loading this code:

#include <ntddk.h>     
VOID OnUnload( IN PDRIVER_OBJECT driverObjectA ) {
    DbgPrint("Unload\n");
}
NTSTATUS DriverEntry( PDRIVER_OBJECT driverObjectA, PUNICODE_STRING RegistryPath ){
    DbgPrint("DriverEntry\n"); 
    driverObjectA->DriverUnload = OnUnload;
return STATUS_SUCCESS;
}

Then download DebugView, unzip it, run it as administrator, and then "Capture Kernel" under the "Capture" menu item. Download, unzip, and run the OSR Driver Loader, register the driver, the "Start Service". You will observe a "DriverEntry" log message in DbgView. Now in the the OSR Driver loader, "Stop Service" and observe an Unload message. Hopefully that gets you going.

Lavalley answered 6/1, 2014 at 15:3 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.