- This topic has 1 reply, 2 voices, and was last updated 16 years, 11 months ago by
.
-
Posts
-
Good day. Sorry for my English 🙁
I create thread by PsCreateSystemThread:
HANDLE hThread;
void Func(PVOID a)
{
LARGE_INTEGER delay;
delay.QuadPart = SEC(1);
while(!KeDelayExecutionThread(KernelMode,0,&delay))
DbgPrint(">> thread message");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
pDriverObject->DriverUnload = DriverUnload;
return PsCreateSystemThread(&hThread,THREAD_ALL_ACCESS,0,NtCurrentProcess(),0,Func,0);
}After there I want to run ZwUnloadDriver. Function DriverUnload must terminate thread… function PsTerminateSystemThread terminationg only current thread. function ZwTerminateThread is in ntdll, but not in ntoskrnl.
I would create an event and waited on this event (probably besides few other objects) in the thread routine instead of the KeDelayExecutionThread. Once I need to unload driver I would signal that event so the thread routine left waiting and called PsTerminateSystemThread. At the same time DriverUnload can wait for the thread to exit by waiting on the thread object.
Alternatively (less modifications in your code but not that nice) you can create some global variable and check its state in your Func:
void Func(PVOID a)
{
LARGE_INTEGER delay;
delay.QuadPart = SEC(1);
while(!KeDelayExecutionThread(KernelMode,0,&delay))
{
DbgPrint(">> thread message");
if(g_bLeaveThread)
break;
}
PsTerminateSystemThread();
}
In DriverUnload set the g_bLeaveThread to non-zero value and wait for the thread to exit (KeWaitForSingleObject on the thread object).
- You must be logged in to reply to this topic.