Making Windows legacy driver non-stoppable programmatically

Question

I am working on WinDRBD: https://github.com/LINBIT/windrbd

This driver is stoppable (so sc stop windrbd works). However at some points (when there are DRBD devices configured) I want to prevent the user from stopping the driver.

The driver is linked with

/DRIVER /SUBSYSTEM:WINDOWS /NODEFAULTLIB /ENTRY:DriverEntry

and AddDevice is not set (while DriverUnload is set and does the right thing (TM)).

What I am looking for is some kernel API call which sets and resets the STOPPABLE flag of the driver. I tried to reference the root device / driver object (via ObReferenceObjectByPointer()) which does not prevent the driver from being stopped. I also tried to have an open file handle to the root device object (which prevents the driver from being unloaded, it gets stuck in STOP_PENDING), but then the root device object cannot be opened any more (which is needed to bring the remaining resources down).

Is there a way to control the STOPPABLE flag programmatically? Thanks and best wishes, Johannes

Answer 1

After some experiments, I found that the setting the AddDevice member of the DriverExtension of the driver object (which is a parameter to the DriverEntry function) to a non-NULL value prevents the driver from being unloaded. Setting this member back to NULL allows the user to unload the driver via sc stop again.

So to prevent the driver from being unloaded, do

theDriverObject->DriverExtension->AddDevice = theAddDeviceFunction;

to make it unloadable again, do

theDriverObject->DriverExtension->AddDevice = NULL;

(where theAddDeviceFunction might be a function that just returns an error value as in:

NTSTATUS theAddDeviceFunction(
         PDRIVER_OBJECT DriverObject,
         PDEVICE_OBJECT PhysicalDeviceObject)
{
    return STATUS_NO_SUCH_DEVICE;
}

)

Note that by doing so the value of the STOPPABLE flag printed by a sc query becomes meaningless .. it might say NOT STOPPABLE when the driver can be unloaded and vice versa.