Is there a proper technique (i.e. PatchGuard legit) for hooking driver load/unload in Windows 7+?
Hello,
PsSetLoadImageNotifyRoutine lets you register a callback that is invoked whenever a PE image (including driver ones) is mapped to memory. So, you get notified when a driver image is mapped to the kernel memory, however, you don't get information about creation of its DRIVER_OBJECT etc.
To monitor unload of a specific driver, you can try to modify the DriverUnload field of its DRIVER_OBJECT structure. Of course, you must not do it in case this field is NULL (that would make the driver unloadable even if it do not wish so). I am not sure whether the DriverUnload field is protected by Patchguard.
