small fixes

driver/callbacks.c

@@ -457,6 +457,13 @@ UnregisterCallbacksOnProcessTermination()
 {
 	DEBUG_LOG( "Process closed, unregistering callbacks" );
 	KeAcquireGuardedMutex( &configuration.mutex );
+
+	if ( configuration.registration_handle == NULL )
+	{
+		KeReleaseGuardedMutex( &configuration.mutex );
+		return;
+	}
+
 	ObUnRegisterCallbacks( configuration.registration_handle );
 	configuration.registration_handle = NULL;
 	KeReleaseGuardedMutex( &configuration.mutex );

driver/driver.c

@@ -76,9 +76,11 @@ PROCESS_CONFIG process_config = { 0 };
 */
 
 STATIC
-VOID 
+BOOLEAN 
 FreeAllApcContextStructures()
 {
+	BOOLEAN flag = TRUE;
+
 	KeAcquireGuardedMutex( &driver_config.lock );
 
 	for ( INT index = 0; index < MAXIMUM_APC_CONTEXTS; index++ )
@@ -87,12 +89,21 @@ FreeAllApcContextStructures()
 
 		if ( entry[ index ] != NULL )
 		{
+			PAPC_CONTEXT_HEADER context = entry[ index ];
+
+			if ( context->count > 0 )
+			{
+				flag = FALSE;
+				goto unlock;
+			}
+
 			ExFreePoolWithTag( entry, POOL_TAG_APC );
 		}
 	}
 
 unlock:
 	KeReleaseGuardedMutex( &driver_config.lock );
+	return flag;
 }
 
 /*
@@ -591,10 +602,6 @@ InitialiseProcessConfigOnProcessLaunch(
 	if ( !NT_SUCCESS( status ) )
 		return status;
 
-	/*
-	* acquire the mutex here to prevent a race condition if an unknown party trys 
-	* to fuzz our IOCTL codes whilst the target process launches.
-	*/
 	KeAcquireGuardedMutex( &process_config.lock );
 
 	process_config.protected_process_eprocess = eprocess;
@@ -631,7 +638,14 @@ DriverUnload(
 {
 	//PsSetCreateProcessNotifyRoutine( ProcessCreateNotifyRoutine, TRUE );
 	//QueryActiveApcContextsForCompletion();
-	//FreeAllApcContextStructures();
+
+	/* dont unload while we have active APC operations */
+	while ( !FreeAllApcContextStructures() )
+		YieldProcessor();
+
+	/* This is safe to call even if the callbacks have already been disabled */
+	UnregisterCallbacksOnProcessTermination();
+
 	CleanupDriverConfigOnUnload();
 	IoDeleteDevice( DriverObject->DeviceObject );
 }

driver/ioctl.c

@@ -356,6 +356,8 @@ DeviceClose(
 	* For now its fine, but this will need to be moved to our process load callbacks
 	* since right now anyone can open a handle to our driver and then close it lol
 	*/
+
+	/* we also lose reports here, so sohuld pass em into the irp before freeing */
 	FreeGlobalReportQueueObjects();
 	ClearProcessConfigOnProcessTermination();
 	UnregisterCallbacksOnProcessTermination();

user/km/driver.h

@@ -46,6 +46,17 @@ namespace kernelmode
 		VOID NotifyDriverOnProcessTermination();
 		//VOID GetKernelStructureOffsets();
 
+		template <typename T>
+		VOID ReportTypeFromReportQueue( CONST PVOID Buffer, PSIZE_T Offset, CONST PVOID Report )
+		{
+			Report = ( T* )(
+				( UINT64 )Buffer + sizeof( global::report_structures::REPORT_QUEUE_HEADER ) + *Offset );
+
+			this->report_interface->ReportViolation( ( T* )Report );
+
+			*Offset += sizeof( T );
+		}
+
 	public:
 
 		Driver(LPCWSTR DriverName, std::shared_ptr<global::Client> ReportInterface );
@@ -65,17 +76,6 @@ namespace kernelmode
 		VOID VerifyProcessLoadedModuleExecutableRegions();
 		VOID SendClientHardwareInformation();
 		BOOLEAN InitiateApcOperation( INT OperationId );
-
-		template <typename T>
-		VOID ReportTypeFromReportQueue(CONST PVOID Buffer, PSIZE_T Offset, PVOID Report)
-		{
-			Report = ( T* )(
-				( UINT64 )Buffer + sizeof( global::report_structures::REPORT_QUEUE_HEADER ) + *Offset );
-
-			this->report_interface->ReportViolation( (T*)Report );
-
-			*Offset += sizeof( T );
-		}
 	};
 
 	struct DRIVER_INITIATION_INFORMATION