NtUnloadDriver

Prototype

NTSTATUS NtUnloadDriver(
  PUNICODE_STRING DriverServiceName
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 D9 01 00 00      mov eax, 0x1D9
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtUnloadDriver is the counterpart of NtLoadDriver. Given an NT path to a service key, it asks the I/O manager to call the driver's `DriverUnload` routine and remove its `DRIVER_OBJECT` from `\Driver`. The driver image is unmapped from kernel address space and the corresponding `MmUnloadedDrivers` slot is filled (the kernel keeps a small ring buffer of the last ~50 unloaded driver names — `!drvobj /unloaded` in WinDbg). NtUnloadDriver requires the caller token to hold `SeLoadDriverPrivilege`, which Administrators have by default but is rarely held by service accounts.

Common malware usage

The defining call in **BYOVD (Bring Your Own Vulnerable Driver) cleanup**. The classic kill chain is: 1) drop a signed-but-vulnerable driver from a hardcoded list (RTCore64, gdrv, mhyprot2, kArmor, etc.); 2) NtLoadDriver to create the service and load it; 3) IOCTL into the driver to disable EDR callbacks, terminate-protected processes, write to MSRs or arbitrary kernel memory; 4) NtUnloadDriver to remove the driver from the live system and reduce forensic footprint. Families: EDRKillShifter (RansomHub affiliate tooling), Spyboy's Terminator, AvosLocker's BYOVD module, KillAV variants, BlackByte's RTCore64 abuse, Lazarus's FudModule rootkit loader. The unload itself is *required* — leaving the vulnerable driver loaded is a loud detection signal for kernel-image enumeration.

Detection opportunities

Critical: most public BYOVD telemetry focuses on the *load* side (`Microsoft-Windows-Kernel-PnP` event 400, Sysmon Event ID 6) — the *unload* side has historically been under-instrumented. Detection relies on correlation: Sysmon Event 6 logs the prior load, then absence of the driver image in subsequent `Get-WindowsDriver` / `driverquery` / kernel-callback enumeration is the only delta. `Microsoft-Windows-Kernel-PnP` event 410 fires on service stop. Microsoft Defender vulnerable-driver blocklist (`DriverSiPolicy.p7b`) prevents the load entirely on enabled systems — when present, the BYOVD path fails at NtLoadDriver and NtUnloadDriver is never reached. ELAM and HVCI also bite the load, not the unload.

Direct syscall examples

; Direct syscall stub for NtUnloadDriver (SSN 0x1D9 on Win11 24H2)
NtUnloadDriver PROC
    mov  r10, rcx          ; DriverServiceName
    mov  eax, 1D9h         ; SSN — verify per-build
    syscall
    ret
NtUnloadDriver ENDP

// Final stage of a BYOVD chain: tear down the vulnerable driver and its service key.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtUnloadDriver)(PUNICODE_STRING);

BOOL BYOVDCleanup(PCWSTR ntServicePath /* L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Vuln" */) {
    UNICODE_STRING us;
    RtlInitUnicodeString(&us, ntServicePath);

    pNtUnloadDriver fn = (pNtUnloadDriver)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtUnloadDriver");
    NTSTATUS s = fn(&us);

    // Best practice: also delete the service-key and the .sys on disk to slim forensics.
    // (omitted) RegDeleteTreeW + DeleteFileW
    return s >= 0;
}

// Cargo: ntapi = "0.4", widestring = "1"
use ntapi::ntioapi::NtUnloadDriver;
use ntapi::ntrtl::RtlInitUnicodeString;
use winapi::shared::ntdef::UNICODE_STRING;
use widestring::U16CString;

unsafe fn unload(svc_nt_path: &str) -> i32 {
    let w = U16CString::from_str(svc_nt_path).unwrap();
    let mut us: UNICODE_STRING = std::mem::zeroed();
    RtlInitUnicodeString(&mut us, w.as_ptr());
    NtUnloadDriver(&mut us)
}

MITRE ATT&CK mappings

• T1562.001Impair Defenses: Disable or Modify Toolsmitre ↗
• T1068Exploitation for Privilege Escalationmitre ↗
• T1070Indicator Removalmitre ↗