最初由 skyXnet 发布
不带卸载 DLL 模块的功能吗？
希望能写个卸载DLL模块的程序共享一下. 谢谢!
因为现在很多病毒都采用向其他进程注入 DLL 的方式来保护自己，不先把注入的 DLL 从宿主进程中卸载就很难彻底清除。
........
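/*
 * FreeDll - eject a DLL from another process by running FreeLibrary on a
 * thread created inside that process (CreateRemoteThread).
 *
 * dwProcessId   id of the target process.
 * pszDllEject   module name ("evil.dll") or full path of the DLL; matched
 *               case-insensitively against both szModule and szExePath of
 *               the target's module list. ANSI only, like the parameter type.
 *
 * Returns true only when the remote FreeLibrary call ran to completion and
 * reported success; false on any failure (module not present, access denied,
 * bitness mismatch, thread creation failed, FreeLibrary returned 0, or the
 * remote thread did not finish within kUnloadTimeoutMs).
 *
 * Caveats a caller must keep in mind:
 *  - FreeLibrary only decrements the module's load count. A DLL that was
 *    loaded more than once, or that pinned itself, stays mapped even though
 *    this function returns true. Re-snapshot the process to confirm removal.
 *  - DllMain(DLL_PROCESS_DETACH) of the ejected DLL executes inside the
 *    target with the target's privileges. A hostile DLL can use that to
 *    re-inject itself, corrupt the host or crash it; treat success as
 *    "best effort", not as a clean removal.
 *  - The FreeLibrary address is read from this process's kernel32 and
 *    assumed identical in the target. That holds for processes of the same
 *    bitness on the same boot (kernel32 is mapped at one base system-wide);
 *    a 32<->64-bit mix is rejected below because the thread would start at
 *    a meaningless address and kill the target.
 *  - SeDebugPrivilege is enabled so that processes of other users or
 *    protected services can be opened; that only works from an elevated
 *    administrator token. Without it the OpenProcess call simply fails.
 *
 * Changes versus the original listing: the duplicate `hProcess` definition
 * (a compile error) is gone; the token handle is closed; the snapshot
 * failure value is INVALID_HANDLE_VALUE, not NULL; OpenProcess asks for the
 * full access set CreateRemoteThread documents; the remote thread is waited
 * for and its exit code (FreeLibrary's BOOL) decides the result.
 */
bool WINAPI FreeDll(DWORD dwProcessId, PCSTR pszDllEject)
{
    // Upper bound on how long DllMain(DLL_PROCESS_DETACH) may run before we
    // give up; a hostile or deadlocked DLL must not hang the caller.
    static const DWORD kUnloadTimeoutMs = 5000;

    if (pszDllEject == NULL || pszDllEject[0] == '\0')
        return false;

    // Try to enable SeDebugPrivilege on our own token. This is best effort:
    // if we lack the privilege, OpenProcess below reports the real failure.
    HANDLE hToken = NULL;
    if (OpenProcessToken(GetCurrentProcess(),
                         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        TOKEN_PRIVILEGES tp = { 0 };
        if (LookupPrivilegeValueA(NULL, "SeDebugPrivilege",
                                  &tp.Privileges[0].Luid)) {
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // NOTE: AdjustTokenPrivileges returns TRUE even when the privilege
            // is not held by the token (GetLastError() == ERROR_NOT_ALL_ASSIGNED),
            // so its return value is deliberately not used as a success signal.
            AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
        }
        CloseHandle(hToken);   // the original leaked this handle
    }

    bool   bRtn        = false;
    HANDLE hthSnapshot = NULL;
    HANDLE hProcess    = NULL;
    HANDLE hThread     = NULL;

    __try {
        // Enumerate the target's modules to find the base address of the DLL.
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
        if (hthSnapshot == INVALID_HANDLE_VALUE) {
            hthSnapshot = NULL;   // keep the cleanup path simple
            __leave;
        }

        MODULEENTRY32 me = { sizeof(me) };
        bool bFound = false;
        for (BOOL bMore = Module32First(hthSnapshot, &me);
             bMore;
             bMore = Module32Next(hthSnapshot, &me)) {
            if (_stricmp(me.szModule, pszDllEject) == 0 ||
                _stricmp(me.szExePath, pszDllEject) == 0) {
                bFound = true;
                break;
            }
        }
        if (!bFound)
            __leave;

        // CreateRemoteThread documents this access set (VM_READ/VM_WRITE are
        // needed on Vista and later; the original asked for too little).
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
                               PROCESS_CREATE_THREAD |
                               PROCESS_VM_OPERATION |
                               PROCESS_VM_READ |
                               PROCESS_VM_WRITE,
                               FALSE, dwProcessId);
        if (hProcess == NULL)
            __leave;

        // Refuse a 32/64-bit mix: kernel32's base and the calling convention
        // differ, so the remote thread would start at garbage and crash the
        // target instead of unloading anything.
        BOOL bSelfWow64 = FALSE, bTargetWow64 = FALSE;
        IsWow64Process(GetCurrentProcess(), &bSelfWow64);
        IsWow64Process(hProcess, &bTargetWow64);
        if (bSelfWow64 != bTargetWow64)
            __leave;

        // FreeLibrary's address in our kernel32 equals its address in the
        // target (same bitness, kernel32 shares one base per boot).
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary");
        if (pfnThreadRtn == NULL)
            __leave;

        // Run FreeLibrary(hModule) inside the target; the module base address
        // is the HMODULE. Thread exit code == FreeLibrary's BOOL return.
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn,
                                     (LPVOID)me.modBaseAddr, 0, NULL);
        if (hThread == NULL)
            __leave;

        // Wait for the unload to finish, but never indefinitely: a DLL whose
        // DllMain blocks must not hang the caller.
        if (WaitForSingleObject(hThread, kUnloadTimeoutMs) != WAIT_OBJECT_0)
            __leave;

        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode) || dwExitCode == 0)
            __leave;   // FreeLibrary failed in the target

        bRtn = true;
    }
    __finally {
        if (hthSnapshot != NULL)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return bRtn;
}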