[分享]卸载注入进程的dll
发表于: 2017-4-27 19:57 3404
dll 卸载原理:
1.调用FreeLibrary() 函数
2.用 CreateRemoteThread() 在目标进程中创建一个远程线程去调用它即可,
与通过远程线程注入 dll 的方法类似;
代码:
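/*
 * Find the PID of the first running process whose image name matches
 * szPrcessName (case-insensitive, via _tcsicmp).
 *
 * szPrcessName: image file name, e.g. TEXT("notepad.exe"). Must not be NULL.
 * Returns the PID, or 0 if the name is empty, no process matched, or the
 * snapshot could not be taken (the error is printed via GetLastError()).
 *
 * Note: several processes may share one image name; this returns only the
 * first one the snapshot enumerates.
 */
DWORD FindProcess(LPCTSTR szPrcessName)
{
    DWORD dwPid = 0;
    PROCESSENTRY32 pe;
    HANDLE hSnap;

    if (szPrcessName == NULL || *szPrcessName == 0) {
        return 0;
    }

    /* Process32First fails with ERROR_INVALID_PARAMETER unless dwSize is
     * initialised -- the original left pe uninitialised. */
    pe.dwSize = sizeof(pe);

    /* Only the process list is needed; TH32CS_SNAPALL would also copy module
     * and heap lists, which is slower and unnecessary here. */
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot () failed %lu \n", (unsigned long)GetLastError());
        return 0;
    }

    if (Process32First(hSnap, &pe)) {
        do {
            if (_tcsicmp(pe.szExeFile, szPrcessName) == 0) {
                dwPid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }

    CloseHandle(hSnap);
    return dwPid;
}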
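/*
 * Unload the module named DEF_DLL_NAME from process dwPid by running
 * FreeLibrary() on a remote thread inside that process.
 *
 * dwPid: target process id.
 * Returns TRUE only if the module was found AND the remote FreeLibrary()
 * reported success (its BOOL return is the thread's exit code); FALSE on
 * any failure. Errors are printed via GetLastError().
 *
 * Notes:
 *  - FreeLibrary() only decrements the module's load count; a DLL loaded
 *    more than once, or pinned, stays mapped after a single call.
 *  - Module32First() is expected to fail when this tool's bitness differs
 *    from the target's (typically ERROR_PARTIAL_COPY) -- build and run the
 *    matching architecture.
 *  - OpenProcess asks only for the rights CreateRemoteThread needs rather
 *    than PROCESS_ALL_ACCESS (least privilege).
 */
BOOL EnjectionDll(DWORD dwPid)
{
    BOOL bFound = FALSE;
    BOOL bResult = FALSE;
    HANDLE hSnap = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    MODULEENTRY32 me = {sizeof(me),};
    HMODULE hKernel32;
    LPTHREAD_START_ROUTINE pThreadProc;
    DWORD dwExitCode = 0;

    /* Snapshot of every module mapped in the target process. */
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPid);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot () failed %lu \n", (unsigned long)GetLastError());
        return FALSE;
    }

    if (Module32First(hSnap, &me)) {
        do {
            /* Match on either the bare module name or the full image path. */
            if (!_tcsicmp((LPCTSTR)me.szModule, DEF_DLL_NAME) ||
                !_tcsicmp((LPCTSTR)me.szExePath, DEF_DLL_NAME)) {
                bFound = TRUE;
                break;
            }
        } while (Module32Next(hSnap, &me));
    }
    if (!bFound) {
        goto cleanup;
    }

    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                           FALSE, dwPid);
    if (!hProcess) {
        printf("Openprocess failed %lu \n", (unsigned long)GetLastError());
        goto cleanup;   /* original leaked hSnap on this path */
    }

    /* kernel32.dll is mapped at the same base in every process of the same
     * bitness, so our FreeLibrary address is valid inside the target. */
    hKernel32 = GetModuleHandle(TEXT("kernel32.dll"));
    pThreadProc = hKernel32 ? (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary") : NULL;
    if (!pThreadProc) {
        printf("GetProcAddress(FreeLibrary) failed %lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }

    /* The thread parameter must be the module's base address as mapped in
     * the target process (HMODULE == base address). */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, me.modBaseAddr, 0, NULL);
    if (!hThread) {
        printf("CreateRemoteThread failed %lu \n", (unsigned long)GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);

    /* The remote thread returns FreeLibrary()'s BOOL; surface it instead of
     * unconditionally reporting success as the original did. */
    if (GetExitCodeThread(hThread, &dwExitCode)) {
        bResult = (dwExitCode != 0);
    }

cleanup:
    if (hThread) {
        CloseHandle(hThread);
    }
    if (hProcess) {
        CloseHandle(hProcess);
    }
    CloseHandle(hSnap);
    return bResult;
}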
注意点:理解原理,
参考:《逆向工程和核心原理》24章
源码见附件: