[转帖]远程卸载DLL代码
发表于: 2008-8-11 07:47 10920

[转帖]远程卸载DLL代码

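// Forward declaration: the definition follows later in this file, and the
// original used it before it was declared.
DWORD GetProcessIdByName(LPCTSTR name);

/// Locate `modulename` in the process whose executable is `processname` and
/// unmap that module from the process with ZwUnmapViewOfSection (the post
/// text says to resolve that export from ntdll with GetProcAddress).
///
/// @param processname  executable name looked up via GetProcessIdByName.
/// @param modulename   module file name, compared case-insensitively with
///                     MODULEENTRY32::szModule.
/// @return TRUE when the module was found and the unmap call was issued;
///         FALSE when the process is not found or cannot be opened, the
///         module snapshot fails, or the module is not loaded there (the
///         original unmapped an uninitialized `modulebase` in that case).
///
/// NOTE(review): unmapping a section bypasses the loader, so the target gets
/// no detach notification and may crash if it still executes code from that
/// module — confirm this is acceptable for the caller. The DWORD casts of
/// modBaseAddr assume a 32-bit target. The status returned by
/// ZwUnmapViewOfSection is not checked because its declaration is not part of
/// this file.
BOOL UnLoadModules( LPCTSTR processname , LPCTSTR modulename)
{
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
    HANDLE hpro = NULL;
    DWORD modulebase = 0;
    BOOL found = FALSE;
    DWORD pid = GetProcessIdByName(processname);

    // GetProcessIdByName reports "not found" as 0; do not try to open pid 0.
    if( pid == 0 )
    {
        return( FALSE );
    }

    // Least privilege: unmapping a view needs only PROCESS_VM_OPERATION (the
    // same right the other snippet in this file uses), and the handle should
    // not be inheritable. The original asked for PROCESS_ALL_ACCESS with
    // bInheritHandle = TRUE and never checked or closed the handle.
    hpro = OpenProcess( PROCESS_VM_OPERATION, FALSE, pid );
    if( hpro == NULL )
    {
        return( FALSE );
    }

    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pid );
    if( hModuleSnap == INVALID_HANDLE_VALUE )
    {
        CloseHandle( hpro );
        return( FALSE );
    }

    me32.dwSize = sizeof( MODULEENTRY32 );

    if( !Module32First( hModuleSnap, &me32 ) )
    {
        CloseHandle( hModuleSnap );
        CloseHandle( hpro );
        return( FALSE );
    }

    do
    {
        // Diagnostic dump of every module, kept as in the original.
        printf( "\n\n     MODULE NAME:     %s",             me32.szModule );
        printf( "\n     executable     = %s",             me32.szExePath );
        printf( "\n     process ID     = 0x%08X",         me32.th32ProcessID );
        printf( "\n     ref count (g) =     0x%04X",     me32.GlblcntUsage );
        printf( "\n     ref count (p) =     0x%04X",     me32.ProccntUsage );
        printf( "\n     base address   = 0x%08X", (DWORD) me32.modBaseAddr );
        printf( "\n     base size      = %d",             me32.modBaseSize );

        if( !strcmpi( me32.szModule, modulename ) )
        {
            modulebase = (DWORD)me32.modBaseAddr;
            found = TRUE;
            printf("module :%s found at :%x\n",modulename,modulebase);
            break;
        }
    } while( Module32Next( hModuleSnap, &me32 ) );

    CloseHandle( hModuleSnap );

    // Falling out of the loop without a match must not reach the unmap call.
    if( !found )
    {
        CloseHandle( hpro );
        return( FALSE );
    }

    ZwUnmapViewOfSection( hpro, (DWORD)modulebase );
    CloseHandle( hpro );
    return( TRUE );
}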

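/// Return the id of the first process whose executable name equals `name`,
/// or 0 when no process matches or the snapshot cannot be taken.
///
/// @param name  executable file name as shown in PROCESSENTRY32::szExeFile.
/// @return process id, or 0.
///
/// NOTE(review): the comparison is a case-sensitive strcmp, unlike the
/// case-insensitive strcmpi used for module names in UnLoadModules; confirm
/// that callers pass the name with the exact casing of the running image.
DWORD GetProcessIdByName(LPCTSTR name)
{
    PROCESSENTRY32 prostruct;
    DWORD id = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    // CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE; the
    // original passed that straight into Process32First.
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    prostruct.dwSize = sizeof(PROCESSENTRY32);

    // Examine the entry returned by Process32First as well: the original
    // called Process32Next before its first comparison, so the first process
    // in the snapshot was never checked. The snapshot is now closed on every
    // path (the original leaked it when Process32First failed).
    if (Process32First(hSnapshot, &prostruct))
    {
        do
        {
            if (strcmp(prostruct.szExeFile, name) == 0)
            {
                id = prostruct.th32ProcessID;
                break;
            }
            prostruct.dwSize = sizeof(PROCESSENTRY32);
        } while (Process32Next(hSnapshot, &prostruct));
    }

    CloseHandle(hSnapshot);
    return id;
}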

ZwUnmapViewOfSection 是 NTDLL 导出的函数,它的地址自己用 GetProcAddress 取一下就可以引用了


学习123456
//少女式卸载,1参数为PID,2参数为dll名称

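/// Eject the module currently selected in m_modulelist from the process
/// `dwProcessId`: a remote thread runs GetModuleHandleA on the module name
/// (its exit code carries the HMODULE back), then a second remote thread runs
/// FreeLibrary on that handle.
///
/// @param dwProcessId  target process id.
/// @param DllName      currently unused; the module name is read from the
///                     selected row of m_modulelist into DllPath.
/// @return 0 on every path. The original returned FALSE (also 0) on the
///         remote-thread failure path, so callers cannot tell success from
///         failure through the return value; kept for compatibility.
///
/// NOTE(review): FreeLibrary only drops the load count by one, so a module
/// loaded more than once stays mapped, and freeing a module while the target
/// still executes its code can crash the target — confirm the target is in a
/// state where that is acceptable. The HMODULE travels back through a DWORD
/// exit code, and the local kernel32 addresses are used as-is in the target,
/// which assumes a 32-bit target sharing the same kernel32 base — verify.
int UnInjectDll(ULONG dwProcessId,CString DllName)
{
    Quanxian->EnablePriv();   // privilege helper defined elsewhere (see original comment)

    // Resolve the two kernel32 routines the remote threads will start at.
    HMODULE hModule = ::GetModuleHandle("kernel32.dll");
    if (hModule == NULL)
        return 0;
    LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "GetModuleHandleA");
    LPTHREAD_START_ROUTINE pfnFreeRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "FreeLibrary");
    if (pfnStartRoutine == NULL || pfnFreeRoutine == NULL)
        return 0;

    // Module name comes from the list control selection, not from DllName.
    char DllPath[MAX_PATH];
    memset(DllPath, 0, MAX_PATH);
    int nSel = m_modulelist.GetSelectionMark();
    if (nSel < 0)   // nothing selected
        return 0;
    m_modulelist.GetItemText(nSel, 0, DllPath, MAX_PATH);

    // Bytes copied into the target: the name plus its terminator.
    int cbSize = (strlen(DllPath) + 1);

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (NULL == hProcess)
        return 0;

    // Place the module name in the target as the remote thread's argument.
    DWORD dwHandle = 0;
    LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteDllName == NULL ||
        !::WriteProcessMemory(hProcess, lpRemoteDllName, DllPath, cbSize, NULL))
    {
        if (lpRemoteDllName != NULL)
            ::VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return FALSE;
    }

    // First remote thread: GetModuleHandleA(DllPath); wait for its exit code.
    HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
    if (hRemoteThread == NULL)
    {
        ::VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return FALSE;
    }
    ::WaitForSingleObject(hRemoteThread, INFINITE);
    GetExitCodeThread(hRemoteThread, &dwHandle);   // exit code == HMODULE, 0 if not loaded
    ::CloseHandle(hRemoteThread);

    // MEM_RELEASE requires dwSize == 0 and cannot be combined with
    // MEM_DECOMMIT; the original call (cbSize, MEM_RELEASE|MEM_DECOMMIT) is
    // rejected and left the allocation in the target.
    ::VirtualFreeEx(hProcess, lpRemoteDllName, 0, MEM_RELEASE);

    // Second remote thread: FreeLibrary(handle). Skipped when the module is
    // not loaded in the target (handle 0). lpThreadId was &dwProcessId in the
    // original, which overwrote the parameter with the thread id; not needed.
    if (dwHandle != 0)
    {
        hRemoteThread = CreateRemoteThread( hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE)pfnFreeRoutine, (LPVOID)dwHandle, 0, NULL );
        if (hRemoteThread != NULL)
        {
            WaitForSingleObject( hRemoteThread, INFINITE );
            CloseHandle( hRemoteThread );
        }
    }

    CloseHandle(hProcess);
    m_modulelist.DeleteItem(nSel);
    return 0;
}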

//少妇式卸载

// Pointer type for ntdll's NtUnmapViewOfSection, which this file resolves at
// run time with GetProcAddress (see UnloadNtdll below): takes the target
// process handle and the base address of the view, returns a DWORD status.
// NOTE(review): the single-underscore `_stdcall` spelling is accepted by
// MSVC only; `__stdcall` is the usual form.
typedef DWORD (_stdcall *XXXNtUnmapViewOfSection)( HANDLE hProcess, PVOID Address);

/// Sketch, not compilable as written, of unmapping a view in another process
/// with NtUnmapViewOfSection. `PID号` and the two quoted Chinese strings are
/// placeholders the reader is meant to replace with a window title, a process
/// id and a module name.
///
/// NOTE(review): as written the export is looked up on the handle of "the DLL
/// to unload", but NtUnmapViewOfSection lives in ntdll (as the post text
/// says), so that GetProcAddress presumably yields NULL unless the named DLL
/// is ntdll itself. The address handed to the unmap call is the address of
/// NtUnmapViewOfSection, i.e. a page inside ntdll, not the base of the chosen
/// DLL; a later reply observes that the visible effect is the target process
/// dying rather than losing one module. No return value is checked, `bRet` is
/// never used, and the trailing PostMessage only nudges the window.
void UnloadNtdll()
{
PVOID   NtdllAddress;
HANDLE   hProcess;
XXXNtUnmapViewOfSection NtUnmapViewOfSection;
HWND   hWindow;
BOOL   bRet = TRUE;   // unused

// Placeholder: window title of the target.
hWindow = FindWindow( NULL, "你要找的名称");

// PROCESS_VM_OPERATION is the right needed for the unmap; `PID号` is a
// placeholder for the target process id.
hProcess = OpenProcess( PROCESS_VM_OPERATION, FALSE, PID号);

// Placeholder module name; the export is actually in ntdll.dll.
NtUnmapViewOfSection = (XXXNtUnmapViewOfSection)GetProcAddress( GetModuleHandle("你要卸载的dll文件"), "NtUnmapViewOfSection" );

// This is the function's own address, not a module base.
NtdllAddress = (PVOID)NtUnmapViewOfSection;

NtUnmapViewOfSection( hProcess, NtdllAddress);

CloseHandle( hProcess );

PostMessage( hWindow, WM_MOUSEMOVE, 0 , 0);

}
还是少妇好用
  都不好用...太长了.有没两三句搞定的.
写成子函数,那就只有一句了
其实就是用 NtUnmapViewOfSection() 把目标进程中 DLL 基址处的映射卸掉,所以精简一下,写成函数是这样:

// 输入参数:dwProcessId = 目标进程ID,dwBaseAddr = DLL基址
// Unmaps the view at dwBaseAddr inside process dwProcessId through ntdll's
// NtUnmapViewOfSection and returns that call's status code.
// dwProcessId = target process ID, dwBaseAddr = base address of the view.
// NOTE(review): the GetProcAddress and OpenProcess results are not checked,
// so a missing export or an unopenable process reaches the call with a nil
// procedure / zero handle; and FreeLibrary is applied to a handle that
// GetModuleHandle returned without raising the load count.
function UnmapViewOfModule(dwProcessId: DWORD; dwBaseAddr: DWORD): DWORD;
type
  TNtUnmapViewOfSection = function (ProcessHandle: DWORD; BaseAddress: Pointer): DWORD; stdcall;
var
  NtdllHandle: THandle;
  TargetProcess: THandle;
  UnmapProc: TNtUnmapViewOfSection;
begin
  // Use the ntdll already mapped in this process; load it only when absent.
  NtdllHandle := GetModuleHandle('ntdll.dll');
  if NtdllHandle = 0 then
    NtdllHandle := LoadLibrary('ntdll.dll');
  @UnmapProc := GetProcAddress(NtdllHandle, 'NtUnmapViewOfSection');

  TargetProcess := OpenProcess(PROCESS_ALL_ACCESS, True, dwProcessId);
  Result := UnmapProc(TargetProcess, Pointer(dwBaseAddr));
  CloseHandle(TargetProcess);
  FreeLibrary(NtdllHandle);
end;

设置一下 dwBaseAddr  就行了,调用起来也就两句话:
tmpModule := LoadLibrary('ntdll.dll');     // 卸载目标进程的ntdll.dll
UnmapViewOfModule(<目标进程ID>, tmpModule);  // 效果是直接杀死目标进程
MS就是从我那里转的
http://hi.baidu.com/sysnap/blog/item/c535d30f1802e12f6159f31f.html

呵呵。。。其实这只是RING3的。。。不过现在是用MM系列来卸载DLL了
哎,为什么不把来源讲讲,莫非LZ就是,
http://hi.baidu.com/antirootkit/blog