3 楼
//少女式卸载,1参数为PID,2参数为dll名称
int UnInjectDll(ULONG dwProcessId,CString DllName)
{
    // Forces a DLL out of another process by running GetModuleHandleA and then
    // FreeLibrary on threads created inside that process. The module name is NOT
    // taken from the DllName parameter (unused in this function) but from the row
    // currently selected in the m_modulelist list control.
    // Sequence: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
    // WriteProcessMemory -> CreateRemoteThread. This is the textbook remote-thread
    // pattern; on the defensive side it is exactly the cross-process write plus
    // remote-thread-creation combination that kernel callbacks / ETW-based
    // detections key on.
    // Return value: FALSE when the first remote thread cannot be created, 0 in
    // every other case (including an OpenProcess failure), so callers cannot
    // distinguish success from failure.
    const DWORD dwThreadSize = 4096; // unused in this function
    Quanxian->EnablePriv(); // defined elsewhere; presumably adjusts a token privilege before OpenProcess
    // Preparation for the remote threads. Both routine addresses come from the
    // kernel32 mapped in *this* process and are used as thread start routines in
    // the target, which relies on kernel32 sharing the same base address there.
    HMODULE hModule=::GetModuleHandle("kernel32.dll");
    // GetModuleHandleA(lpModuleName) takes one pointer-sized argument and returns
    // an HMODULE, so it can stand in for a LPTHREAD_START_ROUTINE: the module
    // handle becomes the remote thread's exit code (read back further down).
    LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "GetModuleHandleA");
    LPTHREAD_START_ROUTINE pfnFreeRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "FreeLibrary");
    char DllPath[MAX_PATH];
    memset(DllPath, 0, MAX_PATH);
    // Module name comes from column 0 of the selected list-control row.
    int nSel = m_modulelist.GetSelectionMark();
    m_modulelist.GetItemText(nSel, 0, DllPath, MAX_PATH);
    // Size of the remote buffer for the name, including the terminating NUL.
    int cbSize = (strlen(DllPath) + 1);
    // End of preparation.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if(NULL != hProcess)
    {
        DWORD dwHandle;
        // Allocate in the target and copy the name there; it is the argument of
        // the first remote thread. Neither return value is checked, so a NULL
        // allocation is passed straight on to WriteProcessMemory/CreateRemoteThread.
        LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
        ::WriteProcessMemory(hProcess, lpRemoteDllName, DllPath, cbSize, NULL);
        // Thread 1: GetModuleHandleA(lpRemoteDllName) inside the target, started immediately.
        HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
        if(hRemoteThread == NULL)
        {
            // The remote buffer allocated above is not freed on this path.
            CloseHandle(hProcess);
            return FALSE;
        }
        // Wait for GetModuleHandleA to return; its HMODULE is the thread exit code.
        // NOTE(review): the exit code is a DWORD, so the handle only round-trips
        // intact on a 32-bit build — confirm the intended target architecture.
        ::WaitForSingleObject(hRemoteThread, INFINITE);
        GetExitCodeThread( hRemoteThread, &dwHandle );
        // Release the buffer in the target.
        // NOTE(review): per the VirtualFreeEx contract MEM_RELEASE requires a size
        // of 0 and may not be combined with MEM_DECOMMIT, so this call is expected
        // to fail and leave the remote buffer allocated — verify.
        VirtualFreeEx( hProcess, lpRemoteDllName, cbSize, MEM_RELEASE|MEM_DECOMMIT);
        ::CloseHandle(hRemoteThread);
        // Thread 2: FreeLibrary(dwHandle) inside the target.
        // NOTE(review): the last argument is &dwProcessId, so the new thread id
        // overwrites the dwProcessId parameter; the returned handle is also not
        // checked for NULL before the Wait/CloseHandle below.
        hRemoteThread = CreateRemoteThread( hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE)pfnFreeRoutine, (LPVOID)dwHandle, 0, &dwProcessId );
        // Wait for FreeLibrary to finish.
        WaitForSingleObject( hRemoteThread, INFINITE );
        CloseHandle( hRemoteThread );
        CloseHandle(hProcess);
        // Drop the row from the UI list once the module is gone.
        m_modulelist.DeleteItem(nSel);
    }
    return 0;
}
//少妇式卸载
// Function-pointer type for ntdll's NtUnmapViewOfSection, which is resolved at
// run time with GetProcAddress; __stdcall convention, return value (an NTSTATUS)
// declared here as a plain DWORD.
typedef DWORD (_stdcall *XXXNtUnmapViewOfSection)( HANDLE hProcess, PVOID Address);
void UnloadNtdll()
{
    // Template (not compilable as-is: the window title, the process id and the
    // module name below are Chinese placeholders) for unmapping a module view
    // from another process with NtUnmapViewOfSection.
    PVOID NtdllAddress;
    HANDLE hProcess;
    XXXNtUnmapViewOfSection NtUnmapViewOfSection;
    HWND hWindow;
    BOOL bRet = TRUE; // unused
    // Placeholder: title of the target's window; the result is not checked.
    hWindow = FindWindow( NULL, "你要找的名称");
    // PROCESS_VM_OPERATION is the only right requested; `PID号` is a placeholder
    // for the target process id. The handle is not checked for NULL.
    hProcess = OpenProcess( PROCESS_VM_OPERATION, FALSE, PID号);
    // Resolves NtUnmapViewOfSection from the module named in the placeholder
    // (that module must export the name — ntdll does). No NULL checks on either call.
    NtUnmapViewOfSection = (XXXNtUnmapViewOfSection)GetProcAddress( GetModuleHandle("你要卸载的dll文件"), "NtUnmapViewOfSection" );
    // The address handed to the target is the function's own address in *this*
    // process, i.e. a location inside that module's mapping here; the call only
    // reaches the intended view if the target has the module at the same base.
    NtdllAddress = (PVOID)NtUnmapViewOfSection;
    NtUnmapViewOfSection( hProcess, NtdllAddress);
    CloseHandle( hProcess );
    // Posts a mouse-move to the target window afterwards; the purpose is not
    // shown by the code (presumably to wake the target's message loop).
    PostMessage( hWindow, WM_MOUSEMOVE, 0 , 0);
}
5 楼
都不好用...太长了.有没有两三句搞定的?
6 楼
写成子函数,那就只有一句了
7 楼
其实就是用NtUnmapViewOfSection()按基址卸载目标进程中的DLL,所以精简一下,写成函数是这样:
// 输入参数:dwProcessId = 目标进程ID,dwBaseAddr = DLL基址
// Unmaps the view at dwBaseAddr from process dwProcessId via ntdll's
// NtUnmapViewOfSection and returns that call's status (an NTSTATUS, declared
// here as DWORD). There is no error handling: a nil GetProcAddress result or a
// zero process handle is used as-is.
function UnmapViewOfModule(dwProcessId: DWORD; dwBaseAddr: DWORD): DWORD;
var
  hModule, hProcess: THandle;
  NtUnmapViewOfSection: function (ProcessHandle: DWORD; BaseAddress: Pointer): DWORD; stdcall;
begin
  // ntdll is normally already mapped in every process, so the LoadLibrary
  // fallback is rarely taken.
  hModule := GetModuleHandle('ntdll.dll');
  if (hModule = 0) then
    hModule := LoadLibrary('ntdll.dll');
  @NtUnmapViewOfSection := GetProcAddress( hModule, 'NtUnmapViewOfSection');
  // NOTE(review): PROCESS_ALL_ACCESS plus an inheritable handle (TRUE) is more
  // than a single unmap call needs — confirm the minimal access right.
  hProcess := OpenProcess( PROCESS_ALL_ACCESS, TRUE, dwProcessId );
  Result := NtUnmapViewOfSection( hProcess, Pointer(dwBaseAddr) );
  CloseHandle( hProcess );
  // NOTE(review): FreeLibrary is also reached when hModule came from
  // GetModuleHandle, which added no reference; harmless for ntdll, but the
  // acquire/release pair is not balanced.
  FreeLibrary(hModule);
end;
设置一下 dwBaseAddr 就行了,调用起来也就两句话:
// Example call. LoadLibrary returns the base of ntdll.dll in *this* process;
// passing it as dwBaseAddr assumes the target maps ntdll at the same address.
// <目标进程ID> is a placeholder for the target process id.
tmpModule := LoadLibrary('ntdll.dll'); // base of ntdll, the module to unmap in the target
UnmapViewOfModule(<目标进程ID>, tmpModule); // effect: the target process dies outright
8 楼
MS就是从我那里转的
http://hi.baidu.com/sysnap/blog/item/c535d30f1802e12f6159f31f.html
呵呵。。。其实这只是RING3的。。。不过现在是用MM系列来卸载DLL了
9 楼
哎,为什么不把来源讲讲,莫非LZ就是,
http://hi.baidu.com/antirootkit/blog