首页
社区
课程
招聘
[求助]如何远程卸载DLL?
发表于: 2009-8-18 15:03 4434

[求助]如何远程卸载DLL?

2009-8-18 15:03
4434
我在网上找的如下代码,为什么运行不成功??
会导致目标进程出错退出

function RemoteThread:Integer;
asm
  call @Delta
@Delta:
  pop ebp
  sub ebp,offset @Delta
  //---- get kernel32.dll base
  mov eax,fs:[0]
@FindSEHEnding:
  cmp Dword ptr [eax],$FFFFFFFF
  je @FoundSEHEnding
  mov eax,[eax]
  jmp @FindSEHEnding
@FoundSEHEnding:
  mov eax,[eax+4]
  xor ax,ax
@FindKnlHead:
  sub eax,$10000
  cmp word ptr [eax],$5A4D
  jne @FindKnlHead
  mov ebx,eax  //kernel32 base
  //---- get GetProcAddress address
  mov eax,[eax+$3c]
  add eax,ebx
  mov edx,[eax+$78]
  add edx,ebx  //ExportTable
  mov edi,[edx+$1c]
  add edi,ebx  //APIAddrTable
  mov esi,[edx+$20]
  add esi,ebx  //APINameTable
  //-- Search 'GetProcAddress'
  xor ecx,ecx  //counter
@Find_ocAd:
  mov eax,[esi]
  add eax,ebx
  cmp dword ptr [eax+5],$6441636f  //GetPr'ocAd'dress
  je @Found_ocAd
@Find_ocAd_:
  add ecx,4
  add esi,4
  jmp @Find_ocAd
@Found_ocAd:
  cmp word ptr [eax+$0d],$73  //GetProcAddres's\0'
  jne @Find_ocAd_  //eax: 'GetProcAddress'
  //-- Get GetProcAddress address
  mov esi,edi
  add esi,ecx
  mov esi,[esi]
  add esi,ebx  //GetProcAddress
  //---- Free the Library
  call @StrGetModuleHandle
  db 'GetModuleHandleA',0
@StrGetModuleHandle:
  push ebx
  call esi
  mov edi,eax  //GetModuleHandleA
  call @StrFreeLibrary
  db 'FreeLibrary',0
@StrFreeLibrary:
  push ebx
  call esi
  mov esi,eax  //FreeLibrary
  lea ecx,[ebp+@DLLName]
  push ecx
  call edi  //GetModuleHandle(DLLName)
  push eax
  call esi  //FreeLibrary(GetModuleHandle(DLLName))
  retn
//77E66364  47 65 74 50 72 6F 63 41 64 64 72 65 73 73        GetProcAddress
//B8 00 00 E4 77 BB 00 00 E4 77 8B 40 3C 03 C3 8B 50 78 03 D3 8B 7A 1C 03 FB 8B 72 20 03 F3 33 C9
//8B 06 03 C3 81 78 05 6F 63 41 64 74 08 83 C1 04 83 C6 04 EB EB 66 83 78 0E 73 75 F1 8B C7 03 C1
//8B 00 03 C3

@DLLName: DD 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
  //256字节,用于存放要缷载的DLL名
end;

procedure TForm1.Button6Click(Sender: TObject);
var
i,j:Integer;
    pid,phan,pthread:dword;
    tmpBuf:array[0..256]of char;
    rtnVal:Dword;
    tmpChar:pchar;
    pmem:Pointer;
    mbi:TMemoryBasicInformation;
begin
     hw:=findwindow('TForm1','pmview v0.9 for XP');
      GetWindowThreadProcessId(hw,pid);

      phan:=OpenProcess(PROCESS_ALL_ACCESS,true,pid);

        j:=Length('C:\Program Files\360safe\safemon\safemon.dll');
        tmpChar:=PChar('C:\Program Files\360safe\safemon\safemon.dll');
        VirtualQuery(@RemoteThread,mbi,28);
        VirtualProtect(@RemoteThread,1024,PAGE_EXECUTE_READWRITE,@mbi);
        asm
          pushad
          lea edi,RemoteThread
          add edi,$AB
          mov ecx,64
         @ZeroBuffer:
          mov dword ptr [edi],0
          add edi,4
          dec ecx
          jnz @ZeroBuffer
          lea edi,RemoteThread      
          add edi,$AB
          mov esi,tmpChar
          mov ecx,j
          rep movsb
          popad
        end;     
        pmem:=VirtualAllocEx(phan,nil,1024,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(phan,pmem,@RemoteThread,1024,rtnVal);
        pthread:=CreateRemoteThread(phan,nil,0,pmem,nil,0,rtnVal);
            if pthread<>0 then begin
            MessageBox(0,'成功运行远程线程。','信息...',0);
           //Button4Click(Sender);  //refresh the list.
            end else
            MessageBox(0,'创建远程线程失败。','信息...',0);
      VirtualFreeEx(phan,pmem,1024,MEM_DECOMMIT);
      CloseHandle(phan);
end;

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 135
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
我这有几年前写的C语言版本,你拿去看下吧:
BOOL UnloadDll(DWORD dwPid, char *strDllName)
{
        HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
                FALSE, dwPid);
        if(hProcess == NULL){
                return FALSE;
        }
       
        DWORD dwSize = 0;
        DWORD dwWritten = 0;
        DWORD dwHandle = 0;
       
        dwSize = strlen(strDllName)+ 1;
        LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
        if(!WriteProcessMemory(hProcess, lpBuf, (LPVOID)strDllName, dwSize, &dwWritten))
        {   
                VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
                CloseHandle(hProcess);
                return FALSE;
        }
        LPVOID pFun = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA");
       
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
                lpBuf, 0, NULL);
        if(hThread == NULL){
                CloseHandle(hProcess);
                return FALSE;
        }
        WaitForSingleObject(hThread, INFINITE);
        GetExitCodeThread(hThread, &dwHandle);
       
        VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
        CloseHandle(hThread);
       
        pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibraryAndExitThread");
        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,(LPVOID)dwHandle, 0, NULL);   
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        CloseHandle(hProcess);
       
        return TRUE;
}
2009-8-18 22:24
0
游客
登录 | 注册 方可回帖
返回
//