CreateRemoteThread卸载DLL在DEBUG下可以,但Release下失败,且无任何提示(我设置的失败应该有msg),怎么弄?
基本思路是打开目标进程,修改内存,写入代码,启动远程线程,虽然网上有更好的我我主要想弄清问题所在,请高手指导。
struct MyData
{
HMODULE inmodule; // 传入的模块地址
DWORD dwFreeLibrary; // FreeLibrary的地址
};
//远程卸载函数
DWORD __stdcall RMTFunc(MyData *pData)
{
typedef int(__stdcall*MFreeLibrary)(HMODULE);
MFreeLibrary Mfremod = (MFreeLibrary)pData->dwFreeLibrary;
Mfremod(pData->inmodule);
return 0;
}
bool Killmod(LPCTSTR inCurprocId,LPCTSTR Modadre,bool ShowMsg)
{
//远程注入CurprocId指定的进程,卸载Modadre地址处的DLL
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,_wtoi(inCurprocId));
// ========= 代码结构 =============================
MyData data;
ZeroMemory(&data, sizeof (MyData));
data.inmodule=(HMODULE)_wtol( Modadre);
HINSTANCE hUser = LoadLibrary(L"kernel32.dll");
if (! hUser)
{
if(ShowMsg) MessageBox(NULL,L"在载入kernel32模块时失败,请确认该DLL是\n否存在,卸载不能继续。",L"卸载失败",MB_ICONSTOP|MB_OK);
return false;
}
data.dwFreeLibrary = (DWORD)GetProcAddress(hUser,(LPCSTR)"FreeLibrary");
FreeLibrary(hUser);
if (! data.dwFreeLibrary)
{
if(ShowMsg) MessageBox(NULL,L"获取系统卸载函数失败,请确认kernel32是否\n正常,卸载不能继续",L"卸载失败",MB_ICONSTOP|MB_OK);
return false;
}
// ======= 分配空间备远程注入====================
void *pRemoteThread=VirtualAllocEx(hProcess,0,1024*4, MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (!pRemoteThread)
{
if(ShowMsg) MessageBox(NULL,L"目标进程内存修改失败,可能你没有此权限或\n安全软件不允许你这样做,卸载不能继续。",L"卸载失败",MB_ICONSTOP|MB_OK);
return false;
}
if (!WriteProcessMemory(hProcess,pRemoteThread,&RMTFunc,1024*4,0))
{
if(ShowMsg) MessageBox(NULL,L"目标进程内存写入失败,可能你没有此权限或\n安全软件不允许你这样做,卸载不能继续。",L"卸载失败",MB_ICONSTOP|MB_OK);
return false;
}
MyData *pData = (MyData*)VirtualAllocEx(hProcess,0,sizeof (MyData), MEM_COMMIT,PAGE_READWRITE);
if (!pData)
{
if(ShowMsg) MessageBox(NULL,L"目标进程内存写入失败,可能你没有此权限或\n安全软件不允许你这样做,卸载不能继续。",L"卸载失败",MB_ICONSTOP|MB_OK);
return false;
}
if (! WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0))
{
if(ShowMsg) MessageBox(NULL,L"目标进程内存写入失败,可能你没有此权限或安\n全软件不允许你这样做,卸载不能继续。",L"卸载失败",MB_ICONSTOP|MB_OK);
return false;
}
// =========== 启动远程线程==================
HANDLE hThread =CreateRemoteThread(hProcess, 0,0, (LPTHREAD_START_ROUTINE)pRemoteThread,pData, 0, 0);
if (! hThread)
{
if(ShowMsg) MessageBox(NULL,L"远程线程启动失败,可能你没有此权限或安\n全软件不允许你这样做,卸载不能继续。",L"卸载失败",MB_ICONSTOP|MB_OK);
return false;
}
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteThread, 1024*3, MEM_RELEASE);
VirtualFreeEx(hProcess, pData, sizeof (MyData), MEM_RELEASE);
CloseHandle(hProcess);
return true;
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
