sr3330 Posted November 15, 2014 Posted November 15, 2014 I want to unload some module in a process . I use this function : bool UnInjectDll(const TCHAR* ptszDllFile, DWORD dwProcessId) { if (NULL == ptszDllFile || 0 == ::_tcslen(ptszDllFile)) { return false; } HANDLE hModuleSnap = INVALID_HANDLE_VALUE; HANDLE hProcess = NULL; HANDLE hThread = NULL; hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); if (INVALID_HANDLE_VALUE == hModuleSnap) { return false; } MODULEENTRY32 me32; memset(&me32, 0, sizeof(MODULEENTRY32)); me32.dwSize = sizeof(MODULEENTRY32); if(FALSE == ::Module32First(hModuleSnap, &me32)) { ::CloseHandle(hModuleSnap); return false; } bool isFound = false; do { isFound = (0 == ::_tcsicmp(me32.szModule, ptszDllFile) || 0 == ::_tcsicmp(me32.szExePath, ptszDllFile)); if (isFound) { break; } } while (TRUE == ::Module32Next(hModuleSnap, &me32)); ::CloseHandle(hModuleSnap); if (false == isFound) { return false; } hProcess = ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, dwProcessId); if (NULL == hProcess) { return false; } LPTHREAD_START_ROUTINE lpThreadFun = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "FreeLibrary"); if (NULL == lpThreadFun) { ::CloseHandle(hProcess); return false; } hThread = ::CreateRemoteThread(hProcess, NULL, 0, lpThreadFun, me32.modBaseAddr , 0, NULL); if (NULL == hThread) { ::CloseHandle(hProcess); return false; } ::WaitForSingleObject(hThread, INFINITE); ::CloseHandle(hThread); ::CloseHandle(hProcess); return true; } but when I use this code it can not special module that I want to unload from project , I also use "process detective" tool for doing this but this tool can not do this also.now I want a function that I sure can unload a special module from a process i want.
Aguila Posted November 15, 2014 Posted November 15, 2014 Read the doc http://msdn.microsoft.com/en-us/library/windows/desktop/ms683152%28v=vs.85%29.aspxand check the return value of this function
kao Posted November 16, 2014 Posted November 16, 2014 1) As Aguila said - check the return codes.2) Only dynamically loaded DLLs can be removed from the process. If DLL is referenced in main exe import table, you won't be able to unload it. See: http://www.securityxploded.com/dllrefcount.php
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now