Posted November 15, 201410 yr I want to unload some module in a process . I use this function : bool UnInjectDll(const TCHAR* ptszDllFile, DWORD dwProcessId) { if (NULL == ptszDllFile || 0 == ::_tcslen(ptszDllFile)) { return false; } HANDLE hModuleSnap = INVALID_HANDLE_VALUE; HANDLE hProcess = NULL; HANDLE hThread = NULL; hModuleSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); if (INVALID_HANDLE_VALUE == hModuleSnap) { return false; } MODULEENTRY32 me32; memset(&me32, 0, sizeof(MODULEENTRY32)); me32.dwSize = sizeof(MODULEENTRY32); if(FALSE == ::Module32First(hModuleSnap, &me32)) { ::CloseHandle(hModuleSnap); return false; } bool isFound = false; do { isFound = (0 == ::_tcsicmp(me32.szModule, ptszDllFile) || 0 == ::_tcsicmp(me32.szExePath, ptszDllFile)); if (isFound) { break; } } while (TRUE == ::Module32Next(hModuleSnap, &me32)); ::CloseHandle(hModuleSnap); if (false == isFound) { return false; } hProcess = ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, FALSE, dwProcessId); if (NULL == hProcess) { return false; } LPTHREAD_START_ROUTINE lpThreadFun = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "FreeLibrary"); if (NULL == lpThreadFun) { ::CloseHandle(hProcess); return false; } hThread = ::CreateRemoteThread(hProcess, NULL, 0, lpThreadFun, me32.modBaseAddr , 0, NULL); if (NULL == hThread) { ::CloseHandle(hProcess); return false; } ::WaitForSingleObject(hThread, INFINITE); ::CloseHandle(hThread); ::CloseHandle(hProcess); return true; } but when I use this code it can not special module that I want to unload from project , I also use "process detective" tool for doing this but this tool can not do this also.now I want a function that I sure can unload a special module from a process i want.
November 15, 201410 yr Read the doc http://msdn.microsoft.com/en-us/library/windows/desktop/ms683152%28v=vs.85%29.aspxand check the return value of this function
November 16, 201410 yr 1) As Aguila said - check the return codes.2) Only dynamically loaded DLLs can be removed from the process. If DLL is referenced in main exe import table, you won't be able to unload it. See: http://www.securityxploded.com/dllrefcount.php
Create an account or sign in to comment