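/*
 * Unload a module that is loaded in another process
 * (posted by webfly, 2006-10-21; the banner credits Rhett, 2006.1.16).
 *
 * Usage: <exe> <module name> <process id>
 *
 * Takes a Toolhelp module snapshot of the target, looks up <module name>,
 * then starts a thread inside the target that calls kernel32!FreeLibrary on
 * that module's base address. The thread body (ThreadProc) and its parameter
 * block (RemotePara) are written into the target with WriteProcessMemory.
 *
 * 32-bit only: addresses travel as DWORD. Writing code into another process
 * and starting a thread in it is exactly the pattern endpoint monitoring
 * flags (WriteProcessMemory followed by CreateRemoteThread), and the target
 * must grant the rights listed at OpenProcess below, so expect failure on
 * protected or higher-integrity processes.
 */
#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parameter block copied into the target process for ThreadProc. */
typedef struct RemoteInfo {
    DWORD dwLoadLibrary; /* address of kernel32!FreeLibrary (historical field name) */
    DWORD ModuleAddr;    /* base address of the module to unload */
} RemotePara;

enum {
    REMOTE_CODE_SIZE = 2048, /* bytes of ThreadProc copied into the target (from the original) */
    REMOTE_WAIT_MS = 10000   /* bound on the wait for the remote call; value chosen here */
};

/*
 * Runs inside the target process. Calls FreeLibrary(ModuleAddr) through the
 * function pointer carried in the parameter block and returns 0.
 *
 * main() copies this function into the target as raw bytes, so it must not
 * depend on anything at its original address: no globals, no string
 * literals, no calls other than through the pointer it is handed.
 */
DWORD WINAPI ThreadProc(RemotePara *lpPara)
{
    typedef BOOL (__stdcall *pFreeLibrary)(DWORD);
    pFreeLibrary fnFreeLibrary = (pFreeLibrary)lpPara->dwLoadLibrary;
    fnFreeLibrary(lpPara->ModuleAddr); /* ModuleAddr is the module's base address */
    return 0;
}

/*
 * Entry point.
 *   argv[1]  module name as listed in the target's module snapshot
 *   argv[2]  target process id, decimal
 * Returns 0 when the remote FreeLibrary thread ran to completion, 1 otherwise.
 */
int main(int argc, char *argv[])
{
    if (argc != 3) {
        printf("Remote Modules Uninject Tool by Rhett 2006.1.16\n");
        printf("%s Module name Process id\n", argv[0]);
        return 1;
    }

    /* strtoul rather than atoi: a non-numeric pid is rejected instead of silently becoming 0. */
    char *end = NULL;
    unsigned long pid = strtoul(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || pid == 0) {
        printf("bad process id: %s\n", argv[2]);
        return 1;
    }

    RemotePara pRemoteCallParam = {0}; /* .ModuleAddr receives the base address found below */
    BOOL bFind = FALSE;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, (DWORD)pid);
    if (INVALID_HANDLE_VALUE == hSnapshot) {
        printf("snapshot failed\n");
        return 1;
    }
    MODULEENTRY32 ModuleStor;
    ModuleStor.dwSize = sizeof(MODULEENTRY32);
    /* Module32Next is checked on every step: the original looped on bFind alone
       and spun forever when the module was not in the list. Module names are
       file names, so the comparison is case-insensitive. %p replaces the %x
       that was being given a pointer. */
    for (BOOL more = Module32First(hSnapshot, &ModuleStor); more;
         more = Module32Next(hSnapshot, &ModuleStor)) {
        printf("%s", ModuleStor.szModule);
        printf("\t%p\n", (void *)ModuleStor.modBaseAddr);
        if (_stricmp(ModuleStor.szModule, argv[1]) == 0) {
            pRemoteCallParam.ModuleAddr = (DWORD)(ULONG_PTR)ModuleStor.modBaseAddr;
            bFind = TRUE;
            break;
        }
    }
    CloseHandle(hSnapshot);
    if (!bFind) {
        printf("module %s not found in process %lu\n", argv[1], pid);
        return 1;
    }
    /* The original then assigned ModuleAddr = 0x10000000 unconditionally, discarding
       the address it had just looked up; that leftover is removed. */

    /* Only the rights CreateRemoteThread/WriteProcessMemory need, not PROCESS_ALL_ACCESS. */
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                  PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                  FALSE, (DWORD)pid);
    if (hProcess == NULL) {
        printf("open process failed (error %lu)\n", GetLastError());
        return 1;
    }

    /* Everything below is released at cleanup:, so it is all declared before the first goto. */
    int rc = 1;
    RemotePara *pRPCParam = NULL;
    PVOID pRemoteThread = NULL;
    HANDLE hThread = NULL;
    DWORD waitResult = WAIT_FAILED;

    /* GetModuleHandle instead of LoadLibrary: kernel32 is already mapped here, and the
       original never paired its LoadLibrary with a FreeLibrary. The address is handed to
       the target as-is, so this relies on kernel32 having the same base in both processes. */
    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    if (hKernel32 == NULL) {
        printf("kernel32 not found\n");
        goto cleanup;
    }
    pRemoteCallParam.dwLoadLibrary = (DWORD)(ULONG_PTR)GetProcAddress(hKernel32, "FreeLibrary");
    if (pRemoteCallParam.dwLoadLibrary == 0) {
        printf("GetProcAddress(FreeLibrary) failed\n");
        goto cleanup;
    }

    pRPCParam = (RemotePara *)VirtualAllocEx(hProcess, NULL, sizeof(RemotePara),
                                             MEM_COMMIT, PAGE_READWRITE);
    if (pRPCParam == NULL) {
        printf("virtualallocex failed\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pRPCParam, &pRemoteCallParam,
                            sizeof(pRemoteCallParam), NULL)) {
        printf("writeprocessmemory (parameters) failed\n");
        goto cleanup;
    }

    /* ThreadProc is copied as a fixed REMOTE_CODE_SIZE blob, as the original did. That
       assumes the function is shorter than the blob and that the bytes after it are
       readable; C gives no such guarantee, so this is the fragile part of the tool
       (a build that emits jump thunks or relocated calls will not survive the copy). */
    pRemoteThread = VirtualAllocEx(hProcess, NULL, REMOTE_CODE_SIZE, MEM_COMMIT,
                                   PAGE_EXECUTE_READWRITE);
    if (pRemoteThread == NULL) {
        printf("second virtualallocex failed\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pRemoteThread, (LPCVOID)ThreadProc,
                            REMOTE_CODE_SIZE, NULL)) {
        printf("writeprocessmemory (code) failed\n");
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteThread,
                                 pRPCParam, 0, NULL);
    if (hThread == NULL) {
        printf("createremotethread failed\n");
        goto cleanup;
    }
    /* Bounded wait (the original did not wait at all). FreeLibrary can run the
       module's DllMain under the loader lock, so an unbounded wait could hang this
       tool if the target is wedged. */
    waitResult = WaitForSingleObject(hThread, REMOTE_WAIT_MS);
    if (waitResult == WAIT_OBJECT_0) {
        rc = 0;
    } else {
        printf("remote thread did not finish (wait result %lu)\n", waitResult);
    }

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    /* Release the target-side memory only once the thread is known to have exited
       (or was never created); freeing the code page under a running thread would
       crash the target. */
    if (waitResult == WAIT_OBJECT_0 || hThread == NULL) {
        if (pRemoteThread != NULL) {
            VirtualFreeEx(hProcess, pRemoteThread, 0, MEM_RELEASE);
        }
        if (pRPCParam != NULL) {
            VirtualFreeEx(hProcess, pRPCParam, 0, MEM_RELEASE);
        }
    }
    CloseHandle(hProcess);
    return rc;
}

/* Reference suggested in the original thread: http://www.wesoho.com/article.asp?id=1960 */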