  • 逆向工程核心原理——第二十四章

    上一章我们将myhack.dll注入进了notepad,这一章我们就将学习,如何卸载DLL

    同上一章注入myhack.dll时使用了exe文件一样,卸载dll也需要使用exe。

    下面这个代码是在CSDN上找到的一个既可以注入DLL也可以卸载DLL的代码

    使用时需要输入三个参数

    1.注入还是卸载(0表示注入,1表示卸载)

    2.DLL的路径, 注入需要完整路径(目标进程用自己的令牌加载该文件,路径必须可信),卸载只需要名字就够了(按模块文件名或完整路径不区分大小写匹配)

    3.需要注入或卸载的进程名字 这里添加了改进,只需要输入进程名字程序会查找PID(不区分大小写;若有多个同名进程,取快照中的第一个)。

    //EjectDLL
    //InjectDLL
    
    #include"windows.h"
    #include"tlhelp32.h"
    #include<tchar.h>
    
    
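    /*
     * Return the PID of the first running process whose image name equals
     * szProcessName (case-insensitive, e.g. L"notepad.exe"), or 0xFFFFFFFF when
     * no such process exists, the name is NULL, or the snapshot could not be
     * taken or walked.
     *
     * NOTE(review): several processes may share one image name; only the first
     * one listed in the snapshot is returned, so the caller may end up acting
     * on a different instance than intended.
     */
    DWORD FindProcessID(LPCTSTR szProcessName)
    {
        DWORD dwPID = 0xFFFFFFFF;
        PROCESSENTRY32 pe = { 0 };
        HANDLE hSnapShot;

        if (szProcessName == NULL)
            return dwPID;

        /* Only the process list is needed. TH32CS_SNAPALL also walks every heap
         * and module of every process, which is slow and fails more often. */
        pe.dwSize = sizeof(pe);
        hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapShot == INVALID_HANDLE_VALUE)
        {
            _tprintf(L"CreateToolhelp32Snapshot error: %lu\n", GetLastError());
            return dwPID;
        }

        /* Process32First can fail (e.g. ERROR_BAD_LENGTH); pe is unfilled then,
         * so it must not be compared. The original ignored this return value. */
        if (Process32First(hSnapShot, &pe))
        {
            do
            {
                if (_tcsicmp(szProcessName, pe.szExeFile) == 0)
                {
                    dwPID = pe.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnapShot, &pe));
        }

        CloseHandle(hSnapShot);
        return dwPID;
    }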
    //提升权限
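    /*
     * Enable (bEnablePrivilege != FALSE) or disable the privilege named by
     * lpszPrivilege (e.g. SE_DEBUG_NAME) in the current process token.
     *
     * Returns TRUE only when the privilege is now in the requested state.
     * Returns FALSE when the token cannot be opened, the name is unknown, or
     * the token does not hold the privilege at all: AdjustTokenPrivileges then
     * still returns TRUE but sets ERROR_NOT_ALL_ASSIGNED, which is what a
     * non-elevated user sees when asking for SeDebugPrivilege.
     *
     * Fixes versus the original: the token handle was never closed, and the
     * OpenProcessToken failure was reported as a LookupPrivilegeValue error.
     */
    BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
    {
        TOKEN_PRIVILEGES tp = { 0 };
        HANDLE hToken = NULL;
        LUID luid;
        BOOL bOk = FALSE;

        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            _tprintf(L"OpenProcessToken error: %lu\n", GetLastError());
            return FALSE;
        }
        if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
        {
            _tprintf(L"LookupPrivilegeValue error: %lu\n", GetLastError());
            goto cleanup;
        }

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
        {
            _tprintf(L"AdjustTokenPrivileges error: %lu\n", GetLastError());
            goto cleanup;
        }
        /* A TRUE return does not mean the privilege was adjusted; the token may
         * simply not contain it. GetLastError must be read right after the call. */
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            _tprintf(L"the token does not have the specified privilege.\n");
            goto cleanup;
        }
        bOk = TRUE;

    cleanup:
        CloseHandle(hToken);
        return bOk;
    }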
    
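    /*
     * Unload the module szDllName (compared case-insensitively against both the
     * module file name and its full path) from process dwPID by running
     * FreeLibrary on a remote thread with the module's base address as argument.
     *
     * Returns TRUE only when the remote FreeLibrary ran and reported success;
     * FALSE when the module is not loaded, the process cannot be opened, the
     * thread cannot be created, or FreeLibrary returned FALSE in the target.
     *
     * Caveats a user should know:
     *  - FreeLibrary drops one reference. A DLL loaded more than once, or one
     *    pinned by the loader, stays mapped after a single eject.
     *  - The FreeLibrary address is resolved in *this* process's kernel32 and
     *    reused in the target. That only works when both map kernel32 at the
     *    same base: same bitness, same boot session (system DLLs are rebased
     *    by ASLR once per boot).
     *  - A 32-bit build cannot enumerate a 64-bit target's modules (the
     *    snapshot call fails) and vice versa.
     *
     * Fixes versus the original: the snapshot handle was leaked when
     * OpenProcess failed, the snapshot and remote-thread results were never
     * checked, and PROCESS_ALL_ACCESS is replaced by the rights
     * CreateRemoteThread actually needs.
     */
    BOOL EjectDll(DWORD dwPID, LPCTSTR szDllName)
    {
        HANDLE hSnapshot, hProcess = NULL, hThread = NULL;
        MODULEENTRY32 me = { sizeof(me) };
        HMODULE hKernel32;
        LPTHREAD_START_ROUTINE pThreadProc;
        DWORD dwExit = 0;
        BOOL bFound = FALSE, bOk = FALSE, bMore;

        if (szDllName == NULL)
            return FALSE;

        /* TH32CS_SNAPMODULE32 lets a 64-bit injector also see a WoW64 target's
         * 32-bit modules; it is ignored by a 32-bit build. */
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwPID);
        if (hSnapshot == INVALID_HANDLE_VALUE)
        {
            _tprintf(L"CreateToolhelp32Snapshot(%lu) failed!!! [%lu]\n", dwPID, GetLastError());
            return FALSE;
        }

        for (bMore = Module32First(hSnapshot, &me); bMore; bMore = Module32Next(hSnapshot, &me))
        {
            if (_tcsicmp(me.szModule, szDllName) == 0 || _tcsicmp(me.szExePath, szDllName) == 0)
            {
                bFound = TRUE;
                break;
            }
        }
        if (!bFound)
        {
            _tprintf(L"module \"%s\" is not loaded in process %lu\n", szDllName, dwPID);
            goto cleanup;
        }

        /* Least privilege: request only what CreateRemoteThread is documented to
         * need instead of PROCESS_ALL_ACCESS. */
        hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                               FALSE, dwPID);
        if (hProcess == NULL)
        {
            _tprintf(L"OpenProcess(%lu) failed!!! [%lu]\n", dwPID, GetLastError());
            goto cleanup;
        }

        hKernel32 = GetModuleHandle(L"Kernel32.dll");
        pThreadProc = hKernel32 ? (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary") : NULL;
        if (pThreadProc == NULL)
        {
            _tprintf(L"GetProcAddress(FreeLibrary) failed!!! [%lu]\n", GetLastError());
            goto cleanup;
        }

        /* me.modBaseAddr is the DLL's HMODULE as seen inside the target. */
        hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, me.modBaseAddr, 0, NULL);
        if (hThread == NULL)
        {
            _tprintf(L"CreateRemoteThread failed!!! [%lu]\n", GetLastError());
            goto cleanup;
        }
        WaitForSingleObject(hThread, INFINITE);

        /* The thread's exit code is FreeLibrary's BOOL result in the target. */
        if (GetExitCodeThread(hThread, &dwExit) && dwExit != 0)
            bOk = TRUE;
        else
            _tprintf(L"remote FreeLibrary returned FALSE\n");

    cleanup:
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
        CloseHandle(hSnapshot);
        return bOk;
    }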
    
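    /*
     * Load the DLL at szDllPath into process dwPID: the path is copied into a
     * read/write buffer in the target, then LoadLibraryW is run there on a
     * remote thread with that buffer as its argument.
     *
     * Returns TRUE only when LoadLibraryW in the target returned a non-NULL
     * module handle (read back as the thread's exit code). The original
     * returned TRUE unconditionally, even when the load failed.
     *
     * Caveats a user should know:
     *  - The remote entry point is LoadLibraryW, so the copied path must be
     *    UTF-16. This holds only for a UNICODE build (TCHAR == WCHAR), which
     *    the L"" literals in this file assume.
     *  - The LoadLibraryW address is resolved in *this* process's kernel32 and
     *    reused in the target; injector and target must have the same bitness
     *    and kernel32 must sit at the same base in both.
     *  - The target loads whatever file szDllPath names, under its own token.
     *    The path must be trusted and should be absolute, since the target's
     *    working directory and search path decide how a relative name resolves.
     */
    BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
    {
        HANDLE hProcess = NULL, hThread = NULL;
        HMODULE hKernel32;
        LPVOID pRemoteBuf = NULL;
        LPTHREAD_START_ROUTINE pThreadProc;
        SIZE_T cbPath;
        DWORD dwExit = 0;
        BOOL bOk = FALSE;

        if (szDllPath == NULL || *szDllPath == 0)
            return FALSE;
        cbPath = (_tcslen(szDllPath) + 1) * sizeof(TCHAR);

        /* Least privilege: request only what VirtualAllocEx, WriteProcessMemory
         * and CreateRemoteThread need instead of PROCESS_ALL_ACCESS. */
        hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                               FALSE, dwPID);
        if (hProcess == NULL)
        {
            _tprintf(L"OpenProcess(%lu) failed!!![%lu]\n", dwPID, GetLastError());
            return FALSE;
        }

        /* PAGE_READWRITE, not executable: the buffer only ever holds a path. */
        pRemoteBuf = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
        if (pRemoteBuf == NULL)
        {
            _tprintf(L"VirtualAllocEx failed!!![%lu]\n", GetLastError());
            goto cleanup;
        }
        if (!WriteProcessMemory(hProcess, pRemoteBuf, szDllPath, cbPath, NULL))
        {
            _tprintf(L"WriteProcessMemory failed!!![%lu]\n", GetLastError());
            goto cleanup;
        }

        hKernel32 = GetModuleHandle(L"Kernel32.dll");
        pThreadProc = hKernel32 ? (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW") : NULL;
        if (pThreadProc == NULL)
        {
            _tprintf(L"GetProcAddress(LoadLibraryW) failed!!![%lu]\n", GetLastError());
            goto cleanup;
        }

        hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
        if (hThread == NULL)
        {
            _tprintf(L"CreateRemoteThread failed!!![%lu]\n", GetLastError());
            goto cleanup;
        }
        WaitForSingleObject(hThread, INFINITE);

        /* The exit code is LoadLibraryW's HMODULE truncated to 32 bits; zero
         * means the load failed (bad path, wrong bitness, DllMain returned FALSE). */
        if (GetExitCodeThread(hThread, &dwExit) && dwExit != 0)
            bOk = TRUE;
        else
            _tprintf(L"remote LoadLibraryW returned NULL\n");

    cleanup:
        /* LoadLibraryW has returned (or never ran), so the target no longer
         * needs the path buffer. */
        if (pRemoteBuf != NULL)
            VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
        if (hThread != NULL)
            CloseHandle(hThread);
        CloseHandle(hProcess);
        return bOk;
    }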
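    /*
     * Usage: <flag> <dll> <process>
     *   flag     "0" = inject, "1" = eject; any other value is rejected
     *   dll      full path of the DLL to inject, or the module name / full path
     *            of the DLL to eject
     *   process  image name of the target, e.g. notepad.exe (case-insensitive;
     *            the first matching process is used)
     *
     * Exit code 0 on success, 1 on any failure (the original returned 0 even
     * when injection or ejection failed).
     */
    int _tmain(int argc, TCHAR* argv[])
    {
        DWORD dwPID;
        BOOL bOk;

        if (argc != 4)
        {
            /* The original passed argv[2] here; with fewer than two arguments
             * that reads past the end of argv. */
            _tprintf(L"USAGE: 三个参数,1.flag(flag为0表示导入)。2.要导入的dll路径(要卸载的dll名字)3.要注入(或卸载)dll的进程\n");
            return 1;
        }
        /* Require exactly "0" or "1". The original only looked at the first
         * character and treated anything that was not '0' as eject. */
        if (_tcscmp(argv[1], L"0") != 0 && _tcscmp(argv[1], L"1") != 0)
        {
            _tprintf(L"flag must be 0 (inject) or 1 (eject), got \"%s\"\n", argv[1]);
            return 1;
        }

        dwPID = FindProcessID(argv[3]);
        if (dwPID == 0xFFFFFFFF)
        {
            _tprintf(L"there is no %s process!\n", argv[3]);
            return 1;
        }
        _tprintf(L"PID of \"%s\" is %lu\n", argv[3], dwPID);

        /* SeDebugPrivilege is needed to open processes of other users or with a
         * restrictive DACL, and is only present in an elevated token. Both
         * directions can need it, so enable it best-effort for either and let
         * OpenProcess give the definitive answer. */
        if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
            _tprintf(L"warning: could not enable SeDebugPrivilege, continuing\n");

        if (argv[1][0] == (TCHAR)'0')
        {
            bOk = InjectDll(dwPID, argv[2]);
            if (bOk)
                _tprintf(L"InjectDll(\"%s\")success!!\n", argv[2]);
            else
                _tprintf(L"InjectDll(\"%s\") failed!!\n", argv[2]);
        }
        else
        {
            bOk = EjectDll(dwPID, argv[2]);
            if (bOk)
                _tprintf(L"EjectDll(%lu,\"%s\")success!!!\n", dwPID, argv[2]);
            else
                _tprintf(L"EjectDll(%lu,\"%s\")failed!!!\n", dwPID, argv[2]);
        }
        return bOk ? 0 : 1;
    }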
    

    接下来我们演示一下:

    在这里我们已经将myhack.dll注入进了notepad,然后我们输入命令执行EjectDLL.exe,卸载DLL(卸载需要以管理员身份运行,否则无法启用SeDebugPrivilege):


    这时候process explorer中,notepad的myhack.dll已经不见了。

  • 原文地址:https://www.cnblogs.com/lex-shoukaku/p/13718963.html