卸载已经注入进程的DLL 实验

知道了注入的原理,对于卸载就很容易学会了!

对于DLL注入型病毒、木马,可以很容易地自己编写一个专杀软件!

 

下面的写法对于我来说比较新鲜,用的是返回错误代码的写法,有点API的味道!

 

//获取进程PID DWORD GetProcessPID(char *ProcessName) { CString Name; Name.Format("%s",ProcessName); //快照进程信息 HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); PROCESSENTRY32 lppe; lppe.dwSize=sizeof(PROCESSENTRY32); //获得第一个进程的信息 Process32First(hSnapshot,&lppe); if(Name=="") { CloseHandle(hSnapshot); return 1; } do { TRACE(lppe.szExeFile); if(Name==lppe.szExeFile) { CloseHandle(hSnapshot); return lppe.th32ProcessID; } } while(Process32Next(hSnapshot,&lppe)); if(Name!=lppe.szExeFile) { TRACE("_______________"); TRACE(lppe.szExeFile); TRACE("_______________"); CloseHandle(hSnapshot); return 2; } return 0; }

 

 

 

 

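 // Upper bound on FreeLibrary rounds. Each round drops the module's load
// count by one; a module that is pinned or statically imported never reaches
// zero, and without a cap the unload loop would spin forever.
enum { UNLOAD_MAX_ATTEMPTS = 64 };

// Unload a DLL from a running process by driving FreeLibrary inside it.
//
// ProcessName: executable name of the target (see GetProcessPID).
// DllPath:     module name or full path, exactly as GetModuleHandle expects.
//
// How it works: the path is copied into the target, a remote thread runs
// GetModuleHandleA on it to obtain the target's own HMODULE, and another
// remote thread runs FreeLibrary on that handle. This repeats until
// GetModuleHandleA reports the module gone or UNLOAD_MAX_ATTEMPTS is hit.
//
// Limitations (inherent to the technique, documented rather than fixed):
//  - The HMODULE travels back as a DWORD thread exit code, so it survives
//    intact only when the target is 32-bit; this process and the target
//    must also be the same bitness for the kernel32 entry points to be
//    valid at the same address in the target.
//  - Unmapping a module that still has threads executing in it, or that
//    has hooked the target, may crash the target. For remediation of an
//    injected module, terminating the process and removing the file on
//    disk is more dependable than an in-place unload.
//  - WaitForSingleObject uses INFINITE: a remote thread stuck on the
//    loader lock blocks this function indefinitely.
//
// Return codes (char, kept from the original contract plus 10 and 11):
//   1  - empty process name          2  - process not found
//   3  - OpenProcess failed          4  - VirtualAllocEx failed
//   5  - WriteProcessMemory failed   6  - GetModuleHandle thread failed
//   7  - module is no longer loaded (success)
//   8  - FreeLibrary thread failed   9  - FreeLibrary returned FALSE
//   10 - DllPath is NULL or empty
//   11 - UNLOAD_MAX_ATTEMPTS rounds succeeded but the module stayed loaded
// 0 is never returned.
char UnLoadDll(char *ProcessName, char *DllPath)
{
    char rc = 0;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    char *pLibFileName = NULL;

    if (DllPath == NULL || DllPath[0] == '\0') {
        return 10;  // strlen(NULL) below would be undefined behavior
    }

    DWORD ProcessPID = GetProcessPID(ProcessName);
    if (ProcessPID == 1) {
        return 1;
    }
    if (ProcessPID == 2) {
        TRACE("_______________");
        TRACE("%s", ProcessName);  // caller-supplied text, not a format string
        TRACE("_______________");
        return 2;
    }

    // Rights required by CreateRemoteThread/VirtualAllocEx/WriteProcessMemory;
    // PROCESS_QUERY_INFORMATION and PROCESS_VM_READ are part of the documented
    // set for CreateRemoteThread.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, ProcessPID);
    if (!hProcess) {
        TRACE("打开目标进程失败");
        return 3;  // nothing to close: the handle is NULL
    }

    SIZE_T allocSize = strlen(DllPath) + 1;  // include the terminator
    pLibFileName = (char *)VirtualAllocEx(hProcess, NULL, allocSize,
                                          MEM_COMMIT, PAGE_READWRITE);
    if (!pLibFileName) {
        TRACE("申请目标进程内存失败");
        rc = 4;
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pLibFileName, DllPath, allocSize, NULL)) {
        TRACE("写目标进程内存失败");
        rc = 5;
        goto cleanup;
    }

    for (int attempt = 0; attempt < UNLOAD_MAX_ATTEMPTS; attempt++) {
        // GetModuleHandleA is usable as a thread start routine because its
        // shape (one pointer in, one value out) matches LPTHREAD_START_ROUTINE.
        // The explicit A variant matches the char* path written above,
        // independent of the UNICODE build setting.
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)GetModuleHandleA,
                                     pLibFileName, 0, NULL);
        if (!hThread) {
            TRACE("创建目标线程运行GetModuleHandle失败");
            rc = 6;
            goto cleanup;
        }
        WaitForSingleObject(hThread, INFINITE);
        DWORD hDll = 0;
        BOOL gotCode = GetExitCodeThread(hThread, &hDll);
        CloseHandle(hThread);
        hThread = NULL;
        if (!gotCode) {
            // Without this check hDll would be used uninitialized.
            TRACE("GetExitCodeThread failed: %lu", GetLastError());
            rc = 6;
            goto cleanup;
        }
        if (hDll == 0) {
            TRACE("卸载DLL成功");  // module no longer mapped in the target
            rc = 7;
            goto cleanup;
        }

        // Drop one reference in the target. The DWORD->pointer widening is
        // only lossless for a 32-bit target (see header comment).
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)FreeLibrary,
                                     (LPVOID)(ULONG_PTR)hDll, 0, NULL);
        if (!hThread) {
            TRACE("创建远程线程运行FreeLibrary失败");
            rc = 8;
            goto cleanup;
        }
        WaitForSingleObject(hThread, INFINITE);
        DWORD freeLibResult = 0;
        gotCode = GetExitCodeThread(hThread, &freeLibResult);
        CloseHandle(hThread);
        hThread = NULL;
        if (!gotCode) {
            TRACE("GetExitCodeThread failed: %lu", GetLastError());
            rc = 8;
            goto cleanup;
        }
        if (!freeLibResult) {
            TRACE("FreeLibrary失败");
            rc = 9;
            goto cleanup;
        }
    }
    // Every round succeeded yet the module never went away: its load count
    // is pinned (static import, explicit pin, or the target re-loaded it).
    rc = 11;

cleanup:
    if (pLibFileName) {
        // MEM_RELEASE requires a size of 0; passing allocSize makes the
        // call fail and leaks the page in the target.
        VirtualFreeEx(hProcess, pLibFileName, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return rc;
}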

 
