强制卸载目标进程模块

http://blog.csdn.net/qq752923276/article/details/7333835

 

代码来源于网络。NtUnmapViewOfSection 只是解除了目标进程中该模块的内存映射,并不会更新 PEB 中的模块链表,因此卸载之后,那些通过查询 PEB 来枚举模块的工具(如 Windows 优化大师、360 的进程查看)仍然会显示该模块;用冰刃(IceSword)查看则可以确认模块已被卸载。

注:强制卸载后,目标进程中仍在引用该模块的代码会访问到已无映射的地址,可能导致目标进程崩溃。此外,代码中的 EnablePriv() 依赖 SeDebugPrivilege(通常需要管理员权限),否则对其他用户或 SYSTEM 的进程 OpenProcess 会失败。这是对目标进程的破坏性操作,仅应在授权的测试环境中使用。

哈哈,又有了种结束进程的方式,卸载目标进程的ntdll.dll。

下面是代码:

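// Forcibly unmaps a named module from another process by calling the
// undocumented ntdll export NtUnmapViewOfSection on that process.
//
// Caveats a user of this class should know (visible from the code itself):
//  - OpenProcess() on processes owned by other users/SYSTEM needs
//    SeDebugPrivilege, which EnablePriv() tries to enable; it is best-effort.
//  - Unmapping only removes the view; the target's PEB loader lists are not
//    touched, so user-mode module enumerators may still list the module.
//  - Unmapping a module the target still executes (e.g. ntdll.dll) will
//    normally crash it. This is a destructive operation on the target.
//  - The code is written for an ANSI (non-UNICODE) build: the LPSTR parameters
//    are compared against TCHAR fields of PROCESSENTRY32/MODULEENTRY32.
class ForceQuit
{
public:
    // Enables SeDebugPrivilege on the current process token.
    // Returns true only when the privilege was actually enabled.
    // AdjustTokenPrivileges() returns TRUE even when the privilege is not
    // held by the token and reports that case via ERROR_NOT_ALL_ASSIGNED, so
    // GetLastError() is still checked after a successful call.
    bool EnablePriv()
    {
        HANDLE hToken = NULL;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        {
            return false;
        }

        bool enabled = false;
        TOKEN_PRIVILEGES tkp;
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
        {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
            {
                enabled = (GetLastError() == ERROR_SUCCESS);
            }
        }

        // The original never closed the token handle.
        CloseHandle(hToken);
        return enabled;
    }

    // Looks up the PID of the first process whose image name matches
    // lpProcessName (case-insensitive, e.g. "notepad.exe").
    // On success writes the PID to *lpdwPID and returns true.
    // Returns false for NULL arguments, a failed snapshot, or no match.
    bool GetProcessIdByName(LPSTR lpProcessName, LPDWORD lpdwPID)
    {
        if (lpProcessName == NULL || lpdwPID == NULL)
        {
            return false;
        }

        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap == INVALID_HANDLE_VALUE)
        {
            // assert() compiles out in release builds and the invalid handle
            // would have been passed on to Process32First; fail explicitly.
            return false;
        }

        PROCESSENTRY32 pe;
        pe.dwSize = sizeof pe;
        bool found = false;
        for (BOOL more = Process32First(hSnap, &pe); more; more = Process32Next(hSnap, &pe))
        {
            if (lstrcmpi(pe.szExeFile, lpProcessName) == 0)
            {
                *lpdwPID = pe.th32ProcessID;
                found = true;
                break;
            }
        }

        CloseHandle(hSnap);
        return found;
    }

    // Finds the base address of module lpDllName (case-insensitive file name,
    // e.g. "ntdll.dll") inside process dwProcessID and stores it in
    // *lpdwBaseAddr. Returns false for NULL arguments, if the snapshot cannot
    // be taken, if the module is not loaded, or if the base address does not
    // fit in a DWORD (64-bit target) - the caller's interface forces a DWORD,
    // and silently truncating the address would unmap the wrong region.
    bool GetModuleBaseAddrByPID(DWORD dwProcessID, LPSTR lpDllName, LPDWORD lpdwBaseAddr)
    {
        if (lpDllName == NULL || lpdwBaseAddr == NULL)
        {
            return false;
        }

        // CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) can fail transiently with
        // ERROR_BAD_LENGTH while the target is still loading; the documented
        // remedy is to retry. Bound the retries so a broken target cannot spin.
        HANDLE hSnap = INVALID_HANDLE_VALUE;
        for (int attempt = 0; attempt < 10; ++attempt)
        {
            hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessID);
            if (hSnap != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
            {
                break;
            }
        }
        if (hSnap == INVALID_HANDLE_VALUE)
        {
            return false;
        }

        MODULEENTRY32 me;
        me.dwSize = sizeof me;
        bool found = false;
        for (BOOL more = Module32First(hSnap, &me); more; more = Module32Next(hSnap, &me))
        {
            if (lstrcmpiA(lpDllName, me.szModule) != 0)
            {
                continue;
            }
            if ((ULONG_PTR)me.modBaseAddr > (ULONG_PTR)MAXDWORD)
            {
                // Address would be truncated by the DWORD out-parameter.
                break;
            }
            *lpdwBaseAddr = (DWORD)(ULONG_PTR)me.modBaseAddr;
            found = true;
            break;
        }

        CloseHandle(hSnap);
        return found;
    }

    // Unmaps module lpDllName from the process whose image name is
    // lpProcessName. Returns true only when NtUnmapViewOfSection reported
    // success; the original returned true as soon as the process was found,
    // even if the module was absent or the unmap failed.
    bool Execute(LPSTR lpProcessName, LPSTR lpDllName)
    {
        // NtUnmapViewOfSection returns an NTSTATUS (a LONG); success is >= 0.
        typedef LONG (__stdcall *PFN_NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);

        if (lpProcessName == NULL || lpDllName == NULL)
        {
            return false;
        }

        // Best-effort: even without SeDebugPrivilege OpenProcess may still
        // succeed for processes the current user already has rights to.
        EnablePriv();

        DWORD dwProcessID = 0;
        if (!GetProcessIdByName(lpProcessName, &dwProcessID))
        {
            return false;
        }

        // ntdll.dll is already mapped in every Win32 process; GetModuleHandle
        // avoids the reference count that the original's LoadLibraryA call
        // bumped and never released.
        HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
        if (hNtdll == NULL)
        {
            return false;
        }
        PFN_NtUnmapViewOfSection pfnUnmap =
            (PFN_NtUnmapViewOfSection)GetProcAddress(hNtdll, "NtUnmapViewOfSection");
        if (pfnUnmap == NULL)
        {
            return false;
        }

        DWORD moduleBaseAddr = 0;
        if (!GetModuleBaseAddrByPID(dwProcessID, lpDllName, &moduleBaseAddr))
        {
            return false;
        }

        // PROCESS_VM_OPERATION is the access NtUnmapViewOfSection needs.
        HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION, FALSE, dwProcessID);
        if (hProcess == NULL)
        {
            // Again: the original assert() disappears in release builds and a
            // NULL handle would have been passed to the native call.
            return false;
        }

        LONG status = pfnUnmap(hProcess, (PVOID)(ULONG_PTR)moduleBaseAddr);
        CloseHandle(hProcess);
        return status >= 0;
    }
};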

  调用:

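  ForceQuit quit;
  // Execute() already calls EnablePriv() itself, so the separate call the
  // original example made was redundant. Check the result instead of
  // discarding it: false means the process, the module, or the
  // NtUnmapViewOfSection lookup/call failed.
  if (!quit.Execute(DestProcessName, DestModuleName))
  {
      // handle failure (target not found / unmap refused)
  }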
