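/*
 * Look up a module in a remote process by its base (short) name.
 *
 * hProcess        : handle to the target process; EnumProcessModules and
 *                   GetModuleBaseNameW need PROCESS_QUERY_INFORMATION and
 *                   PROCESS_VM_READ on it.
 * pszModShortName : module base name (e.g. the file name without path),
 *                   compared case-insensitively.
 *
 * Returns the module's HMODULE as seen inside the target process (its load
 * address there, not a handle valid in the caller), or NULL when the module
 * is not loaded, the enumeration fails, or pszModShortName is NULL.
 */
HMODULE FindRemoteMod(HANDLE hProcess, const wchar_t *pszModShortName)
{
    if (pszModShortName == NULL)
        return NULL;

    HMODULE hModules[0x100] = {0};
    /* DWORD, not int: EnumProcessModules writes through an LPDWORD, and the
     * original (unsigned long *)&int cast relied on matching widths. */
    DWORD cbNeeded = 0;

    if (!EnumProcessModules(hProcess, hModules, sizeof(hModules), &cbNeeded))
        return NULL;

    /* cbNeeded reports the size required for ALL modules, which can exceed the
     * array when the target has more than 0x100 of them; EnumProcessModules
     * only fills what fits, so clamp before indexing or the loop reads past
     * the end of hModules. */
    if (cbNeeded > sizeof(hModules))
        cbNeeded = sizeof(hModules);

    /* Divide by the real element size. The old (cbNeeded >> 2) assumed a
     * 4-byte HMODULE and silently skipped half the list on 64-bit builds. */
    size_t count = cbNeeded / sizeof(hModules[0]);

    for (size_t i = 0; i < count; i++) {
        wchar_t szModuleName[0x200] = {0};

        /* A module may unload between the two calls; skip it instead of
         * comparing against an empty buffer. */
        if (!GetModuleBaseNameW(hProcess, hModules[i], szModuleName,
                                sizeof(szModuleName) / sizeof(szModuleName[0])))
            continue;

        /* _wcsicmp is the documented CRT name; wcsicmp is the deprecated
         * POSIX-style alias that some toolchains no longer provide. */
        if (_wcsicmp(szModuleName, pszModShortName) == 0)
            return hModules[i];
    }

    return NULL;
}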
########################################################################
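/*
 * Unload a DLL from another process by running FreeLibrary on its module
 * handle inside that process.
 *
 * pid     : target process id.
 * dllname : module base name passed to CheckDllLoaded (defined elsewhere in
 *           this file) to locate the module in the target.
 *
 * Returns FALSE if the process cannot be opened, its token cannot be read, or
 * the remote thread cannot be created; TRUE otherwise -- including the case
 * where the DLL is not loaded at all, which callers should treat as "nothing
 * to do", matching the original behaviour.
 *
 * Note for reviewers: the cross-process CreateRemoteThread used here is the
 * same primitive security tooling monitors for; see LoadDll for the
 * injection-side counterpart.
 */
BOOL UnloadDll(unsigned long pid, const wchar_t *dllname)
{
    /* CreateRemoteThread documents exactly these five rights. The original
     * also asked for PROCESS_SUSPEND_RESUME, which nothing here uses;
     * requesting only what is needed is least privilege and fails less often
     * on hardened targets. */
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE |
                                  PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD |
                                  PROCESS_QUERY_INFORMATION,
                                  FALSE, pid);
    if (hProcess == NULL)
        return FALSE;

    /* The original comment called this a "same user session" check. It is
     * not: it only proves the caller can open the target's token for
     * TOKEN_READ, which is a coarse access check. Kept as-is so behaviour
     * does not change; a real session check would compare the session ids. */
    HANDLE hToken = NULL;
    if (!OpenProcessToken(hProcess, TOKEN_READ, &hToken)) {
        CloseHandle(hProcess);
        return FALSE;
    }
    CloseHandle(hToken);

    BOOL ok = TRUE;
    HMODULE hDllModule = CheckDllLoaded(hProcess, dllname);
    if (hDllModule != NULL) {
        /* Run FreeLibrary(hDllModule) as a new thread in the target. The
         * HMODULE is passed as the thread parameter; FreeLibrary takes one
         * pointer-sized argument, which is why the signature cast works. */
        unsigned long tid = 0;
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                            (LPTHREAD_START_ROUTINE)FreeLibrary,
                                            hDllModule, 0, &tid);
        if (hThread == NULL) {
            /* CreateRemoteThread returns NULL on failure; the original
             * ignored the result and reported success anyway. */
            ok = FALSE;
        } else {
            /* The original never closed this handle (leak per call). Closing
             * it does not stop the thread. */
            CloseHandle(hThread);
        }
    }

    CloseHandle(hProcess);
    return ok;
}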
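/*
 * Load a DLL into another process: copy the DLL path into the target's
 * address space and start a thread there whose entry point is LoadLibraryW.
 *
 * hProcess : handle opened with the rights CreateRemoteThread requires
 *            (PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION,
 *            PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_VM_READ).
 * dllpath  : full path of the DLL, NUL-terminated wide string.
 *
 * Returns TRUE once the remote thread has been created. It does NOT wait for
 * LoadLibraryW to finish, so TRUE does not mean the DLL loaded successfully.
 *
 * Note for reviewers: the VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread sequence against a foreign process is the classic
 * injection pattern that EDR and ETW telemetry record; treat callers of this
 * function as sensitive code.
 */
BOOL LoadDll(HANDLE hProcess, const wchar_t *dllpath)
{
    if (dllpath == NULL)
        return FALSE;

    /* Bytes needed for the path including its terminator. SIZE_T matches the
     * parameter types of VirtualAllocEx and WriteProcessMemory. */
    SIZE_T cbRemoteBuf = (wcslen(dllpath) + 1) * sizeof(wchar_t);

    /* Reserve+commit a small buffer in the target to hold LoadLibraryW's
     * argument. The cast keeps this compiling if the file is built as C++. */
    wchar_t *pRemoteBuf = (wchar_t *)VirtualAllocEx(hProcess, NULL, cbRemoteBuf,
                                                    MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteBuf == NULL)
        return FALSE;

    /* Copy the path into the remote buffer. On failure release the remote
     * allocation; the original returned here and leaked it. */
    if (!WriteProcessMemory(hProcess, pRemoteBuf, dllpath, cbRemoteBuf, NULL)) {
        VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
        return FALSE;
    }

    /* Start a thread in the target that calls LoadLibraryW(pRemoteBuf). */
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                        (PTHREAD_START_ROUTINE)(LoadLibraryW),
                                        (PVOID)pRemoteBuf, 0, NULL);
    if (hThread == NULL) {
        /* CreateRemoteThread returns NULL on failure, not INVALID_HANDLE_VALUE;
         * the original compared against the wrong sentinel and reported
         * success for every failure. Nothing will read the buffer now, so it
         * is safe to free. */
        VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
        return FALSE;
    }

    /* Release our handle only; the remote thread keeps running. The original
     * never closed it. */
    CloseHandle(hThread);

    /* Answer to the original "memory leak?!" comment: pRemoteBuf is left
     * allocated on purpose. The remote thread reads it asynchronously after
     * we return, so freeing it here would race with LoadLibraryW; reclaiming
     * it would require waiting for the thread first, which would change this
     * function's fire-and-forget contract. */
    return TRUE;
}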