强制卸载目标进程模块

代码来源于网络。NtUnmapViewOfSection 只撤销该模块在目标进程中的内存映射,并不改动目标进程 PEB 里的加载器模块链表,因此通过遍历 PEB 模块链表取得进程信息的程序没有得到更新(如:Windows优化大师和360的进程查看,它们仍会显示该模块);直接枚举进程内存区域的工具(如冰刃)才能看到模块已被卸载。

注:强制卸载可能导致目标进程崩溃。另外几点实际限制:代码启用的是 SeDebugPrivilege,需要以管理员身份运行才能对其他用户/SYSTEM 的进程生效;OpenProcess 对受保护进程或完整性级别更高的进程会失败;代码用 DWORD 保存模块基址,只对 32 位目标进程有效。

哈哈,又有了种结束进程的方式:卸载目标进程的 ntdll.dll。注意这并不是正常退出——目标进程失去 ntdll 后在下一次系统调用时就会崩溃,不会执行任何清理。

下面是代码:

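// Force-unmaps a named module from a target process via NtUnmapViewOfSection.
// Unmapping ntdll.dll makes the target crash on its next system call; this is
// a crash, not a graceful exit. Requires PROCESS_VM_OPERATION on the target,
// which in practice means same-user or elevated (SeDebugPrivilege) access.
// The LPSTR/LPDWORD interface is kept for existing callers: it assumes an
// ANSI (non-UNICODE) build and a 32-bit target (module base fits in a DWORD).
class ForceQuit
{
public:
    // Enables SeDebugPrivilege on the current process token.
    // Returns true only if the privilege was actually assigned; a
    // non-elevated token makes AdjustTokenPrivileges report
    // ERROR_NOT_ALL_ASSIGNED, which is treated as failure.
    bool EnablePriv()
    {
        HANDLE hToken = NULL;
        if ( !OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
            return false;

        TOKEN_PRIVILEGES tkp = {};
        bool ok = false;
        if ( LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid ) )
        {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // AdjustTokenPrivileges returns TRUE even when nothing was assigned;
            // only GetLastError()==ERROR_SUCCESS means the privilege is enabled.
            if ( AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL ) )
                ok = (GetLastError()==ERROR_SUCCESS);
        }
        CloseHandle(hToken);   // the original leaked this handle
        return ok;
    }

    // Looks up the PID of the first process whose image name matches
    // lpProcessName (case-insensitive). Only the first match is returned;
    // several processes may share a name. Returns false if the snapshot
    // fails or no process matches; *lpdwPID is untouched on failure.
    bool GetProcessIdByName(LPSTR lpProcessName,LPDWORD lpdwPID)
    {
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
        if (hSnap==INVALID_HANDLE_VALUE)
            return false;   // was an assert(): release builds went on to walk an invalid handle

        PROCESSENTRY32 pt32 = {};
        pt32.dwSize = sizeof pt32;
        bool found = false;
        for (BOOL more = Process32First(hSnap,&pt32); more; more = Process32Next(hSnap,&pt32))
        {
            if (lstrcmpiA(pt32.szExeFile,lpProcessName)==0)
            {
                *lpdwPID = pt32.th32ProcessID;
                found = true;
                break;
            }
        }
        CloseHandle(hSnap);
        return found;
    }

    // Finds the base address of module lpDllName (case-insensitive, name only,
    // e.g. "ntdll.dll") inside process dwProcessID. Returns false if the
    // snapshot fails, the module is not found, or its base address does not
    // fit in the DWORD out-parameter (64-bit target) — the original silently
    // truncated it, which would unmap an unrelated address.
    bool GetModuleBaseAddrByPID(DWORD dwProcessID,LPSTR lpDllName,LPDWORD lpdwBaseAddr)
    {
        // CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) is documented to fail
        // transiently with ERROR_BAD_LENGTH; retry a bounded number of times.
        // TH32CS_SNAPMODULE32 also lists 32-bit modules of a WOW64 target.
        HANDLE hSnap = INVALID_HANDLE_VALUE;
        for (int attempt = 0; attempt < 5 && hSnap==INVALID_HANDLE_VALUE; ++attempt)
        {
            hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE|TH32CS_SNAPMODULE32,dwProcessID);
            if (hSnap==INVALID_HANDLE_VALUE && GetLastError()!=ERROR_BAD_LENGTH)
                break;   // access denied / no such process: retrying will not help
        }
        if (hSnap==INVALID_HANDLE_VALUE)
            return false;

        MODULEENTRY32 md32 = {};
        md32.dwSize = sizeof md32;
        bool found = false;
        for (BOOL more = Module32First(hSnap,&md32); more; more = Module32Next(hSnap,&md32))
        {
            if (lstrcmpiA(lpDllName,md32.szModule)!=0)
                continue;

            uintptr_t base = (uintptr_t)md32.modBaseAddr;
            if (base != (uintptr_t)(DWORD)base)
                break;   // would be truncated by the DWORD interface; refuse
            *lpdwBaseAddr = (DWORD)base;
            found = true;
            break;
        }
        CloseHandle(hSnap);
        return found;
    }

    // Unmaps module lpDllName from the first process named lpProcessName.
    // Returns true only when NtUnmapViewOfSection reported success; the
    // original returned true as soon as the process existed, even if the
    // module was missing or the unmap failed.
    bool Execute(LPSTR lpProcessName,LPSTR lpDllName)
    {
        // NtUnmapViewOfSection returns an NTSTATUS (LONG), not a DWORD.
        typedef LONG (__stdcall *XXXNtUnmapViewOfSection)( HANDLE hProcess, PVOID Address);

        DWORD dwProcessID = 0;
        if (!GetProcessIdByName(lpProcessName,&dwProcessID))
            return false;

        // Best effort: SeDebugPrivilege is only needed for processes of other
        // users or SYSTEM; same-user targets open without it, so the result is
        // deliberately not treated as fatal.
        EnablePriv();

        // ntdll.dll is mapped in every Win32 process; GetModuleHandle avoids
        // the reference-count bump the original LoadLibraryA call never released.
        HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
        XXXNtUnmapViewOfSection NtUnmapViewOfSection = hNtdll
            ? (XXXNtUnmapViewOfSection)GetProcAddress(hNtdll, "NtUnmapViewOfSection")
            : NULL;
        if (NtUnmapViewOfSection==NULL)
            return false;

        DWORD moduleBaseAddr = 0;
        if (!GetModuleBaseAddrByPID(dwProcessID,lpDllName,&moduleBaseAddr))
            return false;

        HANDLE hProcess = OpenProcess( PROCESS_VM_OPERATION, FALSE, dwProcessID);
        if (hProcess==NULL)
            return false;   // access denied (protected / higher-integrity target) or PID gone

        LONG status = NtUnmapViewOfSection( hProcess,(PVOID)(uintptr_t)moduleBaseAddr);
        CloseHandle( hProcess );
        return status >= 0;   // NT_SUCCESS() without pulling in winternl.h
    }
};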

调用:

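 ForceQuit quit;
 // Execute() enables SeDebugPrivilege itself, so the separate EnablePriv()
 // call is redundant. Check the result: false means the process was not
 // found, the module was not mapped, or the target could not be opened.
 if (!quit.Execute(DestProcessName,DestModuleName))
 {
     // TODO(review): report failure to the caller (e.g. GetLastError()).
 }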

