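/* There are two ways to unload a module from a process. Method 1: */

/*************************************************************************************
 * Purpose:      Unload a DLL with NtUnmapViewOfSection. Tested successfully.
 * How it works: Resolves NtUnmapViewOfSection from ntdll.dll at run time and calls
 *               it on a handle to the target process with the module base address.
 * Author:       wyART
 * Created:      2009-12-01
 * Modified:     2009-12-01
 *************************************************************************************/

/*
 * Signature of the ntdll.dll export. The return value is an NTSTATUS, which is a
 * signed 32-bit value: negative values are errors, non-negative values are success.
 */
typedef LONG (WINAPI *pfnNtUnmapViewOfSection)(HANDLE hProcess, PVOID Address);

/*
 * Unmap the view that starts at lpBaseAddr from the process dwProcessId.
 *
 * dwProcessId  - identifier of the process that holds the mapping.
 * lpBaseAddr   - base address of the mapped view (the module base).
 *
 * Returns TRUE when NtUnmapViewOfSection reports success, FALSE when the export
 * cannot be resolved, the process cannot be opened, or the call fails.
 *
 * NOTE(review): this only removes the memory mapping. Nothing here notifies the
 * module or the target's loader, so a thread that is still running code from the
 * module is expected to fault afterwards - confirm the target can tolerate that.
 */
BOOL UnmapViewOfModule(DWORD dwProcessId, LPVOID lpBaseAddr)
{
    HMODULE hNtdll;
    pfnNtUnmapViewOfSection NtUnmapViewOfSection;
    HANDLE hProcess;
    LONG status;

    /* The A variant is named explicitly so the narrow literal also builds with UNICODE. */
    hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL) {
        return FALSE;
    }

    /* Without the export there is nothing to call; previously the result was read uninitialised. */
    NtUnmapViewOfSection =
        (pfnNtUnmapViewOfSection)GetProcAddress(hNtdll, "NtUnmapViewOfSection");
    if (NtUnmapViewOfSection == NULL) {
        return FALSE;
    }

    /*
     * Least privilege: the unmap call needs PROCESS_VM_OPERATION only, so
     * PROCESS_ALL_ACCESS is not requested. The handle is not inheritable, so a
     * child process created meanwhile does not receive access to the target.
     */
    hProcess = OpenProcess(PROCESS_VM_OPERATION, FALSE, dwProcessId);
    if (hProcess == NULL) {
        return FALSE;
    }

    status = NtUnmapViewOfSection(hProcess, lpBaseAddr);
    CloseHandle(hProcess);

    /* Same test as the NT_SUCCESS convention: non-negative NTSTATUS means success. */
    return status >= 0 ? TRUE : FALSE;
}

/*
 * Enable SeDebugPrivilege in the current process token.
 *
 * Returns TRUE only when the privilege was actually enabled. The token handle is
 * closed on every path. The privilege is not disabled again by this function, so
 * it stays enabled for the rest of the process unless the caller turns it off.
 */
BOOL WINAPI AdjustPrivileges()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    BOOL bResult = FALSE;

    /* Open the access token of the current process. */
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    ZeroMemory(&tkp, sizeof tkp);
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /*
     * AdjustTokenPrivileges can return nonzero without enabling anything; in that
     * case GetLastError() is ERROR_NOT_ALL_ASSIGNED, so both results are checked.
     * A failed LUID lookup is treated as failure instead of passing a garbage LUID.
     */
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid) &&
        AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, NULL) &&
        GetLastError() == ERROR_SUCCESS) {
        bResult = TRUE;
    }

    /* The original never closed the token handle. */
    CloseHandle(hToken);
    return bResult;
}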