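// Author: Leng_que
// Date: 2009-11-11 23:44:44
//
// Unloads a DLL, identified by its full path, from another process identified
// by executable name.  Mechanism visible in unLoadDll(): the path is copied
// into the target process, a remote thread running GetModuleHandleA resolves it
// to the target's HMODULE, and a second remote thread running FreeLibrary drops
// that reference.  This cross-process write + CreateRemoteThread sequence is
// the same primitive DLL injectors use, so endpoint monitoring commonly logs
// or blocks it, and OpenProcess fails when the caller lacks rights on the target.
//
// Assumptions (implied by the code, not checked at runtime):
//  - Built as an ANSI (non-UNICODE) project: PROCESSENTRY32::szExeFile is
//    compared as a narrow char string.
//  - Caller and target have the same bitness, so the kernel32 export addresses
//    resolved in this process are valid in the target.
//  - The HMODULE travels back through the remote thread's exit code (a DWORD),
//    so it is only intact when module handles fit in 32 bits (32-bit targets).

#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <windows.h>
#include <tlhelp32.h>

// Sentinel returned by GetProcessIdByName when no process matches.
// Kept as (DWORD)-1 so existing callers comparing against -1 still work.
static const DWORD INVALID_PID = (DWORD)-1;

// Purpose: look up a process ID by executable name (case-insensitive).
// Parameters:
//   processName - executable file name as shown in the process snapshot.
// Returns the PID of the first matching process, or INVALID_PID when no
// process matches, the snapshot cannot be taken, or processName is NULL.
DWORD GetProcessIdByName(const char *processName)
{
    DWORD dwRet = INVALID_PID;

    if (processName == NULL) {
        return dwRet;
    }

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL.
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return dwRet;
    }

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof pe32;   // Toolhelp requires dwSize to be set before the first call

    // Only iterate when Process32First succeeded; otherwise pe32 holds no valid
    // entry and the original unconditional do/while compared an empty name.
    if (Process32First(hSnapshot, &pe32)) {
        do {
            // _stricmp is the non-deprecated spelling of strcmpi (case-insensitive).
            if (_stricmp(pe32.szExeFile, processName) == 0) {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }

    CloseHandle(hSnapshot);
    return dwRet;
}

// Purpose: unload the DLL whose full path is DllFullName from the process
// named processName.
// Parameters:
//   processName - executable name of the target process (case-insensitive).
//   DllFullName - full path of the DLL exactly as the target loaded it; it is
//                 passed verbatim to GetModuleHandleA inside the target.
// Returns true only when every step succeeded and the remote FreeLibrary call
// reported success; false on any failure, including NULL arguments.
// Side effects: allocates, writes and releases memory in the target process
// and creates two threads in it.
bool unLoadDll(const char *processName, const char *DllFullName)
{
    // All locals are declared up front so the goto-based cleanup never jumps
    // over an initialisation (an error if this file is compiled as C++).
    bool ret = false;
    HANDLE hProcess = NULL;
    LPVOID lpBuf = NULL;
    HANDLE hThread = NULL;
    HMODULE hKernel32 = NULL;
    FARPROC pFun = NULL;
    SIZE_T len_DllFullName = 0;
    DWORD dwExit = 0;          // remote thread exit code: HMODULE first, FreeLibrary's BOOL second
    DWORD pid = INVALID_PID;

    if (processName == NULL || DllFullName == NULL) {
        return false;
    }

    pid = GetProcessIdByName(processName);
    if (pid == INVALID_PID) {
        goto CLEAN;
    }

    // Least privilege: request only the rights the calls below need rather
    // than PROCESS_ALL_ACCESS.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                           FALSE, pid);
    if (hProcess == NULL) {
        goto CLEAN;
    }

    // Copy the NUL-terminated path into the target so GetModuleHandleA can read it.
    len_DllFullName = strlen(DllFullName) + 1;
    lpBuf = VirtualAllocEx(hProcess, NULL, len_DllFullName, MEM_COMMIT, PAGE_READWRITE);
    if (lpBuf == NULL) {
        goto CLEAN;
    }
    if (!WriteProcessMemory(hProcess, lpBuf, DllFullName, len_DllFullName, NULL)) {
        goto CLEAN;
    }

    // Explicit A-suffixed lookup so this does not depend on the UNICODE setting.
    hKernel32 = GetModuleHandleA("kernel32.dll");
    if (hKernel32 == NULL) {
        goto CLEAN;
    }

    // Step 1: have the target resolve the path to its own HMODULE.  GetModuleHandleA
    // takes a single pointer argument, which is why it can serve as a thread start
    // routine with the path buffer as the thread parameter.
    pFun = GetProcAddress(hKernel32, "GetModuleHandleA");
    if (pFun == NULL) {
        goto CLEAN;
    }
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, lpBuf, 0, NULL);
    if (hThread == NULL) {
        goto CLEAN;
    }
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
        goto CLEAN;
    }
    if (!GetExitCodeThread(hThread, &dwExit)) {
        goto CLEAN;
    }
    // Zero means the target has no module by that path (or the handle was
    // truncated to 32 bits, see the file header).
    if (dwExit == 0) {
        goto CLEAN;
    }
    CloseHandle(hThread);
    hThread = NULL;

    // Step 2: FreeLibrary(hModule) inside the target.
    pFun = GetProcAddress(hKernel32, "FreeLibrary");
    if (pFun == NULL) {
        goto CLEAN;
    }
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
                                 (LPVOID)(ULONG_PTR)dwExit, 0, NULL);
    if (hThread == NULL) {
        goto CLEAN;
    }
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
        goto CLEAN;
    }
    // The original reported success here without consulting FreeLibrary's
    // result; its BOOL return is the thread exit code, so report that instead.
    if (!GetExitCodeThread(hThread, &dwExit)) {
        goto CLEAN;
    }
    ret = (dwExit != 0);

CLEAN:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (hProcess != NULL) {
        if (lpBuf != NULL) {
            // MEM_RELEASE with size 0 returns the whole region allocated above;
            // MEM_DECOMMIT would leave the reservation behind in the target.
            VirtualFreeEx(hProcess, lpBuf, 0, MEM_RELEASE);
        }
        CloseHandle(hProcess);
    }
    return ret;
}

// Program entry point: exit status 0 on success, 1 on failure.
int main(void)
{
    // Example: unload D://evil.dll from the process named target.exe.
    // NOTE(review): the path must match the module path as loaded in the target;
    // backslashes are the canonical spelling on Windows — confirm before relying on it.
    bool ret = unLoadDll("target.exe", "D://evil.dll");

    // The original wrote "/r/n", which printed those characters literally;
    // "\r\n" is the intended CRLF line ending.
    if (ret) {
        printf("卸载成功!\r\n");
    } else {
        printf("卸载失败!\r\n");
    }
    return ret ? 0 : 1;
}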