
dll注入进程后卸载的代码

//App.cpp
#include "stdafx.h"
#include <windows.h>


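/* Stack size (bytes) handed to CreateRemoteThread for the LoadLibrary /
 * FreeLibrary helper threads. Parenthesised so it is safe inside any
 * larger expression. */
#define MAX_SIZE (1024 * 16)
/* Path of the DLL to load into the target. It must be an absolute path:
 * the string is resolved by the target process, whose working directory
 * and search path are not ours. */
#define DLL "D:/Code/TestCode/UnloadDll/UnloadDll/Debug/demo.dll" // full path required

/* Runs LoadLibraryA(pcLibraryName) on a new thread inside hProcess.
 * Returns the module handle reported by that thread (as a 32-bit exit
 * code), or NULL if any step or the remote LoadLibraryA fails. */
HMODULE LoadRemoteLibrary(HANDLE hProcess, const char *pcLibraryName);
/* Runs FreeLibrary(hRemoteLibrary) on a new thread inside hProcess.
 * Returns TRUE only when the remote FreeLibrary reported success. */
BOOL FreeRemoteLibrary(HANDLE hProcess, HMODULE hRemoteLibrary);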


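/*
 * Entry point: argv[1] is the PID of the target process. Loads DLL into it
 * via LoadRemoteLibrary, waits about two seconds, then unloads it via
 * FreeRemoteLibrary.
 *
 * Returns 0 on success, -1 on bad arguments, -2 if the process cannot be
 * opened, -3 if the load fails, -4 if the unload fails. The process handle
 * is closed on every path after OpenProcess succeeds.
 */
int main(int argc, char* argv[])
{
    int rc = -1;
    DWORD dwPID = 0;
    HANDLE hNewHandle = NULL;
    HMODULE hRemoteHandle = NULL;
    char *end = NULL;

    if (argc < 2) {
        printf("usage: %s <pid>\r\n", argv[0]);
        return -1;
    }

    /* strtoul instead of atoi: a malformed PID is rejected instead of
     * silently becoming 0 (which OpenProcess would reject with an
     * unhelpful error). */
    dwPID = (DWORD)strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || dwPID == 0) {
        printf("[-] invalid PID: %s\r\n", argv[1]);
        return -1;
    }

    /* Least privilege: request only the rights VirtualAllocEx,
     * WriteProcessMemory and CreateRemoteThread need, not PROCESS_ALL_ACCESS. */
    hNewHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                             PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                             FALSE, dwPID);
    if (NULL == hNewHandle) {
        printf("[-] OpenProcess failed... (error %lu)\r\n", GetLastError());
        return -2;
    }

    hRemoteHandle = LoadRemoteLibrary(hNewHandle, DLL);
    if (NULL == hRemoteHandle) {
        printf("[-] LoadRemoteLibrary failed...\r\n");
        rc = -3;
        goto cleanup;
    }
    printf("[+] LoadRemoteLibrary succeed!\r\n");

    /* 21 x 100 ms pause so the loaded DLL is observable before unloading. */
    for (int i = 0; i <= 20; i++) {
        printf(".");
        Sleep(100);
    }
    printf("\r\n");

    /* FreeRemoteLibrary returns a BOOL; test it as one rather than against NULL. */
    if (!FreeRemoteLibrary(hNewHandle, hRemoteHandle)) {
        printf("[-] FreeRemoteLibrary failed...\r\n");
        rc = -4;
        goto cleanup;
    }
    printf("[+] FreeRemoteLibrary succeed!\r\n");
    rc = 0;

cleanup:
    /* The original leaked this handle on every path. */
    CloseHandle(hNewHandle);
    return rc;
}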

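/*
 * Loads pcLibraryName into hProcess.
 *
 * Steps: allocate a buffer in the target, copy the NUL-terminated path into
 * it, start a remote thread at LoadLibraryA with that buffer as argument,
 * wait for it, and read its exit code. The buffer is released in the outer
 * __finally on every path; the thread handle in the inner one.
 *
 * @param hProcess       handle with VM_OPERATION | VM_WRITE | CREATE_THREAD rights
 * @param pcLibraryName  absolute path, narrow (ANSI) string
 * @return module handle as reported by the remote thread, or NULL on failure.
 *         A thread exit code is a DWORD, so on 64-bit targets only the low
 *         32 bits of the HMODULE survive; the value is still usable as a
 *         non-NULL success indicator and, on 32-bit targets, as the handle.
 *
 * NOTE(review): the LoadLibraryA address is resolved in *this* process and
 * assumed valid in the target; that only holds when both processes have the
 * same bitness.
 */
HMODULE LoadRemoteLibrary(HANDLE hProcess, const char *pcLibraryName)
{
    void *pvRemoteMem = NULL;
    SIZE_T cbName = 0;
    SIZE_T cbWritten = 0;
    DWORD dwRemoteThreadId = 0;
    DWORD dwExitCode = 0;
    HANDLE hRemoteThread = NULL;
    HMODULE nRet = NULL;
    FARPROC pfnLoadLibrary = NULL;

    if (NULL == hProcess || NULL == pcLibraryName) {
        return NULL;
    }
    cbName = strlen(pcLibraryName) + 1;

    /* pcLibraryName is a narrow string, so LoadLibraryA is the only correct
     * target regardless of UNICODE; the original selected LoadLibraryW under
     * UNICODE and would have handed it an ANSI buffer. GetModuleHandleA for
     * the same reason (the literal is narrow). */
    pfnLoadLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    if (NULL == pfnLoadLibrary) {
        printf("[-] GetProcAddress(LoadLibraryA) failed... (error %lu)\r\n", GetLastError());
        return NULL;
    }

    __try {
        /* The buffer only ever holds a path string, so it does not need to be
         * executable; PAGE_READWRITE is the least privilege that works. */
        pvRemoteMem = VirtualAllocEx(hProcess, NULL, cbName, MEM_COMMIT, PAGE_READWRITE);
        if (NULL == pvRemoteMem) {
            printf("[-] VirtualAllocEx failed... (error %lu)\r\n", GetLastError());
            __leave;
        }

        /* Also check the byte count: a partial write would leave an
         * unterminated path in the target. */
        if (!WriteProcessMemory(hProcess, pvRemoteMem, pcLibraryName, cbName, &cbWritten) ||
            cbWritten != cbName) {
            printf("[-] WriteProcessMemory failed... (error %lu)\r\n", GetLastError());
            __leave;
        }

        hRemoteThread = CreateRemoteThread(hProcess, NULL, MAX_SIZE,
                                           (LPTHREAD_START_ROUTINE)pfnLoadLibrary,
                                           pvRemoteMem, 0, &dwRemoteThreadId);
        if (NULL == hRemoteThread) {
            printf("[-] CreateRemoteThread failed... (error %lu)\r\n", GetLastError());
            __leave;
        }

        __try {
            if (WaitForSingleObject(hRemoteThread, INFINITE) != WAIT_OBJECT_0) {
                printf("[-] WaitForSingleObject failed... (error %lu)\r\n", GetLastError());
                __leave;
            }
            /* Read into a real DWORD instead of casting &nRet, which wrote 4
             * bytes into an 8-byte HMODULE on 64-bit builds. */
            if (!GetExitCodeThread(hRemoteThread, &dwExitCode)) {
                printf("[-] GetExitCodeThread failed... (error %lu)\r\n", GetLastError());
                __leave;
            }
            nRet = (HMODULE)(ULONG_PTR)dwExitCode;
            if (NULL == nRet) {
                /* LoadLibraryA itself failed inside the target; its error
                 * code lives in that process, not in ours. */
                printf("[-] remote LoadLibraryA returned NULL\r\n");
            }
        }
        __finally {
            CloseHandle(hRemoteThread);
        }
    }
    __finally {
        if (NULL != pvRemoteMem) {
            VirtualFreeEx(hProcess, pvRemoteMem, 0, MEM_RELEASE);
        }
    }
    return nRet;
}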

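/*
 * Unloads hRemoteLibrary from hProcess by running FreeLibrary on a remote
 * thread and waiting for it.
 *
 * @param hProcess        handle with CREATE_THREAD | QUERY_INFORMATION rights
 * @param hRemoteLibrary  module handle as returned by LoadRemoteLibrary
 * @return TRUE only if the thread was created, finished, and reported a
 *         non-zero exit code (FreeLibrary's BOOL). FALSE otherwise.
 *
 * Fixes relative to the original: nRet was uninitialised and returned as-is
 * when GetExitCodeThread failed; the thread handle was never closed.
 */
BOOL FreeRemoteLibrary(HANDLE hProcess, HMODULE hRemoteLibrary)
{
    DWORD dwRemoteThreadId = 0;
    DWORD dwExitCode = 0;
    HANDLE hRemoteThread = NULL;
    BOOL nRet = FALSE;
    FARPROC pfnFreeLibrary = NULL;

    if (NULL == hProcess || NULL == hRemoteLibrary) {
        return FALSE;
    }

    /* Narrow literal, so GetModuleHandleA regardless of UNICODE. */
    pfnFreeLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary");
    if (NULL == pfnFreeLibrary) {
        return FALSE;
    }

    hRemoteThread = CreateRemoteThread(hProcess, NULL, MAX_SIZE,
                                       (LPTHREAD_START_ROUTINE)pfnFreeLibrary,
                                       (LPVOID)hRemoteLibrary, 0, &dwRemoteThreadId);
    if (NULL == hRemoteThread) {
        return FALSE;
    }

    if (WaitForSingleObject(hRemoteThread, INFINITE) == WAIT_OBJECT_0 &&
        GetExitCodeThread(hRemoteThread, &dwExitCode)) {
        /* FreeLibrary returns a BOOL; any non-zero exit code means success. */
        nRet = (dwExitCode != 0) ? TRUE : FALSE;
    }

    CloseHandle(hRemoteThread);
    return nRet;
}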


Code:

//DemoDll.cpp
#include "stdafx.h"

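/*
 * Demo DLL entry point: pops a message box so that a successful load is
 * visible.
 *
 * Only DLL_PROCESS_ATTACH is handled. The original showed the box for every
 * reason code, i.e. again on each thread attach/detach in the host and once
 * more on the detach triggered by FreeLibrary. MessageBoxA is used because
 * the literals are narrow; the original MessageBox would not compile under
 * UNICODE.
 *
 * NOTE: DllMain runs under the loader lock, and the Windows documentation
 * advises against calling UI functions from it; this is acceptable only
 * because the DLL exists purely to signal that it was loaded.
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL, "DemoMessage", "MSG", MB_OK);
    }
    return TRUE;
}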
