代码来源于网络。NtUnmapViewOfSection 只撤销模块在目标进程中的内存映射,并不会修改目标进程 PEB 中的加载器链表(Ldr),因此依靠遍历 PEB 来枚举模块的用户态工具(如 Windows 优化大师和 360 的进程查看)仍会显示该模块;直接在内核层面读取进程地址空间的工具(如冰刃 IceSword)则能看到模块已被卸载。
注:强制卸载 ntdll.dll 会让目标进程失去系统调用入口和异常分发代码,几乎必然在它下一次调用 ntdll 时崩溃——这是破坏性的“杀进程”,不会执行任何清理(DLL_PROCESS_DETACH、缓冲区刷新等),目标进程未保存的数据会丢失。要操作其他用户或系统账户下的进程,还需要先启用 SeDebugPrivilege(即以管理员身份运行本程序)。
哈哈,又有了种结束进程的方式,卸载目标进程的ntdll.dll。
下面是代码:
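// ForceQuit: terminates a process by unmapping one of its loaded modules
// (typically ntdll.dll) with NtUnmapViewOfSection.  Pulling ntdll out from
// under a running process leaves it without its system-call stubs and
// exception dispatcher, so it dies on its next ntdll call.  This is a
// destructive kill, not a clean exit: no DLL_PROCESS_DETACH, no flushed
// buffers, no chance for the target to save state.
//
// Requirements / caveats:
//   * SeDebugPrivilege (see EnablePriv) is needed to open processes owned by
//     other users or the system.  The privilege must already be present in
//     the caller's token (run elevated); EnablePriv can only enable it, not
//     grant it.
//   * NtUnmapViewOfSection only drops the mapping; the target's PEB loader
//     lists are not touched, so user-mode viewers that walk PEB->Ldr keep
//     listing the module while kernel-level tools show it gone.
//   * The cross-process OpenProcess and the remote unmap are ordinary,
//     observable operations; anything that monitors handle opens or hooks
//     NtUnmapViewOfSection will see them.  Do not assume this is stealthy.
//   * Base addresses travel through DWORD out-parameters (the original
//     interface), i.e. this is written for 32-bit builds; a 64-bit build
//     refuses addresses that do not fit rather than truncating them.
//   * The Toolhelp structures/functions used here resolve to their ANSI
//     variants only in a non-UNICODE build, which is what the LPSTR
//     parameters assume.
class ForceQuit
{
public:
	// Enables SeDebugPrivilege in the current process token.
	// Returns true only if the privilege is now enabled.  Returns false when
	// the token cannot be opened, the privilege name cannot be resolved, or the
	// privilege is not held by the token (AdjustTokenPrivileges then still
	// returns TRUE but sets ERROR_NOT_ALL_ASSIGNED).
	bool EnablePriv()
	{
		HANDLE hToken = NULL;
		if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
			return false;

		bool enabled = false;
		TOKEN_PRIVILEGES tkp;
		tkp.PrivilegeCount = 1;
		tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		// The original ignored this return value and would adjust with an
		// uninitialised LUID on failure.
		if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
		{
			// AdjustTokenPrivileges reports TRUE even when nothing was
			// assigned; only GetLastError()==ERROR_SUCCESS means we hold it.
			if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
				enabled = (GetLastError() == ERROR_SUCCESS);
		}
		CloseHandle(hToken);  // the original leaked this handle
		return enabled;
	}

	// Looks up the PID of the first process whose image name matches
	// lpProcessName (case-insensitive, e.g. "notepad.exe").  If several
	// processes share the name, the first one in the snapshot wins, as in the
	// original.  Returns false if the snapshot fails or nothing matches;
	// *lpdwPID is written only on success.
	bool GetProcessIdByName(LPSTR lpProcessName, LPDWORD lpdwPID)
	{
		if (lpProcessName == NULL || lpdwPID == NULL)
			return false;

		HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
		// Runtime check rather than assert(): assert compiles out under NDEBUG
		// and the original would then pass INVALID_HANDLE_VALUE onward.
		if (hSnap == INVALID_HANDLE_VALUE)
			return false;

		bool found = false;
		PROCESSENTRY32 entry;
		entry.dwSize = sizeof entry;
		for (BOOL more = Process32First(hSnap, &entry); more; more = Process32Next(hSnap, &entry))
		{
			if (lstrcmpiA(entry.szExeFile, lpProcessName) == 0)
			{
				*lpdwPID = entry.th32ProcessID;
				found = true;
				break;
			}
		}
		CloseHandle(hSnap);
		return found;
	}

	// Finds the load address of module lpDllName (e.g. "ntdll.dll") in process
	// dwProcessID.  Returns false if the snapshot cannot be taken, the module
	// is not loaded, or its base does not fit in a DWORD (possible in a 64-bit
	// build) -- a truncated address must never reach NtUnmapViewOfSection,
	// which would otherwise unmap whatever happens to live there.
	bool GetModuleBaseAddrByPID(DWORD dwProcessID, LPSTR lpDllName, LPDWORD lpdwBaseAddr)
	{
		if (lpDllName == NULL || lpdwBaseAddr == NULL)
			return false;

		// TH32CS_SNAPMODULE can transiently fail with ERROR_BAD_LENGTH while
		// the target is still loading modules; the documented remedy is to
		// retry.  TH32CS_SNAPMODULE32 additionally lists the 32-bit modules of
		// a WOW64 target when called from a 64-bit process (no effect on a
		// 32-bit build).
		HANDLE hSnap = INVALID_HANDLE_VALUE;
		for (int attempt = 0; attempt < 5 && hSnap == INVALID_HANDLE_VALUE; ++attempt)
		{
			hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcessID);
			if (hSnap == INVALID_HANDLE_VALUE && GetLastError() != ERROR_BAD_LENGTH)
				break;
		}
		if (hSnap == INVALID_HANDLE_VALUE)
			return false;

		bool found = false;
		MODULEENTRY32 mod;
		mod.dwSize = sizeof mod;
		for (BOOL more = Module32First(hSnap, &mod); more; more = Module32Next(hSnap, &mod))
		{
			if (lstrcmpiA(lpDllName, mod.szModule) != 0)
				continue;
			DWORD_PTR base = (DWORD_PTR)mod.modBaseAddr;
			if (base == (DWORD_PTR)(DWORD)base)
			{
				*lpdwBaseAddr = (DWORD)base;
				found = true;
			}
			break;
		}
		CloseHandle(hSnap);
		return found;
	}

	// Unmaps lpDllName from the process whose image name is lpProcessName.
	// Returns true only when the module was found and NtUnmapViewOfSection
	// reported success; false if the process or module cannot be found, the
	// process cannot be opened, or the unmap fails.  (The original returned
	// true as soon as the process existed, even if nothing was unmapped.)
	// Unmapping ntdll.dll kills the target -- see the class comment.
	bool Execute(LPSTR lpProcessName, LPSTR lpDllName)
	{
		// NtUnmapViewOfSection is exported by ntdll but not declared in
		// windows.h, so it is resolved at run time.  It returns NTSTATUS, a
		// signed 32-bit value whose success codes are >= 0.
		typedef LONG (NTAPI *NtUnmapViewOfSectionFn)(HANDLE ProcessHandle, PVOID BaseAddress);

		if (lpProcessName == NULL || lpDllName == NULL)
			return false;

		// Best effort: without SeDebugPrivilege OpenProcess still succeeds for
		// processes the caller already has access to, so failure here is not
		// fatal; OpenProcess below reports the real outcome.
		EnablePriv();

		DWORD dwProcessID = 0;
		if (!GetProcessIdByName(lpProcessName, &dwProcessID))
			return false;

		// ntdll.dll is mapped into every Win32 process, so GetModuleHandle
		// suffices and avoids bumping its reference count as LoadLibraryA did.
		HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
		if (hNtdll == NULL)
			return false;
		NtUnmapViewOfSectionFn pfnUnmap =
			(NtUnmapViewOfSectionFn)GetProcAddress(hNtdll, "NtUnmapViewOfSection");
		if (pfnUnmap == NULL)
			return false;

		// PROCESS_VM_OPERATION is the only access NtUnmapViewOfSection needs;
		// request nothing more (least privilege on the handle).
		HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION, FALSE, dwProcessID);
		if (hProcess == NULL)
			return false;

		bool unmapped = false;
		DWORD moduleBaseAddr = 0;
		if (GetModuleBaseAddrByPID(dwProcessID, lpDllName, &moduleBaseAddr))
		{
			LONG status = pfnUnmap(hProcess, (PVOID)(DWORD_PTR)moduleBaseAddr);
			unmapped = (status >= 0);  // NT_SUCCESS without pulling in winternl.h
		}
		CloseHandle(hProcess);
		return unmapped;
	}
};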
调用:
// Usage: DestProcessName is the target's image name and DestModuleName the
// module to unmap (e.g. "ntdll.dll").  Execute() enables SeDebugPrivilege on
// its own; the explicit EnablePriv() call mirrors the original sequence.
ForceQuit unloader;
unloader.EnablePriv();
unloader.Execute(DestProcessName, DestModuleName);