远程卸载的方法主要是在注入的基础上进行,主要区别在写入内存后所做的事情不同。注入的代码在我上一篇文章中已写到,下面只讨论不同的地方,废话不多说上代码:
#include <Windows.h>
#include <tchar.h>
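/*
 * Unload "dlltest.dll" from process TARGET_PID by running GetModuleHandle and
 * FreeLibrary inside it on remote threads. FreeLibrary only decrements the
 * module's load count, so the pair is repeated until GetModuleHandle returns
 * NULL, i.e. the module is no longer mapped in the target.
 *
 * Returns 0 once the module is gone, 1 on any API failure. The remote buffer
 * and every handle are released on all paths through the cleanup labels.
 */
enum { TARGET_PID = 7104 };   /* example PID taken from the original listing */

int main(void)
{
    TCHAR dllstr[MAX_PATH] = _T("dlltest.dll");
    HANDLE hprocess = NULL;
    HANDLE thread = NULL;
    LPVOID lpbuf = NULL;
    int rc = 1;

    hprocess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                           FALSE, TARGET_PID);
    if (hprocess == NULL) {
        goto out;               /* nothing to free yet; the original never checked this */
    }

    lpbuf = VirtualAllocEx(hprocess, NULL, sizeof dllstr, MEM_COMMIT, PAGE_READWRITE);
    if (lpbuf == NULL) {
        goto out_close_process;
    }

    /* The whole zero-padded buffer is copied, so the remote string is NUL-terminated. */
    if (!WriteProcessMemory(hprocess, lpbuf, dllstr, sizeof dllstr, NULL)) {
        goto out_free_remote;
    }

    for (;;) {
        DWORD hdll = 0;     /* remote GetModuleHandle result (thread exit code) */
        DWORD freed = 0;    /* remote FreeLibrary result (thread exit code) */

        /*
         * GetModuleHandle takes one pointer argument and returns one
         * pointer-sized value, so it can serve as the thread start routine
         * with lpbuf (the DLL name inside the target) as its parameter. This
         * assumes kernel32 is mapped at the same address in both processes,
         * which is normally true but not an API guarantee.
         */
        thread = CreateRemoteThread(hprocess, NULL, 0,
                                    (LPTHREAD_START_ROUTINE)GetModuleHandle, lpbuf, 0, NULL);
        if (thread == NULL) {
            goto out_free_remote;
        }
        WaitForSingleObject(thread, INFINITE);
        /*
         * Thread exit codes are 32-bit. On a 64-bit target an HMODULE above
         * 4 GB is truncated here, so this approach is only reliable for
         * 32-bit targets (the original code has the same limitation).
         */
        if (!GetExitCodeThread(thread, &hdll)) {
            goto out_close_thread;
        }
        CloseHandle(thread);    /* the original leaked one thread handle per iteration */
        thread = NULL;

        if (hdll == 0) {
            rc = 0;             /* module is no longer loaded: done */
            break;
        }

        /* Widen through ULONG_PTR so the DWORD->pointer cast is explicit on 64-bit builds. */
        thread = CreateRemoteThread(hprocess, NULL, 0,
                                    (LPTHREAD_START_ROUTINE)FreeLibrary,
                                    (LPVOID)(ULONG_PTR)hdll, 0, NULL);
        if (thread == NULL) {
            goto out_free_remote;
        }
        WaitForSingleObject(thread, INFINITE);
        if (!GetExitCodeThread(thread, &freed) || freed == 0) {
            goto out_close_thread;  /* FreeLibrary failed inside the target */
        }
        CloseHandle(thread);
        thread = NULL;
    }

out_close_thread:
    if (thread != NULL) {
        CloseHandle(thread);
    }
out_free_remote:
    /* MEM_RELEASE requires dwSize == 0; the original passed sizeof(dllstr), which makes the call fail. */
    VirtualFreeEx(hprocess, lpbuf, 0, MEM_RELEASE);
out_close_process:
    CloseHandle(hprocess);
out:
    return rc;
}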
写入后,创建远程线程。CreateRemoteThread函数的第4个参数是GetModuleHandle的地址,用于取得已经加载到目标进程空间中的模块句柄,然后等待线程结束并读取其返回值。
然后再一次调用CreateRemoteThread函数释放模块,第4个参数为FreeLibrary,并等待线程结束。
关闭线程句柄和进程句柄,卸载结束。