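// Unload a named module from another process. Intended for removing a DLL
// that was injected into that process (e.g. a DLL trojan).
//
// Notes:
// 1. If the target process called LoadLibrary on the module more than once,
//    this function must be called once per LoadLibrary so the module's
//    reference count reaches zero and it is actually unmapped.
// 2. Only DLLs loaded dynamically after process start can be unloaded this
//    way. If the module appears in the target's import table the call can
//    still succeed, but the module stays mapped and its functions and
//    resources remain valid.
// 3. The remote GetModuleHandleA result is read back through the thread exit
//    code, which is a DWORD, so the module base must fit in 32 bits (a 32-bit
//    target). It also relies on kernel32.dll being mapped at the same address
//    in the caller and the target, since the caller's GetModuleHandleA and
//    FreeLibrary addresses are used as the remote thread start routines.
//
// Parameters:
//   Pid:    process ID of the target process
//   Module: module (DLL) name, ANSI
//
// Returns: TRUE when the remote FreeLibrary call reported success, FALSE
//          otherwise. On every return path all handles and the remote
//          allocation are released.
BOOL FreeRemoteModule(DWORD Pid, LPCSTR Module)
{
    BOOL ok = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    void *lpBuf = NULL;
    DWORD dwHandle = 0;
    DWORD freeResult = 0;
    DWORD len = 0;
    SIZE_T wlen = 0;

    if (Module == NULL || Module[0] == '\0')
        return FALSE;

    // CreateRemoteThread is documented to require PROCESS_CREATE_THREAD,
    // PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and
    // PROCESS_VM_READ on the process handle; the original three were not
    // always sufficient.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, Pid);
    if (hProcess == NULL)
        return FALSE;

    // Copy the module name (including its terminator) into the target so the
    // remote GetModuleHandleA thread can read it.
    len = (DWORD)strlen(Module) + 1;
    lpBuf = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_READWRITE);
    if (lpBuf == NULL)
        goto cleanup;
    // WriteProcessMemory reports the byte count through a SIZE_T, not a DWORD.
    if (!WriteProcessMemory(hProcess, lpBuf, (LPCVOID)Module, len, &wlen) || wlen != len)
        goto cleanup;

    // dwHandle = GetModuleHandleA(Module), executed inside the target.
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)GetModuleHandleA,
                                 lpBuf, 0, NULL);
    if (hThread == NULL)
        goto cleanup;
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0)
        goto cleanup;
    // The thread exit code carries GetModuleHandleA's return value (note 3).
    if (!GetExitCodeThread(hThread, &dwHandle))
        goto cleanup;
    CloseHandle(hThread);
    hThread = NULL;

    // NULL means the module is not loaded in the target; report failure
    // instead of running FreeLibrary(NULL) there.
    if (dwHandle == 0)
        goto cleanup;

    // FreeLibrary(dwHandle), executed inside the target.
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)FreeLibrary,
                                 (LPVOID)(ULONG_PTR)dwHandle, 0, NULL);
    if (hThread == NULL)
        goto cleanup;
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0)
        goto cleanup;
    // FreeLibrary's BOOL result comes back as the thread exit code; only
    // report success when it was non-zero.
    if (!GetExitCodeThread(hThread, &freeResult) || freeResult == 0)
        goto cleanup;
    ok = TRUE;

cleanup:
    if (hThread != NULL)
        CloseHandle(hThread);
    // MEM_RELEASE with size 0 returns the whole region; MEM_DECOMMIT (as
    // before) would leave the reservation in the target's address space.
    if (lpBuf != NULL)
        VirtualFreeEx(hProcess, lpBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return ok;
}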