从进程中卸载dll
[英]Unload dll from process
问题描述
Hello I want to unload this dll from the process it is injected to, how can I do this?
你好,我想从它注入的进程中卸载这个 dll,我该怎么做? this is how I inject the dll to process:这就是我注入 dll 进行处理的方式:
this is just me showing how i inject my dll into a process, but how do i UNLOAD / UNINJECT this dll from the process if my inject method is this这只是我展示了我如何将我的 dll 注入到一个进程中,但是如果我的注入方法是这个,我如何从进程中卸载/UNINJECT 这个 dll
HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, false, GetProcessIdByName("csgo.exe"));
if (h)
{
LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
//cout << "[!] Initialized Library\n";
LPVOID dereercomp = VirtualAllocEx(h, NULL, strlen(dllName), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
//cout << "[!] Initialized memory allocation\n";
WriteProcessMemory(h, dereercomp, dllName, strlen(dllName), NULL);
//cout << "[!] Wrote dll name to memory: " << strlen(dllName) << " byte(s)\n";
HANDLE asdc = CreateRemoteThread(h, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, dereercomp, 0, NULL);
//cout << "[!] Created remote thread: " << asdc << endl;
//cout << "[!] Waiting for Dll exit...\n";
WaitForSingleObject(asdc, INFINITE);
VirtualFreeEx(h, dereercomp, strlen(dllName), MEM_RELEASE);
//cout << "[!] Freeing memory\n";
CloseHandle(asdc);
CloseHandle(h);
//cout << "[!] Closed all handles\n";
//cout << "[!] Complete!\n";
}
1 个解决方案
解决方案1
2 2019-02-24 20:01:12
You're using CreateRemoteThread to launch a thread in your target process that runs “LoadLibraryA”.您正在使用CreateRemoteThread在运行“LoadLibraryA”的目标进程中启动一个线程。
I have no idea why commenters didn't like your injection code.我不知道为什么评论者不喜欢你的注入代码。 Looks OK to me.对我来说看起来不错。 I think you're correctly closing that thread, however I recommend adding GetExitCodeThread call after WaitForSingleObject , this will give you the return code from LoadLibrary so you can check for errors.我认为您正确关闭了该线程,但是我建议在WaitForSingleObject之后添加GetExitCodeThread调用,这将为您提供LoadLibrary的返回代码,以便您检查错误。 You can't call FreeLibrary on that handle because different processes.由于不同的进程,您不能在该句柄上调用FreeLibrary 。 GetLastError won't work either. GetLastError 也不起作用。 But at least you can compare with nullptr to detect a fail.但至少您可以与nullptr进行比较以检测失败。
The reason why DLL stays loaded is no one has called FreeLibrary . DLL 保持加载状态的原因是没有人调用FreeLibrary 。
One pattern here, in DllMain of your DLL, under DLL_PROCESS_ATTACH case, create one more remote thread.这里的一种模式,在 DLL 的 DllMain 中,在DLL_PROCESS_ATTACH情况下,再创建一个远程线程。 This time no need to use CreateRemoteThread , just call normal CreateThread because that code already runs in the target process.这次不需要使用CreateRemoteThread ,只需调用普通的CreateThread因为该代码已经在目标进程中运行。 Call CloseHandle at once on the returned handle (this won't kill the new thread just release the handle).在返回的CloseHandle上立即调用CloseHandle (这不会杀死新线程,只是释放句柄)。 Now in that second remote thread, do whatever you want to do in the target process, and when finished, call FreeLibraryAndExitThread API.现在在第二个远程线程中,在目标进程中执行您想做的任何操作,完成后调用FreeLibraryAndExitThread API。 This will exit the second remote thread, at the same time unloading your DLL from your target process.这将退出第二个远程线程,同时从目标进程中卸载 DLL。
More info: DllMain entry point For DLLs, HINSTANCE is same as HMODULE, just cast the first argument to HMODULE and keep that argument in some variable to pass into FreeLibraryAndExitThread .更多信息: DllMain 入口点对于 DLL,HINSTANCE 与 HMODULE 相同,只需将第一个参数转换为 HMODULE 并将该参数保存在某个变量中以传递给FreeLibraryAndExitThread 。
Update : As said by the commenter, ideally you need to allocate, and copy, one extra character.更新:正如评论者所说,理想情况下您需要分配和复制一个额外的字符。 Just replace strlen(dllName) with strlen(dllName)+1 in both cases.在这两种情况下,只需将strlen(dllName)替换为strlen(dllName)+1 。
Update 2 : BTW it's often a good idea to call DisableThreadLibraryCalls first thing in DLL_PROCESS_ATTACH handler.更新 2 :顺便说一句,在 DLL_PROCESS_ATTACH 处理程序中首先调用DisableThreadLibraryCalls通常是个好主意。 Especially if you then launch new threads from your DllMain .特别是如果您随后从DllMain启动新线程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.