DLL injection: the DLL can't be unloaded afterwards

Time:09-20

I have recently been studying DLL injection. Using CreateRemoteThread, the DLL can be injected into the process, but I find that after unloading, the DLL is still in the process. What is going on, please?
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdio.h>

// Assumes a Unicode build (UNICODE/_UNICODE defined), so TCHAR is wchar_t.
BOOL EjectDll(DWORD PID, LPCTSTR DllPath)
{
    BOOL bMore = FALSE, bFound = FALSE;
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    MODULEENTRY32 me = { sizeof(me) };
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    HMODULE hMod = NULL;

    // Snapshot the module list of the target process
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        _tprintf(L"failed to create the process snapshot! error %lu\n", GetLastError());
        return FALSE;
    }

    bMore = Module32First(hSnapshot, &me);
    for (; bMore; bMore = Module32Next(hSnapshot, &me)) // find the module handle
    {
        // _wcsicmp returns 0 on a match, so the result must be negated
        if (!_wcsicmp(me.szModule, DllPath) || !_wcsicmp(me.szExePath, DllPath))
        {
            bFound = TRUE;
            break;
        }
    }
    if (!bFound)
    {
        _tprintf(L"the injected DLL was not found in the process\n");
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hSnapshot);
        return FALSE;
    }

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    if (!hProcess)
    {
        _tprintf(L"failed to open the injected process, no process handle! error %lu\n", GetLastError());
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hSnapshot);
        return FALSE;
    }

    hMod = GetModuleHandle(L"kernel32.dll");
    if (hMod == NULL)
    {
        _tprintf(L"unable to obtain the kernel32.dll module handle! error %lu\n",
                 GetLastError());
        if (hProcess)
            CloseHandle(hProcess);
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hSnapshot);
        return FALSE;
    }

    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "FreeLibrary");
    if (pThreadProc == NULL)
    {
        _tprintf(L"failed to get the FreeLibrary function address! error %lu\n", GetLastError());
        if (hProcess)
            CloseHandle(hProcess);
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hSnapshot);
        return FALSE;
    }

    // Run FreeLibrary(modBaseAddr) on a new thread inside the target process
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, me.modBaseAddr, 0, NULL);
    if (!hThread)
    {
        _tprintf(L"failed to create the remote thread!\n");
        if (hProcess)
            CloseHandle(hProcess);
        if (hSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hSnapshot);
        return FALSE;
    }

    // Returns once the thread is created; FreeLibrary's result in the target is not checked
    if (hSnapshot != INVALID_HANDLE_VALUE)
        CloseHandle(hSnapshot);
    if (hThread != NULL)
        CloseHandle(hThread);
    if (hProcess != NULL)
        CloseHandle(hProcess);
    return TRUE;
}

CodePudding user response:


Have the DLL call the unload function from within itself.

CodePudding user response:

Quoting smwhotjay's reply on the 1st floor:

Have the DLL call the unload function from within itself.

No, having it unload itself also failed; the DLL is still in the process.

CodePudding user response:

Quoting smwhotjay's reply on the 1st floor:

Have the DLL call the unload function from within itself.

I used FreeLibraryAndExitThread and FreeLibrary, and the injected process crashed as a result.

CodePudding user response:

I remember an article online that said it is best not to unload and to just leave it there. I can't find it now, but it was roughly about several hooks being installed at the same place: if the order is wrong when unloading, it may crash, so the article's author suggested not unloading.
I think that if it doesn't affect later use, just leave it; it isn't a bad thing anyway.
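
A way to check the symptom from the question (the DLL still listed in the target after the eject call), added here as an example and not code from any poster in the thread. The function names `Test-ModuleLoaded` and `Wait-ModuleUnload`, the PID and the path are hypothetical placeholders.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Run with rights to open the target and with the same bitness as the target.
function Test-ModuleLoaded {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [string] $DllPath   # module name or full path
    )
    # -ErrorAction Stop: an access failure or an exited (crashed) process
    # must not be mistaken for "not loaded".
    $modules = Get-Process -Id $ProcessId -Module -ErrorAction Stop
    # Same comparison as the loop in EjectDll: case-insensitive match on
    # either the module name or the full path.
    $modules | Where-Object {
        $_.ModuleName -ieq $DllPath -or $_.FileName -ieq $DllPath
    } | ForEach-Object {
        [pscustomobject]@{
            Module    = $_.ModuleName
            Path      = $_.FileName
            Base      = '0x{0:X}' -f $_.BaseAddress.ToInt64()
            SizeBytes = $_.ModuleMemorySize
        }
    }
}

function Wait-ModuleUnload {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [string] $DllPath,
        [int] $TimeoutMs = 5000,
        [int] $PollMs    = 250
    )
    # Poll, because FreeLibrary runs asynchronously on the remote thread.
    $deadline = (Get-Date).AddMilliseconds($TimeoutMs)
    do {
        $hit = Test-ModuleLoaded -ProcessId $ProcessId -DllPath $DllPath
        if (-not $hit) { return $true }      # no longer in the module list
        Start-Sleep -Milliseconds $PollMs
    } while ((Get-Date) -lt $deadline)
    Write-Warning ("Still loaded: " + ($hit.Path -join ', '))
    return $false                            # still mapped after the timeout
}

# Placeholder PID and path; substitute the values passed to EjectDll.
# Wait-ModuleUnload -ProcessId 1234 -DllPath 'C:\path\to\example.dll'
```

FreeLibrary decrements the module's reference count and unmaps the module only when the count reaches zero, so a module can remain listed after a single call.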