最近在學習DLL注入,在使用CreateRemoteThread后可以將DLL注入到行程中,但卸載后卻發現DLL還在行程中,請問是怎么回事?
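/*
 * EjectDll - ask process PID to unload the module whose name or full path
 * matches DllPath, by running kernel32!FreeLibrary on that module's base
 * address in a remote thread.
 *
 * PID      target process id.
 * DllPath  module file name (matched against me.szModule) or full path
 *          (matched against me.szExePath); compared case-insensitively.
 *
 * Returns TRUE only when the remote FreeLibrary call ran and returned
 * non-zero, FALSE otherwise; the failing step is printed together with
 * GetLastError() where it applies.
 *
 * Build note: the literals are wide and the MODULEENTRY32 fields are
 * compared with _wcsicmp, so this assumes a UNICODE build.
 *
 * Note on "the DLL is still there": FreeLibrary only decrements the module's
 * load count. If the DLL was loaded more than once (e.g. injected twice, or
 * loaded by the process itself as a dependency) a single call does not unmap
 * it; the exit code returned through GetExitCodeThread is still non-zero in
 * that case, so callers that need the module gone should re-check the
 * module list afterwards.
 */
BOOL EjectDll(DWORD PID, LPCTSTR DllPath)
{
    BOOL rc = FALSE;
    BOOL bFound = FALSE;
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    HMODULE hMod = NULL;
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    DWORD exitCode = 0;
    MODULEENTRY32 me = { sizeof(me) };

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    if (INVALID_HANDLE_VALUE == hSnapshot) {
        /* the original passed GetLastError() without a conversion specifier */
        _tprintf(L"創建行程快照失敗! (%lu)\n", GetLastError());
        return FALSE;
    }

    /* Locate the module. _wcsicmp returns 0 on a match, so the match test
     * must negate it. The original "if (_wcsicmp(a) || _wcsicmp(b))" was true
     * for every module that did NOT match, i.e. it stopped at the first
     * module in the snapshot (normally the main executable) and later passed
     * that base address to FreeLibrary -- which is why the injected DLL was
     * never unloaded. Either the bare file name or the full path may be
     * given. */
    for (BOOL bMore = Module32First(hSnapshot, &me); bMore; bMore = Module32Next(hSnapshot, &me)) {
        if (_wcsicmp(me.szModule, DllPath) == 0 || _wcsicmp(me.szExePath, DllPath) == 0) {
            bFound = TRUE;
            break;
        }
    }
    if (!bFound) {
        _tprintf(L"未在被注入行程中發現注入的DLL\n");
        goto out;
    }

    /* PROCESS_ALL_ACCESS is broader than CreateRemoteThread requires (its
     * documentation lists the specific rights); kept as in the original so
     * behaviour on the author's setup is unchanged. */
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    if (!hProcess) {
        _tprintf(L"打開被注入行程失敗,未獲取行程句柄! (%lu)\n", GetLastError());
        goto out;
    }

    /* The address is looked up in *this* process; this assumes kernel32.dll
     * is mapped at the same base in the target (same bitness, same session
     * ASLR layout). If that does not hold the remote thread will not reach
     * FreeLibrary. */
    hMod = GetModuleHandle(L"kernel32.dll");
    if (hMod == NULL) {
        _tprintf(L"無法獲取kernel32.dll的模塊句柄! (%lu)\n", GetLastError());
        goto out;
    }

    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "FreeLibrary");
    if (pThreadProc == NULL) {
        _tprintf(L"獲取FreeLibrary函式起始地址失敗! (%lu)\n", GetLastError());
        goto out;
    }

    /* FreeLibrary takes one pointer-sized argument (the HMODULE) and returns
     * a BOOL, so it is used directly as the thread start routine with the
     * module base as its parameter. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, me.modBaseAddr, 0, NULL);
    if (!hThread) {
        _tprintf(L"創建遠程執行緒失敗! (%lu)\n", GetLastError());
        goto out;
    }

    /* The original returned TRUE as soon as the thread was created, before
     * FreeLibrary had run at all. Wait for it and report its return value so
     * a failed unload is visible to the caller. */
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
        _tprintf(L"等待遠程執行緒失敗! (%lu)\n", GetLastError());
        goto out;
    }
    if (!GetExitCodeThread(hThread, &exitCode)) {
        _tprintf(L"獲取遠程執行緒退出碼失敗! (%lu)\n", GetLastError());
        goto out;
    }
    if (exitCode == 0) {
        /* FreeLibrary itself returned FALSE inside the target process */
        _tprintf(L"遠程執行緒中的FreeLibrary回傳失敗!\n");
        goto out;
    }
    rc = TRUE;

out:
    /* single cleanup path; CloseHandle(NULL) would fail, so each handle is
     * only closed if it was actually obtained */
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    if (hSnapshot != INVALID_HANDLE_VALUE) {
        CloseHandle(hSnapshot);
    }
    return rc;
}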
uj5u.com熱心網友回復:

dll內部自身呼叫 卸載函式。
uj5u.com熱心網友回復:
不行,讓它自身卸載自己也失敗了,DLL還是留在行程里
uj5u.com熱心網友回復:
使用過FreeLibraryAndExitThread和FreeLibrary,結果注入的行程崩潰了。
uj5u.com熱心網友回復:
網上好像有一篇文章說,最好別卸載,留在那兒吧。一時間找不到了。大概講的是同一個地方放了很多個鉤子,卸載的時候如果順序有問題,可能會崩掉,寫文章的人就建議別卸載了。我是覺得如果不影響后面的使用的話,就放著吧。反正也不差這個東西
