#i nclude "stdafx.h"
#i nclude <windows.h>
#i nclude <stdio.h>
#i nclude <Tlhelp32.h>
// Parameter block handed to the thread started in the target process.
// It is filled in by main(), copied into the target with WriteProcessMemory,
// and its remote address is passed as the thread's lpParameter.
typedef struct RemoteInfo
{
DWORD dwLoadLibrary; // address of the function the remote thread calls; despite the name, main() stores the address of FreeLibrary here
DWORD ModuleAddr;    // base address of the module to unload, passed as that function's single argument
}RemotePara; // parameters passed to the remote thread
/*
 * Thread body that main() copies byte-for-byte into the target process and
 * starts with CreateRemoteThread. It treats lpPara->dwLoadLibrary as the
 * address of a __stdcall BOOL(DWORD) function and calls it with
 * lpPara->ModuleAddr. Because only the raw machine code of this function is
 * copied, it must stay self-contained: any call to another function, global
 * or string constant would be an absolute reference that is meaningless in
 * the other process (presumably why the callee's address is passed in via
 * lpPara rather than called directly). Always returns 0; the callee's result
 * is discarded.
 */
DWORD WINAPI ThreadProc (RemotePara *lpPara)
{
// DWORD only holds a full function address in a 32-bit build.
typedef BOOL (__stdcall *pFreeLibrary)(DWORD);
pFreeLibrary pFuckLibrary;
pFuckLibrary = (pFreeLibrary)lpPara->dwLoadLibrary;
pFuckLibrary(lpPara->ModuleAddr); // module base address
return 0;
}
/*
 * Entry point. Walks the module list of the process whose id is argv[2],
 * looks for a module named argv[1], and then makes that process unload it by
 * running FreeLibrary on a thread created inside it.
 * Usage (argc must be 3): argv[0] <module name> <process id>.
 * Returns 0 on the success path and 1 when arguments are missing or one of
 * the Win32 calls fails.
 * NOTE(review): the OpenProcess / VirtualAllocEx(PAGE_EXECUTE_READWRITE) /
 * WriteProcessMemory / CreateRemoteThread sequence used below is the classic
 * remote-thread pattern that endpoint monitoring commonly alerts on.
 */
int main(int argc, char* argv[])
{
MODULEENTRY32 ModuleStor;      // current entry while walking the Toolhelp snapshot
RemotePara pRemoteCallParam;   // local copy of the parameter block; ModuleAddr is only assigned when a match is found
RemotePara *pRPCParam = NULL;  // address of the parameter block inside the target process
if(argc!=3)
{
printf("Remote Modules Uninject Tool by Rhett 2006.1.16\n");
printf("%s Module name Process id\n",argv[0]);
return 1;
}
// atoi() reports no errors: a non-numeric argv[2] silently becomes process id 0
// here and again in the OpenProcess call below.
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,atoi(argv[2]));
// NOTE(review): the Win32 sentinel is spelled INVALID_HANDLE_VALUE; as written
// this line only compiles if stdafx.h (not shown here) defines INVALID_HANDLE_value.
if(INVALID_HANDLE_value==hSnapshot)
{
printf("snapshot failed\n");
return 1;
}
ModuleStor.dwSize = sizeof(MODULEENTRY32); // Toolhelp requires dwSize to be set before the first call
bool bFind = false;
int i = Module32First(hSnapshot,&ModuleStor);
if(i>0)
{
printf("%s",ModuleStor.szModule);
printf("\t%8x\n",ModuleStor.modBaseAddr); // modBaseAddr is a pointer, so %8x is a format mismatch (%p would match)
if(!strcmp(ModuleStor.szModule,argv[1]))
{
pRemoteCallParam.ModuleAddr = (unsigned long)ModuleStor.modBaseAddr; // pointer is truncated to 32 bits in a 64-bit build
bFind = true;
}
}
// NOTE(review): the value Module32Next stores in i is never tested, so when the
// list ends without a match, ModuleStor keeps its last contents and this loop
// prints that entry forever instead of failing. If Module32First succeeded and
// already matched, bFind is true and the loop is skipped.
while(bFind==false)
{
i = Module32Next(hSnapshot,&ModuleStor);
printf("%s",ModuleStor.szModule);
printf("\t%8x\n",ModuleStor.modBaseAddr); // same %8x/pointer mismatch as above
if(!strcmp(ModuleStor.szModule,argv[1]))
{
pRemoteCallParam.ModuleAddr = (unsigned long)ModuleStor.modBaseAddr;
break; // bFind is left false here; this break is the only other way out of the loop
}
}
CloseHandle(hSnapshot);
//----------------------------------------------------------------------------
// PROCESS_ALL_ACCESS is far broader than the memory/thread rights actually used below.
// hProcess is leaked on each of the early returns that follow.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,atoi(argv[2]));
if(hProcess==NULL)
{
//printf(" open process failed\n");
return 1;
}
// The address resolved here is looked up in *this* process but used in the
// target; it is only meaningful there if kernel32.dll is mapped at the same
// base in both — assumed, never checked. hModule is never released.
HMODULE hModule = LoadLibrary("kernel32.dll");
// Not NULL-checked. The field name is misleading: it receives FreeLibrary's address.
pRemoteCallParam.dwLoadLibrary = (DWORD)GetProcAddress(hModule,"FreeLibrary");
// pRemoteCallParam.ModuleAddr = 0x10000000;
pRPCParam = (RemotePara *)VirtualAllocEx(hProcess,NULL,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
if (pRPCParam == NULL)
{
//printf("virtualallocex failed\n");
return 1;
}
WriteProcessMemory(hProcess,pRPCParam,&pRemoteCallParam,sizeof(pRemoteCallParam),0); // return value not checked
// A writable+executable region for the thread body. 2048 bytes is a hard-coded
// guess that is almost certainly larger than ThreadProc itself, so the copy
// below also reads whatever follows ThreadProc in this image; the copied code
// only works if it contains no absolute references (see ThreadProc).
PVOID pRemoteThread = VirtualAllocEx(hProcess,NULL,2048,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(pRemoteThread==NULL)
{
//printf("second virtualallocex failed\n");
return 1;
}
WriteProcessMemory(hProcess,pRemoteThread,&ThreadProc,2048,0); // return value not checked
// The remote copy of ThreadProc is started with pRPCParam as its lpPara.
HANDLE hThread = CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void *))pRemoteThread,pRPCParam,0,NULL);
if(hThread==NULL)
{
//printf("createremotethread failed\n");
return 1;
}
// hThread is neither waited on nor closed, and neither remote allocation is
// ever released with VirtualFreeEx; the tool exits without knowing whether
// FreeLibrary ran.
CloseHandle(hProcess);
return 0;
}
卸载其他进程已加载模块2008-05-31 17:29:00