远程dll文件卸载失败？？？

HMODULE      phmd=GetModuleHandle( "kernel32.dll ");
LPTHREAD_START_ROUTINE   fnStartAddr=(LPTHREAD_START_ROUTINE)
GetProcAddress(phmd, "FreeLibrary "); //获取动态链接库函数地址  CreateRemoteThread(  hProcess,  NULL,  0,  fnStartAddr,
                  (LPVOID)dwHandle,  0,  NULL); 这样看看

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

VirtualFreeEx(hProcess,szDllName,dwsize,MEM_DECOMMIT);
这个不对,你都没有分配内存就跑去释放了
之前先给他VirtualAllocEx
http://www.sudu.cn/info/html/edu/network_technology/20050915/172367.html
你看看这个吧,CreateRemoteThread之前需要VirtualAllocEx
代码如下：
#include "stdafx.h"
DWORD getprocessid(char *processname)
{PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
HANDLE hprocesssnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hprocesssnap==INVALID_HANDLE_VALUE)
{
printf("error");
return 0;
}
bool bprocess=Process32First(hprocesssnap,&pe32);
while (bprocess==1)
{ if (strcmp(strupr(pe32.szExeFile),strupr(processname))==0) {return pe32.th32DefaultHeapID;
}
bprocess=Process32Next(hprocesssnap,&pe32);}
CloseHandle(hprocesssnap);
return 0;
}

void undll(DWORD dwProcessID,char *szDllName)
{
DWORD   dwHandle=NULL;
DWORD dwid,dwsize;

          HANDLE   hProcess   =   OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
                  FALSE,   dwProcessID);
  if   (!hProcess)
  {
                          return   ;
  }

LPVOID pfunc=GetModuleHandle("iexplore.exe");
    DWORD dllhandll;  HANDLE   hThread   =   CreateRemoteThread(   hProcess,   NULL,   0,
                 (LPTHREAD_START_ROUTINE)pfunc ,
                  (LPVOID)dwHandle,   0,  &dwid);
          if   (hThread   ==   NULL)
          {
                  CloseHandle(hProcess);

                  return   ;
          }


          //   等待GetModuleHandle运行完毕
          WaitForSingleObject(   hThread,   INFINITE   );

          //   获得GetModuleHandle的返回值
          GetExitCodeThread(   hThread,   &dwHandle   );


  dwsize=lstrlen(szDllName)+1;
  VirtualFreeEx(hProcess,szDllName,dwsize,MEM_DECOMMIT);
               CloseHandle(hThread);
     HMODULE phmd=GetModuleHandle("kernel32.dll");
  LPTHREAD_START_ROUTINE fnstartaddr=(LPTHREAD_START_ROUTINE)GetProcAddress(phmd,"FreeLibrary");
          //   使目标进程调用FreeLibrary，卸载DLL    hThread   =   CreateRemoteThread(   hProcess,   NULL,   0,   fnstartaddr,
                  (LPVOID)dwHandle,   0,   &dwid);

          //   等待FreeLibrary卸载完毕
      WaitForSingleObject(hThread,   INFINITE);

      CloseHandle(hThread);

  CloseHandle(hProcess);
}int main(int argc, char* argv[])
{DWORD aa;
aa=getprocessid("iexplore.exe");
undll(aa,"FlashFetBHO.dll");
return 0;
}
看看那错了；
你少了?VirtualAllocEx/VirtualFreeEx - 用于在目标进程中分配/释放内存空间。
　　?WriteProcessMemory - 用于在目标进程中写入要加载的DLL名称。
这么两个步骤
不要采用CreateRemoteThread的方式来获取远程DLL的模块句柄，直接去目标进程搜索模块，找到模块基地址，就是你想要的模块句柄了。
//检索目标进程的模块 HANDLE hProcessSnap = NULL ;
DWORD          dwRet      = 0;
MODULEENTRY32  me32      = {0};
DWORD dwModuleBase = 0 ;
DWORD  dwSize = 0  ; {
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessid);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot %d\n", GetLastError());
return 0;
}
me32.dwSize = sizeof(MODULEENTRY32);
if (!Module32First(hProcessSnap, &me32))
{
printf("Module32First %d\n", GetLastError());
return 0;
} do
{
if (!stricmp(me32.szModule, strDllName))
{
dwModuleBase = (DWORD)me32.modBaseAddr ;
break ;
}
}while ( Module32Next(hProcessSnap, &me32) ); CloseHandle (hProcessSnap);
}
//然后，再远程卸载就可以了
      CreateRemoteThread(  hProcess,  NULL,  0,  fnstartaddr, (LPVOID)dwModuleBase ,  0,  &dwid);