我写了一个DLL,并用CreateRemoteThread的方式注入到Explorer.exe中。DLL可以正常工作。可是我现在想终止这个DLL的线程。我试过在DLL中直接
CloseHandle\ExitThread\TerminateThread,因为我的DLL载入时会显示一个窗体,用到上述三个中任何一个时,我都可以看到我的窗体已经消失不见了。按理说,DLL这个线程已经被终止掉了。可是我试着重新编译、删除、重命名那个DLL时,系统提示DLL正在使用中....有什么解决的方法?急盼回复。多谢 http://expert.csdn.net/Expert/topic/2604/2604905.xml?temp=.9400751

解决方案 »

  1.   

    这个有一定的难度,我这里贴一个别人的代码,包括DLL注入和取消的单元;注明本单元为转载,如涉及版权,请斑竹马上删除;
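    (******************************************************************************
    *   CopyRight (c) By GanHuaXin 2002
    *   All Right Reserved
    *   Email : [email protected]
    *   Date    :
    *       New Develop   : 2002-x-x
    *       Modified      : 2001-05-26
    ******************************************************************************)

    { Review notes

      What the unit does: each exported routine fills a parameter record, appends
      a byte copy of a small stub function to it, writes the record into the
      target process and runs the copied stub there with CreateRemoteThread.

      How it looks from the monitoring side: a cross-process handle with
      VM-write and thread-create rights, a private PAGE_EXECUTE_READWRITE
      allocation in the target, and a remote thread whose start address lies
      outside any mapped image. Sysmon records the thread as Event ID 8
      (CreateRemoteThread) and the handle as Event ID 10 (ProcessAccess);
      endpoint protection commonly classifies the sequence as code injection.

      Assumptions the code cannot verify for itself:
        - Kernel32.dll / User32.dll are mapped at the same address in the caller
          and in the target, so function addresses resolved here are valid there.
        - Caller and target have the same bitness.
        - Each stub compiles to at most 100 position-independent bytes with no
          references to this module's own data or RTL helpers.
        - A module handle fits in the 32-bit thread exit code. }

    unit untInjectCode;

    interface

    uses
      Windows, Sysutils;

    { Loads the DLL named strDllName inside the process behind hProcess.
      dllHandle receives the remote thread's exit code, i.e. the value returned
      by LoadLibraryA in the target (0 when the load failed there).
      The function result is always TRUE; Win32 failures on the caller's side are
      raised through RaiseLastWin32Error, so callers must check dllHandle. }
    function LoadDllToProcess(hProcess:Thandle;
                              strDllName:PChar;
                              var dllHandle:HModule):BOOL;

    { Calls FreeLibrary(hLibModule) inside the process behind hProcess.
      bOK receives the remote FreeLibrary result.
      The function result is always TRUE; Win32 failures on the caller's side are
      raised through RaiseLastWin32Error, so callers must check bOK. }
    function UnLoadDllFromProcess(hProcess:THandle;
                                  hLibModule: HModule;
                                  var bOK:BOOL):BOOL;

    implementation

    type
      TLoadLibraryA = function (lpLibFileName: PAnsiChar): HMODULE; stdcall;

      // Parameter block for RemoteLoadFunc; the stub's code bytes travel in
      // InjectCode, right behind the data it reads.
      TLoadInjectInfo = Record
        fnLoadLibraryA : TLoadLibraryA;
        szDllName : array[0..255] of AnsiChar;
        hDLL : HModule;
        InjectCode : array [0..99] of byte;
      end;
      PLoadInjectInfo = ^TLoadInjectInfo;

      TMessageBeep = function (uType: UINT): BOOL; stdcall;
      TFreeLibrary = function (hLibModule: HMODULE): BOOL; stdcall;

      // Parameter block for RemoteFreeFunc, same layout idea as above.
      TFreeInjectInfo = Record
        fnFreeLibrary : TFreeLibrary;
        hLibModule : HMODULE;
        fnMessageBeep : TMessageBeep;
        uBeep : UINT;
        InjectCode : array[0..99] of byte;
      end;
      PFreeInjectInfo = ^TFreeInjectInfo;

    // Stub that is byte-copied into the target. It may only touch what it
    // reaches through p, because nothing else of this module exists over there.
    function RemoteLoadFunc(p : PLoadInjectInfo):DWORD;stdcall;
    begin
      Result := DWORD(p.fnLoadLibraryA(p.szDllName));
    end;

    // Stub that is byte-copied into the target; same restriction as above.
    function RemoteFreeFunc(p : PFreeInjectInfo):DWORD;stdcall;
    begin
      p.fnMessageBeep(p.uBeep);
      Result := DWORD(p.fnFreeLibrary(p.hLibModule));
    end;

    function LoadDllToProcess(hProcess:THandle;
                              strDllName:PChar;
                              var dllHandle:HModule):BOOL;
    var
      pCode : ^Byte;
      i : Integer;
      nameLen : Integer;
      InjectInfo : TLoadInjectInfo;
      pRemoteCode : PLoadInjectInfo;
      dwCount : DWORD;
      dwThreadID : DWORD;
      hThread : THandle;
      dwExitCode : DWORD;
    begin
      Result := TRUE;
      dllHandle := 0;
      // Set before the try so the finally block never tests an uninitialised
      // pointer when an early step raises.
      pRemoteCode := nil;

      // The name is copied into a fixed 256-byte buffer; the original loop had
      // no bound and overran the record for longer names.
      if strDllName = nil then begin
        SetLastError(ERROR_INVALID_PARAMETER);
        RaiseLastWin32Error;
      end;
      nameLen := StrLen(strDllName);
      if nameLen > High(InjectInfo.szDllName) then begin
        SetLastError(ERROR_INVALID_PARAMETER);
        RaiseLastWin32Error;
      end;

      try
        // Zero the whole record so no stale stack bytes of this process are
        // written into the target along with the payload.
        FillChar(InjectInfo, SizeOf(InjectInfo), 0);

        // Copies a fixed 100 bytes starting at the stub, whatever its real size.
        pCode := Addr(RemoteLoadFunc);
        Move(pCode^, InjectInfo.InjectCode[0], SizeOf(InjectInfo.InjectCode));

        InjectInfo.fnLoadLibraryA := GetProcAddress(GetModuleHandle('Kernel32.dll'),
                                                    'LoadLibraryA');
        // A nil pointer here would be called inside the target and crash it.
        if not Assigned(InjectInfo.fnLoadLibraryA) then
          RaiseLastWin32Error;

        for i := 0 to nameLen - 1 do
          InjectInfo.szDllName[i] := AnsiChar(strDllName[i]);
        InjectInfo.szDllName[nameLen] := AnsiChar(0);

        pRemoteCode := VirtualAllocEx( hProcess,
                                  nil,
                                  SizeOf(TLoadInjectInfo),
                                  MEM_COMMIT,
                                  PAGE_EXECUTE_READWRITE);
        if (pRemoteCode = nil) then
          RaiseLastWin32Error;

        if not WriteProcessMemory(hProcess,
                                pRemoteCode,
                                @InjectInfo,
                                SizeOf(TLoadInjectInfo),
                                dwCount) then
          RaiseLastWin32Error;

        // Only the field address is computed; pRemoteCode is not dereferenced
        // in this process.
        hThread := CreateRemoteThread( hProcess,
                                      nil,
                                      0,
                                      Addr(pRemoteCode^.InjectCode[0]),
                                      pRemoteCode,
                                      0,
                                      dwThreadId);
        if hThread=0 then
          RaiseLastWin32Error;

        try
          // Blocks for as long as the remote thread runs.
          WaitForSingleObject(hThread, INFINITE);
          if not GetExitCodeThread(hThread, dwExitCode) then
            RaiseLastWin32Error;
          dllHandle := dwExitCode;
        finally
          CloseHandle(hThread);
        end;
      finally
        // With MEM_RELEASE the size argument must be 0; the original passed the
        // record size, so the call failed and the region stayed allocated.
        if Assigned(pRemoteCode) then
          VirtualFreeEx( hProcess,
                         pRemoteCode,
                         0,
                         MEM_RELEASE);
      end;
    end;

    function UnLoadDllFromProcess(hProcess:THandle;
                                  hLibModule: HModule;
                                  var bOK:BOOL):BOOL;
    var
      pCode : ^Byte;
      InjectInfo : TFreeInjectInfo;
      pRemoteCode : PFreeInjectInfo;
      dwCount : DWORD;
      dwThreadID : DWORD;
      hThread : THandle;
      dwExitCode : DWORD;
    begin
      Result := TRUE;
      bOK := TRUE;
      // Set before the try so the finally block never tests an uninitialised
      // pointer when an early step raises.
      pRemoteCode := nil;

      try
        // Zero the whole record so no stale stack bytes of this process are
        // written into the target along with the payload.
        FillChar(InjectInfo, SizeOf(InjectInfo), 0);

        // Copies a fixed 100 bytes starting at the stub, whatever its real size.
        pCode := Addr(RemoteFreeFunc);
        Move(pCode^, InjectInfo.InjectCode[0], SizeOf(InjectInfo.InjectCode));

        InjectInfo.fnFreeLibrary := GetProcAddress(GetModuleHandle('Kernel32.dll'),
                                                   'FreeLibrary');
        InjectInfo.hLibModule := hLibModule;
        InjectInfo.fnMessageBeep := GetProcAddress(GetModuleHandle('User32.dll'),
                                                   'MessageBeep');
        InjectInfo.uBeep := 0;

        // GetModuleHandle returns 0 when the module is not loaded in this
        // process, which leaves the pointer nil; the stub would then call
        // address 0 inside the target and take the whole process down.
        if (not Assigned(InjectInfo.fnFreeLibrary)) or
           (not Assigned(InjectInfo.fnMessageBeep)) then
          RaiseLastWin32Error;

        pRemoteCode := VirtualAllocEx( hProcess,
                                  nil,
                                  SizeOf(TFreeInjectInfo),
                                  MEM_COMMIT,
                                  PAGE_EXECUTE_READWRITE);
        if (pRemoteCode = nil) then
          RaiseLastWin32Error;

        if not WriteProcessMemory(hProcess,
                                pRemoteCode,
                                @InjectInfo,
                                SizeOf(TFreeInjectInfo),
                                dwCount) then
          RaiseLastWin32Error;

        // Only the field address is computed; pRemoteCode is not dereferenced
        // in this process.
        hThread := CreateRemoteThread( hProcess,
                                      nil,
                                      0,
                                      Addr(pRemoteCode^.InjectCode[0]),
                                      pRemoteCode,
                                      0,
                                      dwThreadId);
        if hThread=0 then
          RaiseLastWin32Error;

        try
          // Blocks for as long as the remote thread runs.
          WaitForSingleObject(hThread, INFINITE);
          if not GetExitCodeThread(hThread, dwExitCode) then
            RaiseLastWin32Error;
          bOK := BOOL(dwExitCode);
        finally
          CloseHandle(hThread);
        end;
      finally
        // With MEM_RELEASE the size argument must be 0; the original passed
        // SizeOf(TLoadInjectInfo) (the wrong record as well), so the call
        // failed and the region stayed allocated.
        if Assigned(pRemoteCode) then
          VirtualFreeEx( hProcess,
                         pRemoteCode,
                         0,
                         MEM_RELEASE);
      end;
    end;

    end.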
      

  2.   

    多谢outer2000(天外流星) ,我先测试一下。
      

  3.   

    outer2000(天外流星):
    代码的思路,就是再一次CreateRemoteThread,但是这次用FreeLibrary来释放掉DLL的引用。我在《Windows核心编程》第22章中,也看到是使用这种方法。
    但我测试时,Explorer.exe报错,还在测试。