环境:64位WIN7,VS2010,DLL为64位,注入和卸载程序为64位。
DLL的执行和远程注入都很正常,不存在64位WIN7下CreateRemoteThread出错的情况。
但通过远程线程卸载DLL,总卸载不了。卸载函数如下:
BOOL CANSTools::UnloadDll(DWORD dwPid, CString strDllName)
{
//获取宿主进程的句柄,注意那几个参数,不然会出错
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | \
PROCESS_VM_OPERATION | \
PROCESS_VM_WRITE,
FALSE, dwPid);
if(hProcess == NULL){
::MessageBox(NULL, "无法获取进程句柄", "错误", MB_OK | MB_ICONERROR);
return FALSE;
} DWORD dwSize = 0;
DWORD dwWritten = 0;
DWORD dwHandle = 0;
dwSize = strDllName.GetLength() + 1;//dll的全路径名的长度,待会分配内存要用到的 //向宿主进程分配内存,返回一个指针
LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE); //如果在宿主进程空间写失败就直接报错闪人
if(!WriteProcessMemory(hProcess, lpBuf, (LPVOID)strDllName.GetBuffer(dwSize), dwSize,(SIZE_T*)&dwWritten))
{
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
MessageBox(NULL, "在目标进程中写入失败", "错误", MB_OK | MB_ICONERROR);
return FALSE;
} //获取GetModuleHandleA函数地址
LPVOID pFun = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA"); //在宿主进程中创建一个远程线程,线程函数为上面导出的GetModuleHandleA,参数为lpBuf指针,还
//记得我们获取的dll全路径不
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
lpBuf, 0, NULL);
//如果创建线程失败,直接报错闪人
if(hThread == NULL){
CloseHandle(hProcess);
::MessageBox(NULL, "在目标进程创建远程线程失败", "错误", MB_OK | MB_ICONERROR);
return FALSE;
}
// 等待GetModuleHandle运行完毕
WaitForSingleObject(hThread, INFINITE);
// 获得GetModuleHandle的返回值
GetExitCodeThread(hThread, &dwHandle); // 释放目标进程中申请的空间
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hThread); // 使目标进程调用FreeLibraryAndExit,卸载DLL,实际也可以用FreeLibrary,但是我发现前者好一点
pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibraryAndExitThread");
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
(LPVOID)dwHandle, 0, NULL);
// 等待FreeLibraryAndExitThread执行完毕
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess); return TRUE; //操作成功
} GetExitCodeThread(hThread, &dwHandle);最关键在这行,总是返回-254672896。
网上很多这块代码,也有人讨论过,意思是64位下线程句柄没法返回到DWORD值里。参见:http://www.cppblog.com/sleepwom/archive/2010/02/05/107306.html
DLL的执行和远程注入都很正常,不存在64位WIN7下CreateRemoteThread出错的情况。
但通过远程线程卸载DLL,总卸载不了。卸载函数如下:
BOOL CANSTools::UnloadDll(DWORD dwPid, CString strDllName)
{
//获取宿主进程的句柄,注意那几个参数,不然会出错
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | \
PROCESS_VM_OPERATION | \
PROCESS_VM_WRITE,
FALSE, dwPid);
if(hProcess == NULL){
::MessageBox(NULL, "无法获取进程句柄", "错误", MB_OK | MB_ICONERROR);
return FALSE;
} DWORD dwSize = 0;
DWORD dwWritten = 0;
DWORD dwHandle = 0;
dwSize = strDllName.GetLength() + 1;//dll的全路径名的长度,待会分配内存要用到的 //向宿主进程分配内存,返回一个指针
LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE); //如果在宿主进程空间写失败就直接报错闪人
if(!WriteProcessMemory(hProcess, lpBuf, (LPVOID)strDllName.GetBuffer(dwSize), dwSize,(SIZE_T*)&dwWritten))
{
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
MessageBox(NULL, "在目标进程中写入失败", "错误", MB_OK | MB_ICONERROR);
return FALSE;
} //获取GetModuleHandleA函数地址
LPVOID pFun = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA"); //在宿主进程中创建一个远程线程,线程函数为上面导出的GetModuleHandleA,参数为lpBuf指针,还
//记得我们获取的dll全路径不
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
lpBuf, 0, NULL);
//如果创建线程失败,直接报错闪人
if(hThread == NULL){
CloseHandle(hProcess);
::MessageBox(NULL, "在目标进程创建远程线程失败", "错误", MB_OK | MB_ICONERROR);
return FALSE;
}
// 等待GetModuleHandle运行完毕
WaitForSingleObject(hThread, INFINITE);
// 获得GetModuleHandle的返回值
GetExitCodeThread(hThread, &dwHandle); // 释放目标进程中申请的空间
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hThread); // 使目标进程调用FreeLibraryAndExit,卸载DLL,实际也可以用FreeLibrary,但是我发现前者好一点
pFun = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibraryAndExitThread");
hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFun,
(LPVOID)dwHandle, 0, NULL);
// 等待FreeLibraryAndExitThread执行完毕
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess); return TRUE; //操作成功
} GetExitCodeThread(hThread, &dwHandle);最关键在这行,总是返回-254672896。
网上很多这块代码,也有人讨论过,意思是64位下线程句柄没法返回到DWORD值里。参见:http://www.cppblog.com/sleepwom/archive/2010/02/05/107306.html
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货