远程卸载DLL的问题

先上代码 
项目定义了 UNICODE
HANDLE hRemoteProcess; 
DWORD exitcode;
DWORD dwRemoteProcessId=processid;//远程进程ID
EnableDebugPriv(SE_DEBUG_NAME); //提权,与远程注入一样的代码
//打开远程线程 
hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS | //允许远程创建线程PROCESS_VM_OPERATION | //允许远程VM操作 
PROCESS_VM_WRITE,//允许远程VM写 
FALSE, dwRemoteProcessId ); WCHAR *pszLibFileRemote; 
//使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名空间 
pszLibFileRemote = (WCHAR *) VirtualAllocEx( hRemoteProcess, NULL, (lstrlen((LPWSTR)(LPCWSTR)driverpath)+1)*sizeof(WCHAR), 
MEM_COMMIT, PAGE_READWRITE); //driverpath 为远程DLL的全路进 //使用WriteProcessMemory函数将DLL的路径名写入到远程进程的内存空间 
WriteProcessMemory(hRemoteProcess, 
pszLibFileRemote, (LPVOID)(LPWSTR)(LPCWSTR)driverpath, (lstrlen((LPWSTR)(LPCWSTR)driverpath)+1)*sizeof(WCHAR), NULL); 
//计算GetModuleHandleW的入口地址 
PTHREAD_START_ROUTINE pfnrGetModuleHandle = (PTHREAD_START_ROUTINE) 
GetProcAddress(GetModuleHandle(_T("Kernel32")), "GetModuleHandleW");
//启动远程线程GetModuleHandleW,通过远程线程调用创建新的线程 
HANDLE hRemoteThread;  if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnrGetModuleHandle, pszLibFileRemote, 0, NULL) ) == NULL) 

AfxMessageBox(CUtil::ErrorMessageFormatW(GetLastError()));
TRACE("CreateRemoteThread error!\r\n"); 
return ; 
}  WaitForSingleObject(hRemoteThread, INFINITE);
GetExitCodeThread(hRemoteThread, &exitcode);
//以上代码返回值 exitcode  与远程注入的时候 返回的值一样,说明以上代码执行正确吧.....?? VirtualFreeEx( hRemoteProcess, pszLibFileRemote, (lstrlen(pszLibFileRemote)+1)*sizeof(WCHAR), MEM_DECOMMIT ); CloseHandle(hRemoteThread);
TRACE("CreateRemoteThread Success!\r\n"); 

以下使用ANSI 编写,用UNICODE编写一样效果,不能卸载dll
//计算FreeLibrary的入口地址 
PTHREAD_START_ROUTINE pfnrFreeLibrary = (PTHREAD_START_ROUTINE) 
GetProcAddress(GetModuleHandle(_T("Kernel32")), "FreeLibrary"); char buffer[MAX_PATH];
LPCSTR buf=buffer;
sprintf(buffer,"%d",exitcode);//exitcode 为要卸载 dll的hmodule //使用VirtualAllocEx函数在远程进程的内存地址空间分配 FreeLibrary 参数空间
char *pszLibFileRemoteA= (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlenA(buf)+1, 
MEM_COMMIT, PAGE_READWRITE); 
exitcode=lstrlenA(buf)+1;
//使用WriteProcessMemory函数将FreeLibrary 参数 写入到远程进程的内存空间 
WriteProcessMemory(hRemoteProcess, 
pszLibFileRemoteA, (LPVOID)buf, lstrlenA(buf)+1, &exitcode);
     //    这里也用readprocessmemory 读写进去的值,也是正确的 exitcode的就是 buf的长度+1
//创建远程线程  FreeLibraryAndExitThread
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnrFreeLibrary,pszLibFileRemoteA, 0, NULL );
// 等待FreeLibrary卸载完毕
WaitForSingleObject(hRemoteThread, INFINITE );
GetExitCodeThread(hRemoteThread, &exitcode);//这里exitcode 为0 VirtualFreeEx( hRemoteProcess, pszLibFileRemoteA, lstrlenA(pszLibFileRemoteA)+1, MEM_DECOMMIT ); //delete pszLibFileRemote;
CloseHandle(hRemoteThread);
CloseHandle(hRemoteProcess);
以上代码卸载不了其它进程的DLL,当然那个DLL是我自己注入的  注入进的记事本程序

解决方案 »

  1.   


    那我注入dll也是用的    EnableDebugPriv(SE_DEBUG_NAME); //提权,与远程注入一样的代码
      

  2.   


    //卸载
    void CInjectDlg::OnButtonUnload() 
    {
    int nPid=0;
    HANDLE hModuleSnap=NULL;
    MODULEENTRY32 stModuleEntry={0};
    BOOL bFlag=TRUE;
    WCHAR szDllPath[MAX_PATH]={0};
    HMODULE hFindModule=NULL; stModuleEntry.dwSize=sizeof(stModuleEntry);
    m_CtrEditPath.GetDllInfo(szDllPath); //获取dll路径
    nPid=m_CtrCboProcess.GetUserChoosePid(); //获取选择的进程PID
    hModuleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,nPid);
    bFlag=Module32FirstW(hModuleSnap,&stModuleEntry);
    for(;bFlag;)
    {
    if (0==wcsicmp(szDllPath,stModuleEntry.szExePath))
    {
    hFindModule=stModuleEntry.hModule;
    }
    bFlag=Module32NextW(hModuleSnap,&stModuleEntry);
    }

    //准备工作完成,开始工作
    //////////////////////////////////////////////////////////////////////////
    HANDLE hRemoteProcess=NULL;
    HANDLE hRemoteThread=NULL;
    LPTHREAD_START_ROUTINE pFreeLibrary=NULL;

    pFreeLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32"),"FreeLibrary");

    __try
    {
    hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,\
    FALSE,nPid);
    if (NULL==hRemoteProcess)
    {
    ShowErrorInfo(L"OpenProcess Error!");
    __leave;
    }

    // 鸡冻人心的时刻
    hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pFreeLibrary,hFindModule,0,NULL);
    if (NULL==hRemoteThread)
    {
    ShowErrorInfo(L"CreateRemoteThread error!");
    __leave;
    }
    WaitForSingleObject(hRemoteThread,INFINITE);
    }
    __finally
    {
    if (NULL!=hRemoteProcess)
    {
    CloseHandle(hRemoteProcess);
    hRemoteProcess=NULL;
    }
    }


    }