逆向工程核心原理——第二十四章
上一章我们将myhack.dll注入进了notepad,这一章我们就将学习,如何卸载DLL
同上一章注入myhack.dll时使用了exe文件一样,卸载dll也需要使用exe。
下面这个代码是在CSDN上找到的一个既可以注入DLL也可以卸载DLL的代码
使用时需要输入三个参数
1.注入还是卸载(0表示注入,1表示卸载)
2.DLL的路径, 注入需要路径和名字,卸载需要名字就够了
3.需要注入或卸载的进程名字 这里添加了改进,只需要输入进程名字程序会查找PID。
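// EjectDLL / InjectDLL
//
// Command-line helper that loads a DLL into, or unloads a DLL from, a running
// process by name. Assumes a Unicode build (UNICODE/_UNICODE defined): every
// string literal is L"..." and the remote loader entry point is LoadLibraryW.
// Both operations open the target with PROCESS_ALL_ACCESS and start a thread
// inside it; that needs the caller to own the target process or to hold
// SeDebugPrivilege (administrator), and it is the kind of cross-process
// activity endpoint monitoring normally records.
#include "windows.h"
#include "tlhelp32.h"
#include <tchar.h>

// Returns the PID of the first running process whose image name equals
// szProcessName (case-insensitive), or 0xFFFFFFFF when no such process
// exists or the system snapshot cannot be taken.
DWORD FindProcessID(LPCTSTR szProcessName)
{
    DWORD dwPID = 0xFFFFFFFF;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);

    // Snapshot of every process in the system; the PID argument is not used
    // for a process snapshot.
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        _tprintf(L"CreateToolhelp32Snapshot error: %lu\n", GetLastError());
        return dwPID;
    }

    // Process32First must succeed before pe may be read; the original do/while
    // compared an unfilled entry when the first call failed.
    if (Process32First(hSnapShot, &pe)) {
        do {
            if (!_tcsicmp(szProcessName, (LPCTSTR)pe.szExeFile)) {
                dwPID = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapShot, &pe));
    }

    CloseHandle(hSnapShot);
    return dwPID;
}

// Enables (bEnablePrivilege != FALSE) or disables lpszPrivilege on the token
// of the current process. Returns FALSE on any API failure, including the
// case where the token does not hold the privilege at all (for SE_DEBUG_NAME
// this is the normal outcome for a non-administrator), so the caller can
// report it instead of failing later on OpenProcess.
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    TOKEN_PRIVILEGES tp;
    HANDLE hToken = NULL;
    LUID luid;
    BOOL bResult = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        // The original reported this as a LookupPrivilegeValue error.
        _tprintf(L"OpenProcessToken error: %lu\n", GetLastError());
        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid)) {
        _tprintf(L"LookupPrivilegeValue error: %lu\n", GetLastError());
        goto out;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // AdjustTokenPrivileges returns TRUE even when not every requested
    // privilege could be set; ERROR_NOT_ALL_ASSIGNED has to be checked
    // separately through GetLastError.
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
                               (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) {
        _tprintf(L"AdjustTokenPrivileges error: %lu\n", GetLastError());
        goto out;
    }
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        _tprintf(L"the token does not have the specified privilege.\n");
        goto out;
    }

    bResult = TRUE;
out:
    CloseHandle(hToken);   // the original never released the token handle
    return bResult;
}

// Unloads szDllName (module name or full path, case-insensitive) from process
// dwPID by starting FreeLibrary inside that process with the module's base
// address as the argument. Returns FALSE when the module is not mapped in the
// target or any step fails. FreeLibrary only drops one reference, so a module
// that was loaded more than once stays mapped after a single call.
BOOL EjectDll(DWORD dwPID, LPCTSTR szDllName)
{
    BOOL bMore = FALSE, bFound = FALSE, bResult = FALSE;
    HANDLE hSnapshot = INVALID_HANDLE_VALUE, hProcess = NULL, hThread = NULL;
    HMODULE hModule = NULL;
    MODULEENTRY32 me = { sizeof(me) };
    LPTHREAD_START_ROUTINE pThreadProc = NULL;

    // Enumerate the modules mapped into dwPID to learn the base address the
    // DLL was loaded at; that address is what FreeLibrary expects.
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        _tprintf(L"CreateToolhelp32Snapshot(%lu) failed!!! [%lu]\n", dwPID, GetLastError());
        return FALSE;
    }
    bMore = Module32First(hSnapshot, &me);
    for (; bMore; bMore = Module32Next(hSnapshot, &me)) {
        if (!_tcsicmp((LPCTSTR)me.szModule, szDllName) ||
            !_tcsicmp((LPCTSTR)me.szExePath, szDllName)) {
            bFound = TRUE;
            break;
        }
    }
    if (!bFound) {
        goto out;
    }

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (!hProcess) {
        // The original returned here without closing hSnapshot.
        _tprintf(L"OpenProcess(%lu) failed!!! [%lu]\n", dwPID, GetLastError());
        goto out;
    }

    // Uses the local address of FreeLibrary as the thread start in the target;
    // this relies on kernel32.dll being mapped at the same base address there.
    hModule = GetModuleHandle(L"Kernel32.dll");
    if (hModule) {
        pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");
    }
    if (!pThreadProc) {
        _tprintf(L"GetProcAddress(FreeLibrary) failed!!! [%lu]\n", GetLastError());
        goto out;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, me.modBaseAddr, 0, NULL);
    if (!hThread) {
        _tprintf(L"CreateRemoteThread failed!!! [%lu]\n", GetLastError());
        goto out;
    }
    WaitForSingleObject(hThread, INFINITE);
    bResult = TRUE;

out:
    // CloseHandle(NULL) is not a no-op, hence the guards.
    if (hThread) CloseHandle(hThread);
    if (hProcess) CloseHandle(hProcess);
    CloseHandle(hSnapshot);
    return bResult;
}

// Loads the DLL at szDllPath into process dwPID: the path is copied into the
// target's address space and LoadLibraryW is started there as a new thread
// with that buffer as its argument. Returns FALSE on any failure. The remote
// path buffer is released once the loader thread has finished; the DLL itself
// stays loaded until EjectDll (or the process) frees it.
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    HANDLE hProcess = NULL, hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;
    // Byte count of the path including its terminating NUL.
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    BOOL bResult = FALSE;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (!hProcess) {
        _tprintf(L"OpenProcess(%lu) failed!!! [%lu]\n", dwPID, GetLastError());
        return FALSE;
    }

    // Committed, read/write memory in the target that will hold the path.
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    if (!pRemoteBuf) {
        _tprintf(L"VirtualAllocEx failed!!! [%lu]\n", GetLastError());
        goto out;
    }

    if (!WriteProcessMemory(hProcess, pRemoteBuf, (LPCVOID)szDllPath, dwBufSize, NULL)) {
        _tprintf(L"WriteProcessMemory failed!!! [%lu]\n", GetLastError());
        goto out;
    }

    // LoadLibraryW takes exactly one pointer argument, which makes it usable
    // directly as a thread start routine; the remote buffer is that argument.
    hMod = GetModuleHandle(L"Kernel32.dll");
    if (hMod) {
        pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");
    }
    if (!pThreadProc) {
        _tprintf(L"GetProcAddress(LoadLibraryW) failed!!! [%lu]\n", GetLastError());
        goto out;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
    if (!hThread) {
        // The original printed GetLastError unconditionally and then waited
        // on a possibly NULL handle.
        _tprintf(L"CreateRemoteThread failed!!! [%lu]\n", GetLastError());
        goto out;
    }
    WaitForSingleObject(hThread, INFINITE);
    bResult = TRUE;

out:
    if (hThread) CloseHandle(hThread);
    if (pRemoteBuf) VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return bResult;
}

// Usage: <flag> <dll> <process>
//   flag     0 = inject; any other first character = eject
//   dll      full path for injection; module name or path for ejection
//   process  image name of the target (e.g. notepad.exe); the PID is looked up
// Returns 0 on success, 1 on any failure. Only the eject path asks for
// SeDebugPrivilege; injection keeps the original behaviour of relying on the
// caller already having access to the target.
int _tmain(int argc, TCHAR* argv[])
{
    if (argc != 4) {
        // The original passed argv[2] here although the format has no
        // conversion for it.
        _tprintf(L"USAGE: 三个参数,1.flag(flag为0表示导入)。2.要导入的dll路径(要卸载的dll名字)3.要注入(或卸载)dll的进程\n");
        return 1;
    }

    DWORD dwPID = FindProcessID(argv[3]);
    if (dwPID == 0xFFFFFFFF) {
        _tprintf(L"there is no %s process!\n", argv[3]);
        return 1;
    }
    _tprintf(L"PID of \"%s\"is%lu\n", argv[3], dwPID);

    if (*argv[1] == (TCHAR)'0') {
        if (InjectDll(dwPID, argv[2]))
            _tprintf(L"InjectDll(\"%s\")success!!\n", argv[2]);
        else
            _tprintf(L"InjectDll(\"%s\") failed!!\n", argv[2]);
    } else {
        // OpenProcess on a process of another user needs SeDebugPrivilege.
        if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
            return 1;
        if (EjectDll(dwPID, argv[2]))
            _tprintf(L"EjectDll(%lu,\"%s\")success!!!\n", dwPID, argv[2]);
        else
            _tprintf(L"EjectDll(%lu,\"%s\")failed!!!\n", dwPID, argv[2]);
    }
    return 0;
}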
接下来我们演示一下:
在这里我们已经将myhack.dll注入进了notepad,然后我们输入命令执行EjectDLL.exe,卸载DLL:
这时候process explorer中,notepad的myhack.dll已经不见了。