DLL卸载的工作原理

使用CreateRemoteThread()API进行DLL注入的工作原理概括如下:
驱使目标进程调用LoadLibrary() API
同样,DLL卸载工作原理也非常简单:
驱使目标进程调用FreeLibrary() API
也就是说,将FreeLibrary() API的地址传递给CreateRemoteThread()的lpStartAddress参数,并把要卸载的DLL
的句柄传递给lpParameter参数。

实现DLL卸载

EjectDll.exe程序,用来从进程目标(notepad.exe)卸载指定的DLL文件,源码如下:

  1. #include "windows.h"
  2. #include "tjhelp32.h"
  3. #include "tchar.h"
  5. #define DEF_PROC_NAME(L"notepad.exe")
  6. #define DEF_DLL_NAME (L"myhack.dll")
  8. DWORD FindProcessID(LPCTSTR szProcessName){
  9.     DWORD dwPID=0xFFFFFFFF;
  10.     HANDLE hSnapShot=INVALID_HANDLE_VALUE;
  11.     PROCESSENTRY32 pe;
  13.     //获取系统快照(Snapshot)
  14.     pe.dwSize=sizeof(PROCESSENTRY32);
  15.     hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,NULL);
  17.     //查找进程
  18.     Process32First(hSnapShot, &pe);
  19.     do{
  20.         if(!_tcs/Picmp(szProcessName, (LPCTSTR)pe.szExeFile)){
  21.             dwPID=pe.th32ProcessID;
  22.             break;    
  23.         }
  24.     }
  25.     while(Process32Next(hSnapShot, &pe));
  26.     CloseHandle(hSnapShot);
  27.     return dwPID;
  28. }
  30. BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege){
  31.     TOKEN_PRIVILEGES tp;
  32.     HANDLE hToken;
  33.     LUID luid;
  35.     if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)){
  36.         _tprintf(L"OpenProcessToken error: %u\n", GetLastError());
  37.         return FALSE;
  38.     }
  40.     if(!LookupPrivilegeValue(NULL,              //lookup privilege on local system
  41.                              lpszPrivilege,     //privilege to lookup
  42.                              &luid)){            //receives LUID of privilege
  43.     _tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError());
  44.     return FALSE;
  45.     }
  47.     tp.PrivilegeCount=1;
  48.     tp.Privileges[0].Luid=luid;
  49.     if(bEnablePrivilege)
  50.         tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
  51.     else
  52.         tp.Privileges[0].Attributes=0;
  54.     //Enable the privilege or disable all privileges
  55.     if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL)){
  56.         _tprintf(L"AdjustTokenPrivileges error: %u\n", GetLastError());
  57.         return FALSE;
  58.     }
  60.     if(GetLastError()==ERROR_NOT_ALL_ASSIGNED){
  61.         _tprintf(L"The token does not have the specified privilege. \n");
  62.         return FALSE;
  63.     }
  64.     return TRUE;
  65. }
  67. BOOL EjectDll(DWORD dwPID, LPCTSTR szDllName){
  68.     BOOL bMore=FALSE, bFound=FALSE;
  69.     HANDLE hSnapshot,hProcess, hThread;
  70.     HMODULE hModule=NULL;
  71.     MODULEENTRY32 me={sizeof(me)};
  72.     LPTHREAD_START_ROUTINE pThreadProc;
  74.     //dwPID=notepad进程ID
  75.     //使用TH32CS_SNAPMODULE参数,获取加载到notepad进程的DLL名称
  76.     hSnapshot=CreateToolhelp32Snapshot(TH32CS-SNAPMODULE, dwPID);
  78.     bMore=Module32First(hSnopshot, &me);
  79.     for(; bMore; bMore=Module32Next(hSnapshot, &me)){          //对dll进行比较
  80.         if(!_tcsicmp((LPCTSTR)me.szModule, szDllName) || !_tcsicmp((LPCTSTR)me.szExePath, szDllName)){     //szModule代表DLL的名称
  81.             bFound=TRUE;
  82.             break;
  83.         }
  84.     }
  86.     if(!bFound){
  87.         CloseHandle(hSnapshot);
  88.         return FALSE;
  89.     }
  91.     //获取目标进程的句柄
  92.     if(!(hProcess=OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID))){
  93.         _tprintf(L"OpenProcess(%d) failed !!! [%d]\n", dwPID, GetLastError());
  94.         return FALSE;
  95.     }
  97.     //获取FreeLibrary() API地址
  98.     hModule=GetModuleHandle(L"kernel32.dll");
  99.     pThreadProc=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");
  101.     //在目标进程中运行线程
  102.     hThread=CreateRemoteThread(hProcess, NULL, 0, pThreadProc, me.modBaseAddr, 0, NULL);      //pThreadProc为FreeLibrary() API的地址,me.modBaseAddr是要卸载的DLL的加载地址
  103.     WaitForSingleObject(hThread, INFINITE);
  104.     CloseHandle(hThread);
  105.     CloseHandle(hProcess);
  106.     CloseHandle(hSnapshot);
  108.     return TRUE;
  109. }
  111. int _tmain(int argc, TCHAR* argv[]){
  112.     DWORD dwPID=0xFFFFFFFF;
  114.     //查找process
  115.     dwPID=FindProcessID(DEF_PROC_NAME);
  116.     if(dwPID==0xFFFFFFFF){
  117.         _tprintf(L"There is no %s process!\n", DEF_PROC_NAME);
  118.         return 1;
  119.     }
  121.     _tprintf(L"PID of \"%s\" is %d\n", DEF_PROC_NAME, dwPID);
  123.     //更改privilege
  124.     if(!SetPrivilege(SE_DEBUG_NAME, TRUE))
  125.         return 1;
  127.     //eject dll
  128.     if(EjectDll(dwPID, DEF_DLL_NAME))
  129.         _tprintf(L"EjectDll(%d, \"%s\") success!!!\n", dwPID, DEF_DLL_NAME);
  130.     else
  131.         _tprintf(L"EjectDll(%d, \"%s\") gailed!!!\n", dwPID, DEF_DLL_NAME);
  133.     return 0;
  134. }

卸载DLL的原理是驱使目标对象自己调用FreeLibrary() API,上述代码中的EjectDll()函数就是用来卸载DLL的。

获取进程中加载的DLL信息

hSnapshot=CreateToolhelp32Snapshot(TH32CS-SNAPMODULE, dwPID);
使用CreateToolhelp32Snapshot() API可以获取加载到进程的模块(DLL)信息。将获取的hSnapshot句柄传递
给Module32First()/Module32Next()函数后,即可设置与MODULEENTRY32结构体相关模块信息。代码24-2为该结构体的定义。

  1. typedef struct tagMODULEENTRY32
  2. {
  3.     DWORD    dwSize;
  4.     DWORD    th32ModuleID;
  5.     DWORD    th32ProcessID;
  6.     DWORD    GlblcntUsage;
  7.     DWORD    ProccntUsage;
  9.     BYTE    * modBaseAddr;
  11.     DWORD    modBaseSize;
  13.     HMODULE    hModule;
  15.     char    szModule[MAX_MODULE_NAME32 + 1];
  16.     char    szExePath[MAX_PATH];
  17. } MODULEENTRY32