[转]强制卸载目标进程模块

http://blog.csdn.net/qq752923276/article/details/7333835

代码来源于网络。卸载模块后，通过查询 PEB 得到进程信息的程序（如：Windows 优化大师和 360 的进程查看）没有得到更新，可以通过冰刃查看。

注:强制卸载可能导致目标进程崩溃。

哈哈,又有了种结束进程的方式,卸载目标进程的ntdll.dll。

下面是代码:

/*
 * ForceQuit: unmaps one module (matched by name) out of another running
 * process by calling the undocumented ntdll export NtUnmapViewOfSection on
 * a handle to that process.  The page's own warning stands: a process that
 * is still executing code from the module is likely to crash.
 *
 * Defender's view: the observable sequence is SeDebugPrivilege being enabled
 * on the caller's token, OpenProcess() on a foreign PID with
 * PROCESS_VM_OPERATION, and a cross-process NtUnmapViewOfSection call; the
 * handle open is the natural point for endpoint telemetry to record.
 *
 * Defects visible in this listing (code left byte-identical):
 *  - every failure check is an assert(), which is compiled out under NDEBUG,
 *    so release builds continue with INVALID_HANDLE_VALUE / NULL handles;
 *  - EnablePriv() never closes hToken; Execute() never pairs LoadLibraryA()
 *    with FreeLibrary();
 *  - module base addresses travel as DWORD, so a 64-bit build drops the
 *    upper half of the pointer before the unmap;
 *  - the status returned by NtUnmapViewOfSection is discarded and Execute()
 *    reports true whether or not anything was unmapped.
 */
class ForceQuit  
{  
public:  
    // Enables SeDebugPrivilege on the current process token so that a later
    // OpenProcess() is not limited to processes the caller already owns.
    // Returns true only when GetLastError() reads ERROR_SUCCESS after
    // AdjustTokenPrivileges(); the BOOL results of LookupPrivilegeValue()
    // and AdjustTokenPrivileges() themselves are never examined.
    // NOTE(review): hToken is never closed, so each call leaks one handle,
    // and Execute() calls this again on top of the caller's explicit call.
    bool EnablePriv()  
    {  
            HANDLE hToken;  
            if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )  
            {  
                    TOKEN_PRIVILEGES tkp;  
          
                    LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );// look up the LUID of SeDebugPrivilege  
                    tkp.PrivilegeCount=1;  
                    tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;  
                    AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );// ask the system to enable it on this token  
          
                    // The last-error code, not the BOOL result, decides: the API can
                    // return nonzero while leaving the privilege unassigned
                    // (ERROR_NOT_ALL_ASSIGNED), and that case is reported as false here.
                    return( (GetLastError()==ERROR_SUCCESS) );  
            }  
            return false;  
    }  
    // Looks up the PID of the first process in a Toolhelp process snapshot
    // whose image name equals lpProcessName (case-insensitive via lstrcmpi).
    // *lpdwPID is written only on a match; the return value tells whether
    // one was found.  If several processes share the name, the first one
    // enumerated wins.
    // NOTE(review): the snapshot handle is only assert()ed; with NDEBUG an
    // INVALID_HANDLE_VALUE goes straight into Process32First().
    bool GetProcessIdByName(LPSTR lpProcessName,LPDWORD lpdwPID)  
    {  
            HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);  
            assert(hSnap!=INVALID_HANDLE_VALUE);  
            PROCESSENTRY32 pt32;  
            pt32.dwSize=sizeof pt32;  // dwSize must be set before Process32First()  
            bool result=false;  
            if (Process32First(hSnap,&pt32))  
            {  
                    do  
                    {  
                            if (!lstrcmpi(pt32.szExeFile,lpProcessName))  
                            {  
                                    *lpdwPID=pt32.th32ProcessID;  
                                    result=true;  
                                    break;  
                            }  
                    }while (Process32Next(hSnap,&pt32));  
            }  
            CloseHandle(hSnap);  
            return result;  
    }  
    // Finds the load address of the module named lpDllName inside process
    // dwProcessID from a TH32CS_SNAPMODULE snapshot (case-insensitive match
    // on szModule).  *lpdwBaseAddr is written only on a match.
    // NOTE(review): modBaseAddr is a pointer cast to DWORD, so on a 64-bit
    // build the upper 32 bits of the address are lost.  The snapshot handle
    // is only assert()ed, as in GetProcessIdByName().
    bool GetModuleBaseAddrByPID(DWORD dwProcessID,LPSTR lpDllName,LPDWORD lpdwBaseAddr)  
    {  
       HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessID);  
       assert(hSnap!=INVALID_HANDLE_VALUE);  
       MODULEENTRY32 md32;  
       md32.dwSize=sizeof md32;  // dwSize must be set before Module32First()  
       bool result=false;  
       if(Module32First(hSnap,&md32))  
       {  
           do  
           {  
              if(!lstrcmpiA(lpDllName,md32.szModule))  
              {  
                 *lpdwBaseAddr=(DWORD)md32.modBaseAddr;  // pointer narrowed to 32 bits  
                 result=true;  
                 break;  
              }  
           }  
           while(Module32Next(hSnap,&md32));  
       }  
       CloseHandle(hSnap);  
       return result;  
    }  
  
    // Unmaps lpDllName from the process named lpProcessName.
    // Returns true as soon as a process with that name was found; the
    // outcomes of OpenProcess(), the module lookup and NtUnmapViewOfSection()
    // do not affect the result.  Returns false only when no such process
    // exists.
    bool Execute(LPSTR lpProcessName,LPSTR lpDllName)  
    {  
        // NtUnmapViewOfSection has no public header, so it is resolved by
        // name from ntdll below.  Its real return type is an NTSTATUS.
        typedef DWORD (_stdcall *XXXNtUnmapViewOfSection)( HANDLE hProcess, PVOID Address);  
  
        PVOID   NtdllAddress;  
        HANDLE   hProcess;  
         
        DWORD dwProcessID;  
        EnablePriv();  // result ignored: a failure to enable the privilege is not reported  
        if(GetProcessIdByName(lpProcessName,&dwProcessID))  
        {  
            // PROCESS_VM_OPERATION is the only access right requested.  The
            // handle is only assert()ed; under NDEBUG a NULL handle is passed on.
            hProcess = OpenProcess( PROCESS_VM_OPERATION, FALSE, dwProcessID);  
            assert(hProcess!=NULL);  
            // LoadLibraryA() raises ntdll's reference count and is never
            // paired with FreeLibrary() (for ntdll.dll this is just a leaked
            // reference, but the pattern leaks for any other module).
            XXXNtUnmapViewOfSection  NtUnmapViewOfSection = (XXXNtUnmapViewOfSection)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection" );  
            assert(NtUnmapViewOfSection!=NULL);  
            NtdllAddress = (PVOID)NtUnmapViewOfSection;  // written but never read  
              
            DWORD moduleBaseAddr;  
            // NOTE(review): unbraced if; the call on the next line is its only body.
            if(GetModuleBaseAddrByPID(dwProcessID,lpDllName,&moduleBaseAddr))  
            NtUnmapViewOfSection( hProcess,(PVOID)moduleBaseAddr);  // status discarded  
  
            CloseHandle( hProcess );  
            return true;  // true even if the module was not found or the unmap failed  
        }     
        return false;  
    }  
};  

  调用:

  1. ForceQuit quit;  
  2.    quit.EnablePriv();  
  3.    quit.Execute(DestProcessName,DestModuleName);  
原文地址:https://www.cnblogs.com/FCoding/p/2951275.html