How can I uninject the injected lib #1
Comments
Here is a sample.

```c
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

// Unload a DLL that was previously loaded into process `pid` by running
// FreeLibrary on a thread created inside that process.
// `module_name` is the file name as it appears in the module list, e.g. L"foo.dll".
// Returns TRUE when the remote FreeLibrary call reports success.
BOOL UninjectLibrary(DWORD pid, const wchar_t *module_name) {
    // find the base address of the library in the target process.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    MODULEENTRY32W me;          // the W entry type must match Module32FirstW/Module32NextW
    me.dwSize = sizeof(me);
    BOOL ok;
    for (ok = Module32FirstW(hSnapshot, &me); ok; ok = Module32NextW(hSnapshot, &me)) {
        // match on me.szModule (file name); me.szExePath holds the full path
        if (_wcsicmp(me.szModule, module_name) == 0) {
            break;
        }
    }
    CloseHandle(hSnapshot);
    if (!ok) {
        return FALSE;           // module is not loaded in the target process
    }
    // `me.modBaseAddr` is the base address (the HMODULE) of the library to be uninjected.
    // Call FreeLibrary in the target process. CreateRemoteThread needs more than
    // PROCESS_CREATE_THREAD on current Windows versions.
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                  PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                                  FALSE, pid);
    if (hProcess == NULL) {
        return FALSE;
    }
    // kernel32 is mapped at the same base in every process of the same bitness,
    // so the local address of FreeLibrary is also valid inside the target.
    HMODULE kernel32 = GetModuleHandleA("kernel32");
    LPTHREAD_START_ROUTINE func_addr =
        (LPTHREAD_START_ROUTINE)GetProcAddress(kernel32, "FreeLibrary");
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, func_addr, me.modBaseAddr, 0, NULL);
    if (hThread == NULL) {
        CloseHandle(hProcess);
        return FALSE;
    }
    WaitForSingleObject(hThread, INFINITE);
    DWORD exit_code = 0;
    GetExitCodeThread(hThread, &exit_code);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    // The thread's exit code is FreeLibrary's return value; 0 means it failed
    // in the target process.
    return exit_code != 0;
}
```
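An added example from the editor, not code from the thread or from the project: the only reliable way to tell whether the remote FreeLibrary actually unmapped the DLL is to look at the target's module list from outside, before and after the call. The helpers below do that with `Get-Process`, whose `Modules` property reads the same loader list a `TH32CS_SNAPMODULE` snapshot sees. The PID `1234` and the name `injected.dll` in the usage comments are constructed placeholders.

```powershell
# Report whether a named DLL is currently mapped into a process.
# Returns an object with Loaded, BaseAddress and Path so a caller can compare
# the state before and after an unload attempt.
function Test-ModuleLoaded {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int]    $TargetPid,
        [Parameter(Mandatory)] [string] $ModuleName   # file name only, e.g. "injected.dll"
    )
    $proc = Get-Process -Id $TargetPid -ErrorAction Stop
    # A 64-bit PowerShell cannot enumerate a 32-bit process's modules (and vice
    # versa); that shows up as a Win32Exception here, so report it plainly.
    try {
        $mods = $proc.Modules
    } catch {
        throw "Cannot enumerate modules of PID $TargetPid (bitness mismatch or access denied): $_"
    }
    $hit = $mods | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
    $base = $null
    $path = $null
    if ($hit) {
        $base = '0x{0:X}' -f $hit.BaseAddress.ToInt64()
        $path = $hit.FileName
    }
    [pscustomobject]@{
        Pid         = $TargetPid
        ModuleName  = $ModuleName
        Loaded      = [bool]$hit
        BaseAddress = $base
        Path        = $path
    }
}

# Poll until the module disappears or the timeout expires.
# Returns $true when the DLL is gone, $false when it is still mapped.
function Wait-ModuleUnloaded {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int]    $TargetPid,
        [Parameter(Mandatory)] [string] $ModuleName,
        [int] $TimeoutSec = 5
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $state = Test-ModuleLoaded -TargetPid $TargetPid -ModuleName $ModuleName
        if (-not $state.Loaded) { return $true }
        Start-Sleep -Milliseconds 200
    } while ((Get-Date) -lt $deadline)
    $msg = ('{0} is still mapped in PID {1} at {2}. FreeLibrary only decrements the ' +
            'loader reference count, so a DLL loaded more than once (or pinned) stays resident.') `
           -f $state.ModuleName, $state.Pid, $state.BaseAddress
    Write-Warning $msg
    return $false
}

# Constructed usage (placeholder PID and module name):
#   Test-ModuleLoaded  -TargetPid 1234 -ModuleName 'injected.dll'
#   ... run the remote FreeLibrary call ...
#   Wait-ModuleUnloaded -TargetPid 1234 -ModuleName 'injected.dll' -TimeoutSec 5
```

Two things this check makes visible that the thread's exit code alone does not: a non-zero exit code only says FreeLibrary returned success, which also happens when the call merely lowered a reference count above one and the image is still mapped; and a remote thread that never returns (so `WaitForSingleObject` with `INFINITE` blocks forever) is consistent with the DLL's `DLL_PROCESS_DETACH` handler waiting, under the loader lock, on a worker thread it started, which is one explanation for the "did nothing" behaviour reported below when the injected DLL has a running thread.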
Sorry for the late reply. After testing, it works. But in one situation it does not work: the injected DLL starts a new thread and the thread is running. In this situation, it seems like it did nothing.
Thanks for your great job! It works perfectly.
However, I'm new to the Windows API, and I now want to uninject the successfully injected lib. Can I do this, and how? Thanks.