卸载dll无效 #31

Closed
hailiangchen opened this issue Feb 20, 2023 · 5 comments

@hailiangchen

使用命令
.\ConsoleInject.exe -i WeChat.exe -d wxhelper.dll
卸载dll 无效

注册的后台服务依然运行

@ttttupup
Owner

-u

@hailiangchen
Author

-u

我粘贴错了我用的也是-u
.\ConsoleInject.exe -u WeChat.exe -d wxhelper.dll
是这个不生效的。

@ttttupup
Owner

```cpp
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <tlhelp32.h>
// Returns the PID of the first running process whose image name equals
// `process` exactly (wcscmp is case-sensitive; Windows file names are not),
// or 0 when nothing matches.
// NOTE(review): callers cannot tell "no such process" apart from "snapshot
// failed" — both come back as 0, and both are later fed to OpenProcess.
DWORD GetPIDForProcess(wchar_t* process)
{
HANDLE hSnapshot;
DWORD targetPid = 0;
PROCESSENTRY32W pe32;
int working;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
// NOTE(review): CreateToolhelp32Snapshot signals failure with
// INVALID_HANDLE_VALUE, not NULL, so this guard never fires and a failed
// snapshot is passed straight to Process32FirstW.
if (!hSnapshot) {
return 0;
}
// NOTE(review): sizeof(PROCESSENTRY32) equals sizeof(PROCESSENTRY32W) only
// when UNICODE is defined for the build — confirm, otherwise dwSize is wrong
// for the W struct used here.
pe32.dwSize = sizeof(PROCESSENTRY32);
for (working = Process32FirstW(hSnapshot, &pe32); working; working = Process32NextW(hSnapshot, &pe32))
{
if (!wcscmp(pe32.szExeFile, process))
{
targetPid = pe32.th32ProcessID;
break;   // first match wins; other instances of the same image are ignored
}
}
CloseHandle(hSnapshot);
return targetPid;
}

// Finds the module named `wDllName` (exact, case-sensitive match against
// MODULEENTRY32W.szModule) in process `dPid` and returns its hModule, or 0
// when dPid is 0, the module is not present, or the module walk fails.
// NOTE(review): per MODULEENTRY32W the handle is the module's handle in the
// *target* process, so it is only meaningful when handed back to that process.
HINSTANCE__* cdecl GetDLLHandle(wchar_t* wDllName, DWORD dPid)
{
HINSTANCE
* result;
tagMODULEENTRY32W me32;
void* snapMod;

if (!dPid) {
	return 0;
}

// NOTE(review): snapMod is never compared against INVALID_HANDLE_VALUE; a
// failed snapshot falls through to Module32FirstW, which then fails and takes
// the error path below (CloseHandle on an invalid handle included).
snapMod = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dPid);
me32.dwSize = sizeof(tagMODULEENTRY32W);
if (Module32FirstW(snapMod, &me32))
{
	// Walk the module list until the name matches; leave if the list ends first.
	while (wcscmp(wDllName, me32.szModule))
	{
		if (!Module32NextW(snapMod, &me32))
			goto error;   // decompiler artifact: jumps into the else branch below
	}
	CloseHandle(snapMod);
	result = me32.hModule;
}
else
{
error:
	CloseHandle(snapMod);
	result = 0;
}
return result;

}

// Loads `szDllPath` into the process named `szPName`: the path is copied into
// the target and a remote thread is started at kernel32!LoadLibraryW with the
// copy as its argument. Returns 1 once that thread has finished, 0 otherwise.
// NOTE(review): 1 only proves the remote thread ran. LoadLibraryW's return
// value (the thread exit code) is never read, so a failed load is reported
// as success.
int cdecl InjectDll(wchar_t* szPName, wchar_t* szDllPath)
{
int result;
HANDLE hRemoteThread;
LPTHREAD_START_ROUTINE lpSysLibAddr;
HINSTANCE
* hKernelModule;
LPVOID lpRemoteDllBase;
HANDLE hProcess;
unsigned int dwPid;
size_t ulDllLength;

// NOTE(review): a 0 PID ("not found") is passed on to OpenProcess, which then
// fails; "not found" and "access denied" are indistinguishable to the caller.
dwPid = GetPIDForProcess(szPName);
// NOTE(review): this is a count of wchar_t units, but VirtualAllocEx and
// WriteProcessMemory below take byte counts, so as written only about half
// of the path is copied. Possibly a multiplication lost in decompilation —
// confirm against the original binary.
ulDllLength = wcslen(szDllPath) + 1;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
if (!hProcess) {
	return 0;
}

lpRemoteDllBase = VirtualAllocEx(hProcess, NULL, ulDllLength, MEM_COMMIT, PAGE_READWRITE);
if (lpRemoteDllBase)
{
	// LoadLibraryW is resolved in *this* process and the address reused in the
	// target; this presumes kernel32 is mapped at the same base in both.
	if (WriteProcessMemory(hProcess, lpRemoteDllBase, szDllPath, ulDllLength, NULL)
		&& (hKernelModule = GetModuleHandleW(L"kernel32.dll")) != 0
		&& (lpSysLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernelModule, "LoadLibraryW")) != 0
		&& (hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpSysLibAddr, lpRemoteDllBase, 0, NULL)) != 0)
	{
		WaitForSingleObject(hRemoteThread, INFINITE);   // block until the remote LoadLibraryW call returns
		// NOTE(review): MEM_DECOMMIT and MEM_RELEASE may not be combined, and
		// MEM_RELEASE requires dwSize == 0; this call fails (return value
		// ignored) and the remote buffer is never freed. Same on the failure
		// path below.
		VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE);
		CloseHandle(hRemoteThread);
		CloseHandle(hProcess);
		OutputDebugStringA("[DBG] dll inject success");
		result = 1;
	}
	else
	{
		VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE);
		CloseHandle(hProcess);
		result = 0;
	}
}
else
{
	CloseHandle(hProcess);
	result = 0;
}
return result;

}

// Asks the process named `szPName` to unload module `szDName` by starting a
// remote thread at kernel32!FreeLibraryAndExitThread with the module handle
// as its argument. Returns 1 if that thread was created, 0 otherwise.
// NOTE(review): 1 means "thread created", not "module unloaded" — nothing
// waits for the thread or checks whether the module is actually gone.
int cdecl UnInjectDll(wchar_t* szPName, wchar_t* szDName)
{
HINSTANCE
* hDll;
LPTHREAD_START_ROUTINE lpFreeLibAddr;
HINSTANCE__* hK32;
HANDLE hProcess;
unsigned int dwPID;

dwPID = GetPIDForProcess(szPName);
// 0x1FFFFF is the PROCESS_ALL_ACCESS mask (Vista+ value) as it appears in the
// binary; InjectDll above spells it with the named constant.
hProcess = OpenProcess(0x1FFFFFu, 0, dwPID);
if (!hProcess) {
	return 0;
}

hK32 = GetModuleHandleW(L"Kernel32.dll");
if (!hK32) {
	return 0;   // NOTE(review): hProcess is leaked on this path
}

// NOTE(review): lpFreeLibAddr is not NULL-checked before being used as the
// remote thread's start address.
// NOTE(review): FreeLibraryAndExitThread takes (module, exit code) but a
// thread start routine receives one argument, so the exit code is whatever
// the second argument slot happens to hold.
lpFreeLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hK32, "FreeLibraryAndExitThread");
hDll = GetDLLHandle(szDName, dwPID);
if (hDll && CreateRemoteThread(hProcess, 0, 0, lpFreeLibAddr, hDll, 0, 0)) {
	return 1;   // NOTE(review): hProcess and the new thread handle are both leaked here
}

CloseHandle(hProcess);
return 0;

}

// DLL entry point. This module does no work on attach or detach and simply
// reports success for every notification reason it receives.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	// All four reason codes are accepted and deliberately ignored; there is
	// no per-process or per-thread state to set up or tear down.
	if (ul_reason_for_call == DLL_PROCESS_ATTACH
		|| ul_reason_for_call == DLL_THREAD_ATTACH
		|| ul_reason_for_call == DLL_THREAD_DETACH
		|| ul_reason_for_call == DLL_PROCESS_DETACH)
	{
		/* intentionally empty */
	}
	return TRUE;
}

```

IDA 逆向出来的，卸载函数你可以替换成常规卸载函数。

@hailiangchen
Author

用这个 FreeLibrary 和 FreeLibraryAndExitThread 都卸载不掉，会在 WaitForSingleObject(hThread, INFINITE) 这一步卡住。我自己写了一个弹出窗口的 dll，使用 FreeLibrary 可以卸载掉。

@ttttupup
Owner

已经修复

@ttttupup ttttupup added the bug Something isn't working label Feb 21, 2023