[转]强制卸载目标进程模块
http://blog.csdn.net/qq752923276/article/details/7333835
代码来源于网络。卸载模块后，通过查询 PEB 获取进程模块信息的程序不会看到更新（如：Windows优化大师和 360 的进程查看），可以通过冰刃查看实际效果。
注:强制卸载可能导致目标进程崩溃。
哈哈,又有了种结束进程的方式,卸载目标进程的ntdll.dll。
下面是代码:
// Forcibly unmaps one module from another process by calling NtUnmapViewOfSection
// on it. As the page notes, the target may crash, and programs that read the
// module list from the PEB keep showing the module, because only the mapping is
// removed. From a monitoring standpoint the observable sequence is: SeDebugPrivilege
// enabled on the caller's token, OpenProcess(PROCESS_VM_OPERATION) on a foreign
// PID, then a cross-process unmap — a pattern worth alerting on where process
// tampering is watched for.
class ForceQuit {
public:
    // Enables SeDebugPrivilege on the current process token so that the later
    // OpenProcess can succeed on processes the caller does not otherwise own.
    // Returns true when AdjustTokenPrivileges left GetLastError()==ERROR_SUCCESS
    // (ERROR_NOT_ALL_ASSIGNED would mean the token does not hold the privilege).
    // NOTE(review): hToken is never closed — a handle leak on every call.
    bool EnablePriv() {
        HANDLE hToken;
        if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) ) {
            TOKEN_PRIVILEGES tkp;
            LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );// look up the LUID of the privilege to change
            tkp.PrivilegeCount=1;
            tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );// ask the system to apply the privilege change to this token
            return( (GetLastError()==ERROR_SUCCESS) );
        }
        return false;
    }

    // Finds the first process whose image name matches lpProcessName
    // (case-insensitive) in a Toolhelp snapshot and writes its PID to *lpdwPID.
    // Returns false when nothing matches; *lpdwPID is left untouched then.
    // NOTE(review): the snapshot handle is only checked with assert(), which is
    // compiled out in release builds; INVALID_HANDLE_VALUE would then be passed
    // straight to Process32First. The lstrcmpi/LPSTR mix presumably assumes a
    // non-UNICODE build — confirm against the project settings.
    bool GetProcessIdByName(LPSTR lpProcessName,LPDWORD lpdwPID) {
        HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
        assert(hSnap!=INVALID_HANDLE_VALUE);
        PROCESSENTRY32 pt32;
        pt32.dwSize=sizeof pt32;   // Toolhelp requires dwSize to be set before the first call
        bool result=false;
        if (Process32First(hSnap,&pt32)) {
            do {
                if (!lstrcmpi(pt32.szExeFile,lpProcessName)) {
                    *lpdwPID=pt32.th32ProcessID;
                    result=true;
                    break;
                }
            }while (Process32Next(hSnap,&pt32));
        }
        CloseHandle(hSnap);
        return result;
    }

    // Walks the module list of process dwProcessID and writes the base address
    // of the module named lpDllName (case-insensitive) to *lpdwBaseAddr.
    // Returns false when the module is not present in the snapshot.
    // NOTE(review): modBaseAddr is a pointer; the (DWORD) cast truncates it on
    // 64-bit targets, so the address is only meaningful for 32-bit processes.
    // The snapshot handle is again guarded only by assert() (see above).
    bool GetModuleBaseAddrByPID(DWORD dwProcessID,LPSTR lpDllName,LPDWORD lpdwBaseAddr) {
        HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessID);
        assert(hSnap!=INVALID_HANDLE_VALUE);
        MODULEENTRY32 md32;
        md32.dwSize=sizeof md32;   // required by Toolhelp before Module32First
        bool result=false;
        if(Module32First(hSnap,&md32)) {
            do {
                if(!lstrcmpiA(lpDllName,md32.szModule)) {
                    *lpdwBaseAddr=(DWORD)md32.modBaseAddr;
                    result=true;
                    break;
                }
            } while(Module32Next(hSnap,&md32));
        }
        CloseHandle(hSnap);
        return result;
    }

    // Entry point: resolves lpProcessName to a PID, opens it with
    // PROCESS_VM_OPERATION, resolves NtUnmapViewOfSection from ntdll.dll at
    // runtime and unmaps lpDllName's base address from that process.
    // Returns true as soon as the process was found — even when the module lookup
    // failed and nothing was unmapped; the return value of NtUnmapViewOfSection is
    // discarded too, so callers cannot tell whether the unmap actually happened.
    // NOTE(review): hProcess is only assert()-checked; in a release build a NULL
    // handle would reach CloseHandle (and NtUnmapViewOfSection if the module is
    // found). LoadLibraryA bumps ntdll's reference count with no matching
    // FreeLibrary, and NtdllAddress is assigned but never read.
    bool Execute(LPSTR lpProcessName,LPSTR lpDllName) {
        // Native API resolved via GetProcAddress rather than linked; the
        // prototype is declared locally.
        typedef DWORD (_stdcall *XXXNtUnmapViewOfSection)( HANDLE hProcess, PVOID Address);
        PVOID NtdllAddress;
        HANDLE hProcess;
        DWORD dwProcessID;
        EnablePriv();   // result ignored; on failure OpenProcess below may simply fail
        if(GetProcessIdByName(lpProcessName,&dwProcessID)) {
            hProcess = OpenProcess( PROCESS_VM_OPERATION, FALSE, dwProcessID);
            assert(hProcess!=NULL);
            XXXNtUnmapViewOfSection NtUnmapViewOfSection = (XXXNtUnmapViewOfSection)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection" );
            assert(NtUnmapViewOfSection!=NULL);
            NtdllAddress = (PVOID)NtUnmapViewOfSection;
            DWORD moduleBaseAddr;
            if(GetModuleBaseAddrByPID(dwProcessID,lpDllName,&moduleBaseAddr))
                NtUnmapViewOfSection( hProcess,(PVOID)moduleBaseAddr);
            CloseHandle( hProcess );
            return true;
        }
        return false;
    }
};
调用:
- ForceQuit quit;
- quit.EnablePriv();
- quit.Execute(DestProcessName,DestModuleName);