[转]强制卸载目标进程模块

http://blog.csdn.net/qq752923276/article/details/7333835

 

代码来源于网络，卸载模块后通过查询PEB得到进程信息的程序没有得到更新，（如：Windows优化大师和360的进程查看），可以通过冰刃查看。

注：强制卸载可能导致目标进程崩溃。

哈哈，又有了种结束进程的方式，卸载目标进程的ntdll.dll。

下面是代码：

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92

class ForceQuit  {  public:      bool EnablePriv()      {              HANDLE hToken;              if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )              {                      TOKEN_PRIVILEGES tkp;                                  LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );//修改进程权限                      tkp.PrivilegeCount=1;                      tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;                      AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );//通知系统修改进程权限                                  return( (GetLastError()==ERROR_SUCCESS) );              }              return false;      }      bool GetProcessIdByName(LPSTR lpProcessName,LPDWORD lpdwPID)      {              HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);              assert(hSnap!=INVALID_HANDLE_VALUE);              PROCESSENTRY32 pt32;              pt32.dwSize=sizeof pt32;              bool result=false;              if (Process32First(hSnap,&pt32))              {                      do                      {                              if (!lstrcmpi(pt32.szExeFile,lpProcessName))                              {                                      *lpdwPID=pt32.th32ProcessID;                                      result=true;                                      break;                              }                      }while (Process32Next(hSnap,&pt32));              }              CloseHandle(hSnap);              return result;      }      bool GetModuleBaseAddrByPID(DWORD dwProcessID,LPSTR lpDllName,LPDWORD lpdwBaseAddr)      {         HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessID);         assert(hSnap!=INVALID_HANDLE_VALUE);         MODULEENTRY32 md32;         md32.dwSize=sizeof md32;         bool result=false;         if(Module32First(hSnap,&md32))         {             do             {                if(!lstrcmpiA(lpDllName,md32.szModule))                {                   *lpdwBaseAddr=(DWORD)md32.modBaseAddr;                   result=true;                   break;                }             }             while(Module32Next(hSnap,&md32));         }         CloseHandle(hSnap);         return result;      }          bool Execute(LPSTR lpProcessName,LPSTR lpDllName)      {          typedef DWORD (_stdcall *XXXNtUnmapViewOfSection)( HANDLE hProcess, PVOID Address);              PVOID   NtdllAddress;          HANDLE   hProcess;                     DWORD dwProcessID;          EnablePriv();          if(GetProcessIdByName(lpProcessName,&dwProcessID))          {              hProcess = OpenProcess( PROCESS_VM_OPERATION, FALSE, dwProcessID);              assert(hProcess!=NULL);              XXXNtUnmapViewOfSection  NtUnmapViewOfSection = (XXXNtUnmapViewOfSection)GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection" );              assert(NtUnmapViewOfSection!=NULL);              NtdllAddress = (PVOID)NtUnmapViewOfSection;                              DWORD moduleBaseAddr;              if(GetModuleBaseAddrByPID(dwProcessID,lpDllName,&moduleBaseAddr))              NtUnmapViewOfSection( hProcess,(PVOID)moduleBaseAddr);                  CloseHandle( hProcess );              return true;          }             return false;      }  };

　　调用：

ForceQuit quit;
   quit.EnablePriv();
   quit.Execute(DestProcessName,DestModuleName);