登 录
啥也不说了,贴代码:
#include "stdafx.h"<br /> #define MAX_MODULE_NAME_LEN 16<br /> // 传入到远程线程中的参数结构定义<br /> typedef struct tagThreadParam<br /> {<br /> DWORD dwFreeLibrary; // FreeLibrary 地址<br /> DWORD dwGetModuleHandle; // GetModuleHandle 地址<br /> TCHAR szModuleName[MAX_MODULE_NAME_LEN];// 需要卸载的模块的名称<br /> }ThreadParam,*PThreadParam;<br /> /*<br /> 远程线程函数<br /> */<br /> void RemoteThreadFun(PThreadParam PParam)<br /> {<br /> DWORD dwFreeLibrary;<br /> DWORD dwGetModuleHandle;<br /> DWORD dwModuleName;</p> <p> dwFreeLibrary = PParam->dwFreeLibrary;<br /> dwGetModuleHandle = PParam->dwGetModuleHandle;<br /> dwModuleName = (DWORD)PParam->szModuleName;</p> <p> // 释放的最高次数<br /> DWORD dwCount = 100;</p> <p> // 循环寻找指定模块的句柄,如果找到,那么调用FreeLibrary释放,<br /> // 直到该模块被释放<br /> __asm<br /> {<br /> START:<br /> push dwModuleName; // 模块名称压栈<br /> call dwGetModuleHandle; // 调用GetModuleHandle<br /> test eax,eax; //<br /> jz OVER; // 没有找到模块返回<br /> dec dwCount;<br /> jz OVER; // 达到最高次数<br /> push eax; // 模块句柄压栈<br /> call dwFreeLibrary; // 调用FreeLibrary<br /> test eax,eax;<br /> jnz START;<br /> OVER:<br /> }<br /> return;<br /> }<br /> /*<br /> 调整权限<br /> */<br /> bool AdjustPurview()<br /> {<br /> TOKEN_PRIVILEGES TokenPrivileges;<br /> bool bRet;<br /> HANDLE hToken;</p> <p> LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &TokenPrivileges.Privileges[0].Luid);<br /> OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);</p> <p> TokenPrivileges.PrivilegeCount = 1;<br /> TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;</p> <p> bRet = !!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, 0, NULL, NULL);</p> <p> CloseHandle(hToken);<br /> return bRet ;<br /> }<br /> BOOL FreeModuleByPid(TCHAR * szModuleName,DWORD dwPid)<br /> {<br /> // 参数构造<br /> ThreadParam Param = ...{0};<br /> Param.dwFreeLibrary = (DWORD)FreeLibrary;<br /> Param.dwGetModuleHandle = (DWORD)GetModuleHandleA;<br /> MoveMemory(Param.szModuleName,szModuleName,MAX_MODULE_NAME_LEN);</p> <p> // 打开指定的进程<br /> HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);<br /> if(hProcess==NULL)<br /> {<br /> OutputDebugString(_T("OpenProcess failed!!"));<br /> return FALSE;<br /> }</p> <p> // 参数写入<br /> LPVOID lpParam = NULL;<br /> lpParam = VirtualAllocEx(hProcess,NULL,sizeof(Param),MEM_COMMIT,PAGE_READWRITE);<br /> if (lpParam == NULL)<br /> {<br /> return FALSE;<br /> }</p> <p> if (!WriteProcessMemory(hProcess,lpParam,&Param,sizeof(Param),0))<br /> {<br /> VirtualFreeEx(hProcess,lpParam,0,MEM_RELEASE);<br /> return FALSE;<br /> }</p> <p> // 函数写入<br /> LPVOID lpThread = NULL;<br /> lpThread = VirtualAllocEx(hProcess,NULL,0x100,MEM_COMMIT,PAGE_EXECUTE_READWRITE);<br /> if (lpThread == NULL)<br /> {<br /> return FALSE;<br /> }</p> <p> if (!WriteProcessMemory(hProcess,lpThread,RemoteThreadFun,0x100,0))<br /> {<br /> VirtualFreeEx(hProcess,lpThread,0,MEM_RELEASE);<br /> return FALSE;<br /> }</p> <p> // 创建线程<br /> HANDLE hThread = NULL;<br /> hThread = CreateRemoteThread(hProcess,0,0,(LPTHREAD_START_ROUTINE)lpThread,lpParam,0,NULL);<br /> if(hThread == NULL)<br /> {<br /> return FALSE;<br /> }</p> <p> // 等待线程结束<br /> WaitForSingleObject(hThread,INFINITE);</p> <p> // 清理工作<br /> VirtualFreeEx(hProcess,lpThread,0,MEM_RELEASE);<br /> VirtualFreeEx(hProcess,lpParam,0,MEM_RELEASE);<br /> CloseHandle(hProcess);</p> <p> return TRUE;<br /> }<br /> int APIENTRY WinMain(HINSTANCE hInstance,<br /> HINSTANCE hPrevInstance,<br /> LPSTR lpCmdLine,<br /> int nCmdShow)<br /> {<br /> AdjustPurview();<br /> TCHAR * szModuleName = _T("AcroIEHelper.dll");<br /> DWORD dwPid = 1128;<br /> FreeModuleByPid(szModuleName,dwPid);<br /> return 0;<br /> }
抱歉!评论已关闭.