逆向工程核心原理——第二十四章

WflytoC 2020-09-23

上一章我们将myhack.dll注入进了notepad,这一章我们就将学习,如何卸载DLL

同上一章注入myhack.dll时使用了exe文件一样,卸载dll也需要使用exe。

下面这个代码是在CSDN上找到的一个既可以注入DLL也可以卸载DLL的代码

使用时需要输入三个参数

1.注入还是卸载(0表示注入,1表示卸载)

2.DLL的路径, 注入需要路径和名字,卸载需要名字就够了

3.需要注入或卸载的进程名字 这里添加了改进,只需要输入进程名字程序会查找PID。

//EjectDLL
//InjectDLL

#include"windows.h"
#include"tlhelp32.h"
#include<tchar.h>


DWORD FindProcessID(LPCTSTR szProcessName)
{
	DWORD dwPID = 0xFFFFFFFF;
	HANDLE hSnapShot = INVALID_HANDLE_VALUE;
	PROCESSENTRY32 pe;
	//获取系统快照
	pe.dwSize = sizeof(PROCESSENTRY32);
	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);//返回系统快照句柄(NULL表示所有进程)
	//查找进程
	Process32First(hSnapShot, &pe);
	do
	{
		if (!_tcsicmp(szProcessName, (LPCTSTR)pe.szExeFile))
		{
			dwPID = pe.th32ProcessID;
			break;
		}
	} while (Process32Next(hSnapShot, &pe));
	CloseHandle(hSnapShot);
	return dwPID;
}
//提升权限
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
	TOKEN_PRIVILEGES tp;
	HANDLE hToken;
	LUID luid;

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		_tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError());
		return FALSE;
	}
	if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
	{
		_tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError());
		return FALSE;
	}
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	if (bEnablePrivilege)
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
		tp.Privileges[0].Attributes = 0;
	//enable the privilege or disable all privileges.
	if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
	{
		_tprintf(L"AdjustTokenPrivileges error: %u\n", GetLastError());
		return FALSE;
	}
	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
	{
		_tprintf(L"the token does nothave rhe specified privilege .\n");
		return FALSE;
	}
	return TRUE;

}

BOOL EjectDll(DWORD dwPID, LPCTSTR szDllName)
{
	BOOL bMore = FALSE, bFound = FALSE;
	HANDLE hSnapshot, hProcess, hThread;
	HMODULE hModule = NULL;
	MODULEENTRY32 me = { sizeof(me) };
	LPTHREAD_START_ROUTINE pThreadProc;
	//dwPID=notepad进程的PID
	//使用TH32CS_SNAPMODULE参数获取加载到notepad进程的dll名称
	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
	bMore = Module32First(hSnapshot, &me);
	for (; bMore; bMore = Module32Next(hSnapshot, &me))
	{
		if (!_tcsicmp((LPCTSTR)me.szModule, szDllName) || !_tcsicmp((LPCTSTR)me.szExePath, szDllName))
		{
			bFound = TRUE;
			break;
		}
	}
	if (!bFound)
	{
		CloseHandle(hSnapshot);
		return FALSE;
	}
	if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
	{
		_tprintf(L"OpenProcess(%d) failed!!! [%d]\n,", dwPID, GetLastError());
		return FALSE;
	}
	hModule = GetModuleHandle(L"Kernel32.dll");
	pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");
	hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, me.modBaseAddr, 0, NULL);
	WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hThread);
	CloseHandle(hProcess);
	CloseHandle(hSnapshot);
	return TRUE;
}

BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
	HANDLE hProcess = NULL, hThread = NULL;
	HMODULE hMod = NULL;
	LPVOID pRemoteBuf = NULL;
	DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
	LPTHREAD_START_ROUTINE pThreadProc;

	//使用dwpid获取目标进程句柄
	if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
	{
		_tprintf(L"OpenProcess(%d) failed!!![%d]\n", dwPID, GetLastError());
		return FALSE;
	}
	//在目标进程内存中分配szDllname大小的内存
	pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);//分配物理存储,可读可写
	//将myhack.dll路径写入分配的内存。
	WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);
	//获取LoadLibraryW API的地址
	hMod = GetModuleHandle(L"Kernel32.dll");//获取已经加载模块的句柄
	pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");//获取函数地址
	
	//在目标进程中运行线程
	hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);//创建远程线程
	_tprintf(L"%d", GetLastError());
	WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hProcess);
	return TRUE;

}
int _tmain(int argc, TCHAR* argv[])
{
	if (argc != 4)
	{
		_tprintf(L"USAGE: 三个参数,1.flag(flag为0表示导入)。2.要导入的dll路径(要卸载的dll名字)3.要注入(或卸载)dll的进程\n", argv[2]);
		return 1;
	}
	DWORD dwPID = 0xFFFFFFFF;
	dwPID = FindProcessID(argv[3]);
	if (dwPID == 0xFFFFFFFF)
	{
		_tprintf(L"there is no %s process!\n", argv[3]);
		return 1;
	}
	_tprintf(L"PID of \"%s\"is%d\n", argv[3], dwPID);

	//enject dll



	//inject dll
	if (*argv[1] == (TCHAR)‘0‘)
	{
		if (InjectDll(dwPID, argv[2]))
			_tprintf(L"InjectDll(\"%s\")success!!\n", argv[2]);
		else
			_tprintf(L"InjectDll(\"%s\") failed!!\n", argv[2]);
	
	}
	else
	{
		//更改privilege
		if (!SetPrivilege(SE_DEBUG_NAME, TRUE))
			return 1;
		if (EjectDll(dwPID, argv[2]))
			_tprintf(L"EjectDll(%d,\"%s\")success!!!\n", dwPID, argv[2]);
		else
			_tprintf(L"EjectDll(%d,\"%s\")failed!!!\n", dwPID, argv[2]);
	}
	return 0;

}

接下来我们演示一下:

逆向工程核心原理——第二十四章

在这里我们已经将myhack.all注入进了notepad,然后我们输入命令执行EjectDLL.exe,卸载DLL:

逆向工程核心原理——第二十四章
这时候process explorer中,notepad的myhack.dll已经不见了。