#include <TlHelp32.h>
#ifdef UNICODE
#define EjectLib EjectLibW
#else
#define EjectLib EjectLibA
#endif // !UNICODE
//dwProcessId 進程id
//pszLibFile 庫的絕對路徑
BOOL WINAPI EjectLibW(DWORD dwProcessId,PCWSTR pszLibFile)
{
BOOL fOk=FALSE;//賦初值,假定函數失敗
HANDLE hthSnapshot=NULL;
HANDLE hProcess=NULL,hThread=NULL;
__try
{
//獲取進程快照
hthSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessId);
if (hthSnapshot==NULL) __leave;
//獲取注入dll的句柄
MODULEENTRY32W me={sizeof(me)};
BOOL fFound=FALSE;
BOOL fMoreMods=Module32FirstW(hthSnapshot,&me);
for(;fMoreMods;fMoreMods=Module32NextW(hthSnapshot,&me))//枚舉進程模塊判斷是否爲注入模塊
{
fFound=(lstrcmpiW(me.szModule,pszLibFile)==0)||(lstrcmpiW(me.szExePath,pszLibFile)==0);
if(fFound)break;
}
if(!fFound)__leave;
//獲得進程句柄
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION, //可以使用CreateRemoteThread
FALSE,dwProcessId);
if(hProcess==NULL) __leave;
//獲取Kernel32.dll中LoadLibraryW的真實地址
PTHREAD_START_ROUTINE pfnThreadRtn=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"FreeLibrary");
if(pfnThreadRtn == NULL) __leave;
////建立遠程線程調用LoadLibraryW
hThread=CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,me.modBaseAddr,0,NULL);
if (hThread==NULL) __leave;
//等待線程結束
WaitForSingleObject(hThread, INFINITE);
fOk=TRUE; //釋放成功
}
__finally
{
//異常處理
if(hthSnapshot != NULL)
CloseHandle(hthSnapshot);
if(hThread != NULL)
CloseHandle(hThread);
if(hProcess != NULL)
CloseHandle(hProcess);
}
return(fOk);
}
///////////////////////////////////////////////////////////////////////////////
BOOL WINAPI EjectLibA(DWORD dwProcessId,PCSTR pszLibFile)
{
//分配Unicode格式下路徑存儲空間
PWSTR pszLibFileW=(PWSTR)_alloca((lstrlenA(pszLibFile) + 1) * sizeof(WCHAR));
//把ANSI路徑名轉換爲Unicode格式
wsprintfW(pszLibFileW, L"%S", pszLibFile);
//調用Unicode格式的函數
return(EjectLibW(dwProcessId, pszLibFileW));
}