#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
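bool Privilege()
{
	// Enable SeDebugPrivilege in the current process token so that the
	// snapshot/OpenProcess calls below can reach processes owned by other
	// users or protected by a restrictive DACL.
	//
	// Returns true only when the privilege is actually enabled.  The
	// original returned true unconditionally: it ignored the result of
	// LookupPrivilegeValue(), and AdjustTokenPrivileges() reports TRUE even
	// when the privilege could not be assigned (GetLastError() ==
	// ERROR_NOT_ALL_ASSIGNED), which is what a non-admin caller gets.
	HANDLE hToken = NULL;
	// Least privilege: adjusting privileges needs only these two token
	// rights, not TOKEN_ALL_ACCESS.
	if (!OpenProcessToken(GetCurrentProcess(),
	                      TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return false;

	TOKEN_PRIVILEGES tp;
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
		CloseHandle(hToken);
		return false;
	}

	BOOL adjusted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
	// Read the error before CloseHandle() can overwrite it.
	DWORD err = GetLastError();
	CloseHandle(hToken);
	return adjusted && err == ERROR_SUCCESS;
}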
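bool ListProcess()
{
	// Print every process in a Toolhelp snapshot as "FileName ... PID".
	// Returns false when the snapshot cannot be created or walked.
	//
	// SeDebugPrivilege is requested first; a failure there is only reported,
	// not fatal, because the snapshot still works for reachable processes.
	if (!Privilege())
		printf("提升进程访问令牌权限失败。\n");

	HANDLE hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnapshot == INVALID_HANDLE_VALUE) {
		// Nothing to close: INVALID_HANDLE_VALUE is not an open handle.
		printf("创建进程快照失败。\n");
		return false;
	}

	PROCESSENTRY32 pe32;
	pe32.dwSize = sizeof(pe32);   // Process32First() requires dwSize set
	if (!Process32First(hProcessSnapshot, &pe32)) {
		CloseHandle(hProcessSnapshot);   // the original leaked the snapshot here
		printf("列举进程列表失败。\n");
		return false;
	}

	do {
		// th32ProcessID is a DWORD (unsigned long); %d was a format mismatch.
		printf("FileName:%s\t\t\tPID:%lu\n",
		       pe32.szExeFile, (unsigned long)pe32.th32ProcessID);
	} while (Process32Next(hProcessSnapshot, &pe32));

	CloseHandle(hProcessSnapshot);
	return true;
}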
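bool ListModule(int pid)
{
	// Print every module loaded in process `pid`, numbered from 1 in
	// snapshot order.  That number is the module_id UnloadDLL() expects,
	// so the snapshot flags here and there must stay the same for the
	// numbering to line up.
	// Returns false if the snapshot cannot be created or read.
	//
	// NOTE(review): a 64-bit build listing a 32-bit (WOW64) target needs
	// TH32CS_SNAPMODULE32 as well to see its 32-bit modules — confirm
	// which targets this tool is meant for before adding it (in both
	// functions).
	HANDLE hModuleSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, (DWORD)pid);
	if (hModuleSnapshot == INVALID_HANDLE_VALUE) {
		// Nothing to close: INVALID_HANDLE_VALUE is not an open handle.
		printf("创建进程模块快照失败。\n");
		return false;
	}

	MODULEENTRY32 me32;
	me32.dwSize = sizeof(me32);   // Module32First() requires dwSize set
	// The original ignored this result and then printed from an
	// uninitialised MODULEENTRY32.
	if (!Module32First(hModuleSnapshot, &me32)) {
		CloseHandle(hModuleSnapshot);
		return false;
	}

	int index = 0;
	do {
		index++;
		printf("%s\t\t\tID:%d\n", me32.szExePath, index);
	} while (Module32Next(hModuleSnapshot, &me32));

	CloseHandle(hModuleSnapshot);
	return true;
}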
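bool UnloadDLL(int pid, int module_id)
{
	// Unload module number `module_id` (as numbered by ListModule()) from
	// process `pid` by running FreeLibrary(hModule) on a remote thread.
	// Returns false on any failure, including FreeLibrary returning FALSE
	// inside the target.
	//
	// Caveats for callers:
	//  - FreeLibrary only decrements the load count; a module loaded more
	//    than once (or the main executable) is not unmapped by one call.
	//  - Removing a DLL from under running code is unsafe for the target;
	//    expect a crash if anything still references the module.
	//  - The FreeLibrary address is taken from THIS process's kernel32 and
	//    reused in the target.  That matches only for a target of the same
	//    bitness; for a cross-bitness (WOW64) target the remote thread
	//    would start at a meaningless address.
	HANDLE hModuleSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, (DWORD)pid);
	if (hModuleSnapshot == INVALID_HANDLE_VALUE) {
		// Nothing to close: INVALID_HANDLE_VALUE is not an open handle.
		printf("创建进程模块快照失败。\n");
		return false;
	}

	MODULEENTRY32 me32;
	me32.dwSize = sizeof(me32);
	if (!Module32First(hModuleSnapshot, &me32)) {
		// The original ignored this result and, for module_id == 1, could
		// hand an uninitialised hModule to the remote thread.
		CloseHandle(hModuleSnapshot);
		return false;
	}

	int index = 0;
	bool found = false;
	do {
		index++;
		if (index == module_id) {
			found = true;
			break;
		}
	} while (Module32Next(hModuleSnapshot, &me32));
	CloseHandle(hModuleSnapshot);
	if (!found)
		return false;

	// Least privilege: exactly the rights CreateRemoteThread() needs.
	// PROCESS_ALL_ACCESS is excessive and more likely to be denied.
	HANDLE hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                                    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
	                                    FALSE, (DWORD)pid);
	// OpenProcess() returns NULL on failure, not INVALID_HANDLE_VALUE, so
	// the original check never fired and it went on with a NULL handle.
	if (hRemoteProcess == NULL) {
		printf("打开进程失败。\n");
		return false;
	}

	HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
	LPTHREAD_START_ROUTINE pFunAddr = hKernel32
		? (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary")
		: NULL;
	if (pFunAddr == NULL) {
		CloseHandle(hRemoteProcess);
		printf("获取函数地址失败。\n");
		return false;
	}

	// Same NULL-vs-INVALID_HANDLE_VALUE mistake as OpenProcess(): the
	// original tested the wrong sentinel and then closed the NULL handle.
	HANDLE hThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pFunAddr,
	                                    me32.hModule, 0, NULL);
	if (hThread == NULL) {
		CloseHandle(hRemoteProcess);
		printf("远程线程注入失败。");
		return false;
	}

	// FreeLibrary's BOOL result is the remote thread's exit code; report it
	// rather than claiming success as soon as the thread was created.
	bool unloaded = false;
	if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0) {
		DWORD exitCode = 0;
		if (GetExitCodeThread(hThread, &exitCode))
			unloaded = (exitCode != 0);
	}
	CloseHandle(hThread);
	CloseHandle(hRemoteProcess);
	return unloaded;
}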
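int main(int argc, char *argv[])
{
	// Interactive loop: list processes, read a PID, list its modules, read a
	// module number, unload it, and repeat.  Any failed step ends the
	// program with -1 after a keypress; unreadable input ends it silently.
	// The original implemented the loop with a `goto again` that left the
	// final `return 0` unreachable.
	(void)argc;
	(void)argv;

	for (;;) {
		if (!ListProcess()) {
			printf("列举进程失败。\n");
			getch();
			return -1;
		}

		int pid = 0;
		printf("请选择一个进程PID:");
		// Reject non-numeric input and values that cannot be a PID; a
		// negative int would otherwise be cast to a huge DWORD downstream.
		if (scanf("%d", &pid) != 1 || pid <= 0)
			return -1;

		if (!ListModule(pid)) {
			printf("列举进程模块失败。\n");
			getch();
			return -1;
		}

		int moduleId = 0;
		printf("请选择要卸载的ID:");
		// Module numbers start at 1 (see ListModule()).
		if (scanf("%d", &moduleId) != 1 || moduleId <= 0)
			return -1;

		if (!UnloadDLL(pid, moduleId)) {
			printf("卸载模块失败。\n");
			getch();
			return -1;
		}
		printf("模块卸载成功。\n");
		getch();
	}
}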