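/*
 * Unmaps the module named `modulename` from the process whose image name is
 * `processname`.
 *
 * Resolves the process ID through GetProcessIdByName, opens the process, walks
 * its module list with the Toolhelp32 snapshot API and, when a module whose
 * szModule matches `modulename` case-insensitively is found, calls
 * ZwUnmapViewOfSection on that module's base address.
 *
 * Returns TRUE only when a matching module was found and the unmap call was
 * issued; FALSE when the process could not be found or opened, the snapshot
 * or its first entry failed, or no module with that name exists.  The original
 * version returned TRUE and passed an uninitialized `modulebase` when the module
 * was not found, and leaked the process handle on every path.
 */
BOOL UnLoadModules( LPCTSTR processname , LPCTSTR modulename)
{
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    HANDLE hpro = NULL;
    MODULEENTRY32 me32;
    DWORD modulebase = 0;    /* only meaningful when `found` is TRUE */
    BOOL found = FALSE;
    DWORD pid = GetProcessIdByName(processname);

    /* GetProcessIdByName returns 0 when nothing matched; do not open pid 0. */
    if (pid == 0) {
        return FALSE;
    }

    /* NOTE(review): PROCESS_ALL_ACCESS is more than this routine needs; the
     * unmap only requires PROCESS_VM_OPERATION (kept as written). */
    hpro = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pid);
    if (hpro == NULL) {
        return FALSE;
    }

    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pid );
    if (hModuleSnap == INVALID_HANDLE_VALUE) {
        CloseHandle(hpro);
        return FALSE;
    }

    me32.dwSize = sizeof( me32 );
    if (!Module32First( hModuleSnap, &me32 )) {
        CloseHandle( hModuleSnap );
        CloseHandle(hpro);
        return FALSE;
    }

    do {
        printf( "\n\n MODULE NAME: %s", me32.szModule );
        printf( "\n executable = %s", me32.szExePath );
        printf( "\n process ID = 0x%08X", me32.th32ProcessID );
        printf( "\n ref count (g) = 0x%04X", me32.GlblcntUsage );
        printf( "\n ref count (p) = 0x%04X", me32.ProccntUsage );
        printf( "\n base address = 0x%08X", (DWORD) me32.modBaseAddr );
        printf( "\n base size = %d", me32.modBaseSize );

        /* strcmpi/%s treat szModule as a char string; this only matches in a
         * non-UNICODE build even though the parameter is LPCTSTR. */
        if (!strcmpi(me32.szModule, modulename)) {
            modulebase = (DWORD)me32.modBaseAddr;
            printf("module :%s found at :%x\n",modulename,modulebase);
            found = TRUE;
            break;
        }
    } while (Module32Next( hModuleSnap, &me32 ));

    CloseHandle( hModuleSnap );

    if (found) {
        /* The base is passed as DWORD as in the original; the real parameter
         * is a pointer, so this truncates on 64-bit.  NOTE(review): the NTSTATUS
         * result is not checked, so failure to unmap is reported as TRUE. */
        ZwUnmapViewOfSection(hpro, (DWORD)modulebase);
    }

    CloseHandle(hpro);
    return found;
}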
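/*
 * Returns the process ID of the first running process whose image name
 * (PROCESSENTRY32.szExeFile) equals `name` under a case-sensitive strcmp,
 * or 0 when no such process exists or the process snapshot could not be taken.
 *
 * Fixes relative to the original: the snapshot handle is checked before use,
 * it is closed when Process32First fails (previously leaked), and the entry
 * returned by Process32First is compared too — the original advanced with
 * Process32Next before its first comparison and so never inspected it.
 */
DWORD GetProcessIdByName(LPCTSTR name)
{
    PROCESSENTRY32 prostruct;
    DWORD id = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    prostruct.dwSize = sizeof(prostruct);
    if (!Process32First(hSnapshot,&prostruct)) {
        CloseHandle(hSnapshot);
        return 0;
    }

    do {
        /* strcmp on szExeFile assumes a non-UNICODE build (char strings). */
        if (strcmp(prostruct.szExeFile,name) == 0) {
            id = prostruct.th32ProcessID;
            break;
        }
        /* dwSize must be set before every Process32Next call. */
        prostruct.dwSize = sizeof(prostruct);
    } while (Process32Next(hSnapshot,&prostruct));

    CloseHandle(hSnapshot);
    return id;
}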
- ZwUnmapViewOfSection 是 NTDLL 中的函数，它的地址可以自己用 GetProcAddress 获取后再引用。