请问如何卸载进程中exe的一个dll模块 ( 积分: 50 )

飞来石 · 2005-09-07

比如当前进程中有abc.exe，他有一个模块a.dll，如何卸载掉呢？

飞来石 · 2005-09-07

比如当前进程中有abc.exe，他有一个模块a.dll，如何卸载掉呢？

传说中的虫 · 2005-09-08

楼主是两边发贴啊~~！ 使用FreeLibrary FreeLibrary('a.dll'); LibHandle:=0;   还要注意这个dll是否传递过Application.Handle，有的话，要释放。

chenybin · 2005-09-08

FreeLibrary如果我没记错的话，参数应该是THandle 比较难，因为你找不到加载的那个Handle值，等高手

lichengbin · 2005-09-08

h := GetModuleHandle('a.dll'); FreeLibrary(h); 不过要是动态装载的才行，静态链接的好象不行。

zjan521 · 2005-09-08

静态链接的DLL不能卸载。延迟架载的DLL未必能卸载,根据程序开发时的设定.动态加载的支持卸载,可是写在别人程序的DLL基本上出错的可能性很大。 你可以用PSAPI中的函数得到其他进程的MODULE,你可以在MSDN中搜索ModuleFirst??/CreateXXXSnapXXX找到相关内容. 得到句柄之后,直接CreateRemoteThread(...,_FREELIBRARYW_ADDR_FROM_GETPROCADDR - KERNEL32_BASE_AT_THIS + KERNEL32_BASE_AT_THAT, hDll_AT_THAT,...)

飞来石 · 2005-09-09

我是想用在进程管理程序里面，比如我查看a.exe的时候，显示出了相应的模块dll（已经实现），然后想free掉用户想free的一些dll，这个怎么实现呢？

mysirius · 2005-09-10

我这有个C++的代码，楼主可以看看，高手可以翻译一下 Command Line dll Unloader v1.0 by r3L4x - r3L4x.com This creates a remote thread in a target process and attempts to call FreeLibrary() in order to unload the target dll. This software is FREE and OPEN SOURCE visit http://r3L4x.com for the C++ source!! usage: Unload.exe <Target PID> <Target dll> http://www.nohack.cn/bbs/UploadFile/2005-4/2005417121443574.rar

app2001 · 2005-09-10

这里有一些别人讨论的资料，你看看吧 若强行杀掉一个.exe,它的私有.DLL就自动释放了, 若单独强行卸掉某进程的某一个.DLL，API怎么做？ 每一个Module都有一个局柄，利用FreeLibrary试一下，刊可不可以释放，获得 DLL局柄的方法在上面我提供的源程序中有（http://www.applevb.com/sourcecode/moudle.zip ） FreeLibrary只释放自已进程的.DLL,人家的可能就不行了；FreeLibrary()好象无效,结果返回总是0，说明不成功 那么这个呢？ FreeLibraryAndExitThread FreeLibraryAndExitThread 参数中的线程句柄与退出码没法知道，也不行

初学者1号 · 2005-09-10

猜测一下，一般程序调用DLL用，都会使DLL的使用计数器加1.当有N个程序调用他的时候，那么他的计数器为N.当计数器为0时，DLL自动消失。想想用一般的API估计很难实现DLL的撤除，会造成系统崩溃的，MS不可能没考虑到此点的。 希望来个高手，把DLL的使用计算器置0，那就自动消失了。

zjan521 · 2005-09-10

静态链接或者延迟加载且不支持卸载的DLL,其引用计数是-1,因此FreeLibrary看到-1就直接返回了。Win2K可以有办法,但是WinXP到现在我还没有看到资料可以做到。 因为DLL不仅仅涉及到代码,关键是他会和整个进程交互,基本上你不可能做到卸载DLL而不导致进程失败。 不要追求镜花水月了。

jingtao · 2005-09-12

自己做一个DLL,然后把该DLL插入进程EXE,在自己的DLL中卸掉.详细见<<编程技巧与维护>>

tt.t · 2005-09-12

http://www.delphibbs.com/delphibbs/dispq.asp?lid=2583789

wangsea · 2005-11-06

标记一下，希望有答案 --------------------------------- 自己做一个DLL,然后把该DLL插入进程EXE,在自己的DLL中卸掉， -------------------------------- 这种做法是可行，但偶测试的结果是主进程也会同时被关闭，不知哪位有办法卸掉Explorer中注入的dll而Explorer又不关闭？

jingtao · 2005-11-06

不现实.因为Explorer会使用到该DLL的函数之类.卸了就找不到地址了,当然不错.

wangsea · 2005-11-06

to jintao:  用TASKKILL /IM /pid Explorer的pid /FI "MODULES EQ Dll文件名" 某些dll是可以卸掉而Explorer不关闭的呀!不信你试试http://www.2ccc.com/article.asp?articleid=1717 刘麻子的<利用Hook进行线程插入的改进版本>,用此命令可以卸掉(注意:如果不成功请多执行几次)  同样是卸这个dll,改用相同的注入方法注入另一个dll去Free它,就会出现Explorer关闭的情况.

jingtao · 2005-11-07

unit Unit1; interface uses  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,  Dialogs, StdCtrls; type  TForm1 = class(TForm)    Button1: TButton;    Edit1: TEdit;    Label1: TLabel;    Label2: TLabel;    Edit2: TEdit;    procedure Button1Click(Sender: TObject);  private    { Private declarations }  public    { Public declarations }  end; var  Form1: TForm1; type  TFreeLibrary = function(hLibModule: HMODULE): BOOL; stdcall;  TMessageBox = function(hWnd: HWND; lpText, lpCaption: PChar; uType: UINT): Integer; stdcall;  TVirtualFree = function(lpAddress: Pointer; dwSize, dwFreeType: DWORD): BOOL; stdcall;  TExitThread = procedure(dwExitCode: DWORD); stdcall;  TBuf = array[0..1023] of char; { Remote thread code start } function RemoteThreadProc(LParam: Integer): Integer; stdcall; function DummyBlockAddr: Integer; stdcall; { Remote thread code end ... } function DummyCodeEnd: Integer; implementation {$R *.dfm} type  PRemoteData = ^TRemoteData;  TRemoteData= record      // 全局变量区和重定位表    FreeLibrary: TFreeLibrary;    MessageBox: TMessageBox;    VirtualFree: TVirtualFree;    ExitThread: TExitThread;    Title:TBuf;//标题    Buf: TBuf;    dwModule: HMODULE;  end; var  RemoteData: TRemoteData=(Title:'Info'

; function RemoteThreadProc(LParam: Integer): Integer; stdcall; var  cp: PRemoteData;  p2, p3: Pointer; begin  Result := 0;  if LParam <> 0 then  begin    cp := Pointer(LParam);    cp.FreeLibrary(cp.dwModule);    cp.MessageBox(0, cp.Buf, cp.Title, MB_ICONINFORMATION + MB_TOPMOST);    p2 := @cp.VirtualFree;    p3 := @cp.ExitThread;    asm        push Result        push 0        push MEM_RELEASE        push 0        push cp        push p3        push p2        ret    end;  end  else    asm    call @@1  @@1:    pop eax    mov Result, eax    end; end; function DummyBlockAddr: Integer; stdcall; asm  call @@1 @@1:  pop eax;  ret  dd 0,0,0,0,0,0,0,0  dd 0,0,0,0,0,0,0,0  nop; nop; nop; nop; end; function DummyCodeEnd: Integer; begin  Result := Integer(@DummyCodeEnd); end; function EnableDebugPrivilege: Boolean;  function EnablePrivilege(hToken: Cardinal; PrivName: string; bEnable: Boolean): Boolean;  var    TP: TOKEN_PRIVILEGES;    Dummy: Cardinal;  begin    TP.PrivilegeCount := 1;    LookupPrivilegeValue(nil, pchar(PrivName), TP.Privileges[0].Luid);    if bEnable then      TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED    else TP.Privileges[0].Attributes := 0;    AdjustTokenPrivileges(hToken, False, TP, SizeOf(TP), nil, Dummy);    Result := GetLastError = ERROR_SUCCESS;  end; var  hToken: Cardinal; begin  OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken);  result := EnablePrivilege(hToken, 'SeDebugPrivilege', True);  CloseHandle(hToken); end; function FuncOffset(P1, P2: TFarProc): Integer; begin  Result := Integer(P2) - Integer(P1); end; procedure TForm1.Button1Click(Sender: TObject); var  kernel32, user32: THandle;  PID: Integer;  hProcess, th: THandle;  m, n,  len: Integer;  p, lp, cp, dp: Pointer;  tmp: string;  rmt: PRemoteData;  dw, tid: Cardinal; begin  Tid := 0;  EnableDebugPrivilege; //提升权限  PID := StrToIntDef(Edit1.Text, 0);  if PID = 0 then  begin    ShowMessage('Process ID Error!');    Exit;  end;  hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, PID);  if hProcess = 0 then  begin    ShowMessage('Open Process Error!');    Exit;  end;  kernel32 := GetModuleHandle(Windows.kernel32);  user32 := GetModuleHandle(Windows.user32);  @RemoteData.FreeLibrary := GetProcAddress(kernel32, 'FreeLibrary');  @RemoteData.MessageBox := GetProcAddress(user32, 'MessageBoxA');  StrPCopy(RemoteData.Buf, '成功完成!');  RemoteData.dwModule := StrToIntDef(Edit2.Text, 0);  @RemoteData.ExitThread := GetProcAddress(kernel32, 'ExitThread');  @RemoteData.VirtualFree := GetProcAddress(kernel32, 'VirtualFree');  p := @RemoteThreadProc;  m := FuncOffset(p, @DummyCodeEnd) + 100;  n := FuncOffset(p, Pointer(DummyBlockAddr)) + 16;  len := m + SizeOf(TRemoteData) + 1024;  lp := VirtualAllocEx(hProcess, nil, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  if lp <> nil then  begin    SetLength(tmp, len);    rmt := PRemoteData(tmp);    cp := PChar(tmp) + SizeOf(RemoteData);    Move(RemoteData, rmt^, SizeOf(RemoteData));    Move(p^, cp^, m);    PInteger(Integer(cp) + n)^ := Integer(lp);     // 函数重定位    dp := lp;    cp := Pointer(Integer(dp) + SizeOf(TRemoteData));    if WriteProcessMemory(hProcess, lp, rmt, len - 100, dw) then    begin      th := CreateRemoteThread(hProcess, nil, 0, cp, dp, 0, tid);      if th = 0 then      begin        Showmessage('Create remote thread fail');        if lp <> nil then VirtualFreeEx(hProcess, lp, 0, MEM_RELEASE);        if hProcess <> 0 then CloseHandle(hProcess);        Exit;      end;      CloseHandle(th);    end    else    begin      if lp <> nil then VirtualFreeEx(hProcess, lp, 0, MEM_RELEASE);      if hProcess <> 0 then CloseHandle(hProcess);      Exit;    end;  end;  ShowMessage('Remote thread create successfully, Addr: ' + '0x' + IntToHex(Integer(lp), 8)); end; end. 你试试

tt.t · 2005-11-07

“这种做法是可行，但偶测试的结果是主进程也会同时被关闭” 如果卸载掉的dll还会被调用自然会出错，这不是卸载的问题，问题出在没被卸载的模块里。

wangsea · 2005-11-07

to jingtao:  您的代码偶测试了不能卸载掉Explorer中的Dll． to tt.t：  我们先不说能否这么做，您用IceSword你试试卸载注入Explorer中的Dll!多数情况下Explorer都不会自动关闭。偶想知道的是如何实现这种方法。 to 楼主： 　借您的宝地讨论一下，希望不要见怪. 顺便贴出偶的"用钩子卸钩子"的测试代码，请大家研究一下如何来改进 使用方法:unload.exe insert.dll 申明:本示例只做了针对Exlporer中的Dll的卸载,代码改自刘麻子的线程插入的例子,实现了用钩子卸钩子的基本要求,但本程序不完善,卸载了Explorer中的Dll后会出现Explorer自动结束的情况. //主程序如下: program Unload; uses Windows, FUnit in 'FUnit.pas'; var UNFile:string; begin  UNFile:=ParamStr(1);  if UNFile='' then exit;  if (OpenMutex(MUTEX_ALL_ACCESS, FALSE, ExeMutex) <> 0) or     (OpenMutex(MUTEX_ALL_ACCESS, FALSE, DllMutex) <> 0) then Exit;  HMutex := CreateMutex(nil, TRUE, ExeMutex);  ExplorerPID := FindProcess('Explorer.exe');  if (ExplorerPID = 0) then  begin MessageBox(0, '寻找Explorer出错 ', nil, 0);  Exit; end;  FindDll(ExplorerPID,UNFile);  FileMap := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0, SizeOf(TNode), FileMapName);  if (FileMap = 0) then  begin    MessageBox(0, '创建映射文件出错 ', nil, 0);  Exit;  end;  PtNode := MapViewOfFile(FileMap, FILE_MAP_WRITE, 0, 0, 0);  if (PtNode = nil) then  begin    MessageBox(0, '映射到本进程出错 ', nil, 0);        CloseHandle(FileMap);  Exit;  end;  PtNode^.MainThread := GetCurrentThreadID();  PtNode^.ExplorerID := ExplorerPID;  ptNode^.UNDLLHandle:=FindDll(ExplorerPID,UNFile);//要卸载的DLL在Explorer中的Handle  UnmapViewOfFile(PtNode);  GetMsgHookOn;  while GetMessage(Msg, 0, 0, 0) do;  GetMsgHookOff;  CloseHandle(FileMap);  ReleaseMutex(HMutex); end. //所引用的FUnit.pas如下: unit FUnit; interface uses Windows,TLHelp32,SysUtils; type  TNode = record          MainThread: DWORD;    ExplorerID: DWORD;    UNDLLHandle

WORD;  end;  PNode = ^TNode; const  ExeMutex = 'ExeMutex_wangsea';    DllMutex = 'DllMutex_wangsea';    FileMapName = 'FileMap_wangsea'; var  HMutex: THandle;    Msg: TMsg;          FileMap: THandle;  PtNode: PNode;      ExplorerPID: DWORD; function FindProcess(ExeName: string): DWORD; function FindDll(ProcessID:cardinal;Dll:string):Cardinal; procedure GetMsgHookOn; external  'UnloadDll.dll'; procedure GetMsgHookOff; external 'UnloadDLL.dll'; implementation type  TProcessEntry32 = packed record    dwSize: DWORD;                  cntUsage: DWORD;    th32ProcessID: DWORD;          th32DefaultHeapID: DWORD;    th32ModuleID: DWORD;            cntThreads: DWORD;    th32ParentProcessID: DWORD;    pcPriClassBase: Longint;        dwFlags: DWORD;    szExeFile: array[0..MAX_PATH - 1] of Char;  end; function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): THandle stdcall; external 'kernel32.dll'; function Process32First(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall; external 'kernel32.dll'; function Process32Next(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall; external 'kernel32.dll'; function FindProcess(ExeName: string): DWORD; var  sphandle: THandle;  Found: BOOL;  PStruct: TProcessEntry32;  function AnsiEndsText(const ASubText, AText: string): Boolean;  var    P: PChar;    L, L2: Integer;  begin    P := PChar(AText);    L := Length(ASubText);    L2 := Length(AText);    Inc(P, L2 - L);    if (L > L2) then      Result := FALSE    else      Result := CompareString(LOCALE_USER_DEFAULT, NORM_IGNORECASE,P, L, PChar(ASubText), L) = 2;  end;       begin                                        Result := 0;              sphandle := CreateToolhelp32Snapshot($00000002, 0);  PStruct.dwSize := Sizeof(PStruct);  Found := Process32First(sphandle, PStruct);  while Found do  begin    if AnsiEndsText(ExeName, PStruct.szExefile) then    begin      Result := PStruct.th32ProcessID;      Break;    end;        Found := Process32Next(sphandle, PStruct);  end;    CloseHandle(sphandle); end; function FindDll(ProcessID:cardinal;Dll:string):Cardinal; var  snap:THandle;  lpme:TModuleEntry32; begin  result:=0;  snap:=CreateToolhelp32Snapshot(TH32CS_SNAPALL,ProcessID);  try    FillChar(lpme,Sizeof(TModuleEntry32),0);    lpme.dwSize:=Sizeof(TModuleEntry32);    if Module32First(snap,lpme) then     repeat       if UpperCase(ExtractFileName(lpme.szExePath))=UpperCase(Dll) then       begin          result:=lpme.hModule;          break;       end;     until not Module32Next(snap,lpme);  finally    CloseHandle(snap);  end; end; end. //Dll如下: library Unloaddll; uses  Windows, Messages,  Publics in 'Publics.pas',  Threads in 'Threads.pas',  JmpHook in 'JmpHook.pas'; exports  GetMsgHookOn,  GetMsgHookOff,  ThreadPro;     procedure DLLProcess(dwReason: Integer); begin      if (dwReason = DLL_PROCESS_DETACH) then  begin    if (PtNode <> nil) then UnmapViewOfFile(PtNode);    if (FileMap <> 0) then CloseHandle(FileMap);  end; end; begin  DllProc := @DLLProcess;  FileMap := OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, FileMapName);  if (FileMap <> 0) then PtNode := MapViewOfFile(FileMap, FILE_MAP_ALL_ACCESS, 0, 0, 0); end. //Dll所用的三个pas如下: 1: unit Publics; interface uses  Windows; type  TNode = record            MainThread: DWORD;      ExplorerID: DWORD;      UNDLLHandle

WORD;    end;  PNode = ^TNode; const  DllMutex = 'DllMutex_wangsea';  FileMapName = 'FileMap_wangsea'; var  FileMap: THandle;  PtNode: PNode; implementation end. 2: unit Threads; interface procedure ThreadPro(Ct: Integer); stdcall; implementation uses Windows, Messages, Publics,SysUtils; procedure WriteScreen(S: string); var  ScreenDC: HDC; begin  ScreenDC := GetDC(0);  TextOut(ScreenDC, 10, 10, PChar(S), Length(S));  ReleaseDC(0, ScreenDC); end; function Int2Hex(x: Integer): string; var  J, K: Integer; begin  Result := '$00000000';  for J := 9 downto 2 do  begin    K := x and $0F;    if (K > 9) then K := K + 7;    K := K + $30;    Result[J] := Char(K);        x := x shr 4;  end; end; procedure ThreadPro(Ct: Integer); stdcall; var  //TheMsg: TMsg;  HMutex: DWORD;  //AtomID: ATOM; begin  PostThreadMessage(PtNode^.MainThread, WM_QUIT, 0, 0);  HMutex := OpenMutex(MUTEX_ALL_ACCESS, FALSE, DllMutex);  if (HMutex = 0) then  begin    HMutex := CreateMutex(nil, TRUE, DllMutex);    if PtNode^.UNDLLHandle<>0 then      FreeLibrary(PtNode^.UNDLLHandle);    ReleaseMutex(HMutex);  end;  CloseHandle(HMutex);  FreeLibraryAndExitThread(HInstance, 0); end; end. 3: unit JmpHook; interface procedure GetMsgHookOn; procedure GetMsgHookOff; implementation uses  Windows, Publics; var  GetMsgHook: HHOOK;      LibraryH: DWORD;        ThreadPt: Pointer;      ThreadID: DWORD;        ModuleFileName: array [0..MAX_PATH] of Char; function GetMsgHookPro(nCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall; begin  if (PtNode <> nil) and (PtNode^.ExplorerID <> 0) and     (GetCurrentProcessId() = PtNode^.ExplorerID) then  begin    GetModuleFileName(HInstance, @ModuleFileName[0], MAX_PATH);    LibraryH := LoadLibrary(ModuleFileName);    if (LibraryH <> 0) then ThreadPt := GetProcAddress(LibraryH, 'ThreadPro');    if (ThreadPt <> nil) then CreateThread(nil, 0, ThreadPt, Pointer($66666666), 0, ThreadID);  end;  Result:= CallNextHookEx(GetMsgHook, nCode, wParam, lParam);   end; procedure GetMsgHookOn; begin  GetMsgHook := SetWindowsHookEx(WH_GETMESSAGE, @GetMsgHookPro, HInstance, 0); end; procedure GetMsgHookOff; begin  UnHookWindowsHookEx(GetMsgHook); end; end.

jingtao · 2005-11-08

不会吧.你填写了EXE的进程ID和该DLL在EXE里面的MODULE吗? 很多DLL是需要卸几次才能干净的.因为可能EXE多次引用了该DLL

请问如何卸载进程中exe的一个dll模块 ( 积分: 50 )

飞来石

Unregistered / Unconfirmed

飞来石

Unregistered / Unconfirmed

传说中的虫

Unregistered / Unconfirmed

chenybin

Unregistered / Unconfirmed

lichengbin

Unregistered / Unconfirmed

zjan521

Unregistered / Unconfirmed

飞来石

Unregistered / Unconfirmed

mysirius

Unregistered / Unconfirmed

app2001

Unregistered / Unconfirmed

初学者1号

Unregistered / Unconfirmed

zjan521

Unregistered / Unconfirmed

jingtao

Unregistered / Unconfirmed

tt.t

Unregistered / Unconfirmed

wangsea

Unregistered / Unconfirmed

jingtao

Unregistered / Unconfirmed

wangsea

Unregistered / Unconfirmed

jingtao

Unregistered / Unconfirmed

tt.t

Unregistered / Unconfirmed

wangsea

Unregistered / Unconfirmed

jingtao

Unregistered / Unconfirmed

Similar threads