#define UNICODE
#ifdef UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <tchar.h>
//#define AH_STATIC_LINKING
#include <ApiHooks.h>
//#define PW_STATIC_LINKING
#include <PrcWorks.h>
#include <ntsecapi.h>
// Loader entry points resolved from ntdll at run time (GetProcAddress in
// _tmain) and handed into the target process through NTUNLOAD.  Both return
// an NTSTATUS-style LONG: negative means failure, which is what the ">= 0"
// test in NtUnloadRC relies on.  NtUnloadRC calls TLGDH as
// (NULL, 0, &DllName, &hDll) and TLUD with the handle that call produced.
typedef LONG (WINAPI *TLGDH)(LPVOID, DWORD, PUNICODE_STRING, PHANDLE); // ntdll!LdrGetDllHandle
typedef LONG (WINAPI *TLUD)(HANDLE);                                    // ntdll!LdrUnloadDll
// Parameter block written verbatim into the target process (WriteProcessMemory
// in _tmain) and passed as the single argument of the injected NtUnloadRC.
// The layout is load-bearing: DllNameW must stay the FIRST member, because
// _tmain sets DllName.Buffer to the base address of the remote copy of this
// block, which is therefore also the remote address of DllNameW.  The two
// function pointers are resolved in this process and used unchanged in the
// target, i.e. the tool relies on ntdll being mapped at the same address in
// both processes.
typedef struct _NTUNLOAD {
WCHAR DllNameW[MAX_PATH]; // NUL-terminated module name; storage behind DllName
UNICODE_STRING DllName; // Length/MaximumLength in bytes; Buffer = remote address of DllNameW
TLGDH LdrGetDllHandle; // ntdll!LdrGetDllHandle (see TLGDH)
TLUD LdrUnloadDll; // ntdll!LdrUnloadDll (see TLUD)
} NTUNLOAD, *PNTUNLOAD;
// Runs INSIDE the target process: _tmain hands RemoteExecute the raw bytes of
// this function, with the length computed as the distance from NtUnloadRC to
// _tmain.  Two consequences: (1) it must stay immediately before _tmain in the
// image, and (2) it must not reference anything in this image -- no helper
// calls, string literals or globals -- because such addresses would dangle in
// the target; everything it needs arrives through pNtUnload.
// NOTE(review): build settings that make the compiler insert helper calls
// (e.g. stack-cookie checks) would break the copied code for the same reason.
//
// Return value, as decoded by _tmain:
//   first lookup failed (negative status, 0xC0000135 = module not present)
//     -> that status is returned unchanged;
//   otherwise LdrUnloadDll is called and the module is looked up again, and
//     that second status + 1 is returned: 0xC0000135+1 means the module is
//     gone, 1 means it is still loaded (reference count only decremented).
LONG WINAPI NtUnloadRC(PNTUNLOAD pNtUnload) {
LONG NtResult;
HANDLE hDll;
if((NtResult = pNtUnload->LdrGetDllHandle(NULL, 0, &pNtUnload->DllName, &hDll)) >= 0) { // NT_SUCCESS
pNtUnload->LdrUnloadDll(hDll); // status ignored on purpose: the re-lookup below is the real check
NtResult = pNtUnload->LdrGetDllHandle(NULL, 0, &pNtUnload->DllName, &hDll)+1; // +1 tags "after unload" so 0 cannot collide with the first lookup's status
}
return(NtResult);
}
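// Everything after argument validation lives in RunUnload; see its comment for
// why it is defined AFTER _tmain rather than before it.
static VOID RunUnload(TCHAR** argv);

/*
 * Entry point.  Usage: ntunload <ProcessName> <ModuleName>
 *
 * Refuses to run on the Windows 9x line (GetVersion with the high bit set),
 * checks the argument count, then hands the two arguments to RunUnload, which
 * forces <ModuleName> out of <ProcessName> by running NtUnloadRC inside the
 * target.  Whatever happens, the program waits for a keypress before exiting
 * so the result stays visible when launched from Explorer.
 *
 * Both arguments may contain %VAR% references; they are expanded before use.
 */
VOID _tmain(int argc, TCHAR** argv) {
    if ((int)GetVersion() < 0)
        _tprintf(_T("%s works in Windows NT only!"), argv[0]);
    else if (argc != 3)
        _tprintf(_T("Usage: %s <ProcessName> <ModuleName>"), argv[0]);
    else
        RunUnload(argv);
    getch();
}

/*
 * Resolves the target process and module, writes an NTUNLOAD block plus the
 * code of NtUnloadRC into the target and reports the outcome.  argv[1] is the
 * process name, argv[2] the module name; both are environment-expanded.
 *
 * Defined AFTER _tmain on purpose: the byte count handed to RemoteExecute is
 * the distance from NtUnloadRC to _tmain, so any function placed between the
 * two in the image would be copied into the target as well.  The address
 * arithmetic is 32-bit (DWORD), like the rest of the tool.
 *
 * Every failure prints one message and returns; the caller pauses afterwards.
 */
static VOID RunUnload(TCHAR** argv) {
    // NTSTATUS returned by LdrGetDllHandle when the module is not loaded in
    // the target (STATUS_DLL_NOT_FOUND); ntstatus.h is not included, so it is
    // spelled out here.
    const DWORD StatusDllNotFound = 0xC0000135;
    // NtUnloadRC returns the post-unload lookup status + 1 (see NtUnloadRC).
    const DWORD UnloadedResult = StatusDllNotFound + 1;
    const DWORD StillLoadedResult = 1;
    // Privilege value handed to RtlAdjustPrivilege: SE_DEBUG_PRIVILEGE (20).
    const DWORD SeDebugPrivilege = 20;

    // ExpandEnvironmentStrings takes and returns TCHAR counts (including the
    // terminator): 0 means failure, a value above the buffer size means the
    // output was truncated.  Both are rejected before the buffer is used.
    TCHAR ProcessName[MAX_PATH];
    DWORD cch = ExpandEnvironmentStrings(argv[1], ProcessName, MAX_PATH);
    if (cch == 0 || cch > MAX_PATH) {
        _tprintf(_T("Can't expand process name '%s'!"), argv[1]);
        return;
    }

    DWORD PID = ProcessName2PID(ProcessName);
    if (PID == PW_PIDERROR || PID == PW_SESERROR) {
        _tprintf(_T("Process '%s' not found!"), argv[1]);
        return;
    }
    if (PID == PW_MEMERROR) {
        _tprintf(_T("Not enough memory!"));
        return;
    }

    HINSTANCE hntdll = GetModuleHandle(_T("ntdll.dll"));
    if (!hntdll) {
        _tprintf(_T("Can't get handle to 'ntdll.dll'!"));
        return;
    }

    // Best effort: enable SeDebugPrivilege so OpenProcess can reach processes
    // of other users.  Failure is not fatal here; OpenProcess reports it below.
    typedef LONG (WINAPI *TRAP)(DWORD, BOOL, DWORD, BYTE*);
    TRAP RAP = (TRAP)GetProcAddress(hntdll, "RtlAdjustPrivilege");
    if (RAP) {
        BYTE WasEn = 0;
        RAP(SeDebugPrivilege, TRUE, 0, &WasEn);
    }

    // Zero the whole block so no stack garbage beyond the module name is
    // written into the target.
    NTUNLOAD l_NtUnload = {0};
    l_NtUnload.LdrGetDllHandle = (TLGDH)GetProcAddress(hntdll, "LdrGetDllHandle");
    l_NtUnload.LdrUnloadDll = (TLUD)GetProcAddress(hntdll, "LdrUnloadDll");
    if (!l_NtUnload.LdrGetDllHandle || !l_NtUnload.LdrUnloadDll) {
        _tprintf(_T("Can't retrieve used APIs!"));
        return;
    }

    // Module name as a counted UNICODE_STRING backed by DllNameW.  The size
    // argument is a CHARACTER count, not sizeof(): DllNameW holds MAX_PATH
    // WCHARs, and passing its byte size here would let a long expansion
    // overrun the block on the stack.
#ifdef UNICODE
    cch = ExpandEnvironmentStrings(argv[2], l_NtUnload.DllNameW, MAX_PATH);
    if (cch == 0 || cch > MAX_PATH) {
        _tprintf(_T("Can't expand module name '%s'!"), argv[2]);
        return;
    }
#else
    CHAR DllNameA[MAX_PATH];
    cch = ExpandEnvironmentStrings(argv[2], DllNameA, MAX_PATH);
    if (cch == 0 || cch > MAX_PATH) {
        _tprintf(_T("Can't expand module name '%s'!"), argv[2]);
        return;
    }
    // Bounded ANSI -> UTF-16 conversion; the return value counts the terminator.
    cch = (DWORD)MultiByteToWideChar(CP_ACP, 0, DllNameA, -1, l_NtUnload.DllNameW, MAX_PATH);
    if (cch == 0) {
        _tprintf(_T("Can't expand module name '%s'!"), argv[2]);
        return;
    }
#endif
    // UNICODE_STRING lengths are in bytes and Length excludes the terminator.
    l_NtUnload.DllName.Length = (USHORT)(sizeof(WCHAR) * (cch - 1));
    l_NtUnload.DllName.MaximumLength = sizeof(l_NtUnload.DllNameW);

    HANDLE hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, PID);
    if (!hProc) {
        _tprintf(_T("Can't get OW handle to '%s'!"), argv[1]);
        return;
    }

    PRCINFO pRCI = GetDefaultRCInfo();
    PNTUNLOAD pNtUnload = (PNTUNLOAD)pRCI->RtlAllocMem(hProc, sizeof(l_NtUnload));
    if (!pNtUnload) {
        _tprintf(_T("Can't allocate memory in '%s'!"), argv[1]);
    } else {
        // DllNameW is the first member of NTUNLOAD, so the remote block's base
        // address is also the remote address of the name buffer.
        l_NtUnload.DllName.Buffer = (PWSTR)pNtUnload;

        DWORD RCresult = 0;
        if (!WriteProcessMemory(hProc, pNtUnload, &l_NtUnload, sizeof(l_NtUnload), NULL)) {
            _tprintf(_T("Can't write to '%s' memory!"), argv[1]);
        } else {
            // Copy NtUnloadRC's code into the target and run it there with the
            // remote block as its argument, waiting up to 30 s.  The length is
            // the distance to the next function in the image (see above).
            RCresult = RemoteExecute(NULL, PID, 30000, NtUnloadRC,
                                     (DWORD)_tmain - (DWORD)NtUnloadRC + sizeof(DWORD) - 1,
                                     pNtUnload);
            if (RCresult == UnloadedResult)
                _tprintf(_T("'%s' was unloaded."), argv[2]);
            else if (RCresult == StillLoadedResult)
                _tprintf(_T("'%s' usage count decremented (if loaded dynamically)."), argv[2]);
            else if (RCresult == StatusDllNotFound)
                _tprintf(_T("Can't find '%s'!"), argv[2]);
            else if (RCresult == ErrorAHTimeOut)
                _tprintf(_T("Unloading '%s' deferred."), argv[2]);
            else
                _tprintf(_T("Can't prepare unloading '%s'!"), argv[2]);
        }

        // On a timeout the remote thread may still be running with pNtUnload
        // in use, so the block is deliberately left allocated in the target.
        if (RCresult != ErrorAHTimeOut)
            if (!pRCI->RtlFreeMem(hProc, pNtUnload))
                _tprintf(_T("Can't free memory in '%s'"), argv[1]);
    }
    CloseHandle(hProc);
}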