Unloading a dll by calling CreateRemoteThread: fails

I am trying to create a tool for unloading / removing DLLs from processes. I have already come across LoadLibrary and injection, but this time the same logic does not seem to apply. This is my code:

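// Declared here because findModuleOffset uses it before its definition below;
// C++ requires a declaration before the first call.
bool compareExeName(char *path, char *partial_name);

HMODULE findModuleOffset(HANDLE proc, char *mod_name) {
    // Finds the base address of the first module in `proc` that is not the
    // main executable (file extension other than "exe") and whose file name
    // starts with `mod_name` (see compareExeName for the matching rule).
    // Returns NULL when nothing matches or when EnumProcessModules fails.
    //
    // `proc` needs at least PROCESS_QUERY_INFORMATION | PROCESS_VM_READ for
    // EnumProcessModules / GetModuleFileNameExA to succeed.
    HMODULE hMods[2048];
    DWORD modules_byte_size = 0;
    if (!EnumProcessModules(proc, hMods, sizeof(hMods), &modules_byte_size)) {
        return NULL;
    }

    // EnumProcessModules reports the number of bytes *needed*, which can be
    // larger than the buffer we passed; clamp so the loop never reads past
    // the end of hMods (the original looped over the unclamped value).
    if (modules_byte_size > sizeof(hMods)) {
        modules_byte_size = sizeof(hMods);
    }
    const DWORD module_count = modules_byte_size / sizeof(HMODULE);

    for (DWORD i = 0; i < module_count; i++) {
        CHAR module_name[MAX_PATH];

        // Get the full path to the module file.
        if (!GetModuleFileNameExA(proc, hMods[i], module_name, sizeof(module_name))) {
            continue;
        }
        // Defensive: guarantee termination even if the name was truncated.
        module_name[sizeof(module_name) - 1] = '\0';

        // The original did strrchr(...) + 1 unconditionally, which is an
        // invalid pointer when the name has no '.'; a name without an
        // extension is simply not an .exe. Note the comparison is
        // case-sensitive, so "FOO.EXE" would not be excluded here.
        const char *dot = strrchr(module_name, '.');
        const bool is_exe = (dot != NULL) && (strcmp(dot + 1, "exe") == 0);

        if (!is_exe && compareExeName(module_name, mod_name)) {
            return hMods[i];
        }
    }
    return NULL;
}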
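bool compareExeName(char *path, char *partial_name) {
    // Returns true when the file-name component of `path` (the text after the
    // last backslash, or the whole string when there is no backslash) begins
    // with `partial_name`.
    //
    // This is a *prefix* test, not an equality test: "foo" matches "foo.dll"
    // but also "foobar.dll", and an empty `partial_name` matches everything.
    // The comparison is case-sensitive even though Windows file names are not.
    if (path == NULL || partial_name == NULL) {
        return false;
    }

    // The original computed strrchr(path, '\\') + 1 *before* testing for
    // NULL, so the NULL check could never fire and a path without a
    // backslash dereferenced an invalid pointer.
    const char *lastSlash = strrchr(path, '\\');
    const char *file_name = (lastSlash != NULL) ? lastSlash + 1 : path;

    return strncmp(file_name, partial_name, strlen(partial_name)) == 0;
}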

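void unload_all_dll(char *dll_name) {
    // For every process the caller can open: if it has a module whose file
    // name starts with `dll_name`, run kernel32!FreeLibrary on that module in
    // a remote thread, repeating (bounded) until the module is no longer
    // listed or FreeLibrary reports failure. Progress is printed on cout.
    //
    // Known limitations (not addressed here):
    //  * The FreeLibrary address of *this* process is passed to the target;
    //    that is only valid when both processes have the same bitness and
    //    the same kernel32 base, which is usual but not guaranteed.
    //  * Unloading a DLL while one of the target's threads is still executing
    //    inside it will crash the target.
    //  * Modules the target imports statically are pinned: FreeLibrary keeps
    //    succeeding without ever unloading them, hence the attempt cap below.
    if (dll_name == NULL || dll_name[0] == '\0') {
        // compareExeName is a prefix match, so "" would select the first
        // non-.exe module (ntdll included) in every process. Refuse.
        cout << "unload_all_dll: empty dll name" << endl;
        return;
    }

    // Resolve the routine once; it is identical for every process.
    LPTHREAD_START_ROUTINE free_library =
        (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary");
    if (free_library == NULL) {
        cout << "unload_all_dll: GetProcAddress(FreeLibrary) failed" << endl;
        return;
    }

    DWORD process_ids[2048];
    DWORD process_byte_size = 0;            // bytes of process_ids filled by EnumProcesses
    if (!EnumProcesses(process_ids, sizeof(process_ids), &process_byte_size)) {
        return;
    }
    const DWORD process_count = process_byte_size / sizeof(DWORD);

    // Least privilege instead of PROCESS_ALL_ACCESS: these are the rights
    // CreateRemoteThread documents; EnumProcessModules/GetModuleFileNameEx
    // are covered by QUERY_INFORMATION | VM_READ.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;

    // Arbitrary cap (constructed value) so a pinned module cannot spin forever.
    const int MAX_FREE_ATTEMPTS = 64;

    for (DWORD i = 0; i < process_count; i++) {
        HANDLE opened_process = OpenProcess(access, FALSE, process_ids[i]);
        if (opened_process == NULL) continue;   // not accessible, or already gone

        CHAR exe_path[1024];
        // The original printed exe_path without checking this call, so on
        // failure it printed uninitialised memory. Use the real buffer size
        // rather than MAX_PATH.
        if (!GetModuleFileNameExA(opened_process, 0, exe_path, sizeof(exe_path))) {
            exe_path[0] = '\0';
        }

        HMODULE ext_dll_module = findModuleOffset(opened_process, dll_name);
        if (ext_dll_module != NULL) {
            bool unloaded = false;

            // FreeLibrary only decrements a reference count, so one call may
            // not unload the module. The original looped `while (exit_code == 0)`,
            // i.e. it *repeated while FreeLibrary failed* and never terminated
            // on failure; here we stop on failure, on disappearance of the
            // module, or after MAX_FREE_ATTEMPTS.
            for (int attempt = 0; attempt < MAX_FREE_ATTEMPTS; attempt++) {
                HANDLE Hthread = CreateRemoteThread(opened_process, NULL, 0, free_library,
                                                    (void*)ext_dll_module, 0, NULL);
                if (Hthread == NULL) {
                    cout<<"Process closed meanwhile or dll unloaded";
                    break;  //process has closed meanwhile
                }
                while (WaitForSingleObject(Hthread, 1000) == WAIT_TIMEOUT);

                DWORD thread_exit_code = 0;
                const BOOL got_code = GetExitCodeThread(Hthread, &thread_exit_code);
                CloseHandle(Hthread);   // the original leaked one thread handle per attempt

                if (!got_code || thread_exit_code == 0) {
                    // FreeLibrary returned FALSE: the handle is no longer a
                    // loaded module (or we could not read the result).
                    unloaded = (findModuleOffset(opened_process, dll_name) != ext_dll_module);
                    break;
                }
                if (findModuleOffset(opened_process, dll_name) != ext_dll_module) {
                    unloaded = true;
                    break;
                }
            }

            if (unloaded) {
                cout << "Dll unloaded from " << exe_path << endl;
            } else {
                cout << "Dll still loaded in " << exe_path << endl;
            }
        }

        CloseHandle(opened_process);   // the original never closed the process handle
    }
}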

Warning: some variable names may be confusing (I'm in a hurry). But every time I try to unload the dll, everything fails (of course, only in those applications that contain the specified dll). I tested everything I could, and everything seems fine: the module address returned by findModuleOffset is good (checked against the value shown by the process handler). I have no idea whether the return value of CreateRemoteThread or thread_exit_code is due to the application crashing (it delays unloading the DLL ... etc.). Can you help me?



, , dll, , dll. , , CPU,

, , - , dll; Windows IPC, , , mailslots.

dll , "master" , - . dlls, , , dll, " ": 1.

, , , ( + WaitForSingleObject) , , FreeLibraryAndExitThread , dll.


  • , , , , , , , , DLL, - .

Source: https://habr.com/ru/post/1684262/

