Does anyone know how to eject a DLL from a process?
Here is my Injection code:
Code:
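/*
 * Loads the DLL named by ChaDLL into the process behind HanProcess: the path
 * is copied into memory allocated in that process and LoadLibraryA is run
 * there on a remote thread with the copied path as its argument.
 *
 * Parameters:
 *   HanProcess - handle to the target process. This function closes it on
 *                every return path, so the caller must not use it afterwards.
 *   ChaDLL     - NUL-terminated ANSI path of the DLL. It must fit in the
 *                local MAX_PATH + 16 byte buffer, terminator included.
 *
 * Returns TRUE when the remote thread was created and the wait on it did not
 * fail. The thread's exit code is never read, so TRUE does not confirm that
 * LoadLibraryA actually loaded the module. Returns FALSE on any other path.
 *
 * Review note: the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
 * sequence with LoadLibraryA as the start routine is the textbook remote-thread
 * DLL load; endpoint monitoring commonly keys on exactly this call chain.
 */
BOOL InjectDLL ( HANDLE HanProcess, CONST CHAR * ChaDLL )
{
    CHAR ChaDLLFilePath [ ( MAX_PATH + 16 ) ] = { 0 };
    BOOL Result = FALSE;
    size_t PathLength = 0;
    HMODULE ModKernel32 = NULL;
    FARPROC LoadLibraryAddress = NULL;
    LPVOID ProcessBaseAdress = NULL;
    HANDLE HanDLLThread = NULL;

    /* The original strcpy had no bound: a path longer than the buffer
       overflowed the stack, and a NULL path was dereferenced. */
    if ( ChaDLL == NULL )
    {
        goto Cleanup;
    }
    PathLength = strlen ( ChaDLL );
    if ( PathLength >= sizeof ( ChaDLLFilePath ) )
    {
        goto Cleanup;
    }
    memcpy ( ChaDLLFilePath, ChaDLL, PathLength + 1 );

    ModKernel32 = GetModuleHandle ( "Kernel32.dll" );
    if ( ModKernel32 == NULL )
    {
        goto Cleanup;
    }

    /* Resolve the start routine up front; the original passed an unchecked
       GetProcAddress result straight to CreateRemoteThread. */
    LoadLibraryAddress = GetProcAddress ( ModKernel32, "LoadLibraryA" );
    if ( LoadLibraryAddress == NULL )
    {
        goto Cleanup;
    }

    /* The whole fixed-size buffer is allocated and written, as in the
       original; the bytes after the path are zero from the initializer. */
    ProcessBaseAdress = VirtualAllocEx ( HanProcess, NULL, sizeof ( ChaDLLFilePath ), MEM_COMMIT, PAGE_READWRITE );
    if ( ProcessBaseAdress == NULL )
    {
        goto Cleanup;
    }

    if ( ! WriteProcessMemory ( HanProcess, ProcessBaseAdress, ( VOID * ) ChaDLLFilePath, sizeof ( ChaDLLFilePath ), NULL ) )
    {
        goto Cleanup;
    }

    HanDLLThread = CreateRemoteThread ( HanProcess, NULL, 0, ( LPTHREAD_START_ROUTINE ) LoadLibraryAddress, ProcessBaseAdress, 0, NULL );
    if ( HanDLLThread == NULL )
    {
        goto Cleanup;
    }

    if ( WaitForSingleObject ( HanDLLThread, INFINITE ) != WAIT_FAILED )
    {
        Result = TRUE;
    }

Cleanup:
    /* Same release order as the original: thread handle, remote buffer,
       then the caller's process handle. */
    if ( HanDLLThread != NULL )
    {
        CloseHandle ( HanDLLThread );
    }
    if ( ProcessBaseAdress != NULL )
    {
        VirtualFreeEx ( HanProcess, ProcessBaseAdress, 0, MEM_RELEASE );
    }
    CloseHandle ( HanProcess );
    return Result;
}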
I think I may have to do something like this:
GetProcAddress ( ModKernel32, "FreeLibraryA" )
instead of this:
GetProcAddress ( ModKernel32, "LoadLibraryA" )
According to this:
The FreeLibrary function decrements the reference count of the loaded dynamic-link library (DLL) module. When the reference count reaches zero, the module is unmapped from the address space of the calling process and the handle is no longer valid. This function supersedes the FreeModule function.