Thread: DLL Ejection

Does anyone know how to eject a DLL from a process?

Here is my Injection code:

Code:

BOOL InjectDLL ( HANDLE HanProcess, CONST CHAR * ChaDLL )
{

    CHAR ChaDLLFilePath [ ( MAX_PATH + 16 ) ] = { 0 };

    strcpy ( ChaDLLFilePath, ChaDLL );

    HMODULE ModKernel32 = GetModuleHandle ( "Kernel32.dll" );

    if ( ModKernel32 != NULL )
    {

        LPVOID ProcessBaseAdress = VirtualAllocEx ( HanProcess, NULL, sizeof ( ChaDLLFilePath ), MEM_COMMIT, PAGE_READWRITE );

        if ( ProcessBaseAdress != NULL )
        {

            if ( WriteProcessMemory ( HanProcess, ProcessBaseAdress, ( VOID * ) ChaDLLFilePath, sizeof ( ChaDLLFilePath ), NULL ) )
            {

                HANDLE HanDLLThread = CreateRemoteThread ( HanProcess, NULL, 0, LPTHREAD_START_ROUTINE ( GetProcAddress ( ModKernel32, "LoadLibraryA" ) ), ProcessBaseAdress, 0, NULL );

                if ( HanDLLThread != NULL )
                {

                    if ( WaitForSingleObject ( HanDLLThread, INFINITE ) != WAIT_FAILED )
                    {

                        CloseHandle ( HanDLLThread );

                        VirtualFreeEx ( HanProcess, ProcessBaseAdress, 0, MEM_RELEASE );

                        CloseHandle ( HanProcess );

                        return TRUE;
                    }

                    CloseHandle ( HanDLLThread );

                    VirtualFreeEx ( HanProcess, ProcessBaseAdress, 0, MEM_RELEASE );
                }

                else
                {

                    VirtualFreeEx ( HanProcess, ProcessBaseAdress, 0, MEM_RELEASE );
                }
            }

            else
            {

                VirtualFreeEx ( HanProcess, ProcessBaseAdress, 0, MEM_RELEASE );
            }
        }
    }

    CloseHandle ( HanProcess );

    return FALSE;
}

I think I may have to do something with like this:
GetProcAddress ( ModKernel32, "FreeLibraryA" )
instead of this:
GetProcAddress ( ModKernel32, "LoadLibraryA" )

Recording to this:

The FreeLibrary function decrements the reference count of the loaded dynamic-link library (DLL) module. When the reference count reaches zero, the module is unmapped from the address space of the calling process and the handle is no longer valid. This function supersedes the FreeModule function.

If you can get the HMODULE of the DLL you loaded, you can use exactly the same trick you're already using. Just put this HMODULE instead of ProcessBaseAddress.

But I find your trick very suspect already. What guarantee do you have that the HMODULE of kernel32.dll is the same in the other process as in yours?

On the other hand, it seems to match what Jeffrey Richter does, so that's probably fine. Just note that even he says only that in his experience, the handle is always the same.

The very same book, by the way, also contains an eject library call. It does indeed work like I said. It uses the Toolhelp32 library to create a snapshot of all modules and just searches for the one that has the same szModule and szExePath as the library you injected.

Here is with what I came up with, it doesn't work (ofcourse ), I tried alot of variations, all didn't work, I just can't figure it out, please help me out here:

Code:

BOOL EjectDLL ( HANDLE HanProcess, DWORD WorProcessId, CONST CHAR * ChaDLL )
{

    CHAR ChaDLLFilePath [ ( MAX_PATH + 16 ) ] = { 0 };

    strcpy ( ChaDLLFilePath, ChaDLL );

    HMODULE ModDLLHandle = NULL;

    BYTE * BytDLLBaseAdress = 0;

    MODULEENTRY32 MOEModuleInformation = { 0 };

    MOEModuleInformation.dwSize = sizeof ( MODULEENTRY32 );

    HANDLE HanModuleSnapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPMODULE, WorProcessId );

    Module32First ( HanModuleSnapshot, & MOEModuleInformation );

    do
    {

        if ( ! strcmp ( MOEModuleInformation.szExePath, ChaDLLFilePath ) )
        {

            ModDLLHandle = MOEModuleInformation.hModule;

            BytDLLBaseAdress = MOEModuleInformation.modBaseAddr;
        }
    }

    while ( Module32Next ( HanModuleSnapshot, & MOEModuleInformation ) );

    CloseHandle ( HanModuleSnapshot );

    if ( ModDLLHandle != NULL )
    {

        if ( BytDLLBaseAdress != 0 )
        {

            if ( WriteProcessMemory ( HanProcess, BytDLLBaseAdress, ( VOID * ) ChaDLLFilePath, sizeof ( ChaDLLFilePath ), NULL ) )
            {

                if ( VirtualFreeEx ( HanProcess, BytDLLBaseAdress, 0, MEM_RELEASE ) )
                {

                    CloseHandle ( HanProcess );

                    return TRUE;
                }
            }
        }
    }

    CloseHandle ( HanProcess );

    return FALSE;
}

You're not even calling CreateRemoteThread. And you need to write the module handle into the memory, not the DLL path.

What cefarix suggested is a bad idea, btw. A thread procedure's return value is a 32-bit value. In 64-bit Windows, handles are 64 bits wide.

Ok, I got it like this now but it doesn't work either, can you see why?

Code:

BOOL EjectDLL ( HANDLE HanProcess, DWORD WorProcessId, CONST CHAR * ChaDLL )
{

    CHAR ChaDLLFilePath [ ( MAX_PATH + 16 ) ] = { 0 };

    strcpy ( ChaDLLFilePath, ChaDLL );

    HMODULE ModDLLHandle = NULL;

    BYTE * BytDLLBaseAdress = 0;

    MODULEENTRY32 MOEModuleInformation = { 0 };

    MOEModuleInformation.dwSize = sizeof ( MODULEENTRY32 );

    HANDLE HanModuleSnapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPMODULE, WorProcessId );

    Module32First ( HanModuleSnapshot, & MOEModuleInformation );

    do
    {

        if ( ! strcmp ( MOEModuleInformation.szExePath, ChaDLLFilePath ) )
        {

            ModDLLHandle = MOEModuleInformation.hModule;

            BytDLLBaseAdress = MOEModuleInformation.modBaseAddr;
        }
    }

    while ( Module32Next ( HanModuleSnapshot, & MOEModuleInformation ) );

    CloseHandle ( HanModuleSnapshot );

    HMODULE ModKernel32 = GetModuleHandle ( "Kernel32.dll" );

    if ( ModKernel32 != NULL )
    {

        if ( ModDLLHandle != NULL &&
             BytDLLBaseAdress != 0 )
        {

            if ( WriteProcessMemory ( HanProcess, BytDLLBaseAdress, ( VOID * ) ModDLLHandle, sizeof ( ModDLLHandle ), NULL ) )
            {

               HANDLE HanDLLThread = CreateRemoteThread ( HanProcess, NULL, 0, LPTHREAD_START_ROUTINE ( GetProcAddress ( ModKernel32, "FreeLibrary" ) ), BytDLLBaseAdress, 0, NULL );

                if ( HanDLLThread != NULL )
                {

                    if ( WaitForSingleObject ( HanDLLThread, INFINITE ) != WAIT_FAILED )
                    {

                        CloseHandle ( HanDLLThread );

                        VirtualFreeEx ( HanProcess, BytDLLBaseAdress, 0, MEM_RELEASE );

                        CloseHandle ( HanProcess );

                        return TRUE;
                    }

                    CloseHandle ( HanDLLThread );
                }
            }
        }
    }

    CloseHandle ( HanProcess );

    return FALSE;
}

not its not smart.

you are doing it the hard way in the last 2 posts of code.

after calling WaitForSingleObject with the remote thread handle, call GetExitCodeThread with it. this will retrieve LoadLibrary/DllMain's return value, which will be the base address (HMODULE) of your mapped DLL. given this value, you can unmap the injected DLL via FreeLibrary:

Code:

HanDLLThread = CreateRemoteThread(HanProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(ModKernel32, "FreeLibrary"), (void *)dwExitCode, 0, NULL);

where dwExitCode is the value you retrieved with GetExitCodeThread.

Yes, but in this way you are only able to eject a DLL which you have injected earlier because you have the handle of the main thread of the injected DLL. But if I want to eject a DLL which I didn't inject in the first place I can't get the exit code because I don't have the main thread of that DLL, only the process were it is mapped in and the file path of the DLL, how to eject a DLL by only knowing the process where it is mapped in and the file path of that DLL?

Allright, nevermind :P.

As Tonto said, using WriteProcessMemory and VirtualFreeEx is not usefull when ejecting a DLL,
so I removed those functions and I changed, according to sl34k, a parameter in the CreateRemoteThread function and it worked .

Here is the DLL Ejection function:

Code:

BOOL EjectDLL ( HANDLE HanProcess, DWORD WorProcessId, CONST CHAR * ChaDLL )
{

    CHAR ChaDLLFilePath [ ( MAX_PATH + 16 ) ] = { 0 };

    strcpy ( ChaDLLFilePath, ChaDLL );

    HMODULE ModDLLHandle = NULL;

    BYTE * BytDLLBaseAdress = 0;

    MODULEENTRY32 MOEModuleInformation = { 0 };

    MOEModuleInformation.dwSize = sizeof ( MODULEENTRY32 );

    HANDLE HanModuleSnapshot = CreateToolhelp32Snapshot ( TH32CS_SNAPMODULE, WorProcessId );

    Module32First ( HanModuleSnapshot, & MOEModuleInformation );

    do
    {

        if ( ! strcmp ( MOEModuleInformation.szExePath, ChaDLLFilePath ) )
        {

            ModDLLHandle = MOEModuleInformation.hModule;

            BytDLLBaseAdress = MOEModuleInformation.modBaseAddr;
        }
    }

    while ( Module32Next ( HanModuleSnapshot, & MOEModuleInformation ) );

    CloseHandle ( HanModuleSnapshot );

    HMODULE ModKernel32 = GetModuleHandle ( "Kernel32.dll" );

    if ( ModKernel32 != NULL )
    {

        if ( ModDLLHandle != NULL &&
             BytDLLBaseAdress != 0 )
        {

            HANDLE HanDLLThread = CreateRemoteThread ( HanProcess, NULL, 0, LPTHREAD_START_ROUTINE ( GetProcAddress ( ModKernel32, "FreeLibrary" ) ), ( VOID * ) BytDLLBaseAdress, 0, NULL );

            if ( HanDLLThread != NULL )
            {

                if ( WaitForSingleObject ( HanDLLThread, INFINITE ) != WAIT_FAILED )
                {

                    CloseHandle ( HanDLLThread );

                    CloseHandle ( HanProcess );

                    return TRUE;
                }

                CloseHandle ( HanDLLThread );
            }
        }
    }

    CloseHandle ( HanProcess );

    return FALSE;
}