Logic, Analysis, and Computation

宠辱不惊 静观窗前花开花落 去留无意 闲看天上云卷云舒

导航

<2024年4月>
31123456
78910111213
14151617181920
21222324252627
2829301234
567891011

统计

公告

如需转载, 请注明出处。

常用链接

留言簿

随笔分类

随笔档案

文章档案

I/O performance

搜索

最新评论

re: 利用NtUnmapViewOfSection强制卸载模块 [未登录] 小学毕业生 2014-07-28 18:19
NtUnmapViewOfSection可以再Ring3下使用。
我用VB做给你看
Private Declare Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal ProcessHandle As Long ,ByVal BaseAddress As Long)As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long ,ByVal bInheritHandle As Boolean, ByVal dwProcessId As Long)As Long
Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleFileName As String) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Sub UnloadNtdll(ByVal PID As Long)
Dim hProc As Long
hProc = OpenProcess(&h8 Or &H400, False, PID)
If hProc = 0 Then Exit Sub
NtUnmapViewOfSection hProc, GetModuleHandleA("ntdll.dll")
CloseHandle hProc
End Sub