Reak I post too much
Reputation: 0
Joined: 15 May 2007 Posts: 3496
Posted: Sun Jan 04, 2009 1:19 pm Post subject: Unload another dll with a dll?
Hey,
I'm trying to unload a dll in another process.
For that, I'm injecting this dll:
Code:
  var
    tid: Cardinal;   // unused
    Hcepe: Cardinal;
  begin
    Sleep(5000);
    //ShowMessage('lol');
    Hcepe := GetModuleHandle('cepe.dll');
    if Hcepe <> 0 then
    begin
      DisableThreadLibraryCalls(Hcepe);
      FreeLibraryAndExitThread(Hcepe, 0);
      DisableThreadLibraryCalls(hInstance);
      FreeLibraryAndExitThread(hInstance, 0);
    end;
  end.
But this crashes the whole application, why?
DeletedUser14087 I post too much
Reputation: 2
Joined: 21 Jun 2006 Posts: 3069
Posted: Sun Jan 04, 2009 1:48 pm Post subject:
Ok reakw0n, a description of my sample:
1) It will take a snapshot (with a Camera by canon) of all loaded modules of the injected target
2) It will loop module by module until it meets the module you're looking for (look at const)
3) When the module is found, it will unload it
Code:
  library ModuleUnloader;

  uses
    Windows,   // Win32 API
    SysUtils,  // SameText
    Tlhelp32;  // Tool Help snapshot functions

  const //#define
    Module_To_Be_Seeked = 'cepe.dll'; // the module you're seeking for

  {$R *.res}

  // Walks a snapshot of this process's modules and returns the HMODULE of
  // Name, or 0 if it is not loaded.
  function FindModule(const Name: string): HMODULE;
  var
    hSnapShot: THandle;     // temp variable to store the snapshot handle
    lpme: MODULEENTRY32;    // one module entry of the snapshot
    ModuleName: string;
  begin
    Result := 0;
    lpme.dwSize := SizeOf(lpme); // MSDN: If you do not initialize dwSize, Module32First fails.
    hSnapShot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId);
    if hSnapShot = INVALID_HANDLE_VALUE then
      Exit;
    try
      if Module32First(hSnapShot, lpme) then // first module obtained successfully?
        repeat // keep looping until the module we want turns up or the list ends
          ModuleName := lpme.szModule;       // zero-terminated char array -> string
          if SameText(ModuleName, Name) then // module names are not case-sensitive
          begin
            Result := lpme.hModule;
            Break;
          end;
        until not Module32Next(hSnapShot, lpme);
    finally
      // The snapshot is a kernel handle and must be closed; an HMODULE is
      // not a kernel handle, so never CloseHandle a module handle.
      CloseHandle(hSnapShot);
    end;
  end;

  // Runs on its own thread: FreeLibrary must not be called from inside
  // DllMain (the loader lock is held there), and FreeLibraryAndExitThread
  // ends the calling thread, so it is only applied to this DLL itself, last.
  function UnloadThread(lpParameter: Pointer): DWORD; stdcall;
  var
    hTarget: HMODULE;
  begin
    Result := 0;
    hTarget := FindModule(Module_To_Be_Seeked);
    if hTarget <> 0 then
      while FreeLibrary(hTarget) do ; // decrement until the reference count reaches zero
    FreeLibraryAndExitThread(HInstance, 0); // unload ourselves; this call does not return
  end;

  // Delphi's DllProc callback receives only the reason code; the handle of
  // this DLL is available as HInstance.
  procedure DllMain(dwReason: Integer);
  var
    hThread: THandle;
    tid: DWORD;
  begin
    case dwReason of
      DLL_PROCESS_ATTACH: // executes when the .dll is attached
      begin
        DisableThreadLibraryCalls(HInstance); // no DLL_THREAD_ATTACH/DETACH notifications
        hThread := CreateThread(nil, 0, @UnloadThread, nil, 0, tid);
        if hThread <> 0 then
          CloseHandle(hThread); // only the thread object handle; the thread keeps running
      end;
    end;
  end;

  begin // the library's main block runs for the attach notification itself
    DllProc := @DllMain;
    DllMain(DLL_PROCESS_ATTACH);
  end.
Dark Byte Site Admin
Reputation: 472
Joined: 09 May 2003 Posts: 25890 Location: The netherlands
Posted: Sun Jan 04, 2009 3:57 pm Post subject:
Try this: (assuming you already unhooked the hooked APIs)
Code:
  while FreeLibrary(Hcepe) do ;          // free till the instance count is 0
  FreeLibraryAndExitThread(hInstance, 0); // exit yourself
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
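Added example, not code from any poster in this thread: a stand-alone Delphi console program that exercises the "free till the instance count is 0" loop from Dark Byte's reply, together with the two checks a practitioner wants around it. The loop is capped, because a module pinned with GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_PIN) stays loaded no matter how many times FreeLibrary is called, and the outcome is verified with GetModuleHandle (which takes no reference of its own) instead of being inferred from FreeLibrary's return value. The target name winhttp.dll, the three LoadLibrary references and the MaxIterations cap are assumptions for the demonstration; any DLL the program does not import statically would do.

```delphi
program UnloadUntilGone;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

const
  // Assumption for this demonstration: a DLL this program does not import
  // statically, so driving its reference count to zero is safe.
  TargetDll = 'winhttp.dll';
  // Cap for the FreeLibrary loop; a pinned module is never unmapped, so an
  // uncapped "while FreeLibrary(h) do ;" could spin forever.
  MaxIterations = 64;

// Calls FreeLibrary on the named module until the loader has unmapped it,
// FreeLibrary reports failure, or the cap is reached. Returns the number of
// successful FreeLibrary calls; Unloaded reports whether the module is really
// gone, checked with GetModuleHandle rather than inferred from FreeLibrary.
function FreeUntilGone(const Name: string; out Unloaded: Boolean): Integer;
var
  h: HMODULE;
begin
  Result := 0;
  h := GetModuleHandle(PChar(Name));
  // Short-circuit evaluation: FreeLibrary is only reached while h <> 0.
  while (h <> 0) and (Result < MaxIterations) and FreeLibrary(h) do
  begin
    Inc(Result);
    h := GetModuleHandle(PChar(Name)); // re-query; h is stale once unmapped
  end;
  Unloaded := GetModuleHandle(PChar(Name)) = 0;
end;

var
  i, Calls: Integer;
  Gone: Boolean;
begin
  // Take three references on purpose: one FreeLibrary then leaves two behind.
  for i := 1 to 3 do
    if LoadLibrary(TargetDll) = 0 then
      RaiseLastOSError;
  Writeln('loaded after 3 x LoadLibrary: ', GetModuleHandle(TargetDll) <> 0);

  FreeLibrary(GetModuleHandle(TargetDll));
  Writeln('still loaded after one FreeLibrary: ', GetModuleHandle(TargetDll) <> 0);

  Calls := FreeUntilGone(TargetDll, Gone);
  Writeln('further FreeLibrary calls needed: ', Calls, '  unloaded: ', Gone);
end.
```

With nothing else in the process referencing winhttp.dll, the module is still loaded after the single FreeLibrary and two more calls unload it. In Reak's situation the same loop runs on a thread inside the target process, and only after every hook that jumps into cepe.dll has been removed: once the count hits zero the pages are gone and a still-hooked API would jump into unmapped memory. Never drive a statically imported DLL to zero this way; the importing module still has call sites into it.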
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Mon Jan 05, 2009 12:10 pm Post subject:
Code:
  DisableThreadLibraryCalls(Hcepe);
  FreeLibraryAndExitThread(Hcepe, 0);
I think FreeLibraryAndExitThread is only meant for a DLL that wants to unload itself, not to unload another DLL, since it'll terminate the calling thread. So do as Dark Byte said: free it using FreeLibrary, and it should automatically terminate.
Reak I post too much
Reputation: 0
Joined: 15 May 2007 Posts: 3496
Posted: Mon Jan 05, 2009 7:29 pm Post subject:
Ok, thank you all, but I fixed it with something else since this never really worked.
dnsi0 I post too much
Reputation: 0
Joined: 04 Jan 2007 Posts: 2674
Posted: Tue Jan 06, 2009 7:36 pm Post subject:
I think it crashed because you didn't unhook the APIs that CEPE hooked. I made a program that hooks functions, but if you close the window, the app crashes because the app still has the jmp to the function. So it jumps into inaccessible code, so it fails.
DeletedUser14087 I post too much
Reputation: 2
Joined: 21 Jun 2006 Posts: 3069
Posted: Wed Jan 07, 2009 5:31 am Post subject:
Hey, instead of FreeLibraryAndExitThread, use FreeLibrary().
Zand Master Cheater
Reputation: 0
Joined: 21 Jul 2006 Posts: 424
Posted: Wed Jan 07, 2009 11:38 am Post subject:
You can hack it up, making it possible for the DLL to unload itself, using something along the lines of
Code:
  __asm {
    push hDll                    // argument for FreeLibrary (stdcall, popped by its ret 4)
    push ExitThreadAddress       // sits where FreeLibrary expects its return address
    jmp dword ptr [FreeLibrary]  // tail-jump through the import entry; never returns here
    // after FreeLibrary's "ret 4" execution lands in ExitThread; the exit
    // code it sees is whatever lay on the stack below hDll
  }
Credits to Darawk
tombana Master Cheater
Reputation: 2
Joined: 14 Jun 2007 Posts: 456 Location: The Netherlands
Posted: Wed Jan 07, 2009 11:53 am Post subject:
Zand wrote:
  You can hack it up, making it possible for the DLL to unload itself, using something along the lines of
  Code:
    __asm {
      push hDll
      push ExitThreadAddress
      jmp dword ptr [FreeLibrary]
    }
  Credits to Darawk

That will execute FreeLibrary with ExitThread as the return address, so that's exactly what FreeLibraryAndExitThread does, but I don't think it's the solution here since it's not its own library. If the DLL has a thread, he should probably terminate it first and then call FreeLibrary until FreeLibrary returns 0.