Detach a DLL from a remote thread

How to detach a DLL from another process.
To uninstall a DLL from another process, you must first escalate the permission of the process. The related operations are also very simple. I have encapsulated them into a function.
/*************************************** ******************************/
Bool bdebugprocess2 (handle hprocess, lpctstr privilegename)
{
Handle htoken;
Token_privileges tkp;

 
If (! Openprocesstoken (hprocess,
Token_adjust_privileges | token_query, & htoken ))
Return (false );
 

 
Lookupprivilegevalue (null, privilegename,
& Tkp. Privileges [0]. luid );
 
Tkp. privilegecount = 1; // One privilege to set
Tkp. Privileges [0]. Attributes = se_privilege_enabled;
 

 
Adjusttokenprivileges (htoken, false, & tkp, 0,
(Ptoken_privileges) null, 0 );

If (getlasterror () =! Error_success)
{
: MessageBox (null, "all applied permissions are successful", "successful", mb_ OK );
Return false;
}
Return true;
}
* Parameter description: hprocess the Process Handle that you want to escalate permissions to. to escalate the permissions of this process, you only need to pass the getcurrentprocess () function.
Privilegename: The permission you want to apply for. Generally, the se_debug_name parameter is passed, indicating that you want to operate on the memory space of other processes.

After improving the process permissions, we need to start our main operations. The operations are as follows:
1. First, you must call the OpenProcess function to obtain the handle of the host process. Note that the first parameter passed to this function should include process_create_thread, process_vm_operation, process_vm_write
. Here, we need to apply for the process_create_thread permission because we want to create a thread in other processes, that is, a remote thread. Then, we need to perform operations on the address space of the remote process.
Therefore, we need to apply for the process_vm_operation permission and process_vm_write to apply for the write operation permission on the address space of the process.
2. We need to write the dll path name to the address space of the remote thread. First, we need to calculate the long path of the dll path to determine how much space we need to apply for in the address space,
In this step, you can use strlen, lstrlen, and other functions. After knowing the DLL pathname length, we can apply for a space. Call the virtualallocex function to submit a specified space.
Then, call the writeprocessmemory function to write the DLL name into the space just submitted. After the preceding operations are completed, the DLL name exists in the address space of the remote thread.
3. Create a remote thread to uninstall the DLL. To uninstall a DLL, you can call the freelibraryandexitthread or freelibrary function. Both functions require a parameter that is
Handle. To obtain the DLL module and the handle, you need to call the getmodulehandle function. Therefore, you must first determine the function pointer of getmodulehandle, and then create a remote thread in the remote process.
Call getmodulehandle to obtain the DLL handle. Then we can create a remote thread to call freelibraryandexitthread or freelibrary to uninstall the DLL.
In this way, we are finished.

The complete operation code is as follows (Note: I really don't want to write it myself. I am too lazy to find it online. It's pretty good after reading it)
/*************************************** ***************************************/
Bool unloaddll (DWORD dwpid, char * strdllname)
{
// Obtain the handle of the host process. Pay attention to the parameters. Otherwise, an error will occur.
Handle hprocess = OpenProcess (process_create_thread | process_vm_operation | process_vm_write,
False, dwpid );
If (hprocess = NULL ){
: MessageBox (null, "unable to get Process Handle", "error", mb_ OK | mb_iconerror );
Return false;
}

DWORD dwsize = 0;
DWORD dwwritten = 0;
DWORD dwhandle = 0;

Dwsize = strlen (strdllname) + 1; // The length of the full path name of the DLL, which will be used for memory allocation

// Allocate memory to the host process and return a pointer
Lpvoid lpbuf = virtualallocex (hprocess, null, dwsize, mem_commit, page_readwrite );

// If the write fails in the host process space, an error will be reported directly.
If (! Writeprocessmemory (hprocess, lpbuf, (lpvoid) strdllname. getbuffer (dwsize), dwsize, & dwwritten )){
Virtualfreeex (hprocess, lpbuf, dwsize, mem_decommit );
Closehandle (hprocess );
MessageBox (null, "failed to write in target process", "error", mb_ OK | mb_iconerror );
Return false;
}

// Obtain the address of the getmodulehandlea Function
Lpvoid pfun = getprocaddress (getmodulehandle ("Kernel32"), "getmodulehandlea ");

// Create a remote thread in the host process. The thread function is getmodulehandlea, the parameter is the lpbuf pointer, and
// Remember that the full dll path we obtained is not
Handle hthread = createremotethread (hprocess, null, 0, (lpthread_start_routine) pfun,
Lpbuf, 0, null );
// If the creation thread fails, an error is reported and the system exits.
If (hthread = NULL ){
Closehandle (hprocess );
: MessageBox (null, "failed to create a remote thread in the target process", "error", mb_ OK | mb_iconerror );
Return false;
}

// Wait until getmodulehandle finishes running
Waitforsingleobject (hthread, infinite );
// Obtain the returned value of getmodulehandle
Getexitcodethread (hthread, & dwhandle );

// Release the space applied in the target process
Virtualfreeex (hprocess, lpbuf, dwsize, mem_decommit );
Closehandle (hthread );

// Make the target process call freelibraryandexit to uninstall the DLL. You can also use freelibrary, but I found that the former is better.
Pfun = getprocaddress (getmodulehandle ("Kernel32"), "freelibraryandexitthread ");
Hthread = createremotethread (hprocess, null, 0, (lpthread_start_routine) pfun,
(Lpvoid) dwhandle, 0, null );
// Wait until the execution of freelibraryandexitthread is complete
Waitforsingleobject (hthread, infinite );
Closehandle (hthread );
Closehandle (hprocess );

Return true; // operation successful

}
/*************************************** **************************************** ************/

The above function requires that the passed parameter be the ID of the process. However, in most cases, we only know the process name, and the process ID is obtained by the process name.
The function is as follows (Note: to use this function, you need to include the header file <tlhelp32.h> ):
DWORD getprocessidfromname (lpctstr name, processentry32 * BPE)
{
Processentry32 PE;
DWORD id = 0;
Handle hsnapshot = createconlhelp32snapshot (th32cs_snapprocess, 0 );
PE. dwsize = sizeof (processentry32 );
Bool pF = false;
For (pF = process32first (hsnapshot, & PE); PF; pF = process32next (hsnapshot, & PE ))
{
If (strcmp (PE. szexefile, name) = 0)
{
Id = PE. th32processid;
* BPE = PE;
Break;
}
}
Closehandle (hsnapshot );
Return ID;
}

Now, we can use these functions to write a tool dedicated to detaching other process DLL.