Learning notes Uninstalling DLL modules in a remote target process(2007-07-23 23:51:02)
reproduced
Learn notes uninstalling DLL modules in a remote target process 2007/7/23
1. The first thing to do is to end the thread in the DLL module
Using CreateToolhelp32Snapshot(th32cs_snapthread,0); Create a snapshot of the system thread and then use Thread32first () and
Thread32next () traverses all threads in the system. Saves the traversed thread to the THREADENTRY32 structure, It then determines whether the TH32OWNERPROCESSID member in the structure is equal to the target process ID to determine whether the thread is the target process. Then use the function Openthread () Open the thread. However, the Openthread function is not defined in VC6. This function exists in Kernel32.dll. You need to define it yourself: The third parameter specifies the ID of the thread to open (obtained from the THREADENTRY32 structure)
typedef HANDLE (Winapi*openthread) (DWORD Dwflag, BOOL bInheritHandle, DWORD dwThreadID);
The function is then available using the GetProcAddress function to get the address of the Openthread function from the Kernel32.dll.
Openthread openthread= (Openthread) GetProcAddress (GetModuleHandle ("Kernel32"), "Openthread");
Open thread get thread handle with Openthread function
HANDLE Hthread=openthread (Thread_all_access,false,thread.th32threadid);
You can call Ntqueryinformationthread after you have a handle to the threadFunction gets the entry address of the thread
function NtqueryinformationthreadIt is not defined in VC6 and needs to be defined and then used.
NtqueryinformationthreadThe first parameter of the function is the thread handle, the second argument is an enumeration value and the enumeration type is undefined in VC6, and it also needs to be defined by itself
NtqueryinformationthreadDefinition of a function
typedef DWORD (callback* Ntqueryinformationthread) (Handle,dword,pvoid,dword,pdword);
Get NtqueryinformationthreadAddress of the function: NtqueryinformationthreadFunctions exist in Ntdll.dll, and Ntdll.dll, like Kernel32.dll, make a copy of the system at the beginning of each process so that they can be used directly
GetProcAddress function gets its address
NtqueryinformationthreadNtqueryinformationthread= (Ntqueryinformationthread) GetProcAddress (GetModuleHandle ("Ntdll.dll"), "Ntqueryinformationthread");
Define NtqueryinformationthreadThe enumeration type to use:
typedef enum _THREAD_INFORMATION_CLASS
{
Threadbasicinformation,
Threadtimes,
ThreadPriority,
Threadbasepriority,
Threadaffinitymask,
Threadimpersonationtoken,
ThreaddescriptortableentRy
ThreadenablealignmentfauLtfixup,
Threadeventpair,
Threadquerysetwin32startAddress,
Threadzerotlscell,
Threadperformancecount,
Threadamilastthread,
Threadidealprocessor,
Threadpriorityboost,
Threadsettlsarrayaddress,
Threadisiopending,
Threadhidefromdebugger
}thread_information_class,*pthread_information_class;
Ntqueryinformationthread this placeThe function will use the 9th value of this enumeration type Threadquerysetwin32startAddress
You can not define this enumeration type and directly ntqueryinformationthread theThe second parameter of the function is set to a value of 9.
About NtqueryinformationthreadThe details of the function don't know much
The usage here is:
Ntqueryinformationthread(Hthread,threadquerysetwin32startAddress,&start,0x4,null);
The first argument is a thread handle, obtained by the Openthread function, and the second argument is the enumeration value.
The third parameter is a pointer to a DWORD variable that is used to receive the thread's entry address. The fourth parameter can only be 0x4 for the time being. The fifth parameter is also a DWORD variable pointer, but can be set to null here
The method that determines whether the entry address of the thread is in a DLL module is:
With Ntqueryinformationthreadfunction gets the thread entry address-the DLL module handle (which needs to be converted to a DWORD value first)
The resulting difference is compared to the size of the DLL module file if the difference is exactly less than or equal to the size of the DLL module file
Indicates that the thread entry address is in the DLL module.
The module handle is required here, and the fetch for it is discussed later.
Finally, you can call TerminateThread (hthread,0), and the function ends the thread
After all the threads in the DLL module are terminated with the above method, the DLL module can be unloaded.
2. To unload a DLL module, you first need to get the handle of the DLL module
Can be obtained through the GetModuleHandle function
You can also create a snapshot by CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PROCESSID);
Method of Module32first and Module32next traversal module get
Let's start with the GetModuleHandle function. This method requires the CreateRemoteThread function to create a thread in the remote process. Let the thread call the GetModuleHandle function in Kernel32.dll. But that's not going to work. Because the GetModuleHandle function needs to be parameterized with the DLL module file name. Since it is the remote thread that calls the GetModuleHandle function. The DLL module file name must also be Writes to the address space of the target process. Finally, the CreateRemoteThread function is used to create the thread execution GetModuleHandle function to get the DLL handle
Because the GetModuleHandle function is executed remotely with the CreateRemoteThread function. The return value (that is, the DLL handle) cannot be obtained directly from the GetModuleHandle function. You must then use the GetExitCodeThread function after the WaitForSingleObject function to get the thread's exit code. If the thread returns correctly. The exit code is a thread function (GetModuleHandle) return value and then use the same method to call the FreeLibrary function with the CreateRemoteThread remote create thread to unload the DLL
(Note: This method has not been successfully tested and is theoretically feasible.)
Now look at the second method, by CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,PROCESSID) to create a snapshot of the process module, Then use Module32first and Module32next to traverse all modules in the process. The Module32first and Module32next functions Save the traversal results to the MODULEENTRY32 structure. By querying the Szexepath or szmodule in the structure To determine if it is the target module that we want to unload. Where Szexepath saves the file name of the module including the full path and Szmodule only includes the module filename without the path
3. Two key issues solved, the rest is how to unload the DLL module problem
The FreeLibrary function is required to unload the DLL module. Because the module in the remote process is unloaded, the remote process must be allowed to execute the function.
So the CreateRemoteThread function will be used again to create the remote thread
Here's how it's implemented:
First get the address of the FreeLibrary function from the Kernel32.dll module
LPVOID pfunc= (lpthread_start_routine) GetProcAddress (Pkernel32, "FreeLibrary");//Where PKERNEL32 is the handle of Kernel32.dll
and finally call
HANDLE hthread = CreateRemoteThread (process, NULL, 0, (lpthread_start_routine) PFunc,(LPVOID) Module->hmodule, 0, &dwid/* used to receive a new thread id*/);
The fifth parameter is the module handle we obtained in the previous step
Explain it. Because a process can call the LoadLibrary function multiple times to mount a DLL module (calling a LoadLibrary function system adds a reference count to the DLL module does not mean that there will be multiple identical DLL modules in the process) In order to prevent this situation. It is best to use a loop for the unload operation. Also obtains the execution of FreeLibrary function by using GetExitCodeThread method
Until the returned result is false. This means that the uninstallation of the module has been completed.
4. Also attach a bit about CreateToolhelp32SnapshotData for the function
CreateToolhelp32SnapshotThe function establishes a snapshot [snapshot] for the specified process, the heap [heap] used by the process, modules [module], threads [thread].
Prototype:
HANDLE WINAPI CreateToolhelp32Snapshot(DWORD Dwflags,dword Th32processid);
Parameters:
DwFlags
[input] Specifies the system content contained in the snapshot, which can use one of the following values (variables).
Th32cs_inherit-declares that the snapshot handle is inheritable.
Th32cs_snapall-Contains all the processes and threads in the system in the snapshot.
Th32cs_snapheaplist-Contains all the heaps of the process specified in Th32processid in the snapshot.
Th32cs_snapmodule-Contains all the modules of the process specified in Th32processid in the snapshot.
Th32cs_snapprocess-Contains all the processes in the system in the snapshot.
Th32cs_snapthread-Contains all the threads in the system in the snapshot.
Th32processid
[input] Specifies the ID of the process to be snapped. If the parameter is 0, the snapshot current process is taken. This parameter is only valid if Th32cs_snapheaplist or Th32cs_snapmoudle is set, and in other cases the parameter is ignored and all processes are snapped.
return value:
The call succeeds, returns a handle to the snapshot, and the call fails, returning Invaid_handle_value.
5. New Issues
New problems found in this study. Some programs always load a lot of related DLL modules at the beginning
For example, when QQGame.exe starts, it loads up to 109 modules. Some are common like Ntdll.dll Kernel32.dll Gdi32.dll Ole32.dll and so on. There are also some QQGame.exe of their own DLL modules that accomplish some of the QQGAME.EXE's special functions. But QQGAME.EXE did not immediately invoke something in some module. For example, a QQGAME.EXE module in HelpDll.dll. I We can use such a module to launch our virus. We can copy the DLL module file to a hidden directory. Then write a new DLL module yourself. The module should have the function. 1 First to load the real DLL module that we copied. 2 Load or start our virus program. 3 Do it immediately after you've done both of these jobs. Unloading. Finally, put the well-written DLL file into the previous HelpDll.dll directory to overwrite the real DLL file. So our virus will start up with QQGame.exe.
The above example is a successful test. I don't know if other processes or modules will support such a way
Source: >
From for notes (Wiz)
Learning notes Uninstalling DLL modules in a remote target process (GO)
