Introduction to the Rundll32.exe Utility

Generally, DLL code must be loaded into memory before it can be executed. How can you execute code exported from a DLL without creating an EXE file that loads the DLL and calls the code? The method is as follows: starting with Windows 95, every version of the Windows operating system ships with a system utility, rundll32.exe. It can be used as shown below to execute functions exported by a DLL (though not all of them):

    rundll32.exe DllName,ExportedFnName args

ExportedFnName is the name of the function exported by the DLL. When writing a DLL for use with rundll32, the exported function can be declared as follows:

    extern "C" __declspec(dllexport) void CALLBACK FunctionName(
        HWND hwnd,
        HINSTANCE hInstance,
        LPTSTR lpCmdLine,
        int nCmdShow
    )
    { ... }

Rundll32.exe calls the function with this parameter list, but in practice only one parameter value is actually used: lpCmdLine, which receives the argument value passed on the rundll32.exe command line. __declspec(dllexport) exports the function; extern "C" gives the exported function name a decoration, for example _FunctionName@16 (the function name is forced to contain the size of the function's parameters; for details, see MSDN). Rundll32.exe loads the specified DLL and calls the function, passing the args value as lpCmdLine. For more about rundll32.exe, see the MSDN Knowledge Base article (Q164787):

http://support.microsoft.com/default.aspx?scid=kb;en-us;164787

Can a DLL delete itself?

The following is demo code for a self-deleting DLL:

    #include <windows.h>

    HMODULE g_hmodDLL;

    extern "C" BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD reason, LPVOID)
    {
        // Remember the module handle so the DLL can find its own file name later
        if (reason == DLL_PROCESS_ATTACH)
            g_hmodDLL = hinstDLL;
        return TRUE;
    }

    extern "C" __declspec(dllexport) void CALLBACK MagicDel(HWND,
                                                            HINSTANCE,
                                                            LPTSTR lpCmdLine,
                                                            int)
    {
        // Wait 2 seconds
        Sleep(2000);
        // Delete the executable file that created this process
        DeleteFile(lpCmdLine);

        // Delete the DLL itself
        char filenameDLL[MAX_PATH];
        GetModuleFileName(g_hmodDLL, filenameDLL, sizeof(filenameDLL));

        // The stack is laid out so that FreeLibrary(g_hmodDLL) returns into
        // DeleteFile(filenameDLL), which returns into ExitProcess(0).
        __asm
        {
            lea  eax, filenameDLL
            push 0
            push 0
            push eax
            push ExitProcess
            push g_hmodDLL
            push DeleteFile   // a function entered by a jump, not a call, needs its return address pushed manually
            push FreeLibrary
            ret
        }
    }

The code above first deletes a target file and then deletes itself. DllMain is the DLL entry function; it is called when the dynamic link library is first loaded. Here the module handle is saved in the global variable g_hmodDLL so that it can be used later to obtain the DLL's file name. In the MagicDel function, lpCmdLine is the name of the executable file that the DLL is to delete (for example, the file name of an uninstall program). Deleting it is easy: Sleep provides a delay so that the executable's process can exit, and then DeleteFile is called. To explore the implementation of MagicDel further, you can pass the executable's process handle to MagicDel and wait on it before calling DeleteFile to see what happens.

Making the DLL delete itself requires a trick. Rundll32 calls LoadModule to load the DLL into its address space. If the DLL function returns, rundll32 exits, which causes the DLL to be released (but not deleted). To solve this problem, we can execute the following code:

    FreeLibrary(DLL module handle);
    DeleteFile(DLL filename);
    ExitProcess(0);

The MagicDel function cannot make these calls directly in this order, because FreeLibrary invalidates the code page. Instead, MagicDel pushes the equivalent sequence onto the stack in assembly and executes it with a RET instruction, finally calling ExitProcess to prevent the process from continuing to run. I wrote the assembly block with reference to Gary Nebbett's piece in the "Tech Tips" column of Windows Developer's Journal (WDJ). If you build the DLL with the default Visual Studio options, the final binary file is about 40 K. Because we plan to use the DLL as a resource of an executable program, the smaller it is, the better, so we must slim it down. The idea is to remove the unused C runtime code from the DLL, as follows:

This example compiles the DLL with the Chinese edition of Visual Studio .NET 2003. First set the project's compile/link options:

Project (P) | [project name] Properties (P)... | Linker | Input | Ignore All Default Libraries: Yes (/NODEFAULTLIB). This passes /NODEFAULTLIB to filter out the runtime code.

Because the DLL entry point is usually provided by the runtime library (default DllMain), after completing the first setting you must explicitly set the DLL entry point to DllMain:

Project (P) | [project name] Properties (P)... | Linker | Advanced | Entry Point: DllMain.

If you build the DLL at this point, the build reports the following two unresolved externals errors:

    error LNK2019: unresolved external symbol ___security_cookie referenced in function _MagicDel@16
    error LNK2019: unresolved external symbol @__security_check_cookie@4 referenced in function _MagicDel@16

The solution is to perform the next step.

Project (P) | [project name] Properties (P)... | C/C++ | Code Generation | Buffer Security Check: No.

With this setting the /GS flag is not passed to the compiler, which gets rid of the unresolved externals errors.

Now build the DLL. The final DLL size is 3 K; the actual file size is 2.5 K.

Can an executable program delete itself?

The main idea here is to store the self-deleting DLL as a resource in the executable program that is to delete itself, re-create it on disk when needed, and then let a rundll32.exe process carry out the deletion.

Below are the header file and resource file used to store the DLL as a resource. The resource type value must be greater than 256; this range is reserved for user-defined types. Alternatively, the DLL binary can be stored directly in the source as a byte array:

Including the file in the resources

    // SelfDelete.h
    #define RC_BINARYTYPE 256
    #define ID_MAGICDEL_DLL 100

    // SelfDelete.rc
    #include "SelfDelete.h"
    ID_MAGICDEL_DLL RC_BINARYTYPE MagicDel.dll

The following is the key code of the executable program:

    #include <windows.h>
    #include "SelfDelete.h"

    void WriteResourceToFile(HINSTANCE hInstance,
                             int idResource,
                             char const *filename)
    {
        // Access the binary resource
        HRSRC hResInfo = FindResource(hInstance, MAKEINTRESOURCE(idResource),
                                      MAKEINTRESOURCE(RC_BINARYTYPE));
        HGLOBAL hgRes = LoadResource(hInstance, hResInfo);
        void *pvRes = LockResource(hgRes);
        DWORD cbRes = SizeofResource(hInstance, hResInfo);

        // Write the binary resource to a file
        HANDLE hFile = CreateFile(filename, GENERIC_WRITE, 0, 0, CREATE_ALWAYS,
                                  FILE_ATTRIBUTE_NORMAL, 0);
        DWORD cbWritten;
        WriteFile(hFile, pvRes, cbRes, &cbWritten, 0);
        CloseHandle(hFile);
    }

    void SelfDelete(HINSTANCE hInstance)
    {
        WriteResourceToFile(hInstance, ID_MAGICDEL_DLL, "MagicDel.dll");

        // Build the command line
        // 1. Locate rundll32.exe
        char commandLine[MAX_PATH * 3];
        GetWindowsDirectory(commandLine, sizeof(commandLine));
        lstrcat(commandLine, "\\rundll32.exe");
        if (GetFileAttributes(commandLine) == INVALID_FILE_ATTRIBUTES)
        {
            GetSystemDirectory(commandLine, sizeof(commandLine));
            lstrcat(commandLine, "\\rundll32.exe");
        }
        // 2. Add the rundll32.exe arguments
        lstrcat(commandLine, " MagicDel.dll,_MagicDel@16 ");
        // 3. Add this file's name
        char thisName[MAX_PATH];
        GetModuleFileName(hInstance, thisName, sizeof(thisName));
        lstrcat(commandLine, thisName);
        // Execute the command line
        PROCESS_INFORMATION procInfo;
        STARTUPINFO startInfo;
        memset(&startInfo, 0, sizeof(startInfo));
        startInfo.cb = sizeof(startInfo);   // CreateProcess expects the structure size here
        startInfo.dwFlags = STARTF_FORCEOFFFEEDBACK;
        CreateProcess(0, commandLine, 0, 0, FALSE, NORMAL_PRIORITY_CLASS, 0, 0,
                      &startInfo, &procInfo);
    }

    int WINAPI WinMain(HINSTANCE hInstance,
                       HINSTANCE hPrevInstance,
                       LPSTR lpCmdLine,
                       int nCmdShow)
    {
        SelfDelete(hInstance);
        return 0;
    }

WriteResourceToFile accesses the binary resource so that the DLL can be re-created on disk. The Windows resource API provides a pointer to the raw data.

SelfDelete re-creates the DLL and builds the following command line to start rundll32.exe:

    path\rundll32.exe MagicDel.dll,_MagicDel@16 path\executableName

Rundll32.exe is located in either the Windows directory or the System directory, so SelfDelete checks which location is correct. When CreateProcess runs the command, the STARTF_FORCEOFFFEEDBACK flag must be set to prevent Windows from displaying the busy hourglass cursor while rundll32.exe runs. With this flag, the user does not notice that a new process is running. After the new process exits, the DLL and the original executable file are gone.

To make the self-deleting executable independent of the C runtime DLL, the executable must be statically linked to the runtime library code. To do this, change the project's compile options:

Project (P) | [project name] Properties (P)... | C/C++ | Code Generation | Runtime Library: [Single-threaded (/ML)] or [Multi-threaded (/MT)] (or any option value that does not use the DLL)

This self-deletion technique works very stably on all versions of Windows. In practical use, the uninstall program first places a copy of itself in the Windows temporary (temp) directory, so that all program files and related directories can be deleted, and finally the copy itself is deleted by the self-deleting DLL.
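
A defensive view of the command line described above, as an added example that is not part of the original article: the sketch checks process-creation records for a rundll32.exe child that loads a DLL from outside the system directories, calls a stdcall-decorated export, and receives its parent's image path as the argument. The record fields, the sample events and the system directory paths are constructed assumptions.

```python
import ntpath
import re

# Constructed process-creation records (parent image, child image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\bob\AppData\Local\Temp\uninst.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe MagicDel.dll,_MagicDel@16 "
                r"C:\Users\bob\AppData\Local\Temp\uninst.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe "
                r"C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": r"C:\Program Files\App\app.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" '
                r'"C:\Program Files\App\helper.dll",Run config.ini'},
]

# rundll32.exe <dll>,<export> <args>; the DLL path may be quoted.
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]+"|\S+)\s+(?P<dll>"[^"]+"|[^,\s]+)\s*,\s*(?P<export>\S+)\s*(?P<args>.*)$')
DECORATED_RE = re.compile(r"^_\w+@\d+$")  # stdcall-decorated name such as _MagicDel@16
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumed install paths

def norm(path):
    """Normalise a Windows path for comparison (quotes stripped, lower case)."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def signals(event):
    """Return the self-deletion indicators present in one process-creation record."""
    if ntpath.basename(norm(event["image"])) != "rundll32.exe":
        return []
    m = RUNDLL_RE.match(event["cmdline"])
    if not m:
        return []
    found = []
    if ntpath.dirname(norm(m["dll"])) not in SYSTEM_DIRS:
        found.append("dll_outside_system_dir")
    if DECORATED_RE.match(m["export"]):
        found.append("decorated_export")
    if m["args"] and norm(m["args"]) == norm(event["parent"]):
        found.append("argument_is_parent_image")
    return found

def is_self_delete(event):
    """Alert only when the parent hands its own image path to a non-system DLL."""
    found = signals(event)
    return "argument_is_parent_image" in found and "dll_outside_system_dir" in found
```

Legitimate uninstallers use the same pattern, so a hit is a lead to triage against the parent's signer and install path rather than a verdict.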