Logic, Analysis, and Computation

宠辱不惊 静观窗前花开花落 去留无意 闲看天上云卷云舒

导航

<2024年11月>
272829303112
3456789
10111213141516
17181920212223
24252627282930
1234567

统计

公告

如需转载, 请注明出处。

常用链接

留言簿

随笔分类

随笔档案

文章档案

I/O performance

搜索

最新评论

re: 利用NtUnmapViewOfSection强制卸载模块 [未登录] 小学毕业生 2014-07-28 18:19
NtUnmapViewOfSection可以再Ring3下使用。
我用VB做给你看
Private Declare Function NtUnmapViewOfSection Lib "ntdll.dll" (ByVal ProcessHandle As Long ,ByVal BaseAddress As Long)As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long ,ByVal bInheritHandle As Boolean, ByVal dwProcessId As Long)As Long
Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleFileName As String) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Sub UnloadNtdll(ByVal PID As Long)
Dim hProc As Long
hProc = OpenProcess(&h8 Or &H400, False, PID)
If hProc = 0 Then Exit Sub
NtUnmapViewOfSection hProc, GetModuleHandleA("ntdll.dll")
CloseHandle hProc
End Sub