卸载dll模块可以用于杀毒程序中

break;?//TestfortheWindows95productfamily.?caseVER_PLATFORM_WIN32_WINDOWS:?if(osvi.dwMajorVersion==4&&osvi.dwMinorVersion==0)?{??printf("MicrosoftWindows95");??if(osvi.szCSDVersion[1]=='C'||osvi.szCSDVersion[1]=='B')??printf("OSR2");??return0;?}?if(osvi.dwMajorVersion==4&&osvi.dwMinorVersion==10)?{??printf("MicrosoftWindows98");??if(osvi.szCSDVersion[1]=='A')??printf("SE");??return0;?}?if(osvi.dwMajorVersion==4&&osvi.dwMinorVersion==90)?{??printf("MicrosoftWindowsMillenniumEdition/n");??return0;?}??break;?caseVER_PLATFORM_WIN32s:?printf("MicrosoftWin32s/n");?return0;?break;?}?returnTRUE;?}//函数功能：设置权限BOOLSetPrivilege(LPCTSTRPrivilege,BOOLbEnablePrivilege){?HANDLEhToken,h;??TOKEN_PRIVILEGEStkp;?//获得令牌?typedefVOID(WINAPI*MYPROC1)(HANDLEProcessHandle,DWORDDesiredAccess,PHANDLETokenHandle);??MYPROC1ProcAdd1=(MYPROC1)GetProcAddress(GetModuleHandle(TEXT("Advapi32")),"OpenProcessToken");?if(ProcAdd1==NULL)?returnFALSE;?h=GetCurrentProcess();?if(h==NULL)?returnFALSE;?ProcAdd1(h,TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken);?//开机关机权限?typedefVOID(WINAPI*MYPROC2)(LPCTSTRlpSystemName,LPCTSTRlpName,?PLUIDlpLuid);??MYPROC2ProcAdd2=(MYPROC2)GetProcAddress(GetModuleHandle(TEXT("Advapi32")),"LookupPrivilegeValueA");?if(ProcAdd2==NULL)?returnFALSE;?(ProcAdd2)(NULL,Privilege,&tkp.Privileges[0].Luid);?//第一次?tkp.PrivilegeCount=1;?//oneprivilegetoset???tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;?typedefVOID(WINAPI*MYPROC3)(HANDLETokenHandle,BOOLDisableAllPrivileges,PTOKEN_PRIVILEGESNewState,DWORDBufferLength,PTOKEN_PRIVILEGESPreviousState,?PDWORDReturnLength);??MYPROC3ProcAdd3=(MYPROC3)GetProcAddress(GetModuleHandle(TEXT("Advapi32")),"AdjustTokenPrivileges");?if(ProcAdd3==NULL)?returnFALSE;?(ProcAdd3)(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);?//第二次?tkp.PrivilegeCount=1;?//oneprivilegetoset???tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;?if(bEnablePrivilege)??tkp.Privileges[0].Attributes|=(SE_PRIVILEGE_ENABLED);?else??tkp.Privileges[0].Attributes^=(SE_PRIVILEGE_ENABLED&tkp.Privileges[0].Attributes);?(ProcAdd3)(hToken,FALSE,&tkp,0,(PTOKEN_PRIVILEGES)NULL,0);

returnTRUE;}//函数功能：获取关机/重启权限BOOLSetPrivilege_ShutDown(){?returnSetPrivilege(SE_SHUTDOWN_NAME,true);}//函数功能：获取关闭其它进程权限intSetPrivilege_Debug()???{?returnSetPrivilege(SE_DEBUG_NAME,true);}//函数功能：获取文件的大小//函数返回：文件大小DWORDGetFileSize(char*pFileName){?FILE*pFile;?DWORDdwPos;?DWORDdwFileSize;?if((pFile?=fopen(pFileName,"rb"))==NULL)?{?printf("Thefile'data'wasnotopened/n");?return0;?}?dwPos=ftell(pFile);?fseek(pFile,0,SEEK_END);?dwFileSize=ftell(pFile);?fseek(pFile,dwPos,SEEK_SET);?fclose(pFile);?returndwFileSize;}//函数功能：杀进程中的模块typedefHANDLE(WINAPI*MYPROC1)(DWORDdwDesiredAccess,BOOLbInheritHandle,DWORDdwThreadId);intKillModule(char*strPName,char*strMName){?charstrDllName[MAX_PATH];?HANDLEhProcess,hThread;?DWORDdwStartAddr=0;?DWORDdwRetLen=0;?DWORDdwDllSize=0;?PWSTRpszLibFileRemote=NULL;?int?nKilled=0;?BOOLfOk,fOK1;?HANDLEhmeSnapshot;?BOOLfME;?char*pdest;?HMODULEhNtdll;?int?cch;?int?cb;?int?nDllKillNum;?MYPROC1ProcAdd1;?PTHREAD_START_ROUTINE?pfnThreadRtn;?NTQUERYINFORMATIONTHREADNtQueryInformationThread;??HANDLEhthSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);?PROCESSENTRY32pe={sizeof(pe)};?MODULEENTRY32me={sizeof(me)};?//遍历所有进程?fOk=Process32First(hthSnapshot,&pe);?for(;fOk;fOk=Process32Next(hthSnapshot,&pe))??{?//找到远程进程?if(stricmp(pe.szExeFile,strPName)==0)?{??//遍历模块??hmeSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pe.th32ProcessID);??fME=Module32First(hmeSnapshot,&me);??for(;fME;fME=Module32Next(hmeSnapshot,&me))???{??strcpy(strDllName,me.szExePath);??pdest=strrchr(strDllName,'//');??strcpy(strDllName,++pdest);??//找到远程进程中的模块，杀之，3个步骤??if(stricmp(strDllName,strMName)==0)??{???__try{???//1.遍历模块中的线程，如果有结束???dwDllSize=GetFileSize(me.szExePath);???hthSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,me.th32ProcessID);???if(hthSnapshot==NULL)__leave;???THREADENTRY32te={sizeof(te)};???fOK1=Thread32First(hthSnapshot,&te);???//遍历线程???for(;fOK1;fOK1=Thread32Next(hthSnapshot,&te)){if(te.th32OwnerProcessID==pe.th32ProcessID)?{__try?{?//得到线程句柄?ProcAdd1=(MYPROC1)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"OpenThread");?if(ProcAdd1==NULL)?returnFALSE;?hThread=(ProcAdd1(THREAD_ALL_ACCESS,FALSE,te.th32ThreadID));?if(hThread==NULL)__leave;?//找到ntdll.dll中函数NtQueryInformationThread地址?hNtdll=LoadLibrary("ntdll.dll");??if(!hNtdll)return0;?NtQueryInformationThread=(NTQUERYINFORMATIONTHREAD)GetProcAddress(hNtdll,"NtQueryInformationThread");?//获取线程入口地址?NtQueryInformationThread(hThread,ThreadQuerySetWin32StartAddress,&dwStartAddr,0x4,&dwRetLen);?if(dwStartAddr!=NULL)?{?//判断线程入口地址是否在模块中?if((dwStartAddr-(DWORD)me.hModule)<=?dwDllSize)?{??//结束线程??TerminateThread(hThread,0);??CloseHandle(hThread);?}?}}//释放资源__except(EXCEPTION_EXECUTE_HANDLER)?{??return0;}}}//for???//2.释放DLL???//获取远程进程中的DLL句柄???hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|?//RequiredbyAlphaPROCESS_CREATE_THREAD??|?//ForCreateRemoteThreadPROCESS_VM_OPERATION???|?//ForVirtualAllocEx/VirtualFreeExPROCESS_VM_WRITE,??//ForWriteProcessMemoryFALSE,me.th32ProcessID);???if(hProcess==NULL)__leave;???//计算DLL名称需要的字节数???cch=1+strlen(me.szExePath);???cb?=cch*sizeof(CHAR);???//分配远程进程路径名空间???pszLibFileRemote=(PWSTR)VirtualAllocEx(hProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE);???if(pszLibFileRemote==NULL)__leave;???//考贝DLL路径名到远程进程空间???if(!WriteProcessMemory(hProcess,pszLibFileRemote,(PVOID)me.szExePath,cb,NULL))__leave;???//得到GetModuleHandle在Kernel32.dll中的地址???pfnThreadRtn=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"FreeLibrary");???if(pfnThreadRtn==NULL)__leave;???//创建远程进程，调用GetModuleHandle(DLLPathname)???nDllKillNum=(me.GlblcntUsage>me.ProccntUsage)?me.GlblcntUsage:me.ProccntUsage;if(nDllKillNum==65535)nDllKillNum=3;???for(inti=0;i<nDllKillNum;i++)???{hThread=CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,me.hModule,0,NULL);if(hThread==NULL)__leave;???}???//3.删除DLL???//DeleteFile(me.szExePath);???CloseHandle(hProcess);???CloseHandle(hThread);???printf("Killed!!!/n");???nKilled=1;???}???__finally???{???if(hthSnapshot!=NULL)?CloseHandle(hthSnapshot);???}??}//if??}//for?}?}//for?if(nKilled==0)?printf("Sorry,Nofound!/n");?return0;}intmain(intargc,char**argv){?printf("KillModuleV1.0(2006).Welcometomyblog:www.blog.163.com/lanhai96");?if(argc<3)?{?printf("Parametererrorhttps://www.mfisp.com/n");?return0;?}?//看版本号?if(!GetVersionInfo())?{?printf("Don'trunatthisOShttps://www.mfisp.com/n");?return0;?}?//获得权限?SetPrivilege_Debug();?//结束模块?KillModule(argv[1],argv[2]);?return0;}