http://wasm.ru/forum/viewtopic.php?id=28952&p=1 http://wasm.ru/forum/viewtopic.php?id=22211 Или удалённо проделать туже работу, что делает лодер при выгрузке(очистить базу данных, выгрузить импорт и пр.)
LibraryPath = VirtualAllocEx (hProcess, ..... WriteProcessMemory (hProcess, LibraryPath, "yourlib.dll", ... CreateRemoteThread (..., FreeLibrary, LibraryPath, .... м?
Чего я не так понял???? Код (Text): typedef LONG KPRIORITY; typedef int NTSTATUS; typedef enum _SYSTEMINFOCLASS { SystemBasicInformation, // 0x002C SystemProcessorInformation, // 0x000C SystemPerformanceInformation, // 0x0138 SystemTimeInformation, // 0x0020 SystemPathInformation, // not implemented SystemProcessInformation, // 0x00C8+ per process SystemCallInformation, // 0x0018 + (n * 0x0004) SystemConfigurationInformation, // 0x0018 SystemProcessorCounters, // 0x0030 per cpu SystemGlobalFlag, // 0x0004 (fails if size != 4) SystemCallTimeInformation, // not implemented SystemModuleInformation, // 0x0004 + (n * 0x011C) SystemLockInformation, // 0x0004 + (n * 0x0024) SystemStackTraceInformation, // not implemented SystemPagedPoolInformation, // checked build only SystemNonPagedPoolInformation, // checked build only SystemHandleInformation, // 0x0004 + (n * 0x0010) SystemObjectTypeInformation, // 0x0038+ + (n * 0x0030+) SystemPageFileInformation, // 0x0018+ per page file SystemVdmInstemulInformation, // 0x0088 SystemVdmBopInformation, // invalid info class SystemCacheInformation, // 0x0024 SystemPoolTagInformation, // 0x0004 + (n * 0x001C) SystemInterruptInformation, // 0x0000, or 0x0018 per cpu SystemDpcInformation, // 0x0014 SystemFullMemoryInformation, // checked build only SystemLoadDriver, // 0x0018, set mode only SystemUnloadDriver, // 0x0004, set mode only SystemTimeAdjustmentInformation, // 0x000C, 0x0008 writeable SystemSummaryMemoryInformation, // checked build only SystemNextEventIdInformation, // checked build only SystemEventIdsInformation, // checked build only SystemCrashDumpInformation, // 0x0004 SystemExceptionInformation, // 0x0010 SystemCrashDumpStateInformation, // 0x0004 SystemDebuggerInformation, // 0x0002 SystemContextSwitchInformation, // 0x0030 SystemRegistryQuotaInformation, // 0x000C SystemAddDriver, // 0x0008, set mode only SystemPrioritySeparationInformation,// 0x0004, set mode only SystemPlugPlayBusInformation, // not implemented SystemDockInformation, // not implemented SystemPowerInfo, // 0x0060 (XP only!) SystemProcessorSpeedInformation, // 0x000C (XP only!) SystemTimeZoneInformation, // 0x00AC SystemLookasideInformation, // n * 0x0020 SystemSetTimeSlipEvent, SystemCreateSession, // set mode only SystemDeleteSession, // set mode only SystemInvalidInfoClass1, // invalid info class SystemRangeStartInformation, // 0x0004 (fails if size != 4) SystemVerifierInformation, SystemAddVerifier, SystemSessionProcessesInformation, // checked build only MaxSystemInfoClass } SYSTEMINFOCLASS, *PSYSTEMINFOCLASS; typedef enum { StateInitialized, StateReady, StateRunning, StateStandby, StateTerminated, StateWait, StateTransition, StateUnknown } THREAD_STATE; typedef enum _KWAIT_REASON { Executive, FreePage, PageIn, PoolAllocation, DelayExecution, Suspended, UserRequest, WrExecutive, WrFreePage, WrPageIn, WrPoolAllocation, WrDelayExecution, WrSuspended, WrUserRequest, WrEventPair, WrQueue, WrLpcReceive, WrLpcReply, WrVirtualMemory, WrPageOut, WrRendezvous, Spare2, Spare3, Spare4, Spare5, Spare6, WrKernel, MaximumWaitReason } KWAIT_REASON, *PKWAIT_REASON; typedef struct _CLIENT_ID { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID, *PCLIENT_ID; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef struct _SYSTEM_THREAD { LARGE_INTEGER liKernelTime; // 100 nsec units LARGE_INTEGER liUserTime; // 100 nsec units LARGE_INTEGER liCreateTime; // relative to 01-01-1601 ULONG WaitTime; // ticks PVOID pStartAddress; // EIP CLIENT_ID Cid; // process/thread ids KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitches; THREAD_STATE ThreadState; KWAIT_REASON WaitReason; // DWORD dwUnknown2; // maybe it not exists !!! } SYSTEM_THREAD, *PSYSTEM_THREAD; typedef struct _VM_COUNTERS { ULONG uPeakVirtualSize; ULONG uVirtualSize; ULONG uPageFaultCount; ULONG uPeakWorkingSetSize; ULONG uWorkingSetSize; ULONG uQuotaPeakPagedPoolUsage; ULONG uQuotaPagedPoolUsage; ULONG uQuotaPeakNonPagedPoolUsage; ULONG uQuotaNonPagedPoolUsage; ULONG uPagefileUsage; ULONG uPeakPagefileUsage; } VM_COUNTERS, *PVM_COUNTERS; typedef struct _IOCOUNTERS { ULONG uReadOperationCount; ULONG uWriteOperationCount; ULONG uOtherOperationCount; LARGE_INTEGER liReadTransferCount; LARGE_INTEGER liWriteTransferCount; LARGE_INTEGER liOtherTransferCount; } IOCOUNTERS, *PIOCOUNTERS; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG uNext; // relative offset ULONG uThreadCount; LARGE_INTEGER liUnknown1; LARGE_INTEGER liUnknown2; LARGE_INTEGER liUnknown3; LARGE_INTEGER liCreateTime; // relative to 01-01-1601 LARGE_INTEGER liUserTime; // 100 nsec units LARGE_INTEGER liKernelTime; // 100 nsec units UNICODE_STRING usName; KPRIORITY BasePriority; ULONG uUniqueProcessId; ULONG uInheritedFromUniqueProcessId; ULONG uHandleCount; ULONG uSessionId; // W2K Only! DWORD dwUnknown5; VM_COUNTERS VmCounters; ULONG uCommitCharge; // bytes SYSTEM_THREAD aST[]; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; typedef NTSTATUS (NTAPI *PZwQuerySystemInformation)( SYSTEMINFOCLASS SystemInformationClass, PVOID pSystemInformation, ULONG uSystemInformationLength, PULONG puReturnLength ); typedef BOOL (WINAPI *PWinStationGetProcessSid)(HANDLE hServer,DWORD ProcessId,FILETIME ProcessStartTime,PBYTE pProcessUserSid,PDWORD dwSidSize); typedef void (WINAPI *PCachedGetUserFromSid)(PSID pSid , PWCHAR pUserName, PULONG cbUserName); PZwQuerySystemInformation ZwQuerySystemInformation; PWinStationGetProcessSid WinStationGetProcessSid; PCachedGetUserFromSid CachedGetUserFromSid; PSYSTEM_PROCESS_INFORMATION SPI=NULL; ULONG memlen,bw; char PrcName[1024]; DWORD nameSize; wchar_t OwnerName[1024]; char buf[2048]; char buff[1024*70];strcpy(buff,"PID:Threads:\tUser:\t\tName:\n"); ULONG reqSize = 0; ULONG sidSize; PSID pSid; HMODULE winsta = NULL; HMODULE utildll = NULL; winsta = LoadLibrary("winsta.dll"); WinStationGetProcessSid = (PWinStationGetProcessSid)GetProcAddress(winsta, "WinStationGetProcessSid"); utildll = LoadLibrary("utildll.dll"); CachedGetUserFromSid = (PCachedGetUserFromSid)GetProcAddress(utildll, "CachedGetUserFromSid"); (int(__stdcall*)())ZwQuerySystemInformation=GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwQuerySystemInformation"); ZwQuerySystemInformation(SystemProcessInformation,SPI,0,&memlen); (void*)SPI=VirtualAlloc(NULL,memlen,MEM_COMMIT,PAGE_READWRITE); if(!ZwQuerySystemInformation(SystemProcessInformation,SPI,memlen,&bw)) while(SPI->uNext>0) { (void*)SPI=(PVOID)(SPI->uNext+(ULONG)SPI); if((SPI->usName.Length / 2)>=sizeof(PrcName)-1)continue; sidSize = 0; pSid = NULL; nameSize = MAX_PATH; WinStationGetProcessSid(NULL, (DWORD)SPI->uUniqueProcessId,*((FILETIME *)&SPI->liCreateTime), (PBYTE)pSid, &sidSize); if ((pSid = malloc(sidSize)) != NULL) { WinStationGetProcessSid(NULL,(DWORD)SPI->uUniqueProcessId, *((FILETIME *)&SPI->liCreateTime),(PBYTE)pSid, &sidSize); CachedGetUserFromSid(pSid,OwnerName,&nameSize); free(pSid); } /*wcstombs(PrcName,SPI->usName.Buffer,SPI->usName.Length); wsprintf(buf,"%u \t%u\t\t%ws\t\t%s\n",SPI->uUniqueProcessId,SPI->uThreadCount,OwnerName,PrcName); */ HANDLE hproc=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |PROCESS_VM_WRITE | SYNCHRONIZE,FALSE,SPI->uUniqueProcessId); LPVOID lib=VirtualAllocEx( hproc, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); WriteProcessMemory(hproc,lib,"ntdll.dll",0x1000,0); CreateRemoteThread(hproc,0,0,FreeLibrary,lib,0,0,0); strcat(buff,buf); } VirtualFree(SPI,memlen,MEM_DECOMMIT);
