
delete dll as gmer

Posted: Sun Dec 30, 2012 11:50 am
by kenox
Hello

I am sorry for my bad English.

When I try to delete a DLL with a command, the system returns 'access denied'.
I tried to use GMER to remove the DLL and it succeeded in deleting the DLL.

How does it do it?

Thank you

Re: delete dll as gmer

Posted: Tue Jan 01, 2013 6:31 pm
by Dmitry Varshavsky
1. Close all opened handles
2. Unmap all of mapped views for this file
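
Before any handle can be closed or any view unmapped you need to know which processes have the DLL mapped at all. The PowerShell below is an added example, not code from this thread or from GMER: it walks every process's module list (the same loader data that Module32First/Module32Next expose) and reports the holders, and it reports processes whose modules could not be read instead of silently skipping them. The DLL path is whatever you pass in; the path in the usage comment is a placeholder, not a file from the thread.

```powershell
# Added example (not from the thread or from GMER): list processes that have a
# given DLL mapped. Run elevated so protected and other-session processes can be
# opened; holders that still cannot be read are reported, not dropped.
function Find-MappedDllHolders {
    param(
        [Parameter(Mandatory)] [string] $DllPath   # full path of the DLL to look for
    )
    $target = (Resolve-Path -LiteralPath $DllPath).ProviderPath
    foreach ($p in Get-Process) {
        try {
            # Process.Modules is built from the same loader data as Module32First/Next.
            foreach ($m in $p.Modules) {
                if ($m.FileName -ieq $target) {
                    [pscustomobject]@{
                        ProcessId   = $p.Id
                        ProcessName = $p.ProcessName
                        BaseAddress = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
                        ModuleSize  = $m.ModuleMemorySize
                        Note        = ''
                    }
                }
            }
        } catch {
            # Access denied, a process that exited mid-scan, or a 32-bit PowerShell
            # looking at a 64-bit process: any of these may still be a holder.
            [pscustomobject]@{
                ProcessId   = $p.Id
                ProcessName = $p.ProcessName
                BaseAddress = $null
                ModuleSize  = $null
                Note        = "modules not readable: $($_.Exception.Message)"
            }
        }
    }
}

# Usage (the path is a placeholder, not a file from the thread):
# Find-MappedDllHolders -DllPath 'C:\Windows\System32\example.dll' | Format-Table -AutoSize
```

Every row returned is a process whose image section keeps the file open; that section, not an ordinary file handle, is what makes DeleteFile fail with access denied. Closing handles or unmapping views inside those processes from the outside is the step the later replies in this thread call unsafe; the safe use of this list is to stop or restart the owning processes and then delete the file normally.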

Re: delete dll as gmer

Posted: Sat Jan 12, 2013 11:13 am
by kenox
Thank you.

What function can I use?

I use RtlCreateUserThread with LdrUnloadDll.

This does not work.

My code is:
Code:
#include <windows.h>
#include <tlhelp32.h>

// Returns the base address of nameDll in process pid, or NULL if it is not loaded.
// TH32CS_SNAPMODULE32 makes the 32-bit modules of a WOW64 process visible as well.
PVOID searchDllProcess(const wchar_t* nameDll, DWORD pid)
{
    HANDLE snapshotModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    MODULEENTRY32W structmodsnapshot = {0};
    PVOID base = NULL;

    if (snapshotModule == INVALID_HANDLE_VALUE) return NULL;

    structmodsnapshot.dwSize = sizeof(structmodsnapshot);

    // do/while so the first entry is compared too; a plain Module32Next loop skips it.
    if (Module32FirstW(snapshotModule, &structmodsnapshot))
    {
        do
        {
            // Module names are case-insensitive on Windows.
            if (_wcsicmp(structmodsnapshot.szModule, nameDll) == 0)
            {
                base = (PVOID)structmodsnapshot.modBaseAddr;
                break;
            }
        } while (Module32NextW(snapshotModule, &structmodsnapshot));
    }

    CloseHandle(snapshotModule);   // closed on the not-found and failure paths as well
    return base;
}


...
PVOID addrDllParametre = searchDllProcess(nameDll,pid);
...
addrUnloadDll = (PVOID)GetProcAddress(GetModuleHandle(L"ntdll.dll"),"LdrUnloadDll");
...
RtlCreateUserThread(handleProcess,NULL,false,0,0,0,(PUSER_THREAD_START_ROUTINE)addrUnloadDll,addrDllParametre,&hThread,NULL);
Can you help me please?

Re: delete dll as gmer

Posted: Sat Jan 12, 2013 1:20 pm
by Eric_71
You can force removal using NtUnmapViewOfSection (at your own risk for the process).
Code:
NTSYSAPI NTSTATUS NTAPI NtUnmapViewOfSection
(
    IN HANDLE ProcessHandle,
    IN PVOID  BaseAddress
);

Re: delete dll as gmer

Posted: Sun Jan 13, 2013 3:30 pm
by EP_X0FF
@kenox

Which DLL exactly do you want to unload, and why do you want to do this? Start from this.

Unloading 3rd-party DLLs is unsafe.

Re: delete dll as gmer

Posted: Thu Jan 24, 2013 4:54 pm
by kenox
I don't have one exact DLL; I want to unload the DLLs which malware injects into my process.

I have tested NtUnmapViewOfSection; my process crashes.

Re: delete dll as gmer

Posted: Thu Jan 24, 2013 5:37 pm
by EP_X0FF
kenox wrote: I have tested NtUnmapViewOfSection; my process crashes.
And why shouldn't it? You unmapped memory that can be accessed by multiple program threads. Of course it will crash. What do you want to do:
1) "unload dll as gmer"
2) unmap dll
3) disable loading of unknown dlls

Re: delete dll as gmer

Posted: Thu Jan 24, 2013 6:24 pm
by kenox
I want to unload the DLL from all processes.

"unload dll as gmer"

Re: delete dll as gmer

Posted: Fri Jan 25, 2013 3:43 am
by EP_X0FF
http://msdn.microsoft.com/ru-ru/library ... s.85).aspx

Everything else is unsafe.
Thread closed.
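
The closing reply points at MSDN documentation (the URL is truncated on this page). For the case this thread is about, a file that stays mapped into running processes, the documented way to remove it without touching those processes is to schedule the delete for the next boot with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT; the Session Manager performs the delete early in boot, before any user-mode process can map the file again. The PowerShell below is an added example, not code from any poster in the thread, and that this API is what the truncated link refers to is an assumption.

```powershell
# Added example (not from the thread): schedule deletion of a DLL that is
# currently mapped into running processes for the next boot. Requires
# administrator rights, because the request is stored under HKLM.
Add-Type -Namespace Win32 -Name NativeFile -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Remove-FileAtNextBoot {
    param(
        [Parameter(Mandatory)] [string] $Path   # file to delete at the next boot
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4        # documented flag value

    # A NULL destination combined with MOVEFILE_DELAY_UNTIL_REBOOT means "delete".
    # [NullString]::Value is needed because PowerShell turns $null into "" for string parameters.
    $ok = [Win32.NativeFile]::MoveFileEx($full, [NullString]::Value, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object System.ComponentModel.Win32Exception($err))
    }

    # The request is recorded in PendingFileRenameOperations; read it back so the
    # caller can confirm exactly what will be deleted at boot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path              = $full
        Scheduled         = $true
        PendingOperations = $pending.PendingFileRenameOperations
    }
}

# Usage (the path is a placeholder, not a file from the thread):
# Remove-FileAtNextBoot -Path 'C:\Windows\System32\example.dll'
```

The file is untouched until the reboot, so nothing is unmapped from a live process and no thread crashes, which is the point of the thread's "everything else is unsafe". If whatever loads the DLL (an injector, a registry entry, a service) is still in place at boot, it will fail to find the file rather than map it, so removing the loading mechanism is still a separate step.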