delete dll as gmer

Topic locked

#17449 by kenox
Sun Dec 30, 2012 11:50 am

Hello

I am sorry for my bad english

When i try delete dll with a command the system return 'access denied'.
I try to use gmer for remove dll and it succeeded delete the dll

how does it ?

thank you

Username

kenox

Posts

4

Joined

Sun Dec 30, 2012 10:14 am

Re: delete dll as gmer

#17465 by Dmitry Varshavsky
Tue Jan 01, 2013 6:31 pm

1. Close all opened handles
2. Unmap all of mapped views for this file

Username

Dmitry Varshavsky

Posts

42

Joined

Fri Jul 15, 2011 1:49 pm

Re: delete dll as gmer

#17685 by kenox
Sat Jan 12, 2013 11:13 am

thank you.

What function can i use ?

I use RtlCreateUserThread with LdrUnloadDll

this does not work.

My code is

Code: Select all

PVOID searchDllProcess(const wchar_t* nameDll,DWORD pid)
{
    HANDLE snapshotModule = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pid);
    MODULEENTRY32 structmodsnapshot = {0};

    structmodsnapshot.dwSize = sizeof(MODULEENTRY32);

    if(snapshotModule == INVALID_HANDLE_VALUE)return NULL;
    if(Module32First( snapshotModule , &structmodsnapshot ) == FALSE)return NULL;

    while(Module32Next(snapshotModule , &structmodsnapshot))
    {
        if(!wcscmp(structmodsnapshot.szModule,nameDll))
        {
            CloseHandle(snapshotModule);
			return (PVOID)structmodsnapshot.modBaseAddr;
        }
    }
    CloseHandle(snapshotModule);
    return NULL;
}


...
PVOID addrDllParametre = searchDllProcess(nameDll,pid);
...
addrUnloadDll = (PVOID)GetProcAddress(GetModuleHandle(L"ntdll.dll"),"LdrUnloadDll");
...
RtlCreateUserThread(handleProcess,NULL,false,0,0,0,(PUSER_THREAD_START_ROUTINE)addrUnloadDll,addrDllParametre,&hThread,NULL);

can you help me please.

Username

kenox

Posts

4

Joined

Sun Dec 30, 2012 10:14 am

Re: delete dll as gmer

#17686 by Eric_71
Sat Jan 12, 2013 1:20 pm

you can force removal using NtUnmapViewOfSection ( at your own risk for the process )

Code: Select all

NtUnmapViewOfSection
(
    IN HANDLE ProcessHandle,
    IN PVOID  BaseAddress
);

Username

Eric_71

Posts

44

Joined

Sun Mar 14, 2010 9:25 am

Location

France

Re: delete dll as gmer

#17703 by EP_X0FF
Sun Jan 13, 2013 3:30 pm

@kenox

Which exactly dll you want to unload and why you want to do this. Start from this.

Unloading 3rd party dlls is unsafe.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: delete dll as gmer

#17840 by kenox
Thu Jan 24, 2013 4:54 pm

I have not exactly a dll, I want unload the dll which inject in my process by the malwares.

I have testing NtUnmapViewOfSection, my process to crash.

Username

kenox

Posts

4

Joined

Sun Dec 30, 2012 10:14 am

Re: delete dll as gmer

#17841 by EP_X0FF
Thu Jan 24, 2013 5:37 pm

kenox wrote:I have testing NtUnmapViewOfSection, my process to crash.

And why it should not. You are unmapped memory that can be accessed by multiple program threads. Of course it will crash. What you want to do:
1) "unload dll as gmer"
2) unmap dll
3) disable loading of unknown dlls

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: delete dll as gmer

#17843 by kenox
Thu Jan 24, 2013 6:24 pm

I want unload the dll of all process.

"unload dll as gmer"

Username

kenox

Posts

4

Joined

Sun Dec 30, 2012 10:14 am

Re: delete dll as gmer

#17844 by EP_X0FF
Fri Jan 25, 2013 3:43 am

http://msdn.microsoft.com/ru-ru/library ... s.85).aspx

Everything else is unsafe.
Thread closed.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Topic locked

Page 1 of 1
9 posts