Unload DLL module from process

Mila025 wrote (#1):

Hey everyone, is it possible to unload any DLL module (not mine) from any strong system process, e.g. rundll32 or svchost? How can I do it? Sorry for my English and thanks for advice. Mila

Tom Larsen wrote (#2):

I do not know of a way of telling another process to unload its dynamically linked binaries. In fact if you could tell any arbitrary binary to load and unload dynamic bindings outside of the process that could be an exploit (tell it to unload svchost, put the malicious version in, tell it to load it). Why do you want to unload rundll32 or svchost? Instead of asking a specific question maybe you should step back and see what you are really trying to solve.

Mila025 wrote (#3):

I'm trying to write a little application with which I can unload and delete malicious modules: DLLs like keyloggers or adware components. Some of those pests are loaded when the OS starts and are modules of e.g. rundll32.exe. What can I do to delete those DLLs? Mila

Tom Larsen wrote (#4):

Unfortunately Windows has a habit of locking files mapped into memory. Why it does this I'm not sure since it shouldn't matter what happens to the binary after it is read into memory. One thing I've been meaning to look into is how to hook into the pre-boot and boot process. For instance when a kernel patch is applied to the OS you have the very same problem (you can't copy the new kernel bins while the kernel is running). What happens is you tell the boot loader to copy and configure files before the kernel is fully loaded. Especially with some classes of malware you really need a "true" single user mode where one can make manipulations to the system by hand without fully initializing the kernel. I like the fact that anti-virus software is starting to key into the fact that malware and spyware are just as bad as any virus (in fact one could term them as trojans). I'm not trying to discourage you but some of this stuff is real hairy stuff requiring knowledge of the internals to fight.

jan larsen wrote (#5):

Tom Larsen wrote: Unfortunately Windows has a habit of locking files mapped into memory. Why it does this I'm not sure since it shouldn't matter what happens to the binary after it is read into memory.

That's because Windows creates a file mapping to the executables instead of reading it all into memory in one sweep.

"After all it's just text at the end of the day." - Colin Davies
"For example, when a VB programmer comes to my house, they may say 'does your pool need cleaning, sir?'" - Christian Graus

Mila025 wrote (#6):

Have you any idea how I can do it? Mila

jan larsen wrote (#7):

If you want to know how to map a file, look up the methods CreateFileMapping and MapViewOfFile in the Win32 API. But Tom was right about your original question, you can't tell a process to unload DLLs.

"After all it's just text at the end of the day." - Colin Davies
"For example, when a VB programmer comes to my house, they may say 'does your pool need cleaning, sir?'" - Christian Graus
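
The file-mapping behaviour described in #5 and #7, as an added example that is not part of the original thread or any poster's code: it maps a file with CreateFileMapping and MapViewOfFile, closes every handle, and then tries to delete the file while the view is still mapped. The function name `delete_while_mapped` and the sample file are made up for the illustration, and the non-Windows branch is included only as a contrast, since POSIX removes just the file name and leaves the mapped contents readable.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>
#endif
/* Hypothetical helper: creates `path` (constructed sample data), maps it,
 * closes the handles, then tries to delete it while the view is mapped.
 * Returns 1 if the delete succeeded, 0 if the OS refused, -1 on error. */
int delete_while_mapped(const char *path)
{
    static const char data[] = "constructed sample contents";
    int deleted;
#ifdef _WIN32
    DWORD n;
    HANDLE f = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                           NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (f == INVALID_HANDLE_VALUE) return -1;
    if (!WriteFile(f, data, sizeof data, &n, NULL)) { CloseHandle(f); return -1; }
    HANDLE m = CreateFileMappingA(f, NULL, PAGE_READONLY, 0, 0, NULL);
    const char *v = m ? (const char *)MapViewOfFile(m, FILE_MAP_READ, 0, 0, 0) : NULL;
    if (m) CloseHandle(m);                 /* the view keeps the mapping alive */
    CloseHandle(f);
    if (!v) { DeleteFileA(path); return -1; }
    deleted = DeleteFileA(path) ? 1 : 0;   /* refused while the view exists */
    if (memcmp(v, data, sizeof data) != 0) deleted = -1;
    UnmapViewOfFile(v);
    if (deleted != 1) DeleteFileA(path);   /* succeeds once nothing maps it */
#else
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, data, sizeof data) != (ssize_t)sizeof data) { close(fd); unlink(path); return -1; }
    const char *v = mmap(NULL, sizeof data, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (v == MAP_FAILED) { unlink(path); return -1; }
    deleted = unlink(path) == 0 ? 1 : 0;   /* only the name is removed */
    if (memcmp(v, data, sizeof data) != 0) deleted = -1;  /* view must still read */
    munmap((void *)v, sizeof data);
#endif
    return deleted;
}

int main(void)
{
    printf("deleted while mapped: %d\n", delete_while_mapped("mapped_demo.tmp"));
    return 0;
}
```

On Windows the expected result is 0, with the delete going through only after UnmapViewOfFile; a loaded DLL is held the same way for as long as a process has it mapped.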
