Hi.
I dont need special permissions or anything so I dont need the kernel driver.

I open my process with processhacker (without admin rights) and I right click the module I want to unload and then click unload. It unloads perfectly.


Right, so I have my own program that enumerates all the modules of given process (I am testing with its own procoss GetCurrentProcessId)
I find "themodule.dll" I want to unload and with the MODULEENTRY32 structure I use .hModule to get the handle id of the module.

Ive also tried getmodulehandle to retrieve the module handle and called the module by LoadLibrary to get the handle also.

But Im guessing what Im doing wrong is the way of unloading the module.
Im using freelibrary. But Its not unloading with this.

I would need some help to be pointed in the right direction please.

What OS are you using? unloading a module only works on Windows 7 and below and doesn't work on Windows 8 or WIndows 10.

Windows 10.
I realised that it didn't work after I posted this post.

My next idea is to enumerate all the thread IDs from a specific process and get all the info from a thread like process hacker and procexp does, giving the modulename.dll+baseaddress

Hi.
Re-openning this topic.

Is there a way to unload modules in windows 10? If there is why does the LdrUnloadDll api still exist? Lol.

I suspect the function is just a stub that performs no function. This is better than removing it. If removed a program that called it would likely crash.

Well thats sucks. Is there any way of unloading a remote module then after windows 7?
There should be, direct syscalls?