Process Hacker and Windows discussion

 
shackles
Member
Posts: 16
OS: windows

How to unload a module the way processhacker does (without kernel mode driver)

Sat Dec 10, 2016 7:20 pm

Hi.
I don't need special permissions or anything, so I don't need the kernel driver.

I open my process with processhacker (without admin rights) and I right click the module I want to unload and then click unload. It unloads perfectly.


Right, so I have my own program that enumerates all the modules of a given process (I am testing with its own process, GetCurrentProcessId).
I find "themodule.dll" I want to unload and, with the MODULEENTRY32 structure, I use .hModule to get the handle of the module.

I've also tried GetModuleHandle to retrieve the module handle, and called LoadLibrary on the module to get the handle as well.

But I'm guessing what I'm doing wrong is the way I'm unloading the module.
I'm using FreeLibrary, but it's not unloading with this.

I would need some help to be pointed in the right direction please.
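An added example (PowerShell via P/Invoke, not code from this thread or from Process Hacker) showing the loader reference-count rule behind the FreeLibrary call described above, in the caller's own process. The Demo.Loader type, the Test-ModuleMapped helper and the choice of msvfw32.dll as a DLL this host has not already mapped are assumptions of the example.

```powershell
# Added example: why FreeLibrary on a module handle may not unmap the DLL.
# The loader keeps a per-module reference count. Each LoadLibrary adds one,
# FreeLibrary subtracts one, and the image is unmapped only at zero. A DLL that
# is a static import of the EXE, or that the loader has pinned, is never
# unmapped by FreeLibrary at all.
$sig = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryW(string lpFileName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);
'@
$K32 = Add-Type -MemberDefinition $sig -Name Loader -Namespace Demo -PassThru

function Test-ModuleMapped([string]$Name) {
    # GetModuleHandleW does not change the reference count; it only answers
    # "is this image currently mapped in my process?"
    return ($K32::GetModuleHandleW($Name) -ne [IntPtr]::Zero)
}

# Assumption: msvfw32.dll is a system DLL this PowerShell host has not loaded.
# If the first line prints True, pick another DLL so the demo starts at zero.
$dll = 'msvfw32.dll'
"{0} mapped before LoadLibrary:     {1}" -f $dll, (Test-ModuleMapped $dll)

$h1 = $K32::LoadLibraryW($dll)   # refcount 1: image mapped
$h2 = $K32::LoadLibraryW($dll)   # refcount 2: same HMODULE, same mapping
if ($h1 -ne $h2) { throw "unexpected: two different module handles" }

[void]$K32::FreeLibrary($h2)     # refcount 1: still mapped
"{0} mapped after one FreeLibrary:  {1}" -f $dll, (Test-ModuleMapped $dll)

[void]$K32::FreeLibrary($h1)     # refcount 0: loader unmaps the image
"{0} mapped after two FreeLibrary:  {1}" -f $dll, (Test-ModuleMapped $dll)

# A handle from GetModuleHandle did not add a reference, so passing it to
# FreeLibrary releases a reference someone else holds; and for a pinned or
# statically imported module (kernel32.dll, ntdll.dll) the call has no effect.
"kernel32.dll still mapped:         {0}" -f (Test-ModuleMapped 'kernel32.dll')
```

The two "mapped after" lines should read True then False; a module that stays True after its count drops to zero is pinned or still referenced by another loader, which is the situation the thread is seeing.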
 
dmex
Admin
Posts: 1217
Location: Australia

Re: How to unload a module the way processhacker does (without kernel mode driver)

Sun Dec 11, 2016 6:38 am

What OS are you using? Unloading a module only works on Windows 7 and below and doesn't work on Windows 8 or Windows 10.
 
shackles
Member
Posts: 16
OS: windows

Re: How to unload a module the way processhacker does (without kernel mode driver)

Sun Dec 11, 2016 10:29 am

Windows 10.
I realised that it didn't work after I posted this.

My next idea is to enumerate all the thread IDs from a specific process and get all the info from a thread like Process Hacker and procexp do, giving the modulename.dll+baseaddress.
 
shackles
Member
Posts: 16
OS: windows

Re: How to unload a module the way processhacker does (without kernel mode driver)

Mon Mar 20, 2017 5:24 pm

Hi.
Re-opening this topic.

Is there a way to unload modules in windows 10? If there is why does the LdrUnloadDll api still exist? Lol.
 
LMiller7
New User
Posts: 2
OS: Windows 7 32 bit
Location: Regina Saskatchewan Canada

Re: How to unload a module the way processhacker does (without kernel mode driver)

Mon Mar 20, 2017 8:33 pm

I suspect the function is just a stub that performs no function. This is better than removing it: if it were removed, a program that called it would likely crash.
 
shackles
Member
Posts: 16
OS: windows

Re: How to unload a module the way processhacker does (without kernel mode driver)

Wed Mar 29, 2017 6:44 pm

Well, that sucks. Is there any way of unloading a remote module then, after Windows 7?
There should be; direct syscalls?
