
So. I am sorry for asking for source, but after trying to make this for a while I am lost for ideas and am asking how in the world you can eject a DLL from an external process in C#. So any help would be much appreciated. Some of the methods I have tried are remote threads and NOPing the entire address. By the way, here is my inject code if that helps.

public static void Eject(string moduleName)
{
    Process[] ProcessList = System.Diagnostics.Process.GetProcessesByName(gamename);
    if (ProcessList.Length > 0)
    {
        Process MYPROCESS = ProcessList[0];
        IntPtr BaseAddress = IntPtr.Zero;
        foreach (System.Diagnostics.ProcessModule Module in MYPROCESS.Modules)
        {
            if (Module.ModuleName.Contains(moduleName))
                BaseAddress = Module.BaseAddress;
        }
        if (BaseAddress != IntPtr.Zero)
        {
            IntPtr libaddy = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
            CreateRemoteThread(procHandle, IntPtr.Zero, 0, libaddy, BaseAddress, 0, IntPtr.Zero);
        }
    }
}
Ronan Thibaudau
Asbj1477
  • What do you mean by 'eject'? – pm100 Nov 08 '18 at 19:34
  • Eject? Are you sure you don't mean *inject*? What are you trying to do exactly? – Ron Beyer Nov 08 '18 at 19:34
  • (There are probably working examples of this here on SA). How does the code you present fail? Is this your actual code? If so, you should test the results of all of these API functions - perhaps there's a clue why it isn't working. – 500 - Internal Server Error Nov 08 '18 at 19:37
  • You guys don't understand. I do mean eject. What I am trying to do is once I have injected a DLL into a program I then want to remove it from that same process again. And I know for a fact this is possible. The reason I showed source was so someone maybe could help me eject the DLL that was injected with my current method. And there are no errors on the injection nor the ejection; the ejection simply does not work. – Asbj1477 Nov 08 '18 at 20:01
  • https://stackoverflow.com/questions/8832381/can-i-unload-a-dll-from-another-process-win32 – xxbbcc Nov 08 '18 at 20:09
  • Thanks man. Have tried something similar but might as well try this in some way. – Asbj1477 Nov 08 '18 at 20:14
  • OP, I think people are confused because you named the method in your example `Eject`. That's the code you are using for *in*jection, correct? I suggest you rename it, then add an `Eject` method showing us the code you have tried so far. That will make your question much clearer. – John Wu Nov 09 '18 at 07:54

1 Answer

There are many caveats to DLL ejection. If you have hooks installed or the code is actively executing it will cause problems. If the DLL is just sitting there doing nothing you won't have any issues.

  1. Get the module base address; this will work as the handle
  2. VirtualAllocEx to get memory in which to write the module handle
  3. GetProcAddress to get the address of FreeLibrary
  4. CreateRemoteThread to call FreeLibrary, passing the address of the handle as an argument

This code may not be perfect, but should be 99% good to go:

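// Requires: using System; using System.Diagnostics; using System.Runtime.InteropServices;

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize,
    IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);

// Returns the base address of the named module in proc, or IntPtr.Zero if it is not loaded.
public static IntPtr GetModuleBaseAddress(Process proc, string modName)
{
    IntPtr addr = IntPtr.Zero;

    foreach (ProcessModule m in proc.Modules)
    {
        if (m.ModuleName == modName)
        {
            addr = m.BaseAddress;
            break;
        }
    }
    return addr;
}

// Starts a remote thread that calls FreeLibrary on the named module.
public static bool EjectModule(Process proc, string modName)
{
    IntPtr moduleAddress = GetModuleBaseAddress(proc, modName);

    if (moduleAddress == IntPtr.Zero)
    {
        return false; // module is not loaded in the target
    }

    // Assumes caller and target have the same bitness, so kernel32.dll (and
    // therefore FreeLibrary) is mapped at the same address in both processes.
    IntPtr freelibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary");

    // A remote thread's start routine receives lpParameter as its only argument,
    // and FreeLibrary takes the HMODULE by value. The module base address is
    // therefore passed directly: unlike the LoadLibrary case, no
    // VirtualAllocEx/WriteProcessMemory buffer in the target is needed, and
    // passing a pointer to a buffer would make FreeLibrary fail.
    IntPtr hThread = CreateRemoteThread(proc.Handle, IntPtr.Zero, 0, freelibraryAddr, moduleAddress, 0, out _);

    return hThread != IntPtr.Zero;
}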
GuidedHacking
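
A read-only way to check whether a module is still mapped in a process, using the same `Process.Modules` enumeration as the code above. This is an added example, not part of the original question or answer; `ModuleAudit`, `Snapshot` and `Report` are hypothetical names. It diffs two snapshots of the module list and takes a fresh `Process` object for each one, because `Process.Modules` is cached on first access and goes stale unless `Refresh()` is called.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Linq;

// Added example; ModuleAudit, Snapshot and Report are hypothetical names.
public static class ModuleAudit
{
    // Map of module path -> base address, or null if the list cannot be read.
    public static Dictionary<string, IntPtr> Snapshot(int pid)
    {
        try
        {
            // New Process object per snapshot so the cached module list is never reused.
            using (Process p = Process.GetProcessById(pid))
            {
                var map = new Dictionary<string, IntPtr>(StringComparer.OrdinalIgnoreCase);
                foreach (ProcessModule m in p.Modules)
                    map[m.FileName] = m.BaseAddress;
                return map;
            }
        }
        catch (Exception e) when (e is Win32Exception || e is InvalidOperationException
                                  || e is ArgumentException)
        {
            // Access denied, process gone, or a 32-bit caller reading a 64-bit process.
            Console.Error.WriteLine("Cannot read modules of PID " + pid + ": " + e.Message);
            return null;
        }
    }

    // Prints modules that appeared (+) or disappeared (-) between two snapshots.
    public static void Report(Dictionary<string, IntPtr> before, Dictionary<string, IntPtr> after)
    {
        foreach (var x in after.Where(a => !before.ContainsKey(a.Key)))
            Console.WriteLine("+ 0x" + x.Value.ToInt64().ToString("X") + " " + x.Key);
        foreach (var x in before.Where(b => !after.ContainsKey(b.Key)))
            Console.WriteLine("- 0x" + x.Value.ToInt64().ToString("X") + " " + x.Key);
    }

    public static void Main(string[] args)
    {
        // With no argument the tool inspects its own process.
        int pid = args.Length > 0 ? int.Parse(args[0]) : Process.GetCurrentProcess().Id;
        var before = Snapshot(pid);
        Console.WriteLine("Baseline taken; press Enter for the second snapshot.");
        Console.ReadLine();
        var after = Snapshot(pid);
        if (before != null && after != null) Report(before, after);
    }
}
```

Paths are compared case-insensitively because Windows module names are not case-sensitive. A module that is still listed in the second snapshot is still mapped in the process.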