-1

Today I got a LoadLibraryA injector that works perfectly, but it doesn't let me delete the DLL after injection (LoadLibrary things), and I tried doing FreeLibraryAndExitThread, but it didn't work.

The code I tried: FreeLibraryAndExitThread(hThread, 0);

The injection code:

    const char* procName = "notepad.exe";
    DWORD procID = 0;

    // Poll until the target process exists
    while (!procID)
    {
        procID = GetProcID(procName);
        Sleep(30);
    }

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, procID);

    if (hProc && hProc != INVALID_HANDLE_VALUE)
    {
        // Reserve a buffer in the target and copy the DLL path into it
        void* loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

        if (loc)
        {
            WriteProcessMemory(hProc, loc, dllPath, strlen(dllPath) + 1, 0);
        }

        // Run LoadLibraryA(loc) on a new thread inside the target
        HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);

        if (hThread)
        {
            CloseHandle(hThread);
        }

        if (hProc)
        {
            CloseHandle(hProc);
        }

        // Attempt to unload the DLL again (see the answers below)
        FreeLibraryAndExitThread(hThread, 0);

        return 0;
    }

By the way, sorry for the stupid question; I'm new to C++ and didn't find a solution on the internet that works.

Ted Lyngmo
Daniel TG

2 Answers

1

You are not unloading the DLL correctly.

You are misusing FreeLibraryAndExitThread(). It expects an HMODULE of a loaded DLL to unload, but you are giving it the HANDLE of the remote thread instead - which you have already closed via CloseHandle() beforehand. And in any case, FreeLibraryAndExitThread() terminates the calling thread, which is not what you want to do in this situation.

You need to wait for LoadLibrary() to fully complete. After creating the remote thread, wait on the thread HANDLE using WaitForSingleObject() or a related function.

After that, you can then inject a call to FreeLibrary() into the context of the remote process, passing it the HMODULE that LoadLibrary() returned - which you currently do not have. When using LoadLibrary() as a thread procedure, the thread's exit code will contain the returned HMODULE. If your target is a 32-bit process, you can use GetExitCodeThread() to retrieve that HMODULE. But things get more complicated if your target is a 64-bit process, since the thread's exit code will truncate the HMODULE value.

See CreateRemoteThread on LoadLibrary and get the HMODULE back.

Remy Lebeau
0

I am not really sure what you want, but you can't do it because you closed the handle:

if (hThread)
{
     CloseHandle(hThread);
} 
...

FreeLibraryAndExitThread(hThread, 0);