something about remove virus dll

c++ / delphi package - dll injection and api hooking
cde
Posts: 8
Joined: Sat Oct 09, 2004 10:48 am

Post by cde »

Dear Madshi,
  1. When we find some dlls or bad modules loaded by some process in another session or the current session, can we remove them via Madshi's collection?

    In Delphi's TThread, we can use TThread.Suspended to judge the state
    of TThread, but it seems to have no such property or a similar property in IThread.

    Another small problem: there is a "ProcessHandleToid" function in the "madRemote" package, not "ProcessHandleToPid". The sample at "http://help.madshi.net/ProcessHandleToId.htm" has
    a clerical error :D
Best regards
cch
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You can use madCodeHook's UninjectLibrary to unload a dll from another process. That works even for a different session (if you have enough privileges). The question is, though, whether just unloading the dll is good enough to get rid of the virus. But that's another question...

uses Windows;

// SuspendThread returns the thread's previous suspend count, or $FFFFFFFF
// (-1) on failure. A previous count greater than zero means the thread was
// already suspended before this call; ResumeThread immediately undoes the
// extra suspension so the thread is left in its original state.
function IsThreadSuspended(threadHandle: dword) : boolean;
var i1 : integer;
begin
  result := false;
  i1 := integer(SuspendThread(threadHandle));
  if i1 <> -1 then begin
    ResumeThread(threadHandle);   // restore the original suspend count
    result := i1 > 0;
  end;
end;
You can call this like "IsThreadSuspended(IThread.Handle.Handle)".

About the documentation error: Thanks - I'll fix that.
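An added example, not code from madshi or the madCodeHook package, that applies the SuspendThread/ResumeThread check above to every thread of a process chosen by PID: it takes a Toolhelp32 thread snapshot, opens each thread that belongs to that process with THREAD_SUSPEND_RESUME access, and reports which ones were already suspended. The local OpenThread declaration is an assumption for older Delphi versions whose Windows unit lacks it (it simply shadows the unit's own declaration where one exists); the program name and the command-line PID argument are likewise constructed for the example.

```pascal
program ListSuspendedThreads;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils, TlHelp32;

// Assumption: older Windows.pas versions do not declare OpenThread, so it is
// imported here; in newer Delphi releases this local declaration just shadows
// the one in the Windows unit.
function OpenThread(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
  dwThreadId: DWORD): THandle; stdcall; external kernel32 name 'OpenThread';

// The check from the post: SuspendThread returns the previous suspend count
// (or -1 on failure), so a value > 0 means the thread was already suspended.
// ResumeThread restores the original state before we return.
function IsThreadSuspended(threadHandle: THandle): boolean;
var
  prevCount: integer;
begin
  result := false;
  prevCount := integer(SuspendThread(threadHandle));
  if prevCount <> -1 then begin
    ResumeThread(threadHandle);
    result := prevCount > 0;
  end;
end;

// Walks all threads in the system via Toolhelp32, keeps those owned by "pid",
// and reports which of them are currently suspended. Returns the number of
// suspended threads found (or -1 if the snapshot could not be taken).
function ReportSuspendedThreads(pid: DWORD): integer;
var
  snap, th: THandle;
  te: TThreadEntry32;
  total: integer;
begin
  result := -1;
  total := 0;
  snap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
  if snap = INVALID_HANDLE_VALUE then
    exit;
  result := 0;
  try
    te.dwSize := sizeof(te);
    if Thread32First(snap, te) then
      repeat
        // Never run the check on our own thread: SuspendThread on the calling
        // thread would stop it with nobody left to call ResumeThread.
        if (te.th32OwnerProcessID = pid) and
           (te.th32ThreadID <> GetCurrentThreadId) then begin
          inc(total);
          th := OpenThread(THREAD_SUSPEND_RESUME or THREAD_QUERY_INFORMATION,
                           false, te.th32ThreadID);
          if th <> 0 then
            try
              if IsThreadSuspended(th) then begin
                inc(result);
                writeln(Format('  thread %d is suspended', [te.th32ThreadID]));
              end;
            finally
              CloseHandle(th);
            end
          else
            writeln(Format('  thread %d: OpenThread failed (error %d)',
                           [te.th32ThreadID, GetLastError]));
        end;
      until not Thread32Next(snap, te);
  finally
    CloseHandle(snap);
  end;
  writeln(Format('pid %d: %d threads examined, %d suspended', [pid, total, result]));
end;

begin
  if ParamCount < 1 then begin
    writeln('usage: ListSuspendedThreads <pid>');
    exit;
  end;
  ReportSuspendedThreads(StrToInt(ParamStr(1)));
end.
```

Two caveats worth keeping in mind when using this on a live process: the check briefly suspends each thread it inspects, so a time-sensitive target will see a short stall, and the answer is only a snapshot, since another party may suspend or resume the thread between the SuspendThread and the ResumeThread call. Inspecting threads in another session needs the same privileges the post mentions for UninjectLibrary; OpenThread failures with ERROR_ACCESS_DENIED are the usual symptom of running without them.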