// Button handler. In order, it:
//   1. finds a running process by image name and the on-disk path of
//      mOasisRuntime.dll as loaded in that process,
//   2. makes that process unload the DLL (remote thread on FreeLibrary),
//   3. overwrites a single byte of the DLL file at a fixed offset,
//   4. makes the process load the DLL again (remote thread on LoadLibraryW).
// Steps 2 and 4 are remote-thread DLL unload/load: OpenProcess, VirtualAllocEx,
// WriteProcessMemory and CreateRemoteThread with a kernel32 loader routine as the
// start address. That API sequence, followed by a write to a module file that
// another process had mapped, is what process-injection and file-integrity
// monitoring typically alert on.
// GetProcessID, GetModuleBase and WideFileExists are defined outside this block;
// their behaviour is presumed from their names and call sites - TODO confirm.
procedure TForm1.Button1Click(Sender: TObject);
var
  dwProcessID, dwBaseOfDll: LongWord;
  wstrExeFileName, wstrDllName: WideString;
var
  hProcess: THandle;
  p: Pointer;
  hThread: THandle;
  dwThreadID: LongWord;
  hFileHandle: THandle;
  byValue: Byte;
  dwTmp: LongWord;
  wszBuffer: array[0..1023] of WideChar;
  dwLen: LongWord;
  pszLibFileRemote: Pointer;
begin
  // Resolve the path of mOasisRuntime.dll.
  // Any failed lookup returns silently with no message to the user.
  if not GetProcessID('radstudio_10_4_esd_99797b.tmp', dwProcessID, wstrExeFileName) then
    Exit;
  if not GetModuleBase(dwProcessID, 'mOasisRuntime.dll', dwBaseOfDll, wstrDllName) then
    Exit;
  if not WideFileExists(wstrDllName) then
    Exit;

  // Unload the DLL from the process.
  // NOTE(review): PROCESS_ALL_ACCESS is broader than this step needs; the second
  // OpenProcess below requests an explicit, narrower set of rights.
  hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
  if hProcess = 0 then
    Exit;
  // The address of FreeLibrary is looked up in THIS process and used as the thread
  // start address in the other one; this presumes kernel32 is mapped at the same
  // base in both and that both have the same bitness - verify.
  p := GetProcAddress(GetModuleHandle(kernel32), 'FreeLibrary');
  // NOTE(review): dwBaseOfDll is a LongWord (32-bit), so Pointer(dwBaseOfDll)
  // cannot carry a module base above 4 GiB.
  // NOTE(review): hThread is not checked for 0 before the wait and is never
  // closed, so the thread handle leaks.
  hThread := CreateRemoteThread(hProcess, nil, 0, p, Pointer(dwBaseOfDll), 0, dwThreadID);
  // Blocks the calling (UI) thread with no timeout until the remote thread exits.
  WaitForSingleObject(hThread, INFINITE);
  CloseHandle(hProcess);

  // Modify the DLL file on disk.
  // Share mode 0 requests exclusive access, so the open fails while anything else
  // still holds the file open.
  // NOTE(review): on failure the routine exits here with the DLL already unloaded
  // from the other process and never reloaded.
  hFileHandle := CreateFileW(PWideChar(wstrDllName), GENERIC_WRITE, 0, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if hFileHandle = INVALID_HANDLE_VALUE then
    Exit;
  // Hard-coded file offset: it is only meaningful for one exact build of the DLL.
  // Nothing here checks the file's size, version or current byte before writing.
  SetFilePointer(hFileHandle, 1495017, nil, FILE_BEGIN);
  // $EB is the x86 short-jump opcode; presumably this replaces a conditional
  // branch with an unconditional one - cannot be confirmed without the DLL.
  byValue := $EB;
  // NOTE(review): the results of SetFilePointer and WriteFile are ignored, so a
  // failed seek or write is not detected.
  WriteFile(hFileHandle, byValue, 1, dwTmp, 0);
  CloseHandle(hFileHandle);

  // Load the DLL into the process again.
  hProcess := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_READ or PROCESS_VM_WRITE, FALSE, dwProcessID);
  if hProcess = 0 then
    Exit;
  // NOTE(review): lstrcpyW does no bounds check; a path of 1024 or more
  // characters would overrun wszBuffer.
  lstrcpyW(wszBuffer, PWideChar(wstrDllName));
  // Byte length of the path including the terminating null character.
  dwLen := (1 + Length(wstrDllName)) * sizeof(WCHAR);
  // Allocate read/write memory in the other process to hold the DLL path.
  pszLibFileRemote := VirtualAllocEx(hProcess, nil, dwLen, MEM_COMMIT, PAGE_READWRITE);
  if pszLibFileRemote = nil then
  begin
    CloseHandle(hProcess);
    Exit;
  end;
  dwTmp := 0;
  // Copy the path into the remote allocation.
  // NOTE(review): this failure path closes the handle but leaves the remote
  // allocation in place.
  if not WriteProcessMemory(hProcess, pszLibFileRemote, @wszBuffer[0], dwLen, dwTmp) then
  begin
    CloseHandle(hProcess);
    Exit;
  end;
  // Start a thread in the other process at LoadLibraryW with the remote path as
  // its argument. Same assumptions and unchecked/unclosed hThread as for the
  // FreeLibrary thread above.
  p := GetProcAddress(GetModuleHandle(kernel32), 'LoadLibraryW');
  hThread := CreateRemoteThread(hProcess, nil, 0, p, pszLibFileRemote, 0, dwThreadID);
  WaitForSingleObject(hThread, INFINITE);
  // NOTE(review): the Win32 documentation requires dwSize = 0 with MEM_RELEASE;
  // passing dwLen makes this call fail, so the remote buffer is not freed.
  VirtualFreeEx(hProcess, pszLibFileRemote, dwLen, MEM_RELEASE);
  CloseHandle(hProcess);
  // 'ok' is shown whenever this line is reached; none of the unload, write or
  // load results were checked, so it does not indicate that they succeeded.
  ShowMessage('ok');
end;
//http://altd.embarcadero.com/download/radstudio/10.4/radstudio_10_4_99797b.iso
大神老陈 给的方法