How to free a dll in a process without FreeLibrary


nbw
04-23-2006, 06:27 AM
Hi:

I want to free a DLL in a process, but I cannot free it with the FreeLibraryA API. Can anyone tell me how to do it, or is there any tool that can do it?


Thanks very much!

AndreaGeddon
04-24-2006, 04:51 PM
I don't know if there is a tool to free DLLs in other processes; however, if you want to do it yourself you can try to inject a thread into the target process, and this thread will have to make a call to FreeLibrary. The problem is that you must already know the DLL handle; using FreeLibrary on it may cause a crash.
AndreaGeddon

nbw
04-25-2006, 01:40 AM
Thank you very much!

You can use IceSword to free any DLL you want:

http://www.xfocus.net/tools/200505/IceSword.rar

But it does this in ring 0. I want to do it in ring 3.


I know your idea for freeing it, but I cannot free this DLL with the FreeLibrary API.


We can find the module in the PEB chain, and I don't know if I can remove the DLL's node from this chain;
I also found that the UnmapViewOfFile function can free a DLL.

But I have no time to test these ideas; I will try them later.

Thank you again.

nbw
04-25-2006, 01:43 AM
If you have any good links for it, please tell me. :D

AndreaGeddon
04-27-2006, 01:32 PM
Good, nice IceSword, I often use it and I didn't know it can free DLLs :P
However, why can't you use FreeLibrary to free the DLL? If it has been loaded normally then FreeLibrary must work; you just need its module handle, which in practice is its base mapping address. If you cannot free it because it has not been mapped normally, but has been loaded manually by the program (like some packers that just read the DLL, allocate memory and map it), then you must find the memory where this "dll" is and you can use VirtualFree / VirtualFreeEx. If that still does not help you, then you should provide more detailed information about your problem.
Bye!
AndreaGeddon

nbw
04-27-2006, 11:14 PM
Thanks for your reply.


Yes, this DLL is not a usual library; it is a COM DLL, and it registers itself in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Sorry for my poor English; you can find information about this kind of DLL.

I use UnmapViewOfFile to free it. This API can free the DLL's memory, but because the DLL's thread is running, the process then throws an exception. I don't know if there are other problems; it is hard to free the DLL in my opinion.

You can download the new version, IceSword 1.6. The author said the new version is better.

nbw
04-27-2006, 11:17 PM
I can find the DLL's base address in the process's PEB chain, and I can free a normal DLL using UnmapViewOfFile with the DLL's base address.

AndreaGeddon
04-28-2006, 02:48 PM
Wait, you should be able to free it with FreeLibrary, but the problem is that the system needs it because it is a shell extension. You should first delete the CLSID value from the registry key, then you can try with FreeLibrary. Note that calling FreeLibrary only ONE time does not ensure that the DLL is freed; you just decrement the reference count of the DLL, so you should try calling FreeLibrary more times until it is freed. I am not sure that this would work; probably the system still has the callback registered in memory and will crash if you are able to unload the DLL. Usually these kinds of things require a reboot for deletion (you could use pending file delete / rename operations).
Bye
AndreaGeddon
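The procedure discussed in the two posts above (inject a thread into the target that calls FreeLibrary on the module's base address, remove the hook's CLSID value from ShellExecuteHooks first, and keep calling FreeLibrary until the reference count reaches zero), as an added example that is not code from this thread or from IceSword. It assumes this PowerShell process and the target have the same bitness (so kernel32.dll is mapped at the same base in both and the FreeLibrary address resolved here is valid in the target), that the caller has the rights to open the target (run elevated for processes you do not own), and that the registry value names under ShellExecuteHooks are the hook CLSIDs, which is how that key is laid out. The function and parameter names are this example's own.

```powershell
# Added example (not from the thread). Ejects a DLL from another process by
# creating a remote thread whose start routine is kernel32!FreeLibrary and whose
# single argument is the module's HMODULE, i.e. its base address in the target.
# Assumption: same bitness as the target, so kernel32 sits at the same base in both.

$native = @'
using System;
using System.Runtime.InteropServices;
public static class Kernel32 {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string procName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateRemoteThread(IntPtr process, IntPtr attrs, uint stackSize,
        IntPtr startAddress, IntPtr parameter, uint flags, IntPtr threadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr handle, uint ms);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetExitCodeThread(IntPtr thread, out uint exitCode);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $native

# Lists each ShellExecuteHooks CLSID with the DLL its InprocServer32 key points
# to, so you can see which module to eject and which value to delete first.
function Get-ShellExecuteHook {
    $hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $key = Get-Item -Path $hooks -ErrorAction Stop
    foreach ($clsid in $key.GetValueNames()) {
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll }
    }
}

# Base address of a module in the target. Get-Process reads the same loader
# module list that the PEB's Ldr chain describes, so we need not walk the PEB.
function Get-RemoteModuleBase {
    param([int]$ProcessId, [string]$ModuleName)
    $mod = (Get-Process -Id $ProcessId -ErrorAction Stop).Modules |
        Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
    if ($mod) { $mod.BaseAddress } else { [IntPtr]::Zero }
}

function Remove-RemoteModule {
    param([int]$ProcessId, [string]$ModuleName, [int]$MaxAttempts = 16)
    $base = Get-RemoteModuleBase -ProcessId $ProcessId -ModuleName $ModuleName
    if ($base -eq [IntPtr]::Zero) { throw "$ModuleName is not loaded in PID $ProcessId" }

    # PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
    $access = 0x0400 -bor 0x0002 -bor 0x0008 -bor 0x0010 -bor 0x0020
    $hProc = [Kernel32]::OpenProcess($access, $false, [uint32]$ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # Resolved locally; valid in the target because kernel32 shares one base per boot.
    $freeLibrary = [Kernel32]::GetProcAddress([Kernel32]::GetModuleHandle('kernel32.dll'), 'FreeLibrary')
    try {
        # One FreeLibrary only drops the reference count by one, so repeat until the
        # module is gone from the target or FreeLibrary itself reports failure.
        for ($i = 0; $i -lt $MaxAttempts; $i++) {
            $hThread = [Kernel32]::CreateRemoteThread($hProc, [IntPtr]::Zero, 0, $freeLibrary, $base, 0, [IntPtr]::Zero)
            if ($hThread -eq [IntPtr]::Zero) {
                throw "CreateRemoteThread failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            [void][Kernel32]::WaitForSingleObject($hThread, 5000)
            $rc = [uint32]0
            [void][Kernel32]::GetExitCodeThread($hThread, [ref]$rc)   # thread exit code = FreeLibrary's BOOL
            [void][Kernel32]::CloseHandle($hThread)
            if ($rc -eq 0) { return $false }                          # FreeLibrary returned FALSE in the target
            if ((Get-RemoteModuleBase -ProcessId $ProcessId -ModuleName $ModuleName) -eq [IntPtr]::Zero) { return $true }
        }
        return $false
    } finally {
        [void][Kernel32]::CloseHandle($hProc)
    }
}

# Usage ('{CLSID}' and 'hook.dll' are placeholders): list the hooks, delete the
# hook's value so Explorer stops re-creating the object, then eject the DLL.
# Get-ShellExecuteHook
# Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' -Name '{CLSID}'
# Remove-RemoteModule -ProcessId (Get-Process explorer | Select-Object -First 1).Id -ModuleName 'hook.dll'
```

Remove-RemoteModule returns $true only once the module has actually left the target's module list. It returns $false when FreeLibrary reports failure in the target or the count never reaches zero within MaxAttempts (a module that is pinned, or that still has a thread running inside it, behaves this way); in that case the thread's own conclusion applies: the unload is not safe, and restarting Explorer is the reliable route. As the posts above warn, unloading a shell extension while Explorer still holds the COM object can crash Explorer even when the eject succeeds.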

nbw
04-28-2006, 08:55 PM
I will try your idea, deleting the CLSID first. But I think it will crash even if I free the DLL. When IceSword frees the DLL in the Explorer process, IE also crashes, but some processes don't crash. I will go home tomorrow; we have a national holiday for 7 days. :D

nbw
04-29-2006, 12:55 AM
I found a piece of software that can free these DLLs, and reversed it, and then I found the way: JUST kill the Explorer.exe process. Then all is done.


Thanks to all above too!