Delphi : force unload injected module

Question

i use this code to determine if a specific module has been injected to my application's process (i use it to prevent some Packet Sniffer Softwares)

 Var
 H:Cardinal;
 Begin
 H:= GetModuleHandle('WSock32.dll');
 if H >0 then FreeLibrary(H);
 end;

the problem is when i call Freelibrary it do nothing !

i don't wanna show message then terminate the application i just want to unload the injected module silently

thanks in advance

Answer 1

Well, first of all I'll attempt to answer the question as asked. And then, I'll try to argue that you are asking the wrong question.

---

Modules are reference counted. It's possible that there are multiple references to this module. So, keep calling FreeLibrary:

procedure ForceRemove(const ModuleName: string);
var
  hMod: HMODULE;
begin
  hMod := GetModuleHandle(PChar(ModuleName));
  if hMod=0 then 
    exit;
  repeat
  until not FreeLibrary(hMod);
end;

If you were paranoid you might choose to add an alternative termination of the loop to avoid looping indefinitely.

I don't really know that this will work in your scenario. For instance, it's quite plausible that your process links statically to WSock32. In which case no amount of calling FreeLibrary will kick it out. And even if you could kick it out, the fact that your process statically linked to it probably means it's going to fail pretty hard.

Even if you can kick it out, it seems likely that other code in your process will hold references to functions in the module. And so you'll just fail somewhere else. I can think of very few scenarios where it makes sense to kick a module out of your process with complete disregard for the other users of that module.

---

Now, let's step back and look at what you are doing. You are trying to remove a standard system DLL from your process because you believe that it is only present because your process is having its packets sniffed. That seems unlikely to be true.

Since you state that your process is subject to packet sniffing attack. That means that the process is communicating over TCP/IP. Which means that it probably uses system modules to carry out that communication. One of which is WSock32. So you very likely link statically to WSock32. How is your process going to work if you kill one of the modules used to supply its functionality?

Are you quite sure that the presence of WSock32 in your process indicates that your process is under attack? If a packet sniffer was going to inject a DLL into your process, why would it inject the WSock32 system DLL? Did you check whether or not your process, or one of its dependencies, statically links to WSock32?

I rather suspect that you've just mis-diagnosed what is happening.

---

Some other points:

• GetModuleHandle returns, and FreeLibrary accepts an HMODULE. For 32 bit that is compatible with Cardinal, but not for 64 bit. Use HMODULE.
• The not found condition for GetModuleHandle is that the return value is 0. Nowhere in the documentation is it stated that a value greater than 0 indicates success. I realise that Cardinal and HMODULE are unsigned, and so <>0 is the same as >0, but it really makes no sense to test >0. It leaves the programmer thinking, "what is so special about <0?"