当 ActiveXObject 托管在 Windows 桌面/边栏小工具中时,该 ActiveXObject 会被缓存,并且它的 DLL 文件被锁定(意味着它不能移动、删除或重命名)。问题是这样的;当小工具随后关闭时,DLL 仍被 Windows 边栏锁定,无法删除。这会导致一个重大问题,即无法在先前版本的小工具之上安装新版本的小工具,它在删除它的过程中失败,没有任何错误消息。
这对用户不是很友好,所以我正在寻找一种在小工具的卸载事件期间以某种方式“切断”与 ActiveX 控件的联系的方法。我希望有人能告诉我这是否可行,如果可以,请给我一些关于如何实现它的想法。
仅供参考,Windows 边栏小工具实际上只是 Internet Explorer 服务器窗口,因此假设 IE 表现出相同的行为可能是安全的。
编辑: Unlocker似乎做了很多我需要做的事情,那么我怎样才能在 .NET 中以编程方式实现同样的事情呢?
好的,这是一个相当复杂的问题。我以前见过这种行为,我不熟悉 Windows 桌面/边栏小工具,因为我不使用它。但是我设法想出了三种可能的攻击方法
1.来自 TechNet 的句柄
这不是我的想法,有另一个 StackOverflow 线程推荐这种方法。但是,我怀疑这是否会奏效。文件锁(此实用程序处理的内容)和“加载库”锁之间存在差异,我认为这是您在使用 ActiveX 时遇到的问题。
我稍微修改了该线程的代码,他们使用 Process.Kill() 来释放锁,我认为最好使用 handle.exe 来释放锁。
public struct LockInfo
{
public int PID;
public string Handle;
public LockInfo(int pid, string handle)
{
this.PID = pid;
this.Handle = handle;
}
}
static List<LockInfo> getLockingInfo(string fileName)
{
List<LockInfo> lockingProcesses = new List<LockInfo>();
Process tool = new Process();
tool.StartInfo.FileName = "handle.exe";
tool.StartInfo.Arguments = fileName;
tool.StartInfo.UseShellExecute = false;
tool.StartInfo.RedirectStandardOutput = true;
tool.Start();
tool.WaitForExit();
string outputTool = tool.StandardOutput.ReadToEnd();
// I;m not so hot with regex, so a bit of regex and a bit of manual splitting
string matchPattern = @"(?<=\s+pid:\s+)\b(\d+)\b(\s+)\b(\S+:)";
foreach (Match match in Regex.Matches(outputTool, matchPattern))
{
string[] temp = match.Value.Replace(":", "").Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
if (temp.Length == 2)
{
lockingProcesses.Add(new LockInfo(int.Parse(temp[0].Trim()), temp[1].Trim()));
}
}
return lockingProcesses.Count > 0 ? lockingProcesses : null;
}
static bool closeFileHandle(List<LockInfo> lockingInfo)
{
if ((lockingInfo == null) || (lockingInfo.Count == 0))
{
throw new ArgumentException("lockingProcesses cannot be null or empty");
}
bool fileClosed = true;
foreach (LockInfo lockInfo in lockingInfo)
{
Process tool = new Process();
tool.StartInfo.FileName = "handle.exe";
tool.StartInfo.Arguments = string.Format("-c {0} -y -p {1}", lockInfo.Handle, lockInfo.PID.ToString());
tool.StartInfo.UseShellExecute = false;
tool.StartInfo.RedirectStandardOutput = true;
tool.Start();
tool.WaitForExit();
string outputTool = tool.StandardOutput.ReadToEnd();
if (outputTool.IndexOf("Handle closed") == -1)
{
fileClosed = false;
}
}
return fileClosed;
}
public static void Main()
{
//Path to locked file, make sure the full path is in quotes
string fileName = "\"" + @"C:\Your_Path\To_The\ActiveX.ocx" + "\"";
List<LockInfo> lockInfo = getLockingInfo(fileName);
if ((lockInfo != null) && (lockInfo.Count > 0))
{
closeFileHandle(lockInfo);
}
}
...
2.Win32风格
互联网上没有很多关于此的信息,而且似乎需要一些未记录的 api 调用才能顺利完成。
我这些 c++ 示例可能会有所帮助。
不幸的是,我无法让它无缝工作。我已经使用 MS Word 中加载的 ActiveX 测试了这种方法。然后我尝试解锁 ActiveX,它不是很稳定,经常导致 word 崩溃。我想我没有正确解读上述程序所需的 C++ 战伤。
连同这个C# 中的 CreateRemoteThread示例,我确实将这段代码放在一起。
public struct ProcessInfo
{
public Process Process;
public ProcessModule Module;
public ProcessInfo(Process process, ProcessModule module)
{
this.Process = process;
this.Module = module;
}
}
private static List<ProcessInfo> getProcessInfo(string fileName, bool partialMatch)
{
List<ProcessInfo> myProcesses = new List<ProcessInfo>();
Process[] runningProcesses = Process.GetProcesses();
int i = 0;
for (i = 0; i < runningProcesses.Length; i++)
{
Process currentProcess = runningProcesses[i];
try
{
if (!currentProcess.HasExited)
{
try
{
ProcessModuleCollection modules = currentProcess.Modules;
int j = 0;
for (j = 0; j < modules.Count; j++)
{
if (partialMatch)
{
if ((modules[j].FileName.ToLower().IndexOf(fileName.ToLower()) != -1))
{
myProcesses.Add(new ProcessInfo(currentProcess, modules[j]));
break;
}
}
else
{
if ((modules[j].FileName.ToLower().CompareTo(fileName.ToLower()) == 0))
{
myProcesses.Add(new ProcessInfo(currentProcess, modules[j]));
break;
}
}
}
}
catch (NotSupportedException)
{
// You are attempting to access the Modules property for a process that is running on a remote computer.
// This property is available only for processes that are running on the local computer.
}
catch (InvalidOperationException)
{
// The process Id is not available.
}
catch (Win32Exception)
{
// You are attempting to access the Modules property for either the system process or the idle process.
// These processes do not have modules.
}
}
}
catch (InvalidOperationException)
{
// There is no process associated with the object.
}
catch (Win32Exception)
{
// The exit code for the process could not be retrieved.
}
catch (NotSupportedException)
{
// You are trying to access the HasExited property for a process that is running on a remote computer.
// This property is available only for processes that are running on the local computer.
}
}
return myProcesses.Count > 0 ? myProcesses : null;
}
private static void forceRemoteCloseHandle(ProcessInfo processInfo)
{
// Open remote process for write
IntPtr hProcess = NativeMethods.OpenProcess(NativeMethods.PROCESS_CREATE_THREAD | NativeMethods.PROCESS_VM_OPERATION |
NativeMethods.PROCESS_VM_WRITE | NativeMethods.PROCESS_VM_READ, false, processInfo.Process.Id);
// Get the handle to CloseHandle in kernel32.dll
IntPtr hKernel32 = NativeMethods.LoadLibrary("kernel32.dll");
IntPtr hCloseHandle = NativeMethods.GetProcAddress(hKernel32, "CloseHandle");
uint temp = 0;
// Create the remote thread and point it to CloseHandle
IntPtr hCreateRemoteThread = NativeMethods.CreateRemoteThread((IntPtr)hProcess, (IntPtr)0, 0, hCloseHandle, (IntPtr)processInfo.Module.BaseAddress, 0, out temp);
// Wait for thread to end
NativeMethods.WaitForSingleObject(hCreateRemoteThread, 2000);
//Closes the remote thread handle
NativeMethods.CloseHandle(hCreateRemoteThread);
//Free up the kernel32.dll
if (hKernel32 != null)
NativeMethods.FreeLibrary(hKernel32);
//Close the process handle
NativeMethods.CloseHandle(hProcess);
}
private static void forceRemoteFreeLibrary(ProcessInfo processInfo)
{
// Open remote process for write
IntPtr hProcess = NativeMethods.OpenProcess(NativeMethods.PROCESS_CREATE_THREAD | NativeMethods.PROCESS_VM_OPERATION |
NativeMethods.PROCESS_VM_WRITE | NativeMethods.PROCESS_VM_READ, false, processInfo.Process.Id);
// Get the handle to FreeLibrary in kernel32.dll
IntPtr hKernel32 = NativeMethods.LoadLibrary("kernel32.dll");
IntPtr hFreeHandle = NativeMethods.GetProcAddress(hKernel32, "FreeLibrary");
// Create the remote thread and point it to FreeLibrary
uint temp = 0;
IntPtr hCreateRemoteThread = NativeMethods.CreateRemoteThread((IntPtr)hProcess, (IntPtr)0, 0, hFreeHandle, (IntPtr)processInfo.Module.BaseAddress, 0, out temp);
// Wait for thread to end
NativeMethods.WaitForSingleObject(hCreateRemoteThread, 2000);
//Closes the remote thread handle
NativeMethods.CloseHandle(hCreateRemoteThread);
//Free up the kernel32.dll
if (hKernel32 != null)
NativeMethods.FreeLibrary(hKernel32);
// Close the process handle
NativeMethods.CloseHandle(hProcess);
}
public static void Main()
{
string strFile = @"C:\Program Files\Microsoft Office\OFFICE11\MSCAL.OCX";
List<ProcessInfo> lockingProcesses = getProcessInfo(strFile, false);
foreach (ProcessInfo processInfo in lockingProcesses)
{
forceRemoteCloseHandle(processInfo);
// OR
forceRemoteFreeLibrary(processInfo);
}
// OR
foreach (ProcessInfo procInfo in lockingProcesses)
{
procInfo.Process.Kill();
}
}
internal static class NativeMethods
{
internal const int PROCESS_TERMINATE = 0x0001;
internal const int PROCESS_CREATE_THREAD = 0x0002;
internal const int PROCESS_VM_OPERATION = 0x0008;
internal const int PROCESS_VM_READ = 0x0010;
internal const int PROCESS_VM_WRITE = 0x0020;
internal const int PROCESS_QUERY_INFORMATION = 0x0400;
[DllImport("Kernel32.dll", CharSet = CharSet.Auto)]
internal static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
internal static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("Kernel32.dll", CharSet = CharSet.Auto)]
internal static extern int WaitForSingleObject(IntPtr hHandle, int dwMilliseconds);
[DllImport("kernel32", SetLastError = true)]
internal static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", SetLastError = true)]
internal static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32")]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);
[DllImport("Kernel32.dll", CharSet = CharSet.Auto)]
internal static extern int CloseHandle(IntPtr hPass);
}
...
3.只需使用解锁器
这是我最好的建议。来自 technet 的句柄无法处理加载的 dll/ocx 锁(在我的测试中)。Win32 混乱且无证。
Unlocker 提供命令行访问,因此您可以以与 handle.exe 完全相同的方式调用它。只需要一个 /? unlocker.exe 在命令提示符后查看开关。
还有一个便携式版本的 Unlocker 可用,因此您可以将其捆绑到您的部署中,而无需强制最终用户安装该应用程序。
如果一切都失败了,您可以联系 Unlocker 的作者,从他的自述文件中查看。
许可
如果您有兴趣以原始或修改的形式重新分发 Unlocker,或者希望在产品中使用 Unlocker 源代码,请发送电子邮件至 ccollomb@yahoo.com 并提供详细信息。
...
4. 使用 Process Hacker 共享库
我刚刚发现了这个出色的工具:Process Hacker,它是用 100% C# 代码编写的(尽管它确实通过 P/Invoke 底层使用了很多 WinAPI 函数)。
最好的一点是:它是开源的 (LGPL'd),并提供了两个开发人员可以在他们的解决方案中引用的库:ProcessHacker.Common ProcessHacker.Native。
我下载了源代码,只是一个警告,这是一个非常大的解决方案,因此可能需要一些时间来弄清楚究竟是什么/如何使用它。
它使用我在选项 2 中谈到的未记录的 API 函数 (ntdll.dl),并且可以做 Unlocker 可以做的所有事情以及更多。
不确定这是否适用于 ActiveX 对象,但它确实适用于 .NET 程序集。我将它用于必须平滑覆盖 DLL 的单元测试。使用的机制是卷影复制。
从应用程序外部关闭句柄似乎不是一个非常安全的选择。
这不是解决方案,也许是一个想法或方向......