can't eject a dll, event match case.

[ghggn]

oepn an app(wechat.exe), and it's dll list show like this(windows Resource Monitor)

then i inject a dll into this app by pid

it success and in windows Resource Monitor we can find it .

but
i cant eject this dll anymore .

[nefarius]

Try just the dll name, without the path.

[ghggn]

i already do that , you can see the last pic , i use dll name only and full path . there has two command and all failed .

[nefarius]

Ah, correct. Odd, I'll see if I can reproduce and fix 🤞

[ghggn]

I eject a dll which injected by another process, that is ListaryHook64.dll in the above screenshot, and I can successfully eject it.
I also modified the source code to output the name and path of the dll when ejecting, and there is no wxhelper in list.
This is the link of wxhelper source code, if you are interested, maybe it will make help for solve the problem!
https://github.com/ttttupup/wxhelper

[nefarius]

@ghggn does it work with an earlier version? Like v1.1.12?

[ghggn]

it not work too

[nefarius]

@ghggn please try the latest master build.

[ghggn]

still not work

[nefarius]

OK thx for the feedback, will continue investigating.

[nefarius]

still not work

I recommend you step through here with the debugger and see what kind of strings you're getting back in the comparison.

[bot-1450]

Well I think ghggn tried the latest release (which hasn't been updated yet) rather than building the latest code. The latest code not only fails eject but also inject. I studied it a little. It is really difficult to setup the software mentioned. Never mind, finally reproduced.

The different behaviors root from that we use snapshot CreateToolhelp32Snapshot/Module32FirstW/Module32NextW (which was used by EjectLib before the most recent commits) to enumerate the modules, while Performance Monitor uses EnumProcessModulesEx directly. Also it uses GetModuleBaseNameW/GetModuleFileNameExW instead of szModule/szExePath to retrieve certain names.

I will fix this and make new PR later.

BTW, I happen to notice GetModuleFileNameExW says:

Retrieves the fully qualified path for the file containing the specified module.

So, when someone tries to use a relative path, since we simply append it rather than qualifying it, the comparison fails. (For example comparing A\..\B.dll against B.dll will fail doubtlessly.)

Injector/Injector/Injector.cpp

Lines 240 to 243 in 8e7314c

	// Convert path to loader to path to module
	std::tstring ModulePath(&LoaderPath[0]);
	ModulePath = ModulePath.substr(0, ModulePath.rfind( _T("\\") ) + 1);
	ModulePath.append(ModuleName);

After turning Tool Help Library (tlhelp32) into Process Status API (psapi) this should also be fixed together.