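/* Defined further down; declared here because UnLoadModules calls it first. */
DWORD GetProcessIdByName(LPCTSTR name);

/**
 * Forcibly unmap one loaded module from another process.
 *
 * Resolves @p processname to a PID, walks that process's module list with
 * Toolhelp, and passes the matching module's base address to
 * ZwUnmapViewOfSection.
 *
 * This is not a cooperative unload: the call site does nothing to stop
 * threads in the target or to consult the module's reference counts, so any
 * thread still executing in, or holding pointers into, the unmapped image
 * will fault afterwards.
 *
 * @param processname  Executable file name of the target process.
 * @param modulename   Module file name to look for (compared case-insensitively).
 * @return TRUE only if the module was found and the unmap call reported
 *         success; FALSE on any lookup, open or unmap failure.
 *
 * NOTE(review): the target is chosen by image name only (first match), and
 * the PID is resolved before the handle is opened, so a same-named process or
 * a recycled PID can be hit instead. Confirm callers can tolerate that.
 */
BOOL UnLoadModules(LPCTSTR processname, LPCTSTR modulename)
{
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    HANDLE hpro = NULL;
    MODULEENTRY32 me32;
    PVOID modulebase = NULL;   /* kept as a pointer: a DWORD truncates on 64-bit */
    BOOL found = FALSE;
    BOOL ok = FALSE;
    DWORD pid;
    LONG status;

    if (processname == NULL || modulename == NULL) {
        return FALSE;
    }

    /* The routine is resolved at run time (see the note at the end of this
     * listing), so the lookup may have failed. */
    if (ZwUnmapViewOfSection == NULL) {
        return FALSE;
    }

    /* GetProcessIdByName returns 0 for "not found". Passing 0 on to
     * CreateToolhelp32Snapshot would enumerate the *calling* process. */
    pid = GetProcessIdByName(processname);
    if (pid == 0) {
        return FALSE;
    }

    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (hModuleSnap == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    me32.dwSize = sizeof(MODULEENTRY32);
    if (!Module32First(hModuleSnap, &me32)) {
        CloseHandle(hModuleSnap);
        return FALSE;
    }

    /* The %s conversions below assume an ANSI (non-UNICODE) build, as the
     * original listing did. */
    do {
        printf("\n\n MODULE NAME: %s", me32.szModule);
        printf("\n executable = %s", me32.szExePath);
        printf("\n process ID = 0x%08lX", (unsigned long)me32.th32ProcessID);
        printf("\n ref count (g) = 0x%04lX", (unsigned long)me32.GlblcntUsage);
        printf("\n ref count (p) = 0x%04lX", (unsigned long)me32.ProccntUsage);
        printf("\n base address = 0x%p", (void *)me32.modBaseAddr);
        printf("\n base size = %lu", (unsigned long)me32.modBaseSize);

        if (lstrcmpi(me32.szModule, modulename) == 0) {
            modulebase = (PVOID)me32.modBaseAddr;
            found = TRUE;
            printf("module :%s found at :%p\n", modulename, modulebase);
            break;
        }
    } while (Module32Next(hModuleSnap, &me32));

    CloseHandle(hModuleSnap);

    /* Never unmap unless the module was actually located: the original
     * passed an uninitialised address when the search came up empty. */
    if (!found) {
        return FALSE;
    }

    /* Least privilege: request only the right the unmap call needs instead of
     * PROCESS_ALL_ACCESS, and do not mark the handle inheritable so it cannot
     * leak into child processes. */
    hpro = OpenProcess(PROCESS_VM_OPERATION, FALSE, pid);
    if (hpro == NULL) {
        printf("OpenProcess failed, error %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }

    /* NOTE(review): assumes the pointer is declared with the native
     * (HANDLE, PVOID) -> NTSTATUS signature; confirm against its typedef. */
    status = (LONG)ZwUnmapViewOfSection(hpro, modulebase);
    ok = (status >= 0);   /* NTSTATUS success values are non-negative */
    if (!ok) {
        printf("ZwUnmapViewOfSection failed, status 0x%08lX\n",
               (unsigned long)status);
    }

    CloseHandle(hpro);
    return ok;
}

/**
 * Look up a process ID by executable file name.
 *
 * Takes a system-wide process snapshot and returns the PID of the first
 * entry whose szExeFile equals @p name. The comparison is case-insensitive.
 *
 * @param name  Executable file name as reported in PROCESSENTRY32.szExeFile.
 * @return The matching PID, or 0 if no process matched or the snapshot
 *         could not be taken.
 *
 * Only the file name is compared; the image path is not checked, so any
 * process with the same name matches.
 */
DWORD GetProcessIdByName(LPCTSTR name)
{
    PROCESSENTRY32 prostruct;
    DWORD id = 0;
    HANDLE hSnapshot;

    if (name == NULL) {
        return 0;
    }

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    prostruct.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnapshot, &prostruct)) {
        /* Compare before advancing, so the entry returned by Process32First
         * is examined too (the original skipped it). */
        do {
            if (lstrcmpi(prostruct.szExeFile, name) == 0) {
                id = prostruct.th32ProcessID;
                break;
            }
            prostruct.dwSize = sizeof(PROCESSENTRY32);
        } while (Process32Next(hSnapshot, &prostruct));
    }

    /* Single exit path: the snapshot handle is released on failure as well. */
    CloseHandle(hSnapshot);
    return id;
}

/*
 * ZwUnmapViewOfSection is a function exported by NTDLL; obtain its address
 * yourself with GetProcAddress and call it through that pointer.
 */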