NativeAPI 暂停进程
NativeAPI Suspend process
我想暂停某个进程,使用的是 ntdll 中的 NativeAPI。我先写了一段 C 代码,它能正常工作:
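/* Pointer type for ntdll!NtSuspendProcess. NtResumeProcess has the same
 * signature, so Resume() below reuses this typedef. The return value is an
 * NTSTATUS: a non-negative value means success (NT_SUCCESS). */
typedef LONG(NTAPI* NtSuspendProcess)(IN HANDLE ProcessHandle);

/* The only access right NtSuspendProcess/NtResumeProcess require (winnt.h).
 * Requesting just this instead of PROCESS_ALL_ACCESS follows least privilege;
 * the guard only covers SDK headers that do not define the macro. */
#ifndef PROCESS_SUSPEND_RESUME
#define PROCESS_SUSPEND_RESUME 0x0800
#endif

/*
 * Suspend - thread-procedure style entry point (UINT __stdcall, VOID* arg).
 * processId: the target process id, cast to a pointer by the caller.
 * Returns 0 when NtSuspendProcess reported success; 1 when OpenProcess or the
 * ntdll lookup failed, or when NtSuspendProcess returned a failing NTSTATUS.
 * The handle is closed on every path that opened it, and the function pointer
 * returned by GetProcAddress is never called unchecked.
 */
UINT __stdcall Suspend(VOID* processId)
{
    UINT result = 1;
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, (DWORD)(ULONG_PTR)processId);
    if (processHandle == NULL)
        return result;                      /* nothing was opened, nothing to close */

    /* GetModuleHandleW is used explicitly: the L"..." literal only matches the
     * generic GetModuleHandle when UNICODE is defined. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll");
    NtSuspendProcess pfnNtSuspendProcess =
        ntdll ? (NtSuspendProcess)GetProcAddress(ntdll, "NtSuspendProcess") : NULL;
    if (pfnNtSuspendProcess != NULL) {
        LONG status = pfnNtSuspendProcess(processHandle);
        result = (status >= 0) ? 0 : 1;     /* NT_SUCCESS(): non-negative NTSTATUS */
    }
    CloseHandle(processHandle);
    return result;
}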
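/* Least-privilege right for suspend/resume (winnt.h); guard only covers SDK
 * headers that lack the macro. */
#ifndef PROCESS_SUSPEND_RESUME
#define PROCESS_SUSPEND_RESUME 0x0800
#endif

/*
 * Resume - thread-procedure style entry point (UINT __stdcall, VOID* arg).
 * processId: the target process id, cast to a pointer by the caller.
 * Returns 0 when NtResumeProcess reported success; 1 when OpenProcess or the
 * ntdll lookup failed, or when NtResumeProcess returned a failing NTSTATUS.
 * Uses the NtSuspendProcess pointer typedef because both routines take a
 * single HANDLE and return an NTSTATUS.
 */
UINT __stdcall Resume(VOID* processId)
{
    UINT result = 1;
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, (DWORD)(ULONG_PTR)processId);
    if (processHandle == NULL)
        return result;                      /* nothing was opened, nothing to close */

    /* Explicit W variant: the L"..." literal needs UNICODE for GetModuleHandle. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll");
    NtSuspendProcess pfnNtResumeProcess =
        ntdll ? (NtSuspendProcess)GetProcAddress(ntdll, "NtResumeProcess") : NULL;
    if (pfnNtResumeProcess != NULL) {
        LONG status = pfnNtResumeProcess(processHandle);
        result = (status >= 0) ? 0 : 1;     /* NT_SUCCESS(): non-negative NTSTATUS */
    }
    CloseHandle(processHandle);
    return result;
}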
但是,当我用 MASM 改写它时,进程并没有停止。我检查了寄存器 EAX 和 ECX,值都正常。我还调用了 GetLastError,它的返回值为零。代码如下:
; pauseProc(pid) - open the process `pid`, look up ntdll!NtSuspendProcess and
; return. Reads/writes the global processHandle; NtModuleNameWStr,
; NtSuspendProcessAStr and the three error strings are defined elsewhere in
; the file. stdcall; eax/ecx/edx are clobbered.
pauseProc proc pid:dword
; OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid) -> eax = handle, or 0 on failure
push pid
push 0
push PROCESS_ALL_ACCESS
call OpenProcess@12
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorOpenProccess
PUSH 0
CALL MessageBoxA@16
; NOTE(review): no early exit here - on failure execution falls through with
; eax = MessageBoxA's return value, which is then stored as processHandle.
.ENDIF
mov processHandle, eax
; GetModuleHandleW(L"ntdll") -> eax = module handle, or 0 on failure
push offset NtModuleNameWStr
call GetModuleHandleW@4
; call GetLastError
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorGetModuleHandle
PUSH 0
CALL MessageBoxA@16
; NOTE(review): same fall-through as above; eax no longer holds a module handle.
.ENDIF
; GetProcAddress(hModule, "NtSuspendProcess") -> eax = function address, or 0
push offset NtSuspendProcessAStr
push eax
call GetProcAddress@8
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorGetProcAddress
PUSH 0
CALL MessageBoxA@16
; NOTE(review): falls through with eax = MessageBoxA's return value.
.ENDIF
; NOTE(review): the address returned in eax above is never called - nothing
; between GetProcAddress and CloseHandle invokes NtSuspendProcess, so the
; target process keeps running. A `push processHandle` / `call eax` belongs here.
push processHandle
call CloseHandle@4
; pfnNtSuspendProcess
ret
pauseProc endp
关于常量:
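; Access-right constants as defined in winnt.h (32-bit access masks).
STANDARD_RIGHTS_REQUIRED equ 000F0000h
SYNCHRONIZE equ 00100000h
; Full access to a process. The low 16 bits are 0FFFFh on Windows Vista and
; later, 0FFFh on earlier versions; this file targets Windows 10.
PROCESS_ALL_ACCESS equ (STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or 0FFFFh)
; Least-privilege alternative: the only right NtSuspendProcess/NtResumeProcess
; need. Requesting just this may succeed on targets where PROCESS_ALL_ACCESS
; is refused, and it limits what a bug in the caller can do with the handle.
PROCESS_SUSPEND_RESUME equ 00000800h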
我用的是 Windows 10,所以这里要写 0FFFFh;Windows Vista 之前的版本则是 0FFFh。为什么进程没有停止?
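;Process pause
;-----------------------------------------------------------------------
; pauseProc(pid) - suspend the process with id `pid` via ntdll!NtSuspendProcess.
; In:    pid (dword stack parameter)
; Out:   eax = 0 on success; 1 if OpenProcess, GetModuleHandleW or
;        GetProcAddress failed (an error box is shown first); otherwise the
;        NTSTATUS returned by NtSuspendProcess (negative = failure).
; Uses:  global processHandle; NtModuleNameWStr, NtSuspendProcessAStr and
;        the error strings are defined elsewhere in the file.
; Clobb: eax, ecx, edx. The process handle is closed on every path that
;        opened it, and the function pointer is never called when the
;        lookup failed.
;-----------------------------------------------------------------------
pauseProc proc pid:dword
        LOCAL   ntStatus:dword
        ; PROCESS_ALL_ACCESS is wider than NtSuspendProcess needs;
        ; PROCESS_SUSPEND_RESUME (0800h) is the least-privilege right.
        push    pid
        push    0
        push    PROCESS_ALL_ACCESS
        call    OpenProcess@12
        .IF eax == 0
        PUSH    MB_ICONERROR
        PUSH    0
        PUSH    offset errorOpenProccess
        PUSH    0
        CALL    MessageBoxA@16
        mov     eax, 1                  ; nothing was opened, nothing to close
        ret
        .ENDIF
        mov     processHandle, eax

        push    offset NtModuleNameWStr
        call    GetModuleHandleW@4
        .IF eax == 0
        PUSH    MB_ICONERROR
        PUSH    0
        PUSH    offset errorGetModuleHandle
        PUSH    0
        CALL    MessageBoxA@16
        jmp     fail_close              ; do not pass 0 to GetProcAddress
        .ENDIF

        push    offset NtSuspendProcessAStr
        push    eax                     ; module handle from GetModuleHandleW
        call    GetProcAddress@8
        .IF eax == 0
        PUSH    MB_ICONERROR
        PUSH    0
        PUSH    offset errorGetProcAddress
        PUSH    0
        CALL    MessageBoxA@16
        jmp     fail_close              ; eax is not a function address here
        .ENDIF

        ;Call NtSuspendProcess from dll: stdcall, one argument, NTSTATUS in eax
        push    processHandle
        call    eax
        mov     ntStatus, eax           ; CloseHandle clobbers eax
        push    processHandle
        call    CloseHandle@4
        mov     eax, ntStatus
        ret

fail_close:
        push    processHandle
        call    CloseHandle@4
        mov     eax, 1
        ret
pauseProc endp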
我想暂停某个进程,使用的是 ntdll 中的 NativeAPI。我先写了一段 C 代码,它能正常工作:
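/* Pointer type for ntdll!NtSuspendProcess. NtResumeProcess has the same
 * signature, so Resume() below reuses this typedef. The return value is an
 * NTSTATUS: a non-negative value means success (NT_SUCCESS). */
typedef LONG(NTAPI* NtSuspendProcess)(IN HANDLE ProcessHandle);

/* The only access right NtSuspendProcess/NtResumeProcess require (winnt.h).
 * Requesting just this instead of PROCESS_ALL_ACCESS follows least privilege;
 * the guard only covers SDK headers that do not define the macro. */
#ifndef PROCESS_SUSPEND_RESUME
#define PROCESS_SUSPEND_RESUME 0x0800
#endif

/*
 * Suspend - thread-procedure style entry point (UINT __stdcall, VOID* arg).
 * processId: the target process id, cast to a pointer by the caller.
 * Returns 0 when NtSuspendProcess reported success; 1 when OpenProcess or the
 * ntdll lookup failed, or when NtSuspendProcess returned a failing NTSTATUS.
 * The handle is closed on every path that opened it, and the function pointer
 * returned by GetProcAddress is never called unchecked.
 */
UINT __stdcall Suspend(VOID* processId)
{
    UINT result = 1;
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, (DWORD)(ULONG_PTR)processId);
    if (processHandle == NULL)
        return result;                      /* nothing was opened, nothing to close */

    /* GetModuleHandleW is used explicitly: the L"..." literal only matches the
     * generic GetModuleHandle when UNICODE is defined. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll");
    NtSuspendProcess pfnNtSuspendProcess =
        ntdll ? (NtSuspendProcess)GetProcAddress(ntdll, "NtSuspendProcess") : NULL;
    if (pfnNtSuspendProcess != NULL) {
        LONG status = pfnNtSuspendProcess(processHandle);
        result = (status >= 0) ? 0 : 1;     /* NT_SUCCESS(): non-negative NTSTATUS */
    }
    CloseHandle(processHandle);
    return result;
}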
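/* Least-privilege right for suspend/resume (winnt.h); guard only covers SDK
 * headers that lack the macro. */
#ifndef PROCESS_SUSPEND_RESUME
#define PROCESS_SUSPEND_RESUME 0x0800
#endif

/*
 * Resume - thread-procedure style entry point (UINT __stdcall, VOID* arg).
 * processId: the target process id, cast to a pointer by the caller.
 * Returns 0 when NtResumeProcess reported success; 1 when OpenProcess or the
 * ntdll lookup failed, or when NtResumeProcess returned a failing NTSTATUS.
 * Uses the NtSuspendProcess pointer typedef because both routines take a
 * single HANDLE and return an NTSTATUS.
 */
UINT __stdcall Resume(VOID* processId)
{
    UINT result = 1;
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, (DWORD)(ULONG_PTR)processId);
    if (processHandle == NULL)
        return result;                      /* nothing was opened, nothing to close */

    /* Explicit W variant: the L"..." literal needs UNICODE for GetModuleHandle. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll");
    NtSuspendProcess pfnNtResumeProcess =
        ntdll ? (NtSuspendProcess)GetProcAddress(ntdll, "NtResumeProcess") : NULL;
    if (pfnNtResumeProcess != NULL) {
        LONG status = pfnNtResumeProcess(processHandle);
        result = (status >= 0) ? 0 : 1;     /* NT_SUCCESS(): non-negative NTSTATUS */
    }
    CloseHandle(processHandle);
    return result;
}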
但是,当我用 MASM 改写它时,进程并没有停止。我检查了寄存器 EAX 和 ECX,值都正常。我还调用了 GetLastError,它的返回值为零。代码如下:
; pauseProc(pid) - open the process `pid`, look up ntdll!NtSuspendProcess and
; return. Reads/writes the global processHandle; NtModuleNameWStr,
; NtSuspendProcessAStr and the three error strings are defined elsewhere in
; the file. stdcall; eax/ecx/edx are clobbered.
pauseProc proc pid:dword
; OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid) -> eax = handle, or 0 on failure
push pid
push 0
push PROCESS_ALL_ACCESS
call OpenProcess@12
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorOpenProccess
PUSH 0
CALL MessageBoxA@16
; NOTE(review): no early exit here - on failure execution falls through with
; eax = MessageBoxA's return value, which is then stored as processHandle.
.ENDIF
mov processHandle, eax
; GetModuleHandleW(L"ntdll") -> eax = module handle, or 0 on failure
push offset NtModuleNameWStr
call GetModuleHandleW@4
; call GetLastError
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorGetModuleHandle
PUSH 0
CALL MessageBoxA@16
; NOTE(review): same fall-through as above; eax no longer holds a module handle.
.ENDIF
; GetProcAddress(hModule, "NtSuspendProcess") -> eax = function address, or 0
push offset NtSuspendProcessAStr
push eax
call GetProcAddress@8
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorGetProcAddress
PUSH 0
CALL MessageBoxA@16
; NOTE(review): falls through with eax = MessageBoxA's return value.
.ENDIF
; NOTE(review): the address returned in eax above is never called - nothing
; between GetProcAddress and CloseHandle invokes NtSuspendProcess, so the
; target process keeps running. A `push processHandle` / `call eax` belongs here.
push processHandle
call CloseHandle@4
; pfnNtSuspendProcess
ret
pauseProc endp
关于常量:
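; Access-right constants as defined in winnt.h (32-bit access masks).
STANDARD_RIGHTS_REQUIRED equ 000F0000h
SYNCHRONIZE equ 00100000h
; Full access to a process. The low 16 bits are 0FFFFh on Windows Vista and
; later, 0FFFh on earlier versions; this file targets Windows 10.
PROCESS_ALL_ACCESS equ (STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or 0FFFFh)
; Least-privilege alternative: the only right NtSuspendProcess/NtResumeProcess
; need. Requesting just this may succeed on targets where PROCESS_ALL_ACCESS
; is refused, and it limits what a bug in the caller can do with the handle.
PROCESS_SUSPEND_RESUME equ 00000800h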
我用的是 Windows 10,所以这里要写 0FFFFh;Windows Vista 之前的版本则是 0FFFh。为什么进程没有停止?
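;Process pause
;-----------------------------------------------------------------------
; pauseProc(pid) - suspend the process with id `pid` via ntdll!NtSuspendProcess.
; In:    pid (dword stack parameter)
; Out:   eax = 0 on success; 1 if OpenProcess, GetModuleHandleW or
;        GetProcAddress failed (an error box is shown first); otherwise the
;        NTSTATUS returned by NtSuspendProcess (negative = failure).
; Uses:  global processHandle; NtModuleNameWStr, NtSuspendProcessAStr and
;        the error strings are defined elsewhere in the file.
; Clobb: eax, ecx, edx. The process handle is closed on every path that
;        opened it, and the function pointer is never called when the
;        lookup failed.
;-----------------------------------------------------------------------
pauseProc proc pid:dword
        LOCAL   ntStatus:dword
        ; PROCESS_ALL_ACCESS is wider than NtSuspendProcess needs;
        ; PROCESS_SUSPEND_RESUME (0800h) is the least-privilege right.
        push    pid
        push    0
        push    PROCESS_ALL_ACCESS
        call    OpenProcess@12
        .IF eax == 0
        PUSH    MB_ICONERROR
        PUSH    0
        PUSH    offset errorOpenProccess
        PUSH    0
        CALL    MessageBoxA@16
        mov     eax, 1                  ; nothing was opened, nothing to close
        ret
        .ENDIF
        mov     processHandle, eax

        push    offset NtModuleNameWStr
        call    GetModuleHandleW@4
        .IF eax == 0
        PUSH    MB_ICONERROR
        PUSH    0
        PUSH    offset errorGetModuleHandle
        PUSH    0
        CALL    MessageBoxA@16
        jmp     fail_close              ; do not pass 0 to GetProcAddress
        .ENDIF

        push    offset NtSuspendProcessAStr
        push    eax                     ; module handle from GetModuleHandleW
        call    GetProcAddress@8
        .IF eax == 0
        PUSH    MB_ICONERROR
        PUSH    0
        PUSH    offset errorGetProcAddress
        PUSH    0
        CALL    MessageBoxA@16
        jmp     fail_close              ; eax is not a function address here
        .ENDIF

        ;Call NtSuspendProcess from dll: stdcall, one argument, NTSTATUS in eax
        push    processHandle
        call    eax
        mov     ntStatus, eax           ; CloseHandle clobbers eax
        push    processHandle
        call    CloseHandle@4
        mov     eax, ntStatus
        ret

fail_close:
        push    processHandle
        call    CloseHandle@4
        mov     eax, 1
        ret
pauseProc endp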