MFC task manager-process suspension and restoration-NtSuspendProcess & NtResumeProcess

Source: Internet
Author: User
Tags erro

Http://hi.baidu.com/xbbsh/blog/item/b73d3125462201084c088db1.html

--------------------------------------------------

MFC task manager-process suspension and recovery-NtSuspendProcess & NtResumeProcess2009-08-11

.h

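public:

    // Signatures of the two ntdll exports that are resolved at run time with
    // GetProcAddress (see OnBnClickedResume). Both take a handle opened with
    // PROCESS_SUSPEND_RESUME. The DWORD return is presumably an NTSTATUS-style
    // code (0 on success) -- confirm against the ntdll build in use.
    typedef DWORD (WINAPI *NtSuspendProcess)(HANDLE ProcessHandle);
    typedef DWORD (WINAPI *NtResumeProcess)(HANDLE hProcess);

    // Resolved function pointers. They are not initialized here; treat them as
    // valid only after OnBnClickedResume has looked them up (consider setting
    // both to NULL in the constructor).
    NtSuspendProcess m_NtSuspendProcess;
    NtResumeProcess  m_NtResumeProcess;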

.cpp:

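// Button handler: resume the process selected in m_list2 (column 1 holds the
// PID as text). Does nothing when no row is selected, the process cannot be
// opened, or NtResumeProcess cannot be resolved.
void CPage2::OnBnClickedResume()
{
    int nIdx = m_list2.GetNextItem(-1, LVNI_SELECTED);
    if (nIdx == -1)
        return;   // no selection

    CString process = m_list2.GetItemText(nIdx, 1);
    // Read-only access to the text: no GetBuffer()/ReleaseBuffer() pair needed.
    DWORD processID = (DWORD)_ttol((LPCTSTR)process);

    // PROCESS_SUSPEND_RESUME is the only access right NtResumeProcess needs.
    HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processID);
    if (hProcess == NULL)
        return;

    // ntdll.dll is mapped into every process, so GetModuleHandle is enough and
    // adds no LoadLibrary reference that would have to be freed. NtResumeProcess
    // is an undocumented export, hence the run-time lookup.
    HMODULE h_module = GetModuleHandle(TEXT("ntdll.dll"));
    if (h_module != NULL)
    {
        m_NtResumeProcess = (NtResumeProcess)GetProcAddress(h_module, "NtResumeProcess");
        if (m_NtResumeProcess != NULL)
            m_NtResumeProcess(hProcess);
    }

    CloseHandle(hProcess);   // the original leaked this handle on every click
}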

It's too late to go to bed .......

--------------------------------------------------

.h

# Pragma once

# Include <windows. h>
# Include <tlhelp32.h>
# Include <stdio. h>

# Include <string>
# Include <tchar. h>

// # Include <ntifs. h>
# Include <Psapi. h>
# Pragma comment (lib, "Psapi. lib ")

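// Reports a failed API call named by lpszFunction and exits (defined elsewhere).
void ErrorExit(LPTSTR lpszFunction);

//--------------------------------------------------
// Pausing a process. Both methods go through ntdll exports that are resolved
// at run time by LoadNtDllFun(); the wrappers below are thin forwarders.
// Return values are presumably NTSTATUS-style codes (0 == success) -- confirm.

// Method 1: attach to the target as a debugger. This program must keep
// running while the target is paused; if it exits, the paused process exits
// as well.
long DbgUiConnectToDbg_ntdll();
// (The raw function-pointer variables live in the .cpp: declaring them here
//  produced duplicate-definition errors.)
long DbgUiDebugActiveProcess_ntdll(HANDLE ProcessHandle); // pause
long DbgUiStopDebugging_ntdll(HANDLE ProcessHandle);      // restore

// Method 2: NtSuspendProcess / NtResumeProcess. Unlike method 1, this program
// may be closed afterwards. The handle needs PROCESS_SUSPEND_RESUME access.
DWORD NtSuspendProcess_ntdll(HANDLE hProcess); // pause
DWORD NtResumeProcess_ntdll(HANDLE hProcess);  // restore

// Call this first: it resolves the function pointers used by the wrappers
// above. Until it has run, the wrappers report failure instead of calling.
void LoadNtDllFun();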

//--------------------------------------------------

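// Process enumeration helpers plus two small self-tests. Member functions are
// defined in the header; the constructor/destructor are in the .cpp.
class win_proc_public
{
public:
    win_proc_public(void);
    ~win_proc_public(void);
public:

    // Full image path of hProcess as a drive-letter path ("D:\..."), or ""
    // when it cannot be queried (e.g. access denied). hProcess needs
    // PROCESS_QUERY_INFORMATION access.
    // NOTE: the char buffer and std::string return presume a non-UNICODE (MBCS)
    // build, where TCHAR == char and the A-variants of the APIs are selected.
    std::string GetExeFullName(HANDLE hProcess)
    {
        char lpImageFileName[2049] = {0};
        const DWORD nSize = 2048;   // one less than the buffer: keeps the terminator

        DWORD len = GetProcessImageFileName(hProcess, lpImageFileName, nSize);
        if (len < 1)
        {
            // Not fatal: some processes refuse the query for lack of rights,
            // so report "" rather than calling ErrorExit("GetExeFullName:").
            return "";
        }

        // "\Device\HarddiskVolumeN\..." -> "D:\..."
        return DosDevicePath2LogicalPath(lpImageFileName);
    }//

    // Convert "\Device\HarddiskVolume2\x" to "D:\x".
    // Adapted from the MSDN "obtaining a file name from a file handle" sample.
    // Returns "" when lpszDosPath is NULL, the drive list cannot be read, or no
    // drive's device name matches the prefix of lpszDosPath.
    std::string DosDevicePath2LogicalPath(LPCTSTR lpszDosPath)
    {
        std::string strResult = "";

        // Translate path with device name to drive letters.
        TCHAR szTemp[MAX_PATH];
        szTemp[0] = '\0';

        if (lpszDosPath == NULL || !GetLogicalDriveStrings(_countof(szTemp) - 1, szTemp))
        {
            return strResult;
        }

        TCHAR szName[MAX_PATH];
        TCHAR szDrive[3] = TEXT(" :");   // the drive letter is filled in below
        BOOL bFound = FALSE;
        TCHAR* p = szTemp;               // "C:\0D:\0...\0\0"

        do {
            // Copy the drive letter to the template string
            *szDrive = *p;

            // Look up each device name
            if (QueryDosDevice(szDrive, szName, _countof(szName)))
            {
                UINT uNameLen = (UINT)_tcslen(szName);

                if (uNameLen < MAX_PATH)
                {
                    // The device name must be followed by a separator (or end
                    // the string): a bare prefix match would let
                    // "\Device\HarddiskVolume1" claim "\Device\HarddiskVolume10\...".
                    bFound = _tcsnicmp(lpszDosPath, szName, uNameLen) == 0
                          && (lpszDosPath[uNameLen] == TEXT('\\') || lpszDosPath[uNameLen] == TEXT('\0'));

                    if (bFound)
                    {
                        // Replace the device prefix with "D:". Building the
                        // result in the std::string avoids the fixed MAX_PATH
                        // buffer the original formatted into.
                        strResult = szDrive;
                        strResult += lpszDosPath + uNameLen;
                    }
                }
            }

            // Go to the next NULL character.
            while (*p++);
        } while (!bFound && *p); // end of string

        return strResult;
    }//

    // Entry point used by test1(): lists every process on stdout.
    void mainaaa()
    {
        GetProcessList();
    }

    // Walk a Toolhelp snapshot and print name, path, ids, thread count and
    // priority for every process. Returns FALSE when the snapshot cannot be
    // taken or enumerated; per-process failures only print "erro ".
    BOOL GetProcessList()
    {
        HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnap == INVALID_HANDLE_VALUE)
        {
            return FALSE;
        }

        PROCESSENTRY32 pe32;
        pe32.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First

        if (!Process32First(hProcessSnap, &pe32))
        {
            CloseHandle(hProcessSnap);
            return FALSE;
        }

        do
        {
            printf("\n"
                   "==============================================================");
            printf("\nPROCESS NAME:  %s", pe32.szExeFile);
            printf("\n"
                   "-----------------------------------------------------");

            DWORD dwPriorityClass = 0;
            // Query-only access is all GetPriorityClass and
            // GetProcessImageFileName need, and it succeeds for more processes
            // than PROCESS_ALL_ACCESS (least privilege). On Vista and later
            // PROCESS_QUERY_LIMITED_INFORMATION is sufficient as well.
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID);
            if (hProcess == NULL)
            {
                printf("erro ");
            }
            else
            {
                dwPriorityClass = GetPriorityClass(hProcess);
                if (!dwPriorityClass)
                    printf("erro ");

                // Full path of the image (added by clq in the original).
                std::string exename = GetExeFullName(hProcess);
                printf("\n  path = %s", exename.c_str());

                CloseHandle(hProcess);   // the original leaked one handle per process
            }

            // DWORD fields are unsigned long on Windows, hence %lu.
            printf("\n  process ID        = %lu", pe32.th32ProcessID);
            printf("\n  thread count      = %lu", pe32.cntThreads);
            printf("\n  parent process ID = %lu", pe32.th32ParentProcessID);
            printf("\n  Priority Base     = %ld", pe32.pcPriClassBase);
            if (dwPriorityClass)
                printf("\n  Priority Class    = %lu", dwPriorityClass);

        } while (Process32Next(hProcessSnap, &pe32));

        CloseHandle(hProcessSnap);
        return TRUE;
    }//

public:
    // Self-test: list processes, then suspend/resume one fixed PID.
    static void test1()
    {
        win_proc_public proc;
        proc.mainaaa();

        test2(4008);   // PID from the original listing; it must be a live process
    }//

    // Suspend and immediately resume the process `pid` via NtSuspendProcess /
    // NtResumeProcess (method 2). Silently returns if the process cannot be
    // opened.
    static void test2(DWORD pid)
    {
        // PROCESS_SUSPEND_RESUME is all the Nt* calls need; PROCESS_ALL_ACCESS
        // is refused for processes the caller does not fully control.
        HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
        if (hProcess == NULL) return;

        LoadNtDllFun();
        // Method 1 alternative (DbgUiConnectToDbg_ntdll + DbgUiDebugActiveProcess_ntdll,
        // later DbgUiStopDebugging_ntdll) is not used here: this program would
        // have to stay alive while the target is paused.

        NtSuspendProcess_ntdll(hProcess); // pause
        NtResumeProcess_ntdll(hProcess);  // restore

        CloseHandle(hProcess);   // the original leaked this handle
    }//
};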
--------------------------------------------------

.cpp

# Include "win_proc_public.h"

// Nothing to initialize: the class holds no state.
win_proc_public::win_proc_public(void) { }

// Nothing to release: every handle is closed by the member that opened it.
win_proc_public::~win_proc_public(void) { }

//--------------------------------------------------
// Pausing a process

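// Function pointers filled in by LoadNtDllFun(); NULL until then. They are
// defined here only -- declaring them in the .h produced duplicate-definition
// errors.
// Method 1: debugger attach
long (WINAPI *DbgUiConnectToDbg_p)() = NULL;
long (WINAPI *DbgUiDebugActiveProcess_p)(HANDLE ProcessHandle) = NULL; // pause
long (WINAPI *DbgUiStopDebugging_p)(HANDLE ProcessHandle) = NULL;      // restore
// Method 2: suspend / resume
DWORD (WINAPI *NtResumeProcess_p)(HANDLE hProcess) = NULL;   // restore
DWORD (WINAPI *NtSuspendProcess_p)(HANDLE hProcess) = NULL;  // pause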

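// Resolve the ntdll exports used by the *_ntdll wrappers. On any failure the
// affected pointer is left NULL, so the wrappers report an error instead of
// calling through a stale or dangling pointer.
void LoadNtDllFun()
{
    DbgUiConnectToDbg_p = NULL;
    DbgUiDebugActiveProcess_p = NULL;
    DbgUiStopDebugging_p = NULL;
    NtResumeProcess_p = NULL;
    NtSuspendProcess_p = NULL;

    // ntdll.dll is mapped into every Win32 process, so GetModuleHandle is
    // sufficient and adds no LoadLibrary reference that would need FreeLibrary
    // (the original never freed it). TEXT() keeps this correct in UNICODE builds.
    HMODULE dllhandle = GetModuleHandle(TEXT("ntdll.dll"));
    if (dllhandle == NULL)
        return;

    // Method 1
    DbgUiConnectToDbg_p = (long (WINAPI *)())GetProcAddress(dllhandle, "DbgUiConnectToDbg");
    DbgUiDebugActiveProcess_p = (long (WINAPI *)(HANDLE))GetProcAddress(dllhandle, "DbgUiDebugActiveProcess");
    DbgUiStopDebugging_p = (long (WINAPI *)(HANDLE))GetProcAddress(dllhandle, "DbgUiStopDebugging");

    // Method 2
    NtResumeProcess_p = (DWORD (WINAPI *)(HANDLE))GetProcAddress(dllhandle, "NtResumeProcess");
    NtSuspendProcess_p = (DWORD (WINAPI *)(HANDLE))GetProcAddress(dllhandle, "NtSuspendProcess");
}//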

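// Method 1, step 1: connect this process to the debug subsystem.
// Returns 0xC0000001 (STATUS_UNSUCCESSFUL) when LoadNtDllFun() has not
// resolved the export, instead of calling through a NULL pointer.
long DbgUiConnectToDbg_ntdll()
{
    if (DbgUiConnectToDbg_p == NULL)
        return (long)0xC0000001;
    return DbgUiConnectToDbg_p();
}//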

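// Method 1, pause: attach to ProcessHandle as a debugger.
// Returns 0xC0000001 (STATUS_UNSUCCESSFUL) when LoadNtDllFun() has not
// resolved the export, instead of calling through a NULL pointer.
long DbgUiDebugActiveProcess_ntdll(HANDLE ProcessHandle)
{
    if (DbgUiDebugActiveProcess_p == NULL)
        return (long)0xC0000001;
    return DbgUiDebugActiveProcess_p(ProcessHandle);
}//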

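// Method 1, restore: detach from ProcessHandle.
// Returns 0xC0000001 (STATUS_UNSUCCESSFUL) when LoadNtDllFun() has not
// resolved the export, instead of calling through a NULL pointer.
long DbgUiStopDebugging_ntdll(HANDLE ProcessHandle)
{
    if (DbgUiStopDebugging_p == NULL)
        return (long)0xC0000001;
    return DbgUiStopDebugging_p(ProcessHandle);
}//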

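// Method 2, restore: resume every thread of hProcess (the original comment
// had pause/restore swapped). hProcess needs PROCESS_SUSPEND_RESUME.
// Returns 0xC0000001 (STATUS_UNSUCCESSFUL) when LoadNtDllFun() has not
// resolved the export, instead of calling through a NULL pointer.
DWORD NtResumeProcess_ntdll(HANDLE hProcess)
{
    if (NtResumeProcess_p == NULL)
        return 0xC0000001;
    return NtResumeProcess_p(hProcess);
}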

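// Method 2, pause: suspend every thread of hProcess (the original comment
// had pause/restore swapped). hProcess needs PROCESS_SUSPEND_RESUME.
// Returns 0xC0000001 (STATUS_UNSUCCESSFUL) when LoadNtDllFun() has not
// resolved the export, instead of calling through a NULL pointer.
DWORD NtSuspendProcess_ntdll(HANDLE hProcess)
{
    if (NtSuspendProcess_p == NULL)
        return 0xC0000001;
    return NtSuspendProcess_p(hProcess);
}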

/*
Another version that is reported to work:
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
if (hProcess)
{
    HINSTANCE h_module = LoadLibrary("ntdll.dll");
    NtProcess mProcess = (NtProcess)GetProcAddress(h_module, "NtResumeProcess"); // NtResumeProcess or NtSuspendProcess
    mProcess(hProcess);
}
processID is the PID of the target process.
Choose NtSuspendProcess to pause or NtResumeProcess to resume.
*/

//--------------------------------------------------
