Http://hi.baidu.com/xbbsh/blog/item/b73d3125462201084c088db1.html
--------------------------------------------------
MFC task manager-process suspension and recovery-NtSuspendProcess & NtResumeProcess2009-08-11
. H
Pubilc:
Typedef DWORD (WINAPI * NtSuspendProcess) (HANDLE ProcessHandle );
Typedef DWORD (WINAPI * NtResumeProcess) (HANDLE hProcess );
NtSuspendProcess m_NtSuspendProcess;
NtResumeProcess m_NtResumeProcess;
. Cpp:
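// Resume the process selected in m_list2 through the undocumented ntdll
// export NtResumeProcess. Column 1 of the list holds the PID as text.
// Only PROCESS_SUSPEND_RESUME is requested: that is the single access right
// NtSuspendProcess/NtResumeProcess need, and asking for more is refused for
// more targets and grants rights this handler never uses.
void CPage2::OnBnClickedResume()
{
    const int nIdx = m_list2.GetNextItem(-1, LVNI_SELECTED);
    if (nIdx < 0)
        return;  // GetNextItem returns -1 when nothing is selected

    // CString converts to LPCTSTR directly; the original GetBuffer(0) call
    // had no matching ReleaseBuffer().
    const CString process = m_list2.GetItemText(nIdx, 1);
    const DWORD processID = static_cast<DWORD>(_ttol(static_cast<LPCTSTR>(process)));
    if (processID == 0)
        return;  // not a number (or the Idle process): nothing sensible to resume

    HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processID);
    if (hProcess == NULL)
        return;

    // ntdll.dll is mapped into every Win32 process, so GetModuleHandle is
    // enough; LoadLibrary would add a module reference nobody releases.
    HMODULE h_module = GetModuleHandle(_T("ntdll.dll"));
    if (h_module != NULL)
    {
        m_NtResumeProcess = reinterpret_cast<NtResumeProcess>(
            GetProcAddress(h_module, "NtResumeProcess"));
        // GetProcAddress returns NULL when the export is missing; calling
        // through a NULL pointer crashed the original.
        if (m_NtResumeProcess != NULL)
            m_NtResumeProcess(hProcess);  // returns an NTSTATUS; non-zero means the resume failed
    }
    CloseHandle(hProcess);  // the original leaked one process handle per click
}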
It's too late to go to bed .......
--------------------------------------------------
. H
#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <Psapi.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>   // strlen / _strnicmp
// #include <ntifs.h>
#include <string>
#pragma comment(lib, "Psapi.lib")
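// Report a failed API call named by lpszFunction and exit (defined elsewhere).
void ErrorExit(LPTSTR lpszFunction);
//--------------------------------------------------
// Pausing a process. Both methods resolve undocumented ntdll.dll exports at
// run time (see LoadNtDllFun); undocumented exports can change between
// Windows versions, so every wrapper's return value must be checked.
// The function-pointer globals live in the .cpp only: declaring them here
// as well was reported as a duplicate definition.
//
// Method 1: attach to the target as a debugger (DbgUi*). According to the
// author's notes the target is terminated if this program exits while
// attached, so it cannot be used for a suspension that outlives this process.
long DbgUiConnectToDbg_ntdll();
long DbgUiDebugActiveProcess_ntdll(HANDLE ProcessHandle);  // pause
long DbgUiStopDebugging_ntdll(HANDLE ProcessHandle);       // restore
// Method 2: NtSuspendProcess / NtResumeProcess. The suspension survives this
// program closing. Each wrapper returns the NTSTATUS from ntdll (0 on
// success); hProcess must have been opened with PROCESS_SUSPEND_RESUME.
DWORD NtSuspendProcess_ntdll(HANDLE hProcess);  // pause
DWORD NtResumeProcess_ntdll(HANDLE hProcess);   // restore
// Call this once before any wrapper above; it fills in the ntdll pointers.
void LoadNtDllFun();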
//--------------------------------------------------
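class win_proc_public
{
public:
    win_proc_public(void);
    ~win_proc_public(void);

public:
    // Full path of the executable backing hProcess as a drive-letter path
    // ("D:\...") or "" when it cannot be read. hProcess needs
    // PROCESS_QUERY_INFORMATION. The explicit ANSI ("A") API variants are
    // used because the result is a narrow std::string; the TCHAR-generic
    // names would stop compiling in a UNICODE build.
    std::string GetExeFullName(HANDLE hProcess)
    {
        char szImageName[2049] = {0};
        // Pass one less than the buffer so the result is always NUL-terminated.
        const DWORD len = GetProcessImageFileNameA(hProcess, szImageName,
                                                   _countof(szImageName) - 1);
        if (len < 1)
        {
            // Do not abort the caller: access is commonly denied for system
            // and protected processes, and the listing should go on without
            // a path (the original ErrorExit call was disabled for this reason).
            return std::string();
        }
        return DosDevicePath2LogicalPath(szImageName);
    }

    // Convert a kernel device path such as "\Device\HarddiskVolume2\x.exe"
    // to a drive-letter path such as "D:\x.exe". Returns "" when lpszDosPath
    // is NULL or no drive maps to the device. Adapted from the MSDN sample
    // the original comment cites. Takes LPCSTR (not LPCTSTR) because the
    // only caller passes a narrow buffer.
    std::string DosDevicePath2LogicalPath(LPCSTR lpszDosPath)
    {
        std::string strResult;
        if (lpszDosPath == NULL)
            return strResult;

        // Drive roots as "C:\<NUL>D:\<NUL><NUL>".
        char szTemp[MAX_PATH];
        szTemp[0] = '\0';
        if (!GetLogicalDriveStringsA(_countof(szTemp) - 1, szTemp))
            return strResult;

        char szDrive[3] = " :";  // szDrive[0] receives the drive letter
        BOOL bFound = FALSE;
        const char* p = szTemp;
        do
        {
            szDrive[0] = *p;
            // Look up the device name behind this drive letter.
            char szName[MAX_PATH];
            if (QueryDosDeviceA(szDrive, szName, _countof(szName)))
            {
                const size_t uNameLen = strlen(szName);
                if (uNameLen < MAX_PATH)
                {
                    // A prefix match alone is ambiguous ("\Device\HarddiskVolume1"
                    // is a prefix of "\Device\HarddiskVolume10"), so the character
                    // right after the device name must be the path separator.
                    bFound = _strnicmp(lpszDosPath, szName, uNameLen) == 0
                             && lpszDosPath[uNameLen] == '\\';
                    if (bFound)
                    {
                        // Replace the device name with the drive letter. The
                        // original formatted into a MAX_PATH buffer with a
                        // format string that had only one %s for two arguments.
                        strResult = std::string(szDrive) + (lpszDosPath + uNameLen);
                    }
                }
            }
            // Advance past the next NUL to the following drive root.
            while (*p++)
                ;
        } while (!bFound && *p);  // an empty string ends the list
        return strResult;
    }

    void mainaaa()
    {
        GetProcessList();
    }

    // Walk a Toolhelp snapshot and print name, image path, PID, thread
    // count, parent PID and priority of every process to stdout. Returns
    // FALSE when the snapshot cannot be taken or read. Processes that refuse
    // OpenProcess are still listed, just without path and priority.
    // NOTE(review): szExeFile is a TCHAR string; printing it with %s assumes
    // an ANSI/MBCS build, which the rest of the class already relies on.
    BOOL GetProcessList()
    {
        HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnap == INVALID_HANDLE_VALUE)
            return FALSE;

        PROCESSENTRY32 pe32;
        pe32.dwSize = sizeof(PROCESSENTRY32);  // Process32First requires it
        if (!Process32First(hProcessSnap, &pe32))
        {
            CloseHandle(hProcessSnap);
            return FALSE;
        }

        do
        {
            printf("\n==============================================================");
            printf("\nPROCESS NAME:  %s", pe32.szExeFile);
            printf("\n-----------------------------------------------------");

            DWORD dwPriorityClass = 0;
            // Query rights are all GetPriorityClass and GetProcessImageFileName
            // need. PROCESS_ALL_ACCESS is refused for many more processes and
            // grants rights this listing never uses.
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
                                          pe32.th32ProcessID);
            if (hProcess == NULL)
            {
                printf("\n  OpenProcess failed (error %lu)", GetLastError());
            }
            else
            {
                dwPriorityClass = GetPriorityClass(hProcess);
                if (!dwPriorityClass)
                    printf("\n  GetPriorityClass failed (error %lu)", GetLastError());

                const std::string exename = GetExeFullName(hProcess);
                printf("\n  path = %s", exename.c_str());

                // The original had this commented out and leaked one handle
                // per listed process.
                CloseHandle(hProcess);
            }
            printf("\n  process ID        = %lu", pe32.th32ProcessID);
            printf("\n  thread count      = %lu", pe32.cntThreads);
            printf("\n  parent process ID = %lu", pe32.th32ParentProcessID);
            printf("\n  Priority Base     = %ld", pe32.pcPriClassBase);
            if (dwPriorityClass)
                printf("\n  Priority Class    = %lu", dwPriorityClass);
        } while (Process32Next(hProcessSnap, &pe32));

        CloseHandle(hProcessSnap);
        return TRUE;
    }

public:
    static void test1()
    {
        win_proc_public proc;
        proc.mainaaa();
        test2(4008);  // demo PID hard-coded by the author; only valid on that machine
    }

    // Suspend and immediately resume the process with the given PID using
    // method 2 (NtSuspendProcess / NtResumeProcess).
    static void test2(DWORD pid)
    {
        // PROCESS_SUSPEND_RESUME is the only right the Nt*Process calls need;
        // PROCESS_ALL_ACCESS is refused for many targets and grants far more
        // than this demo uses.
        HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
        if (hProcess == NULL)
            return;

        LoadNtDllFun();
        // Method 1 (debugger attach) stays disabled on purpose: per the
        // author's note, the target is terminated if this process ends while
        // attached.
        //   DbgUiConnectToDbg_ntdll();
        //   long r = DbgUiDebugActiveProcess_ntdll(hProcess);
        //   Sleep(5 * 60 * 1000);
        //   r = DbgUiStopDebugging_ntdll(hProcess);
        const DWORD suspendStatus = NtSuspendProcess_ntdll(hProcess);  // pause; NTSTATUS, 0 on success
        if (suspendStatus == 0)
            NtResumeProcess_ntdll(hProcess);  // restore only what was actually suspended
        CloseHandle(hProcess);  // the original leaked this handle
    }
};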
--------------------------------------------------
. Cpp
# Include "win_proc_public.h"
// Nothing to initialise: the class carries no state of its own.
win_proc_public::win_proc_public() {}
// Nothing to release: every handle is closed by the member that opened it.
win_proc_public::~win_proc_public() {}
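//--------------------------------------------------
// Pointers to the ntdll.dll exports used to pause a process, filled in by
// LoadNtDllFun(). They start out NULL and stay NULL when an export cannot be
// resolved, so the *_ntdll wrappers must check them before calling.
// Defined only in this .cpp: a declaration in the header was reported as a
// duplicate definition.
// Method 1: debugger attach
long (WINAPI *DbgUiConnectToDbg_p)() = NULL;
long (WINAPI *DbgUiDebugActiveProcess_p)(HANDLE ProcessHandle) = NULL;  // pause
long (WINAPI *DbgUiStopDebugging_p)(HANDLE ProcessHandle) = NULL;       // restore
// Method 2 (the original comments on these two were swapped)
DWORD (WINAPI *NtSuspendProcess_p)(HANDLE hProcess) = NULL;  // pause
DWORD (WINAPI *NtResumeProcess_p)(HANDLE hProcess) = NULL;   // restore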
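// Resolve the ntdll.dll exports behind the *_p pointers. Safe to call more
// than once. A pointer whose export cannot be found is left NULL; the
// *_ntdll wrappers treat that as a failure instead of calling through it.
void LoadNtDllFun()
{
    // ntdll.dll is mapped into every process, so there is no need to
    // LoadLibrary it: that added a module reference that was never released
    // (the "CloseHandle(dllhandle)" the original had commented out was the
    // wrong call anyway — modules are released with FreeLibrary).
    HMODULE dllhandle = GetModuleHandle(TEXT("ntdll.dll"));
    if (dllhandle == NULL)
        return;

    // Method 1: debugger attach
    DbgUiConnectToDbg_p = reinterpret_cast<long (WINAPI *)()>(
        GetProcAddress(dllhandle, "DbgUiConnectToDbg"));
    DbgUiDebugActiveProcess_p = reinterpret_cast<long (WINAPI *)(HANDLE)>(
        GetProcAddress(dllhandle, "DbgUiDebugActiveProcess"));
    DbgUiStopDebugging_p = reinterpret_cast<long (WINAPI *)(HANDLE)>(
        GetProcAddress(dllhandle, "DbgUiStopDebugging"));
    // Method 2: NtSuspendProcess / NtResumeProcess
    NtResumeProcess_p = reinterpret_cast<DWORD (WINAPI *)(HANDLE)>(
        GetProcAddress(dllhandle, "NtResumeProcess"));
    NtSuspendProcess_p = reinterpret_cast<DWORD (WINAPI *)(HANDLE)>(
        GetProcAddress(dllhandle, "NtSuspendProcess"));
}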
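// Method 1, step 1: connect this process to the debug subsystem.
// Returns the NTSTATUS from ntdll, or STATUS_UNSUCCESSFUL (0xC0000001) when
// LoadNtDllFun() has not resolved the export (the original called through
// a NULL pointer in that case).
long DbgUiConnectToDbg_ntdll()
{
    if (DbgUiConnectToDbg_p == NULL)
        return static_cast<long>(0xC0000001L);  // STATUS_UNSUCCESSFUL
    return DbgUiConnectToDbg_p();
}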
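// Method 1, pause: attach to ProcessHandle as a debugger. The target is
// terminated if this process exits while attached (author's note).
// Returns the NTSTATUS from ntdll, or STATUS_UNSUCCESSFUL (0xC0000001) when
// LoadNtDllFun() has not resolved the export.
long DbgUiDebugActiveProcess_ntdll(HANDLE ProcessHandle)
{
    if (DbgUiDebugActiveProcess_p == NULL)
        return static_cast<long>(0xC0000001L);  // STATUS_UNSUCCESSFUL
    return DbgUiDebugActiveProcess_p(ProcessHandle);
}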
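// Method 1, restore: detach from ProcessHandle so it runs again.
// Returns the NTSTATUS from ntdll, or STATUS_UNSUCCESSFUL (0xC0000001) when
// LoadNtDllFun() has not resolved the export.
long DbgUiStopDebugging_ntdll(HANDLE ProcessHandle)
{
    if (DbgUiStopDebugging_p == NULL)
        return static_cast<long>(0xC0000001L);  // STATUS_UNSUCCESSFUL
    return DbgUiStopDebugging_p(ProcessHandle);
}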
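// Method 2, restore (the original comment said "pause"): resume every thread
// of hProcess, which must be open with PROCESS_SUSPEND_RESUME.
// Returns the NTSTATUS from ntdll (0 on success), or STATUS_UNSUCCESSFUL
// (0xC0000001) when LoadNtDllFun() has not resolved the export.
DWORD NtResumeProcess_ntdll(HANDLE hProcess)
{
    if (NtResumeProcess_p == NULL)
        return static_cast<DWORD>(0xC0000001L);  // STATUS_UNSUCCESSFUL
    return NtResumeProcess_p(hProcess);
}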
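// Method 2, pause (the original comment said "restore"): suspend every thread
// of hProcess, which must be open with PROCESS_SUSPEND_RESUME. Pair with
// NtResumeProcess_ntdll; the suspension outlives this program.
// Returns the NTSTATUS from ntdll (0 on success), or STATUS_UNSUCCESSFUL
// (0xC0000001) when LoadNtDllFun() has not resolved the export.
DWORD NtSuspendProcess_ntdll(HANDLE hProcess)
{
    if (NtSuspendProcess_p == NULL)
        return static_cast<DWORD>(0xC0000001L);  // STATUS_UNSUCCESSFUL
    return NtSuspendProcess_p(hProcess);
}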
/*
Another form that is also reported to work:
HANDLE hProcess = OpenProcess (PROCESS_ALL_ACCESS, FALSE, processID );
If (hProcess)
{
HINSTANCE h_module = LoadLibrary ("ntdll. dll ");
NtProcess mProcess = (NtProcess) GetProcAddress (h_module, "NtResumeProcess"); // NtResumeProcess NtSuspendProcess
MProcess (hProcess );
}
processID is the PID of the target process.
Pick NtSuspendProcess or NtResumeProcess in the GetProcAddress call depending on whether you want to suspend or resume it.
*/
//--------------------------------------------------