MFC Task Manager — process suspend and resume with NtSuspendProcess && NtResumeProcess




MFC Task Manager — suspend and resume of a process with NtSuspendProcess && NtResumeProcess (2009-08-11 1:13)

.h


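// Function-pointer types for the two ntdll exports used by the suspend/resume
// button handlers. They are not declared in the user-mode SDK headers, so they
// are resolved at run time with GetProcAddress and called through these.
// Both return an NTSTATUS (0 on success).
typedef DWORD (WINAPI *ntsuspendprocess)(HANDLE processhandle);
typedef DWORD (WINAPI *ntresumeprocess)(HANDLE hprocess);

// Resolved entry points. The original declared these with the typedef names
// capitalised ("Ntsuspendprocess"), which does not name the types above.
ntsuspendprocess m_ntsuspendprocess;
ntresumeprocess m_ntresumeprocess;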

.cpp:

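// "Resume" button handler: resumes the process selected in m_list2 (column 1
// holds the PID) through the ntdll export NtResumeProcess.
//
// Fixes over the original: a missing selection (GetNextItem returns -1) no
// longer reaches GetItemText; OpenProcess/LoadLibrary/GetProcAddress results
// are checked before use; the process handle is closed; the export name is
// passed with its real casing (GetProcAddress is case-sensitive).
void Cpage2::onbnclickedresume()
{
    // TODO: Add your control notification handler code here
    const int nidx = m_list2.GetNextItem(-1, LVNI_SELECTED);
    if (nidx < 0)
        return;   // nothing selected

    const CString process = m_list2.GetItemText(nidx, 1);
    // CString converts to LPCTSTR directly; GetBuffer(0) without ReleaseBuffer
    // (as the original did) is unnecessary here.
    const DWORD processid = static_cast<DWORD>(_ttol(process));
    if (processid == 0)
        return;   // column was not numeric (PID 0 is the Idle process and cannot be opened anyway)

    // PROCESS_SUSPEND_RESUME is the narrowest right NtResumeProcess needs;
    // keep it that narrow rather than asking for PROCESS_ALL_ACCESS.
    HANDLE hprocess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processid);
    if (hprocess == NULL)
        return;   // access denied, or the PID is gone

    // ntdll is mapped into every process, so GetModuleHandle is enough and
    // there is no LoadLibrary reference to release afterwards.
    HMODULE h_module = GetModuleHandle(TEXT("ntdll.dll"));
    if (h_module != NULL) {
        m_ntresumeprocess = reinterpret_cast<ntresumeprocess>(GetProcAddress(h_module, "NtResumeProcess"));
        if (m_ntresumeprocess != NULL)
            m_ntresumeprocess(hprocess);   // NTSTATUS result not inspected, as in the original
    }
    CloseHandle(hprocess);
}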

It's too late to go to bed ....


.h

#pragma once

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

#include <string>
#include <tchar.h>

#include <ntifs.h>
#include <Psapi.h>
#pragma comment (lib, "Psapi.lib")

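// Reports a failure for the named function (defined elsewhere). Callers in
// this file continue after it, so it is expected not to terminate the process.
// NOTE(review): <ntifs.h> included above is a kernel-mode (WDK) header; mixing
// it with <windows.h> in a user-mode MFC build is likely to cause redefinition
// errors — confirm it is really needed.
void Errorexit(LPTSTR lpszfunction);

// ---- For CPU pause ---------------------------------------------------------
// Both methods go through ntdll exports that Loadntdllfun() resolves at run
// time; every wrapper below returns an NTSTATUS-style value (0 on success).

// Method 1: debugger-attach route. Do not close this program while a target
// is paused this way, otherwise the target process exits as well.
LONG Dbguiconnecttodbg_ntdll();
// NOTE: the original also defined a function pointer here
// ("Long (*dbguiconnecttodbg) ();"). A definition in a header is emitted by
// every translation unit that includes it and produces the duplicate-definition
// error the author noted, so the pointers live only in the .cpp.
LONG Dbguidebugactiveprocess_ntdll(HANDLE processhandle);   // pause
LONG Dbguistopdebugging_ntdll(HANDLE processhandle);        // resume

// Method 2: NtSuspendProcess / NtResumeProcess. Safe to close this program
// afterwards; the target stays suspended until something resumes it.
DWORD Ntsuspendprocess_ntdll(HANDLE hprocess);   // pause
DWORD Ntresumeprocess_ntdll(HANDLE hprocess);    // resume

// Must be called once before any of the *_ntdll wrappers above.
void Loadntdllfun();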


// NOTE(review): the class's braces and access specifiers were lost when this
// page was extracted, so it cannot be told here whether the functions that
// follow (getexefullname, Dosdevicepath2logicalpath, Mainaaa, getprocesslist,
// Test1, Test2) are members or free functions. The call site in getprocesslist
// refers to the path helper as Ccommon::..., so the class may originally have
// carried that name.
Class Win_proc_public
// Constructor and destructor are defined (empty) in the .cpp.
Win_proc_public (void);
~win_proc_public (void);

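// Returns the full path of the executable image behind hprocess as a drive-
// letter path ("D:\..."), or "" when neither query succeeds.
//
// hprocess needs PROCESS_QUERY_INFORMATION for GetProcessImageFileName; the
// GetModuleFileNameEx fallback additionally needs PROCESS_VM_READ.
// NOTE(review): assumes a non-UNICODE build (TCHAR == char), as the original's
// char buffers do — confirm against the project settings.
std::string getexefullname(HANDLE hprocess)
{
    // The original re-declared `hprocess` as a local set to 0, which shadows
    // the parameter (ill-formed in a function's outermost block) and would
    // have queried handle 0 instead of the caller's process.
    std::string r = "";

    char lpimagefilename[2049] = {0};
    const DWORD nSize = 2048;   // one byte of slack for the terminator

    // GetProcessImageFileName returns a native device path such as
    // "\Device\HarddiskVolume2\...", which is then mapped to a drive letter.
    DWORD len = GetProcessImageFileName(hprocess, lpimagefilename, nSize);
    if (len < 1) {
        // Cannot exit directly: some processes deny the query for permission
        // reasons, so report it and fall through to the second method.
        TCHAR where[] = TEXT("Getexefullname:");
        Errorexit(where);
    } else {
        r = Dosdevicepath2logicalpath(lpimagefilename);
        if (!r.empty())
            return r;
    }

    // Fallback: GetModuleFileNameEx already returns a Win32 (drive-letter)
    // path for the main module (hModule == NULL), so no conversion is needed.
    // The original passed three arguments, which does not match its signature.
    len = GetModuleFileNameEx(hprocess, NULL, lpimagefilename, nSize);
    if (len > 0)
        r = lpimagefilename;

    return r;
}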

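// Convert "\Device\HarddiskVolume2\..." to "D:\...".
// Dosdevicepath2logicalpath is excerpted from the MSDN sample
// "Obtaining a File Name From a File Handle"
// (ms-help://ms.msdnqtr.v80.chs/ms.msdn.v80/ms.win32com.v10.en/fileio/fs/obtaining_a_file_name_from_a_file_handle.htm).
//
// Returns the drive-letter form of lpszdospath, or "" when lpszdospath is
// NULL, the drive list cannot be read, no drive's device name prefixes the
// path, or the result would not fit in MAX_PATH.
// NOTE(review): assigning a TCHAR buffer to std::string only compiles in a
// non-UNICODE build — confirm against the project settings.
std::string Dosdevicepath2logicalpath(LPCTSTR lpszdospath)
{
    std::string strresult = "";

    // Translate path with device name to drive letters.
    TCHAR sztemp[MAX_PATH];
    sztemp[0] = TEXT('\0');

    if (lpszdospath == NULL || !GetLogicalDriveStrings(_countof(sztemp) - 1, sztemp))
        return strresult;

    TCHAR szname[MAX_PATH];
    TCHAR szdrive[3] = TEXT(" :");   // "X:" template; the letter is filled in per drive
    BOOL bfound = FALSE;
    TCHAR* p = sztemp;               // "C:\" NUL "D:\" NUL ... NUL

    do {
        // Copy the drive letter to the template string.
        *szdrive = *p;

        // Look up each device name.
        if (QueryDosDevice(szdrive, szname, _countof(szname))) {
            const UINT unamelen = static_cast<UINT>(_tcslen(szname));

            if (unamelen < MAX_PATH) {
                // The device name must end at a path separator, so that
                // "\Device\HarddiskVolume1" does not claim
                // "\Device\HarddiskVolume10\..."; the original compared the
                // prefix only.
                bfound = _tcsnicmp(lpszdospath, szname, unamelen) == 0
                      && *(lpszdospath + unamelen) == TEXT('\\');

                if (bfound) {
                    // Reconstruct the file name using sztemp:
                    // replace the device path with the DOS path.
                    TCHAR sztempfile[MAX_PATH];
                    // Bounded formatting; the original used _stprintf with no
                    // length limit. A path that does not fit is reported as ""
                    // rather than silently truncated.
                    if (_sntprintf_s(sztempfile, _countof(sztempfile), _TRUNCATE,
                                     TEXT("%s%s"), szdrive, lpszdospath + unamelen) >= 0)
                        strresult = sztempfile;
                }
            }
        }

        // Go to the next NULL character.
        while (*p++) ;
    } while (!bfound && *p);   // end of string

    return strresult;
}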

// Entry point used for manual testing: dumps the process list to stdout.
void Mainaaa()
{
    const BOOL listed = getprocesslist();
    (void)listed;   // the original discarded the result as well
}

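// Enumerates every process through a Toolhelp snapshot and prints, for each:
// name, image path, PID, thread count, parent PID, base priority and (when it
// can be read) the priority class. Returns FALSE when the snapshot cannot be
// taken or its first entry cannot be read, TRUE otherwise.
BOOL getprocesslist()
{
    PROCESSENTRY32 pe32;   // the original used pe32 without declaring it
    DWORD dwpriorityclass;

    HANDLE hprocesssnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hprocesssnap == INVALID_HANDLE_VALUE)
        return FALSE;

    pe32.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hprocesssnap, &pe32)) {
        CloseHandle(hprocesssnap);   // the original leaked the snapshot here and on the success path
        return FALSE;
    }

    do {
        printf("\n"
               "=====================================================");
        printf("\nprocess NAME:%5s", pe32.szExeFile);
        printf("\n"
               "-----------------------------------------------------");

        dwpriorityclass = 0;
        // One OpenProcess with the narrowest right the queries below need. The
        // original opened the process twice (first with PROCESS_ALL_ACCESS)
        // and leaked the first handle.
        HANDLE hprocess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID);
        if (hprocess == NULL) {
            // Expected for the Idle/System entries and protected processes;
            // the original printed this and then used the NULL handle anyway.
            printf("Erro");
        } else {
            dwpriorityclass = GetPriorityClass(hprocess);
            if (!dwpriorityclass)
                printf("Erro");

            // CLQ: add the program's full path. The original also kept a
            // second, unused GetProcessImageFileName + conversion here, which
            // is exactly what getexefullname does.
            std::string exename = getexefullname(hprocess);
            printf("\n Path =%s", exename.c_str());

            CloseHandle(hprocess);
        }

        // DWORD is unsigned long on Windows; %lu rather than the original's %d.
        printf("\n Process ID =%lu", pe32.th32ProcessID);
        printf("\n Thread count =%lu", pe32.cntThreads);
        printf("\n Parent Process ID =%lu", pe32.th32ParentProcessID);
        printf("\n Priority Base =%ld", pe32.pcPriClassBase);
        if (dwpriorityclass)
            printf("\n Priority Class =%lu", dwpriorityclass);
    } while (Process32Next(hprocesssnap, &pe32));

    CloseHandle(hprocesssnap);
    return TRUE;
}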


// Manual test: constructs the helper object and pauses/resumes a hard-coded PID.
static void Test1()
{
    win_proc_public proc;     // exercises only the (empty) ctor/dtor
    const DWORD pid = 4008;   // hard-coded test target, as in the original
    Test2(pid);
}

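// Manual test: pauses process `pid` for five minutes through the DbgUi route,
// resumes it, then exercises the NtSuspendProcess/NtResumeProcess pair once.
//
// Fixed from the original, which called GetProcessTimes (into FILETIMEs it
// never declared) before checking the handle for NULL, never closed the
// handle, and slept the full five minutes even if the attach had failed.
static void Test2(DWORD pid)
{
    // PROCESS_ALL_ACCESS is what the original requested. The Nt* pair needs
    // only PROCESS_SUSPEND_RESUME; whether DbgUiDebugActiveProcess is
    // satisfied with a narrower right was not verified here.
    HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hprocess == NULL)
        return;

    FILETIME creation_time, exit_time, kernel_time, user_time;
    if (!GetProcessTimes(hprocess, &creation_time, &exit_time, &kernel_time, &user_time)) {
        // The original's handling of this failure was lost in extraction; the
        // times are not used below, so the failure is only reported.
        printf("Erro: GetProcessTimes");
    }

    Loadntdllfun();
    Dbguiconnecttodbg_ntdll();
    // Pause via debugger attach. The target is paused only while this program
    // is alive: if the program exits while attached, the target exits too.
    LONG r = Dbguidebugactiveprocess_ntdll(hprocess);
    if (r == 0) {   // NTSTATUS success
        ::Sleep(5 * 60 * 1000);
        r = Dbguistopdebugging_ntdll(hprocess);   // resume
    }

    Ntsuspendprocess_ntdll(hprocess);   // pause
    Ntresumeprocess_ntdll(hprocess);    // resume

    CloseHandle(hprocess);
}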


.cpp

#include "win_proc_public.h"

// Nothing to set up: the helpers hold no state.
win_proc_public::win_proc_public() {}

// Nothing to release: the helpers own no resources.
win_proc_public::~win_proc_public() {}

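// ---- For CPU pause ---------------------------------------------------------
// Function pointers to the ntdll exports, filled in by Loadntdllfun(). They
// are defined here and not in the header because a header-level definition is
// duplicated in every translation unit that includes it (the author's
// "duplicate definition" note). All start NULL so an unresolved export is
// detectable by the wrappers.

// Method 1: debugger-attach route
LONG (__stdcall *dbguiconnecttodbg_p)() = NULL;
LONG (__stdcall *dbguidebugactiveprocess_p)(HANDLE processhandle) = NULL;   // pause
LONG (__stdcall *dbguistopdebugging_p)(HANDLE processhandle) = NULL;        // resume

// Method 2: NtSuspendProcess / NtResumeProcess. The original's comments on
// these two were swapped; suspend pauses, resume recovers.
DWORD (WINAPI *ntresumeprocess_p)(HANDLE hprocess) = NULL;    // resume
DWORD (WINAPI *ntsuspendprocess_p)(HANDLE hprocess) = NULL;   // pause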

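// Resolves the ntdll exports used by the *_ntdll wrappers below. Must be
// called once before any of them; a pointer stays NULL when its export cannot
// be found, and the wrappers check for that.
//
// Notes on the original:
//  - it released the module with CloseHandle(), which is the wrong API for an
//    HMODULE (FreeLibrary is). ntdll is mapped into every process anyway, so
//    GetModuleHandle() is used here: no reference is taken, nothing needs
//    releasing, and the resolved pointers stay valid for the process lifetime.
//  - export names are passed with their real casing; GetProcAddress is
//    case-sensitive and the all-lowercase names would not resolve.
//  - a Delphi fragment (OpenProcess/MessageBox calls in Pascal syntax) had
//    been pasted into the middle of the function; it is not C++ and is omitted.
void Loadntdllfun()
{
    HMODULE dllhandle = GetModuleHandle(TEXT("ntdll.dll"));
    if (dllhandle == NULL)
        return;

    // Method 1
    dbguiconnecttodbg_p = reinterpret_cast<LONG (__stdcall *)()>(
        GetProcAddress(dllhandle, "DbgUiConnectToDbg"));
    dbguidebugactiveprocess_p = reinterpret_cast<LONG (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "DbgUiDebugActiveProcess"));
    dbguistopdebugging_p = reinterpret_cast<LONG (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "DbgUiStopDebugging"));

    // Method 2
    ntresumeprocess_p = reinterpret_cast<DWORD (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "NtResumeProcess"));
    ntsuspendprocess_p = reinterpret_cast<DWORD (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "NtSuspendProcess"));
}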

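// Wrapper for DbgUiConnectToDbg. Returns 0xC0000001 (STATUS_UNSUCCESSFUL)
// when Loadntdllfun() has not resolved the export, instead of calling NULL.
LONG Dbguiconnecttodbg_ntdll()
{
    if (dbguiconnecttodbg_p == NULL)
        return static_cast<LONG>(0xC0000001L);
    return dbguiconnecttodbg_p();
}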

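// Pause: wrapper for DbgUiDebugActiveProcess. Returns 0xC0000001
// (STATUS_UNSUCCESSFUL) when the export was not resolved, instead of calling NULL.
LONG Dbguidebugactiveprocess_ntdll(HANDLE processhandle)
{
    if (dbguidebugactiveprocess_p == NULL)
        return static_cast<LONG>(0xC0000001L);
    return dbguidebugactiveprocess_p(processhandle);
}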

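// Resume: wrapper for DbgUiStopDebugging. Returns 0xC0000001
// (STATUS_UNSUCCESSFUL) when the export was not resolved, instead of calling NULL.
LONG Dbguistopdebugging_ntdll(HANDLE processhandle)
{
    if (dbguistopdebugging_p == NULL)
        return static_cast<LONG>(0xC0000001L);
    return dbguistopdebugging_p(processhandle);
}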

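// Resume (the original's comment said "Pause"): wrapper for NtResumeProcess.
// Returns 0xC0000001 (STATUS_UNSUCCESSFUL) when the export was not resolved.
DWORD Ntresumeprocess_ntdll(HANDLE hprocess)
{
    if (ntresumeprocess_p == NULL)
        return 0xC0000001UL;
    return ntresumeprocess_p(hprocess);
}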

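// Pause (the original's comment said "Recovery"): wrapper for NtSuspendProcess.
// Returns 0xC0000001 (STATUS_UNSUCCESSFUL) when the export was not resolved.
DWORD Ntsuspendprocess_ntdll(HANDLE hprocess)
{
    if (ntsuspendprocess_p == NULL)
        return 0xC0000001UL;
    return ntsuspendprocess_p(hprocess);
}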

This is also said to work:
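// Fragment (not a function) showing the same call sequence. ProcessID is the
// target's PID; the export name given to GetProcAddress selects the operation.
typedef DWORD (WINAPI *ntprocess)(HANDLE);   // the fragment used this type without declaring it

// PROCESS_SUSPEND_RESUME is all NtSuspendProcess/NtResumeProcess need; the
// fragment asked for PROCESS_ALL_ACCESS.
HANDLE hprocess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, ProcessID);
if (hprocess) {
    // ntdll is always mapped, so no LoadLibrary/FreeLibrary pair is needed.
    HMODULE h_module = GetModuleHandle(TEXT("ntdll.dll"));
    // "NtResumeProcess" or "NtSuspendProcess" — GetProcAddress is case-sensitive.
    ntprocess mprocess = (h_module != NULL)
        ? reinterpret_cast<ntprocess>(GetProcAddress(h_module, "NtResumeProcess"))
        : NULL;
    if (mprocess != NULL)
        mprocess(hprocess);
    CloseHandle(hprocess);   // the fragment never closed the handle
}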
Where ProcessID is the process PID number
Suspend or resume, as you choose


Task Manager----The suspend and resume--ntsuspendprocess&&ntresumeprocess of a process
