Http://hi.baidu.com/xbbsh/blog/item/b73d3125462201084c088db1.html
--------------------------------------------------
---- MFC Task Manager: suspending and resuming a process -- NtSuspendProcess && NtResumeProcess 2009-08-11 1:13
.h:
PUBILC:
// Function-pointer types for the undocumented ntdll exports NtSuspendProcess /
// NtResumeProcess; both take one process handle. They are resolved at run time
// with GetProcAddress in onbnclickedresume below. The casing of identifiers on
// this page is mangled by translation; the typedef and the member must agree.
typedef DWORD (WINAPI *ntsuspendprocess) (HANDLE processhandle);
typedef DWORD (WINAPI *ntresumeprocess) (HANDLE hprocess);
// Resolved entry points. m_ntresumeprocess is assigned in onbnclickedresume;
// m_ntsuspendprocess is never assigned anywhere on this page, so calling it
// would go through an unset pointer.
Ntsuspendprocess m_ntsuspendprocess;
Ntresumeprocess m_ntresumeprocess;
.cpp:
// Button handler: resumes the process whose PID is in column 1 of the selected
// row of m_list2, by calling ntdll's NtResumeProcess through a function pointer.
// Review notes on the body as shown:
//  - GetNextItem returns -1 when nothing is selected; that value is passed to
//    GetItemText without a check.
//  - The OpenProcess handle is never passed to CloseHandle and the HMODULE from
//    LoadLibrary is never released with FreeLibrary, so both leak on every click.
//    ntdll is already mapped in every process, so GetModuleHandle would suffice
//    and avoids touching the reference count at all.
//  - GetProcAddress can return NULL (misspelled export, or an ntdll without it);
//    the result is called without a check.
//  - GetBuffer(0) is not paired with ReleaseBuffer.
void Cpage2::onbnclickedresume ()
{
TODO: Add control notification Handler code here
int Nidx=m_list2. GetNextItem ( -1,lvni_selected);
CString Process=m_list2. GetItemText (nidx,1);
DWORD processid= _ttol (process. GetBuffer (0));
HANDLE hprocess = OpenProcess (Process_suspend_resume,// PROCESS_SUSPEND_RESUME: the narrow access right this call needs (the later examples on this page ask for PROCESS_ALL_ACCESS instead)
FALSE, (DWORD) ProcessID);
if (hprocess)
{
Hmodule h_module=loadlibrary (L "Ntdll.dll");
M_ntresumeprocess= (ntresumeprocess) GetProcAddress (H_module, "ntresumeprocess");
M_ntresumeprocess (hprocess);
}
}
It's late; off to bed ....
--------------------------------------------------
.h:
#pragma once
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string>
#include <tchar.h>
#include <ntifs.h>
#include <Psapi.h>
#pragma comment (lib, "Psapi.lib")
// Error reporter declared here; its definition is not on this page, so whether
// it terminates the process cannot be told from here (getexefullname's comment
// says it must not). It is called with a narrow literal, which only matches
// LPTSTR in a non-UNICODE build.
void Errorexit (LPTSTR lpszfunction);
//--------------------------------------------------
For pausing a process ("CPU pause")
Method 1: do not close this program while the target is paused, otherwise the target process will exit
// ---- Method 1: debugger-style pause via ntdll's DbgUi* exports ----
// Wrappers (defined in the .cpp) around function pointers that Loadntdllfun()
// fills in; calling any of them before Loadntdllfun() dereferences an unset
// pointer.
Long Dbguiconnecttodbg_ntdll ();
// NOTE(review): this is a function-pointer *variable* defined in a header, so
// every .cpp that includes the header gets its own definition -> the
// "duplicate definition" link error the comment mentions. Declare it `extern`
// here and define it once in a .cpp (the *_p globals in the .cpp already do
// exactly that, so this line is redundant as well).
Long (*dbguiconnecttodbg) ();//This will report a duplicate definition
Long Dbguidebugactiveprocess_ntdll (HANDLE processhandle);//Pause
Long Dbguistopdebugging_ntdll (HANDLE processhandle);//Recovery
Method 2 to close the program
// ---- Method 2: NtSuspendProcess / NtResumeProcess wrappers ----
DWORD Ntsuspendprocess_ntdll (HANDLE hprocess);//Pause
DWORD Ntresumeprocess_ntdll (HANDLE hprocess);//Recovery
To call this first
// Resolves all of the above from ntdll; must run once before any wrapper.
void Loadntdllfun ();
//--------------------------------------------------
// Helper class for listing processes and pausing/resuming one of them.
// The casing of `Class`/`Public`/most identifiers on this page is mangled by
// translation; read them as `class`/`public:` and the usual Win32 names.
// NOTE(review): as written this only compiles as an ANSI (non-UNICODE) build:
// TCHAR buffers are assigned straight into std::string, and narrow strings are
// passed where LPTSTR / LPCTSTR is expected.
Class Win_proc_public
{
Public
Win_proc_public (void);
~win_proc_public (void);
Public
// Returns the image path of hprocess as a drive-letter path ("D:\...").
// Problems visible in the body as shown:
//  - the local `HANDLE hprocess = 0;` redeclares the parameter in the same
//    scope (ill-formed), and the line `hprocess = Getm` is truncated on this
//    page;
//  - GetProcessImageFileName yields the \Device\HarddiskVolumeN form, but the
//    following GetModuleFileNameEx call overwrites the buffer with a
//    drive-letter path, so Dosdevicepath2logicalpath receives a path with no
//    device prefix and (per its matching loop) returns "";
//  - the second call's return value is stored in Len but never checked, and
//    GetModuleFileNameEx also needs PROCESS_VM_READ on the handle (per its
//    documentation), which the callers on this page do not request;
//  - on a failed first call Errorexit is invoked (the comment says it must not
//    terminate) and execution simply continues;
//  - `r` and `R` are the same variable, case-mangled.
std::string getexefullname (HANDLE hprocess)
{
std::string r = "";
HANDLE hprocess = 0;
Char lpimagefilename[2049] = {0};
DWORD nSize = 2048;
hprocess = Getm
DWORD len = Getprocessimagefilename (hprocess, Lpimagefilename, nSize);
if (Len < 1)
{
Cannot exit directly because some permissions are not possible
Errorexit ("Getexefullname:");
}
Len = Getmodulefilenameex (hprocess, Lpimagefilename, nSize);
R = lpimagefilename;
R = Dosdevicepath2logicalpath (R.c_str ());
return R;
}//
Convert "\device\harddiskvolume2" to "D:\"
Dosdevicepath2logicalpath code excerpt from: Ms-help://ms. Msdnqtr.v80.chs/ms. Msdn.v80/ms. Win32com.v10.en/fileio/fs/obtaining_a_file_name_from_a_file_handle.htm
// Maps a path that begins with an NT device name ("\Device\HarddiskVolume2\x")
// to its DOS form ("D:\x"): enumerates the drive letters, asks QueryDosDevice
// for each one's device name and compares it (case-insensitively) with the
// start of the input. Returns "" when the input is NULL, the drive list cannot
// be read, or no device name matches.
// Adapted from the MSDN "Obtaining a File Name From a File Handle" sample.
// Page garbling to be aware of: `' + '` at Sztemp[0] is the sample's '\0'
// (so the buffer is empty if GetLogicalDriveStrings fails), `| |!)` is `||!`,
// and `bo=` is the `do {` that the `} while (...)` below closes.
// NOTE(review): the MSDN sample initialises szDrive as TEXT(" :") so that
// overwriting index 0 gives "X:"; with TEXT(":") as printed here the lookup
// would be for "X" alone - confirm against the original source.
// NOTE(review): _stprintf writes into a MAX_PATH buffer with no length limit;
// only the device-name length is checked, not the full input. A bounded
// formatter (_sntprintf_s / StringCchPrintf) is the safe replacement.
std::string Dosdevicepath2logicalpath (LPCTSTR lpszdospath)
{
std::string strresult = "";
Translate path with device name to drive letters.
TCHAR Sztemp[max_path];
Sztemp[0] = ' + ';
if (Lpszdospath==null | |!) GetLogicalDriveStrings (_countof (sztemp)-1, sztemp))
{
return strresult;
}
TCHAR Szname[max_path];
TCHAR szdrive[3] = TEXT (":");
BOOL bfound = FALSE;
tchar* p = sztemp;
bo=
Copy the drive letter to the template string
*szdrive = *p;
Look up each device name
if (Querydosdevice (szdrive, SzName, _countof (szName)))
{
UINT Unamelen = (UINT) _tcslen (szName);
if (Unamelen < MAX_PATH)
{
Bfound = _tcsnicmp (Lpszdospath, szName, unamelen) = = 0;
if (bfound)
{
Reconstruct pszFileName using sztemp
Replace device path with DOS path
TCHAR Sztempfile[max_path];
_stprintf (Sztempfile, TEXT ("%s%s"), szdrive, Lpszdospath+unamelen);
strresult = Sztempfile;
}
}
}
Go to the next NULL character.
while (*p++);
} while (!bfound && *p); End of string
return strresult;
}//
// Entry point used by Test1: prints the process list.
void Mainaaa ()
{
Getprocesslist ();
}
// Walks a Toolhelp snapshot and prints name, image path, PID, thread count,
// parent PID and priority for every process. Returns FALSE if the snapshot or
// its first entry cannot be obtained, TRUE otherwise.
// Handle hygiene as shown: OpenProcess is called twice in a row (the
// PROCESS_ALL_ACCESS handle is overwritten and leaked), then a third handle is
// opened into a shadowing `hprocess` inside the else-branch; the single
// CloseHandle closes only that inner one, so two handles leak per process.
// PROCESS_QUERY_INFORMATION is all GetPriorityClass and GetProcessImageFileName
// need here; PROCESS_ALL_ACCESS adds nothing for this listing.
// `MyString` / `Ccommon::` on the line after the GetProcessImageFileName check
// are names from another code base and are not declared on this page; that
// line is the if-body since the braces around it are commented out.
// The `"\ n"` strings are `"\n"` garbled by the page.
BOOL getprocesslist ()
{
HANDLE Hprocesssnap;
HANDLE hprocess;
PROCESSENTRY32 pe32;
DWORD Dwpriorityclass;
Hprocesssnap = CreateToolhelp32Snapshot (th32cs_snapprocess, 0);
if (Hprocesssnap = = INVALID_HANDLE_VALUE)
{
return (FALSE);
}
pe32.dwsize = sizeof (PROCESSENTRY32);
if (! Process32First (Hprocesssnap, &pe32))
{
CloseHandle (HPROCESSSNAP);
return (FALSE);
}
Do
{
printf ("\ n")
"=====================================================" );
printf ("\nprocess NAME:%5s", pe32.szexefile);
printf ("\ n"
"-----------------------------------------------------" );
Dwpriorityclass = 0;
hprocess = OpenProcess (process_all_access, FALSE, Pe32.th32processid);
hprocess = OpenProcess (process_query_information, FALSE, Pe32.th32processid);
if (hprocess = = NULL)
{
printf ("Erro");
}
Else
{
Dwpriorityclass = Getpriorityclass (hprocess);
if (!dwpriorityclass)
printf ("Erro");
//--------------------------------------------------
CLQ Add Program full path
Char szfilepath[256] = {0};
HANDLE hprocess=openprocess (PROCESS_QUERY_INFORMATION,FALSE,PE32.TH32PROCESSID);
if (Getprocessimagefilename (Hprocess,szfilepath,max_path)!=0)
//{
MyString strFilePath = Ccommon::D osdevicepath2logicalpath (Szfilepath);
//}
std::string exename = Getexefullname (hprocess);
printf ("\ n Path =%s", exename.c_str ());
//--------------------------------------------------
CloseHandle (hprocess);
}
printf ("\ n Process ID =%d", pe32.th32processid);
printf ("\ n Thread count =%d", pe32.cntthreads);
printf ("\ n Parent Process ID =%d", pe32.th32parentprocessid);
printf ("\ n Priority Base =%d", pe32.pcpriclassbase);
if (Dwpriorityclass)
printf ("\ n Priority Class =%d", dwpriorityclass);
} while (Process32Next (Hprocesssnap, &pe32));
CloseHandle (HPROCESSSNAP);
return (TRUE);
}//
Public
// Smoke test: lists processes, then pauses/resumes the hard-coded PID 4008
// (a PID from the author's machine; it has no meaning elsewhere).
static void Test1 ()
{
win_proc_public proc;
PROC.MAINAAA ();
Test2 (4008);
}//
// Demonstrates both pause methods on one PID. As shown:
//  - GetProcessTimes is called with creation_time/exit_time/kernel_time/
//    user_time, none of which is declared on this page, and `return-1` is not
//    valid in a void function - that block is a leftover from elsewhere;
//  - the NULL check on hprocess comes after the handle has already been used;
//  - PROCESS_ALL_ACCESS is requested; the MFC handler at the top of the page
//    opens with PROCESS_SUSPEND_RESUME for the Nt* calls, so the broader right
//    is at most needed by the DbgUi path (not shown here);
//  - the handle is never closed, and Sleep(5*60*1000) blocks the calling
//    thread for five minutes;
//  - per the author's inline comment, exiting the program while the DbgUi
//    pause is active terminates the target.
static void Test2 (DWORD pid)
{
HANDLE hprocess = OpenProcess (Process_all_access, FALSE, PID);
if (! Getprocesstimes (hprocess, &creation_time, &exit_time, &kernel_time, &user_time))
//{
return-1;
//}
if (hprocess = = NULL) return;
Loadntdllfun ();
Dbguiconnecttodbg_ntdll ();
Long R = Dbguidebugactiveprocess_ntdll (hprocess);//pause//Call cannot stop the program or the program is stopped will be forced to quit (equivalent to the debugger stopped?)
:: Sleep (5*60*1000);
R = Dbguistopdebugging_ntdll (hprocess);//Resume operation
Ntsuspendprocess_ntdll (hprocess);//Pause
Ntresumeprocess_ntdll (hprocess);//Recovery
}//
};
--------------------------------------------------
.cpp:
#include "win_proc_public.h"
// Default constructor: nothing to initialise (the class declares no data
// members on this page).
Win_proc_public::win_proc_public (void)
{
}
// Destructor: nothing to release; the process handles opened by the methods
// are not owned by the object (see the CloseHandle notes on those methods).
Win_proc_public::~win_proc_public (void)
{
}
//--------------------------------------------------
For pausing a process ("CPU pause")
Method 1
// Function pointers filled in by Loadntdllfun(); they hold nothing useful
// until it has run. Defined once here, in the .cpp, which is why these do not
// trigger the duplicate-definition error the header variant does.
// Method 1: debugger-style attach/detach via ntdll's DbgUi* exports.
Long (__stdcall *dbguiconnecttodbg_p) ();//In. h This will report duplicate definitions
Long (__stdcall *dbguidebugactiveprocess_p) (HANDLE processhandle);//Pause
Long (__stdcall *dbguistopdebugging_p) (HANDLE processhandle);//Recovery
Method 2
Ntresumeprocess
// Method 2: NtResumeProcess / NtSuspendProcess. The trailing comments on the
// original were swapped relative to the names; corrected here.
DWORD (WINAPI *ntresumeprocess_p) (HANDLE hprocess);//Resume
DWORD (WINAPI *ntsuspendprocess_p) (HANDLE hprocess);//Suspend
// Resolves the DbgUi* and NtSuspendProcess/NtResumeProcess exports from ntdll
// into the *_p globals above. Must be called once before any *_ntdll wrapper.
// As shown:
//  - the lines from `Dwret:dword;` through the second MessageBox are a
//    Pascal/Delphi fragment pasted from another program (`:=`, `begin`,
//    `pchar`, `Inttohex`); the C++ function is the LoadLibrary call, the
//    GetProcAddress assignments and the closing braces;
//  - none of the GetProcAddress results is checked for NULL, so a missing or
//    misspelled export becomes a call through a null pointer in the wrappers;
//  - CloseHandle on an HMODULE is wrong - it is not a kernel handle; module
//    handles are released with FreeLibrary. Since ntdll is mapped in every
//    process, GetModuleHandle(TEXT("ntdll.dll")) avoids the reference count
//    altogether and needs no release;
//  - LoadLibrary by bare file name follows the DLL search order; ntdll is a
//    KnownDLL so that is harmless here, but it is not a pattern to copy.
void Loadntdllfun ()
{
Hmodule Dllhandle;
Dwret:dword;
Processhandle:dword;
Begin
Dllhandle = LoadLibrary ("Ntdll.dll");
if (Dllhandle! = 0)
{
Dbguiconnecttodbg_p = (Long (__stdcall *) ()) GetProcAddress (Dllhandle, "dbguiconnecttodbg");
Dbguidebugactiveprocess_p = (Long (__stdcall *) (HANDLE)) GetProcAddress (Dllhandle, "dbguidebugactiveprocess");
Dbguistopdebugging_p = (Long (__stdcall *) (HANDLE)) GetProcAddress (Dllhandle, "dbguistopdebugging");
mydbguiconnecttodbg;
Processhandle:=openprocess (Process_all_access, False, findprocess ("Winlogon.exe"));
MessageBox (0,pchar (Inttohex (processhandle,8)), "AA", 0);
Dwret:=mydbguidebugactiveprocess (ProcessHandle);
If Dwret<>0 then MessageBox (0,pchar ("Protection failed"), "hint", 0) Else
MessageBox (0,pchar ("protect success, come to end me!" ")," hint ", 0)
ntresumeprocess_p = (DWORD (__stdcall *) (HANDLE)) GetProcAddress (Dllhandle, "ntresumeprocess");
ntsuspendprocess_p = (DWORD (__stdcall *) (HANDLE)) GetProcAddress (Dllhandle, "ntsuspendprocess");
}
CloseHandle (Dllhandle);
}//
// Calls through the pointer set by Loadntdllfun(); undefined behaviour if that
// has not run or GetProcAddress returned NULL. Returns whatever ntdll returns
// (declared here as Long).
Long Dbguiconnecttodbg_ntdll ()
{
return dbguiconnecttodbg_p ();
}//
// Pause (Method 1): attaches to processhandle through the resolved DbgUi
// pointer. Same precondition as the other wrappers - Loadntdllfun() first, and
// the pointer is not null-checked here.
Long Dbguidebugactiveprocess_ntdll (HANDLE processhandle)
{
Return dbguidebugactiveprocess_p (ProcessHandle);
}//
// Resume (Method 1): detaches from processhandle through the resolved DbgUi
// pointer; no null check on the pointer.
Long Dbguistopdebugging_ntdll (HANDLE processhandle)
{
Return dbguistopdebugging_p (ProcessHandle);
}//
// Resume (Method 2): NtResumeProcess on hprocess through the resolved pointer.
// The original trailing comment said "Pause", which was swapped with the
// suspend wrapper below; no null check on the pointer.
DWORD Ntresumeprocess_ntdll (HANDLE hprocess)//Resume
{
Return ntresumeprocess_p (hprocess);
}
// Pause (Method 2): NtSuspendProcess on hprocess through the resolved pointer.
// The original trailing comment said "Recovery", which was swapped with the
// resume wrapper above; no null check on the pointer.
DWORD Ntsuspendprocess_ntdll (HANDLE hprocess)//Suspend
{
Return ntsuspendprocess_p (hprocess);
}
/*
Another variant that is also circulated:
HANDLE hprocess = OpenProcess (process_all_access, FALSE, ProcessID);
if (hprocess)
{
HInstance H_module = LoadLibrary ("Ntdll.dll");
NTProcess mprocess = (ntprocess) GetProcAddress (H_module, "ntresumeprocess"); Ntresumeprocess ntsuspendprocess
Mprocess (hprocess);
}
ProcessID is the PID of the target process.
Suspend or resume, whichever you need, by choosing the matching export name.
*/
Http://www.cnblogs.com/-clq/archive/2012/03/15/2397533.html
Task Manager ---- suspending and resuming a process -- NtSuspendProcess && NtResumeProcess