/* 挂起进程 */
BOOL SuspendProcess(DWORD dwProcessID)
{
_NtSuspendProcess NtSuspendProcess;
HANDLE hProcess;
NTSTATUS Status;
NtSuspendProcess = (_NtSuspendProcess)GetProcAddress(
GetModuleHandle(_T("ntdll.dll")), "NtSuspendProcess");
if (NtSuspendProcess == NULL)
{
ODS(_T("NtSuspendProcess address error!"));
return FALSE;
}
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
if (hProcess == NULL)
{
return FALSE;
}
Status = NtSuspendProcess(hProcess);
if (!NT_SUCCESS(Status))
{
CloseHandle(hProcess);
return FALSE;
}
CloseHandle(hProcess);
return TRUE;
}
DWORD CALLBACK CaptureAndSuspendProcess(LPVOID)
{
ImpersonateAnonymousToken(GetCurrentThread());
while (NtGetNextProcess(nullptr, MAXIMUM_ALLOWED, 0, 0, &g_hProcess) != 0)
{
}
NTSTATUS status = NtSuspendProcess(g_hProcess);
printf("Suspended process: %08X %p %d\n", status, g_hProcess, GetProcessId(g_hProcess));
RevertToSelf();
SetProcessId(GetProcessId(g_hProcess));
WCHAR cmdline[] = L"notepad.exe";
STARTUPINFO startInfo = {};
PROCESS_INFORMATION procInfo = {};
startInfo.cb = sizeof(startInfo);
if (CreateProcessWithLogonW(L"user", L"domain", L"password", LOGON_NETCREDENTIALS_ONLY,
nullptr, cmdline, CREATE_SUSPENDED, nullptr, nullptr, &startInfo, &procInfo))
{
printf("Created process %d\n", procInfo.dwProcessId);
}
else
{
printf("Create error: %d\n", GetLastError());
}
TerminateProcess(g_hProcess, 0);
ExitProcess(0);
return 0;
}
NTSTATUS kuhl_m_process_genericOperation(int argc, wchar_t * argv[], KUHL_M_PROCESS_GENERICOPERATION operation)
{
HANDLE hProcess;
NTSTATUS status = STATUS_NOT_FOUND;
DWORD pid = 0, access;
PCWCHAR szPid, szText;
switch(operation)
{
case KUHL_M_PROCESS_GENERICOPERATION_TERMINATE:
access = PROCESS_TERMINATE;
szText = L"NtTerminateProcess";
break;
case KUHL_M_PROCESS_GENERICOPERATION_SUSPEND:
access = PROCESS_SUSPEND_RESUME;
szText = L"NtSuspendProcess";
break;
case KUHL_M_PROCESS_GENERICOPERATION_RESUME:
access = PROCESS_SUSPEND_RESUME;
szText = L"NtResumeProcess";
break;
default:
return status;
}
if(kull_m_string_args_byName(argc, argv, L"pid", &szPid, NULL))
pid = wcstoul(szPid, NULL, 0);
if(pid)
{
if(hProcess = OpenProcess(access, FALSE, pid))
{
switch(operation)
{
case KUHL_M_PROCESS_GENERICOPERATION_TERMINATE:
status = NtTerminateProcess(hProcess, STATUS_SUCCESS);
break;
case KUHL_M_PROCESS_GENERICOPERATION_SUSPEND:
status = NtSuspendProcess(hProcess);
break;
case KUHL_M_PROCESS_GENERICOPERATION_RESUME:
status = NtResumeProcess(hProcess);
break;
}
if(NT_SUCCESS(status))
kprintf(L"%s of %u PID : OK !\n", szText, pid);
else PRINT_ERROR(L"%s 0x%08x\n", szText, status);
CloseHandle(hProcess);
}
else PRINT_ERROR_AUTO(L"OpenProcess");
}
else PRINT_ERROR(L"pid (/pid:123) is missing");
return status;
}
BOOL NTPauseResumeThreadList(const char* filename, BOOL bResumeThread){
_NtSuspendProcess NtSuspendProcess = 0;
_NtResumeProcess NtResumeProcess = 0;
//
// Obtain our function imports.
//
NtSuspendProcess = (_NtSuspendProcess) GetProcAddress( GetModuleHandle( "ntdll" ), "NtSuspendProcess" );
NtResumeProcess = (_NtResumeProcess) GetProcAddress( GetModuleHandle( "ntdll" ), "NtResumeProcess" );
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
if (!ImprovePrivilege())
{
return FALSE;
}
PROCESSENTRY32 pEntry;
pEntry.dwSize = sizeof (pEntry);
BOOL hRes = Process32First(hSnapShot, &pEntry);
DWORD dwExitCode = 0;
while (hRes){
if (strcmp(pEntry.szExeFile, filename) == 0){
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, (DWORD) pEntry.th32ProcessID);
if (hProcess != NULL){
if (bResumeThread){
if( NtResumeProcess){
printf("Resume Process:%d\n", pEntry.th32ProcessID);
NtResumeProcess( hProcess);
}
}else{
if( NtSuspendProcess ){
printf("Suspend Process:%d\n", pEntry.th32ProcessID);
NtSuspendProcess( hProcess );
}
}
CloseHandle(hProcess);
CloseHandle(hSnapShot);
return TRUE;
}
}
hRes = Process32Next(hSnapShot, &pEntry);
}
CloseHandle(hSnapShot);
return FALSE;
}
static bool InternalSuspendResumeProcess(DWORD pid, bool suspend)
{
// http://stackoverflow.com/questions/11010165/how-to-suspend-resume-a-process-in-windows
LONG NTAPI NtSuspendProcess(IN HANDLE h);
static auto ntfunc = GETPROC(NtSuspendProcess, ntdll);
if (ntfunc)
{
scoped_handle hProcess{ ::OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid) };
if (hProcess)
if (ntfunc(hProcess.get()) == 0) // STATUS_SUCCESS = 0
return true;
}
scoped_handle hSnapshot{ ::CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0) };
if (!hSnapshot)
return false;
::THREADENTRY32 entry{ sizeof(entry) };
if (!::Thread32First(hSnapshot.get(), &entry))
return false;
do
{
if (entry.th32OwnerProcessID == pid)
{
scoped_handle hThread{ ::OpenThread(THREAD_SUSPEND_RESUME, FALSE, entry.th32ThreadID) };
if (suspend)
::SuspendThread(hThread.get());
else
::ResumeThread(hThread.get());
return ::GetLastError() == ERROR_SUCCESS;
}
}
while (::Thread32Next(hSnapshot.get(), &entry));
return false;
}
NTSTATUS PhCommandModeStart(
VOID
)
{
static PH_COMMAND_LINE_OPTION options[] =
{
{ PH_COMMAND_OPTION_HWND, L"hwnd", MandatoryArgumentType }
};
NTSTATUS status;
PPH_STRING commandLine;
if (!NT_SUCCESS(status = PhGetProcessCommandLine(NtCurrentProcess(), &commandLine)))
return status;
PhParseCommandLine(
&commandLine->sr,
options,
sizeof(options) / sizeof(PH_COMMAND_LINE_OPTION),
PH_COMMAND_LINE_IGNORE_UNKNOWN_OPTIONS,
PhpCommandModeOptionCallback,
NULL
);
PhDereferenceObject(commandLine);
if (PhEqualString2(PhStartupParameters.CommandType, L"process", TRUE))
{
SIZE_T i;
SIZE_T processIdLength;
HANDLE processId;
HANDLE processHandle;
if (!PhStartupParameters.CommandObject)
return STATUS_INVALID_PARAMETER;
processIdLength = PhStartupParameters.CommandObject->Length / 2;
for (i = 0; i < processIdLength; i++)
{
if (!PhIsDigitCharacter(PhStartupParameters.CommandObject->Buffer[i]))
break;
}
if (i == processIdLength)
{
ULONG64 processId64;
if (!PhStringToInteger64(&PhStartupParameters.CommandObject->sr, 10, &processId64))
return STATUS_INVALID_PARAMETER;
processId = (HANDLE)processId64;
}
else
{
PVOID processes;
PSYSTEM_PROCESS_INFORMATION process;
if (!NT_SUCCESS(status = PhEnumProcesses(&processes)))
return status;
if (!(process = PhFindProcessInformationByImageName(processes, &PhStartupParameters.CommandObject->sr)))
{
PhFree(processes);
return STATUS_NOT_FOUND;
}
processId = process->UniqueProcessId;
PhFree(processes);
}
if (PhEqualString2(PhStartupParameters.CommandAction, L"terminate", TRUE))
{
if (NT_SUCCESS(status = PhOpenProcessPublic(&processHandle, PROCESS_TERMINATE, processId)))
{
status = NtTerminateProcess(processHandle, STATUS_SUCCESS);
NtClose(processHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"suspend", TRUE))
{
if (NT_SUCCESS(status = PhOpenProcessPublic(&processHandle, PROCESS_SUSPEND_RESUME, processId)))
{
status = NtSuspendProcess(processHandle);
NtClose(processHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"resume", TRUE))
{
if (NT_SUCCESS(status = PhOpenProcessPublic(&processHandle, PROCESS_SUSPEND_RESUME, processId)))
{
status = NtResumeProcess(processHandle);
NtClose(processHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"priority", TRUE))
{
UCHAR priority;
if (!PhStartupParameters.CommandValue)
return STATUS_INVALID_PARAMETER;
if (PhEqualString2(PhStartupParameters.CommandValue, L"idle", TRUE))
priority = PROCESS_PRIORITY_CLASS_IDLE;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"normal", TRUE))
priority = PROCESS_PRIORITY_CLASS_NORMAL;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"high", TRUE))
priority = PROCESS_PRIORITY_CLASS_HIGH;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"realtime", TRUE))
priority = PROCESS_PRIORITY_CLASS_REALTIME;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"abovenormal", TRUE))
priority = PROCESS_PRIORITY_CLASS_ABOVE_NORMAL;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"belownormal", TRUE))
priority = PROCESS_PRIORITY_CLASS_BELOW_NORMAL;
else
return STATUS_INVALID_PARAMETER;
if (NT_SUCCESS(status = PhOpenProcessPublic(&processHandle, PROCESS_SET_INFORMATION, processId)))
{
PROCESS_PRIORITY_CLASS priorityClass;
priorityClass.Foreground = FALSE;
priorityClass.PriorityClass = priority;
status = NtSetInformationProcess(processHandle, ProcessPriorityClass, &priorityClass, sizeof(PROCESS_PRIORITY_CLASS));
NtClose(processHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"iopriority", TRUE))
{
ULONG ioPriority;
if (!PhStartupParameters.CommandValue)
return STATUS_INVALID_PARAMETER;
if (PhEqualString2(PhStartupParameters.CommandValue, L"verylow", TRUE))
ioPriority = 0;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"low", TRUE))
ioPriority = 1;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"normal", TRUE))
ioPriority = 2;
else if (PhEqualString2(PhStartupParameters.CommandValue, L"high", TRUE))
ioPriority = 3;
else
return STATUS_INVALID_PARAMETER;
if (NT_SUCCESS(status = PhOpenProcessPublic(&processHandle, PROCESS_SET_INFORMATION, processId)))
{
status = PhSetProcessIoPriority(processHandle, ioPriority);
NtClose(processHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"pagepriority", TRUE))
{
ULONG64 pagePriority64;
ULONG pagePriority;
if (!PhStartupParameters.CommandValue)
return STATUS_INVALID_PARAMETER;
PhStringToInteger64(&PhStartupParameters.CommandValue->sr, 10, &pagePriority64);
pagePriority = (ULONG)pagePriority64;
if (NT_SUCCESS(status = PhOpenProcessPublic(&processHandle, PROCESS_SET_INFORMATION, processId)))
{
status = NtSetInformationProcess(
processHandle,
ProcessPagePriority,
&pagePriority,
sizeof(ULONG)
);
NtClose(processHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"injectdll", TRUE))
{
if (!PhStartupParameters.CommandValue)
return STATUS_INVALID_PARAMETER;
if (NT_SUCCESS(status = PhOpenProcessPublic(
&processHandle,
ProcessQueryAccess | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
processId
)))
{
LARGE_INTEGER timeout;
timeout.QuadPart = -5 * PH_TIMEOUT_SEC;
status = PhInjectDllProcess(
processHandle,
PhStartupParameters.CommandValue->Buffer,
&timeout
);
NtClose(processHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"unloaddll", TRUE))
{
if (!PhStartupParameters.CommandValue)
return STATUS_INVALID_PARAMETER;
if (NT_SUCCESS(status = PhOpenProcessPublic(
&processHandle,
ProcessQueryAccess | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
processId
)))
{
PVOID baseAddress;
if (NT_SUCCESS(status = PhpGetDllBaseRemote(
processHandle,
&PhStartupParameters.CommandValue->sr,
&baseAddress
)))
{
LARGE_INTEGER timeout;
timeout.QuadPart = -5 * PH_TIMEOUT_SEC;
status = PhUnloadDllProcess(
processHandle,
baseAddress,
&timeout
);
}
NtClose(processHandle);
}
}
}
else if (PhEqualString2(PhStartupParameters.CommandType, L"service", TRUE))
{
SC_HANDLE serviceHandle;
SERVICE_STATUS serviceStatus;
if (!PhStartupParameters.CommandObject)
return STATUS_INVALID_PARAMETER;
if (PhEqualString2(PhStartupParameters.CommandAction, L"start", TRUE))
{
if (!(serviceHandle = PhOpenService(
PhStartupParameters.CommandObject->Buffer,
SERVICE_START
)))
return PhGetLastWin32ErrorAsNtStatus();
if (!StartService(serviceHandle, 0, NULL))
status = PhGetLastWin32ErrorAsNtStatus();
CloseServiceHandle(serviceHandle);
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"continue", TRUE))
{
if (!(serviceHandle = PhOpenService(
PhStartupParameters.CommandObject->Buffer,
SERVICE_PAUSE_CONTINUE
)))
return PhGetLastWin32ErrorAsNtStatus();
if (!ControlService(serviceHandle, SERVICE_CONTROL_CONTINUE, &serviceStatus))
status = PhGetLastWin32ErrorAsNtStatus();
CloseServiceHandle(serviceHandle);
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"pause", TRUE))
{
if (!(serviceHandle = PhOpenService(
PhStartupParameters.CommandObject->Buffer,
SERVICE_PAUSE_CONTINUE
)))
return PhGetLastWin32ErrorAsNtStatus();
if (!ControlService(serviceHandle, SERVICE_CONTROL_PAUSE, &serviceStatus))
status = PhGetLastWin32ErrorAsNtStatus();
CloseServiceHandle(serviceHandle);
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"stop", TRUE))
{
if (!(serviceHandle = PhOpenService(
PhStartupParameters.CommandObject->Buffer,
SERVICE_STOP
)))
return PhGetLastWin32ErrorAsNtStatus();
if (!ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus))
status = PhGetLastWin32ErrorAsNtStatus();
CloseServiceHandle(serviceHandle);
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"delete", TRUE))
{
if (!(serviceHandle = PhOpenService(
PhStartupParameters.CommandObject->Buffer,
DELETE
)))
return PhGetLastWin32ErrorAsNtStatus();
if (!DeleteService(serviceHandle))
status = PhGetLastWin32ErrorAsNtStatus();
CloseServiceHandle(serviceHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandType, L"thread", TRUE))
{
ULONG64 threadId64;
HANDLE threadId;
HANDLE threadHandle;
if (!PhStartupParameters.CommandObject)
return STATUS_INVALID_PARAMETER;
if (!PhStringToInteger64(&PhStartupParameters.CommandObject->sr, 10, &threadId64))
return STATUS_INVALID_PARAMETER;
threadId = (HANDLE)threadId64;
if (PhEqualString2(PhStartupParameters.CommandAction, L"terminate", TRUE))
{
if (NT_SUCCESS(status = PhOpenThreadPublic(&threadHandle, THREAD_TERMINATE, threadId)))
{
status = NtTerminateThread(threadHandle, STATUS_SUCCESS);
NtClose(threadHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"suspend", TRUE))
{
if (NT_SUCCESS(status = PhOpenThreadPublic(&threadHandle, THREAD_SUSPEND_RESUME, threadId)))
{
status = NtSuspendThread(threadHandle, NULL);
NtClose(threadHandle);
}
}
else if (PhEqualString2(PhStartupParameters.CommandAction, L"resume", TRUE))
{
if (NT_SUCCESS(status = PhOpenThreadPublic(&threadHandle, THREAD_SUSPEND_RESUME, threadId)))
{
status = NtResumeThread(threadHandle, NULL);
NtClose(threadHandle);
}
}
}
return status;
}
