
c++中进程的挂起

2012-11-04 
c++中进程的挂起NtTerminateProcess 、NtResumeProcess 、NtSuspendProcess这三个函数是微软内核api可以在线

c++中进程的挂起

NtTerminateProcess 、NtResumeProcess 、NtSuspendProcess

这三个函数是微软内核api

可以在线查询

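/*++

Module Name:

    NtSuspendProcess.cpp

Abstract:

    This utility [Suspend|Resume] processes.

Author:

    Michael Wookey 6-Jun-2003 (ntutils@wookey.org)

Notes:

    NtSuspendProcess.exe [Suspend|Resume] pid

    NtSuspendProcess / NtResumeProcess are undocumented exports of ntdll,
    so they are resolved at run time and every lookup is checked for NULL.

Compiler:

    VC7

Build:

    cl NtSuspendProcess.cpp

    Add Unicode support, [2/23/2010 dnybz(cnfreebsd@163.com)]

--*/

#define STRICT
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <tchar.h>

//
// The native functions exported from ntdll. Both return an NTSTATUS
// (a LONG); a negative value is a failure code.
//
typedef LONG ( NTAPI *_NtSuspendProcess )( IN HANDLE ProcessHandle );
typedef LONG ( NTAPI *_NtResumeProcess )( IN HANDLE ProcessHandle );

//
// Enable SeDebugPrivilege on the current process token so that processes
// owned by other accounts can be opened. Returns true only when the
// privilege is actually held and now enabled. The token handle is closed
// on every path (the original leaked it on success).
//
bool EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    if( ! OpenProcessToken( GetCurrentProcess(),
                            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ))
    {
        return false;
    }

    bool enabled = false;
    LUID sedebugnameValue;
    if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ))
    {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        //
        // AdjustTokenPrivileges returns TRUE even when the caller does not
        // hold the privilege (it then sets ERROR_NOT_ALL_ASSIGNED), so the
        // last error has to be inspected as well.
        //
        if( AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL )
            && GetLastError() == ERROR_SUCCESS )
        {
            enabled = true;
        }
    }

    CloseHandle( hToken );
    return enabled;
}

//
// Parse the pid argument as a plain decimal number. Returns false for an
// empty or non-numeric string; the original _tstoi silently turned such
// input into pid 0.
//
static bool ParsePid( const _TCHAR* text, DWORD* pid )
{
    if( ! text || ! *text )
    {
        return false;
    }

    _TCHAR* end = NULL;
    unsigned long value = _tcstoul( text, &end, 10 );
    if( end == text || *end != _T('\0') )
    {
        return false;
    }

    *pid = (DWORD) value;
    return true;
}

//
// Entry point: NtSuspendProcess.exe [Suspend|Resume] pid
// Returns 0 on success and 1 on a usage error or any failed call.
//
int _tmain( int argc, _TCHAR* argv[] )
{
    //
    // Make sure we have enough arguments.
    //
    if( 3 > argc )
    {
        printf( "usage [Suspend|Resume] pid\n" );
        return 1;
    }

    //
    // Validate the verb and the pid before touching any process.
    //
    const bool suspend = ! lstrcmpi( argv[1], _T("Suspend") );
    const bool resume  = ! lstrcmpi( argv[1], _T("Resume") );
    if( ! suspend && ! resume )
    {
        printf( "usage [Suspend|Resume] pid\n" );
        return 1;
    }

    DWORD pid = 0;
    if( ! ParsePid( argv[2], &pid ))
    {
        printf( "Invalid process id\n" );
        return 1;
    }

    //
    // Obtain our function imports. ntdll is always mapped, but the exports
    // are undocumented, so a missing one is reported instead of being
    // silently skipped.
    //
    HMODULE ntdll = GetModuleHandle( _T("ntdll") );
    _NtSuspendProcess NtSuspendProcess = ntdll
        ? (_NtSuspendProcess) GetProcAddress( ntdll, "NtSuspendProcess" ) : 0;
    _NtResumeProcess NtResumeProcess = ntdll
        ? (_NtResumeProcess) GetProcAddress( ntdll, "NtResumeProcess" ) : 0;

    if( ( suspend && ! NtSuspendProcess ) || ( resume && ! NtResumeProcess ))
    {
        printf( "NtSuspendProcess/NtResumeProcess not available\n" );
        return 1;
    }

    //
    // Attempt to open the target process. Only PROCESS_SUSPEND_RESUME is
    // requested instead of PROCESS_ALL_ACCESS: it is all the two calls
    // need, and it keeps the handle to the least privilege required.
    // SeDebugPrivilege is best-effort; without it the caller can still
    // open processes it already has access to.
    //
    EnableDebugPrivilege();
    HANDLE ProcessHandle = OpenProcess( PROCESS_SUSPEND_RESUME, FALSE, pid );
    if( ! ProcessHandle )
    {
        printf( "Unable to open process id %lu (error %lu)\n",
                pid, GetLastError() );
        return 1;
    }

    //
    // Suspend or Resume the process. Note that these alter the process'
    // suspend count, so freezing the process twice will require thawing
    // the process twice to restore.
    //
    LONG status = suspend ? NtSuspendProcess( ProcessHandle )
                          : NtResumeProcess( ProcessHandle );

    //
    // Close our process handle.
    //
    CloseHandle( ProcessHandle );

    if( status < 0 )
    {
        printf( "%s failed with NTSTATUS 0x%08lX\n",
                suspend ? "Suspend" : "Resume", status );
        return 1;
    }

    return 0;
}
/* EOF */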


 

 

1楼ghevinn昨天 18:03
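// susp.cpp : entry point of the console application.
//

#include "stdafx.h"
#include "windows.h"

#include <iostream>

// NtSuspendProcess and NtResumeProcess share one signature. Both return an
// NTSTATUS, which is a signed LONG (negative on failure), not a DWORD.
typedef LONG (WINAPI* PFNNtSuspendProcess)(HANDLE hProcess);

// Demo: suspend the process whose pid is argv[1], then resume it again.
// Returns 0 when both calls succeed and 1 on any failure.
int _tmain(int argc, _TCHAR* argv[])
{
	if (argc < 2)
	{
		std::wcout << L"usage: susp pid" << std::endl;
		return 1;
	}

	HMODULE hNtdll = (HMODULE)GetModuleHandle(L"ntdll.dll");
	if (!hNtdll)
	{
		std::wcout << L"ntdll.dll not loaded" << std::endl;
		return 1;
	}

	// The exports are undocumented, so both lookups are checked rather than
	// being called through a possibly NULL pointer.
	PFNNtSuspendProcess NtSuspendProcess = (PFNNtSuspendProcess)GetProcAddress(hNtdll, "NtSuspendProcess");
	PFNNtSuspendProcess NtResumeProcess1 = (PFNNtSuspendProcess)GetProcAddress(hNtdll, "NtResumeProcess");
	if (!NtSuspendProcess || !NtResumeProcess1)
	{
		std::wcout << L"NtSuspendProcess/NtResumeProcess not exported by ntdll" << std::endl;
		return 1;
	}

	// PROCESS_SUSPEND_RESUME is the only access right these two calls need.
	HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, _wtoi(argv[1]));
	if (!hProcess)
	{
		std::wcout << L"OpenProcess failed, error " << GetLastError() << std::endl;
		return 1;
	}

	LONG dwRet = NtSuspendProcess(hProcess);
	LONG dwRet1 = 0;
	if (dwRet >= 0)
	{
		// A successful suspend raised the target's suspend count by one, so a
		// matching resume is required to leave it runnable.
		dwRet1 = NtResumeProcess1(hProcess);
	}

	// The original never closed the process handle.
	CloseHandle(hProcess);

	std::wcout<<L"cdddddddd"<<std::endl;
	return (dwRet >= 0 && dwRet1 >= 0) ? 0 : 1;
}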
