A forum for reverse engineering, OS internals and malware analysis 

 #17411  by R00tKit
 Fri Dec 28, 2012 9:12 am
Hi,
some points:
Neither NtSuspendThread, PsSuspendProcess nor PsSuspendThread is exported by the kernel (I checked with IDA Pro).

This could be one method: get the PID/TID from CreateProcessNotifyRoutine and wait in it, send the TID to the user-mode part and suspend there (maybe this fails: user mode needs to open a handle, but we halt thread creation in the middle, so the thread is not yet created at that point, I think?). All of this needs checking.

CreateProcessNotifyRoutine is called during thread creation (check to see whether this is the first thread).

Thread creation and the callback run in one thread, so waiting in the callback stops thread creation.

So you can't use this function.
But I checked how Process Hacker does this, and this code was strange to me:
    PsSuspendProcess_I = KphGetSystemRoutineAddress(L"PsSuspendProcess");
...

/* Thin wrapper: builds a UNICODE_STRING and asks the memory manager for the export. */
PVOID KphGetSystemRoutineAddress(
    __in PWSTR SystemRoutineName
    )
{
    UNICODE_STRING systemRoutineName;

    PAGED_CODE();

    RtlInitUnicodeString(&systemRoutineName, SystemRoutineName);

    /* Returns NULL when neither the kernel nor the HAL exports the name. */
    return MmGetSystemRoutineAddress(&systemRoutineName);
}
MmGetSystemRoutineAddress can only be used for routines exported by the kernel or HAL, but PsSuspendProcess is not exported.
So how does wj32 do this? :!:
 #17416  by EP_X0FF
 Fri Dec 28, 2012 11:06 am
R00tKit wrote: So how does wj32 do this? :!:
They're exported since Windows Vista.
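The practical consequence of the two posts above, as an added example (this is not Process Hacker's code and not from the thread): since PsSuspendProcess is only exported on Vista and later, MmGetSystemRoutineAddress returns NULL on older kernels, so the resolved pointer must be checked before every use and the caller given a clean fallback status. In a driver the resolver passed to ResolveSuspendSupport would be a wrapper over MmGetSystemRoutineAddress such as the KphGetSystemRoutineAddress shown earlier; here two constructed export tables (VistaResolver, XpResolver) stand in for a Vista+ and a pre-Vista kernel so the control flow can run on a host toolchain. The prototype used, NTSTATUS PsSuspendProcess(PEPROCESS Process), is the one Process Hacker calls through; the NTSTATUS codes are the standard values.

```c
/* Added example (not Process Hacker's code): resolve PsSuspendProcess by
 * name at run time and never call through a NULL pointer when the kernel
 * does not export it (pre-Vista). The export tables below are constructed
 * stand-ins for MmGetSystemRoutineAddress so the logic runs on a host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

typedef int32_t NTSTATUS;                        /* LONG on Windows */
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define STATUS_NOT_SUPPORTED     ((NTSTATUS)0xC00000BBL)

typedef void *PEPROCESS;
/* Prototype of the export; a mismatch here corrupts the stack on call. */
typedef NTSTATUS (*PS_SUSPEND_PROCESS)(PEPROCESS Process);
/* Anything that maps a routine name to its address, or NULL when absent. */
typedef void *(*ROUTINE_RESOLVER)(const wchar_t *Name);

typedef struct _SUSPEND_SUPPORT {
    PS_SUSPEND_PROCESS PsSuspendProcess_I;       /* NULL => unavailable on this kernel */
} SUSPEND_SUPPORT;

/* Resolve once (e.g. from DriverEntry) and cache the result. */
void ResolveSuspendSupport(SUSPEND_SUPPORT *Support, ROUTINE_RESOLVER Resolve)
{
    Support->PsSuspendProcess_I = (PS_SUSPEND_PROCESS)Resolve(L"PsSuspendProcess");
}

/* Call site: the NULL check is the whole point; without it a pre-Vista
 * kernel would jump to address 0 and bugcheck. */
NTSTATUS SuspendProcessSafe(const SUSPEND_SUPPORT *Support, PEPROCESS Process)
{
    if (Process == NULL)
        return STATUS_INVALID_PARAMETER;
    if (Support->PsSuspendProcess_I == NULL)
        return STATUS_NOT_SUPPORTED;             /* caller falls back or reports */
    return Support->PsSuspendProcess_I(Process);
}

/* ---- constructed stand-ins for the kernel export table (host only) ---- */
typedef struct { const wchar_t *Name; void *Address; } EXPORT_ENTRY;

static int g_suspend_calls;                      /* calls into the fake export */

static NTSTATUS FakePsSuspendProcess(PEPROCESS Process)
{
    (void)Process;
    g_suspend_calls++;
    return STATUS_SUCCESS;
}

static void *FakeUnrelatedRoutine(void) { return NULL; }

/* "Vista+" kernel: PsSuspendProcess is in the export table. */
static const EXPORT_ENTRY g_vista_exports[] = {
    { L"PsSuspendProcess", (void *)FakePsSuspendProcess },
};
/* "XP" kernel: other routines exist, PsSuspendProcess does not. */
static const EXPORT_ENTRY g_xp_exports[] = {
    { L"PsLookupProcessByProcessId", (void *)FakeUnrelatedRoutine },
};

static void *LookupExport(const EXPORT_ENTRY *Table, size_t Count, const wchar_t *Name)
{
    for (size_t i = 0; i < Count; i++)
        if (wcscmp(Table[i].Name, Name) == 0)
            return Table[i].Address;
    return NULL;   /* same contract as MmGetSystemRoutineAddress for an unknown name */
}

void *VistaResolver(const wchar_t *Name)
{ return LookupExport(g_vista_exports, sizeof g_vista_exports / sizeof g_vista_exports[0], Name); }
void *XpResolver(const wchar_t *Name)
{ return LookupExport(g_xp_exports, sizeof g_xp_exports / sizeof g_xp_exports[0], Name); }

/* Resolve against a given kernel, then attempt the suspend. */
NTSTATUS TrySuspendOn(ROUTINE_RESOLVER Resolve, PEPROCESS Process)
{
    SUSPEND_SUPPORT support;
    ResolveSuspendSupport(&support, Resolve);
    return SuspendProcessSafe(&support, Process);
}

PEPROCESS FakeProcess(void)
{
    static int object;                           /* constructed placeholder for an EPROCESS */
    return (PEPROCESS)&object;
}

int SuspendCallCount(void) { return g_suspend_calls; }

int main(void)
{
    printf("Vista+ kernel: 0x%08X\n", (unsigned)TrySuspendOn(VistaResolver, FakeProcess()));
    printf("XP kernel    : 0x%08X\n", (unsigned)TrySuspendOn(XpResolver, FakeProcess()));
    return 0;
}
```

On the Vista+ table the call reaches the (fake) export and returns STATUS_SUCCESS; on the XP table the lookup yields NULL and the caller gets STATUS_NOT_SUPPORTED instead of a crash, which is where a driver would switch to the user-mode suspend route R00tKit describes.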