A forum for reverse engineering, OS internals and malware analysis
 #24693  by binstory1523
 Mon Dec 22, 2014 6:51 am
Hi, this is a student who lives in South Korea.
I'll ask you one question.
PC Hunter, POWER Tool look like I have a feature called the Process Force Suspend think a rootkit that part only battling alone is going to make a bunch of separate sounds like there 's nothing NtProcessSuspend relevant examples Do you ever minute you help ??
 #24695  by Vrtule
 Mon Dec 22, 2014 7:50 am
Hello,

if you want to suspend a process from usermode, you may use the NtSuspendProcess system call. It is exported by the ntdll.dll library. Well, you can also call it from kernelmode but the routine seems not to be exported, so some tricks are needed to do that.

The prototype is as follows:
Code: Select all
NTSTATUS NTAPI NtSuspendProcess(HANDLE ProcessHandle);
The handle must have the PROCESS_SUSPEND_RESUME access right at least. To obtain the handle, you may use the OpenProcess (usermode) or ZwOpenProcess function (both usermode and kernelmode).

Best regards
Vrtule

P.S.
To resume a process suspended by the way described above, use the NtResumeProcess routine. It has exactly the same prototype as the suspend one, it is also exported by ntdll.dll and the process handle also needs the PROCESS_SUSPEND_RESUME access right.

P.P.S
In most cases, NtXxx functions are neither part of any static library (.lib) file nor declared in any header file. I want to say you won't get them by installing Windows SDK or similar packages. Use GetModuleHandle and GetProcAddress APIs to obtain their addresses.
 #24697  by Vrtule
 Mon Dec 22, 2014 8:12 am
I did not test the code, but it should show you how to use the routines.
Code:
#include <windows.h>
#include <winternl.h> // NTSTATUS typedef
#include <stdio.h>
...
// Both routines take a process handle and return an NTSTATUS.
typedef NTSTATUS (NTAPI NTSUSPENDPROCESS)(HANDLE ProcessHandle);
typedef NTSTATUS (NTAPI NTRESUMEPROCESS)(HANDLE ProcessHandle);
...
// ProcessId: PID of the target process, supplied by the caller (declared in the elided part)
// ntdll.dll is mapped into every user-mode process, so GetModuleHandle is enough (no LoadLibrary).
HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
NTSUSPENDPROCESS *_NtSuspendProcess = NULL;
NTRESUMEPROCESS *_NtResumeProcess = NULL;
HANDLE hProcess = NULL;
NTSTATUS status = 0xC0000001; // STATUS_UNSUCCESSFUL

if (hNtdll != NULL) {
  printf("Searching for NtSuspendProcess...");
  // GetProcAddress returns FARPROC; cast it to the prototype declared above.
  _NtSuspendProcess = (NTSUSPENDPROCESS *)GetProcAddress(hNtdll, "NtSuspendProcess");
  if (_NtSuspendProcess != NULL) {
    printf("0x%p\n", _NtSuspendProcess);
    printf("Searching for NtResumeProcess...");
    _NtResumeProcess = (NTRESUMEPROCESS *)GetProcAddress(hNtdll, "NtResumeProcess");
    if (_NtResumeProcess != NULL) {
      printf("0x%p\n", _NtResumeProcess);
      printf("Opening the target process...");
      // PROCESS_SUSPEND_RESUME is the only access right the two routines need.
      hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, ProcessId);
      if (hProcess != NULL) {
        printf("OK\n");
        printf("Suspending the process...");
        status = _NtSuspendProcess(hProcess);
        if (status >= 0) { // NTSTATUS is a signed LONG, so this is NT_SUCCESS(status)
          printf("OK\n");
          printf("Waiting for 10 seconds...");
          Sleep(10000);
          printf("DONE\n");
          printf("Resuming the process...");
          status = _NtResumeProcess(hProcess);
          if (status >= 0) { // NT_SUCCESS(status)
            printf("OK\n");
          } else printf("ERROR (NTSTATUS 0x%08lx)\n", (unsigned long)status);
        } else printf("ERROR (NTSTATUS 0x%08lx)\n", (unsigned long)status);

        CloseHandle(hProcess);
      } else printf("ERROR %lu\n", GetLastError());
    } else printf("ERROR %lu\n", GetLastError());
  } else printf("ERROR %lu\n", GetLastError());
} else printf("NTDLL.DLL was not found in our address space. This should never happen!\n");
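The same pattern from a scripting language, as an added example that is not Vrtule's code and not part of any tool mentioned in the thread: resolve NtSuspendProcess and NtResumeProcess from ntdll at run time (they are in no import library or SDK header), open the target with nothing more than PROCESS_SUSPEND_RESUME (the winnt.h value 0x0800), and treat the result the way NT_SUCCESS does, by looking at the sign bit of the 32-bit status. The names freeze_process, resolve_native_api, nt_success and decode_ntstatus are mine; the status-code layout (severity, customer bit, facility, code) is the standard NTSTATUS format. A typical defensive use is freezing a suspicious process for a few seconds of triage before acquiring its memory, which is why the function always resumes what it suspended.

```python
"""Suspend and resume a process through ntdll's NtSuspendProcess / NtResumeProcess.

Added example (not from the original thread). The Windows-only part runs only on
win32; the NTSTATUS helpers are pure Python so they can be exercised anywhere.
"""
import ctypes
import sys
import time

# Access right required on the process handle (winnt.h constant).
PROCESS_SUSPEND_RESUME = 0x0800
# Two NTSTATUS values used below (ntstatus.h constants).
STATUS_UNSUCCESSFUL = 0xC0000001
STATUS_ACCESS_DENIED = 0xC0000022


def nt_success(status: int) -> bool:
    """NT_SUCCESS(): an NTSTATUS is a signed 32-bit LONG; success and
    informational codes are >= 0, warnings and errors have the sign bit set.
    Accepts either the signed value ctypes returns or the unsigned 0xC... form."""
    return (status & 0xFFFFFFFF) < 0x80000000


def decode_ntstatus(status: int) -> dict:
    """Split an NTSTATUS into its fields: severity (0 success, 1 informational,
    2 warning, 3 error), customer bit, facility and the 16-bit code."""
    s = status & 0xFFFFFFFF
    return {
        "severity": s >> 30,
        "customer": (s >> 29) & 1,
        "facility": (s >> 16) & 0x0FFF,
        "code": s & 0xFFFF,
    }


def resolve_native_api():
    """Resolve the two routines from ntdll, the ctypes equivalent of
    GetModuleHandle + GetProcAddress, and give them the NTSTATUS(HANDLE) prototype."""
    if sys.platform != "win32":
        raise RuntimeError("ntdll.dll is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")  # already mapped in every process
    for name in ("NtSuspendProcess", "NtResumeProcess"):
        fn = getattr(ntdll, name)
        fn.restype = ctypes.c_long      # NTSTATUS (32-bit signed on Windows)
        fn.argtypes = [ctypes.c_void_p]  # HANDLE ProcessHandle
    return ntdll.NtSuspendProcess, ntdll.NtResumeProcess


def freeze_process(pid: int, seconds: float) -> int:
    """Open `pid` with PROCESS_SUSPEND_RESUME, suspend it, wait, then resume it.
    Returns the NTSTATUS of the last native call made; raises OSError (with the
    Win32 error, e.g. access denied) if the handle cannot be opened."""
    suspend, resume = resolve_native_api()
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    handle = k32.OpenProcess(PROCESS_SUSPEND_RESUME, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        status = suspend(handle)
        if not nt_success(status):
            return status
        time.sleep(seconds)
        # Always resume what we froze, even if the caller only wanted a snapshot window.
        return resume(handle)
    finally:
        k32.CloseHandle(handle)


if __name__ == "__main__":
    # Usage: python freeze.py <pid>  (freezes the process for 10 seconds, like the C snippet)
    result = freeze_process(int(sys.argv[1]), 10)
    fields = decode_ntstatus(result)
    print("NTSTATUS 0x%08X severity=%d code=0x%X" % (result & 0xFFFFFFFF,
                                                    fields["severity"], fields["code"]))
```

Because ctypes hands back the status as a signed c_long, comparing it against 0xC0000001 directly would never match; nt_success() and decode_ntstatus() mask to 32 bits first so both the signed and the unsigned spelling of a code are handled.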
 #24698  by EP_X0FF
 Mon Dec 22, 2014 8:24 am
binstory1523 wrote:Hi, this is a student who lives in South Korea
PC Hunter, POWER Tool look like I have a feature called the Process Force Suspend
Since this BSOD generator is the result of copy-paste from various sources, the last time I looked at it, it was doing the following:

force APC for each thread in process
PsSuspendThread for each thread in process
 #24713  by binstory1523
 Tue Dec 23, 2014 7:57 am
Vrtule wrote:I did not test the code, but it should show you how to use the routines.
Code:
(code quoted from post #24697 above)

Not that I ever result is an example to work from any program testing
Why can not I I will ignore the memory block
I want to test a program that is XIGNCODE3
Are we to really force the process to stop while the memory block is formed?
 #24714  by EP_X0FF
 Tue Dec 23, 2014 8:16 am
Use google translate. Your post is meaningless.
 #24715  by binstory1523
 Tue Dec 23, 2014 8:28 am
EP_X0FF wrote:Use google translate. Your post is meaningless.
Does ZwSuspendProcess operate in a different way from NtSuspendProcess?
I would like to try again to challenge Zw Process Suspend method. :(
 #24716  by EP_X0FF
 Tue Dec 23, 2014 9:01 am
binstory1523 wrote:
EP_X0FF wrote:Use google translate. Your post is meaningless.
Does ZwSuspendProcess operate in a different way from NtSuspendProcess?
I would like to try again to challenge Zw Process Suspend method. :(
Where? In driver or in user mode app?
 #24720  by binstory1523
 Tue Dec 23, 2014 12:00 pm
EP_X0FF wrote:
binstory1523 wrote:
EP_X0FF wrote:Use google translate. Your post is meaningless.
Does ZwSuspendProcess operate in a different way from NtSuspendProcess?
I would like to try again to challenge Zw Process Suspend method. :(
Where? In driver or in user mode app?
Can I use the ZwSuspendProcess in user mode? Just load the drivers?

http://www.codereversing.com/blog/?p=128

Open source is tested itgilre but an error in the source