进程的挂起与恢复--NtSuspendProcess&&NtResumeProcess
2013-03-20 20:28阅读:
原文:http://www.cnblogs.com/-clq/archive/2012/03/15/2397533.html
MFC任务管理器task
manager----进程的挂起与恢复--NtSuspendProcess&&NtResumeProcess
2009-08-11 1:13
.h
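public:
    // Signatures of the ntdll exports NtSuspendProcess / NtResumeProcess.
    // They are not in any import library, so the handler below resolves them
    // at runtime with GetProcAddress. Both take a process handle that was
    // opened with PROCESS_SUSPEND_RESUME.
    typedef DWORD (WINAPI *NtSuspendProcess)(HANDLE ProcessHandle);
    typedef DWORD (WINAPI *NtResumeProcess)(HANDLE hProcess);
    // Resolved entry points; assigned by the button handlers before use.
    NtSuspendProcess m_NtSuspendProcess;
    NtResumeProcess m_NtResumeProcess;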
.cpp:
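// "Resume" button handler: resumes the process selected in m_list2.
// Column 1 of the list holds the process ID as text.
// Does nothing when no row is selected, the PID does not parse, the process
// cannot be opened, or NtResumeProcess cannot be resolved.
void CPage2::OnBnClickedResume()
{
    const int nIdx = m_list2.GetNextItem(-1, LVNI_SELECTED);
    if (nIdx < 0)
    {
        return; // no selection: GetItemText(-1, ...) would read a non-existent row
    }

    // CString converts to LPCTSTR directly; GetBuffer(0) without ReleaseBuffer
    // left the CString in an inconsistent state.
    const CString process = m_list2.GetItemText(nIdx, 1);
    const DWORD processID = static_cast<DWORD>(_ttol(process));
    if (processID == 0)
    {
        return; // column text was not a PID (or is the idle process)
    }

    // PROCESS_SUSPEND_RESUME is the only right NtResumeProcess needs
    // (the "P.._S.._R.." flag from the original comment).
    HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processID);
    if (hProcess == NULL)
    {
        return; // access denied or process already gone; GetLastError() says which
    }

    // ntdll.dll is already mapped in this process; GetModuleHandle looks it up
    // without adding the reference that LoadLibrary added and never released.
    HMODULE h_module = GetModuleHandleW(L"ntdll.dll");
    if (h_module != NULL)
    {
        m_NtResumeProcess = reinterpret_cast<NtResumeProcess>(
            GetProcAddress(h_module, "NtResumeProcess"));
        // Undocumented export: guard against a missing symbol instead of
        // calling through a NULL pointer.
        if (m_NtResumeProcess != NULL)
        {
            m_NtResumeProcess(hProcess);
        }
    }
    CloseHandle(hProcess); // previously leaked on every click
}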
太晚了 睡觉睡觉。。。。。。。
--------------------------------------------------
.h
#pragma once
#include
#include
#include
#include
#include
//#include
#include
#pragma comment (lib,'Psapi.lib')
void ErrorExit(LPTSTR lpszFunction);
//--------------------------------------------------
// Suspending / resuming a process (the original header called this "cpu pause").
// Method 1 (debugger-style attach): this program must NOT be closed while a
// process is held this way, otherwise the held process exits with it.
long DbgUiConnectToDbg_ntdll();
//long (*DbgUiConnectToDbg)();  // defining the raw pointer here caused a duplicate-definition error
long DbgUiDebugActiveProcess_ntdll(HANDLE ProcessHandle); // suspend
long DbgUiStopDebugging_ntdll(HANDLE ProcessHandle);      // resume
// Method 2 (NtSuspendProcess / NtResumeProcess): this program may be closed safely.
DWORD NtSuspendProcess_ntdll(HANDLE hProcess); // suspend
DWORD NtResumeProcess_ntdll(HANDLE hProcess);  // resume
// Must be called once before any of the *_ntdll wrappers above.
void LoadNtDllFun();
//--------------------------------------------------
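class win_proc_public
{
public:
    win_proc_public(void);
    ~win_proc_public(void);
public:
    // NOTE(review): the methods below mix char buffers, std::string and
    // TCHAR/LPCTSTR APIs (GetProcessImageFileName into char[], the result
    // passed as LPCTSTR, TCHAR[] assigned to std::string). That only compiles
    // in a non-UNICODE build (TCHAR == char); confirm the project setting.

    // Full image path of hProcess, converted from its NT device form
    // ("\Device\HarddiskVolumeN\...") to a drive-letter path.
    // hProcess needs PROCESS_QUERY_INFORMATION.
    // Returns an empty string when the image name cannot be queried (e.g. the
    // handle lacks the right, which happens for some system processes) or when
    // the device prefix does not map to a logical drive.
    std::string GetExeFullName(HANDLE hProcess)
    {
        char lpImageFileName[2049] = {0};
        // One less than the array size so the terminating NUL always fits.
        const DWORD nSize = 2048;
        const DWORD len = GetProcessImageFileName(hProcess, lpImageFileName, nSize);
        if (len < 1)
        {
            // Deliberately not ErrorExit(): some processes are not queryable
            // without extra privileges and the caller just prints an empty path.
            return std::string();
        }
        return DosDevicePath2LogicalPath(lpImageFileName);
    }

    // Translate an NT device path ("\Device\HarddiskVolume2\x.exe") into a DOS
    // path ("D:\x.exe") by matching its prefix against the device name of every
    // logical drive. Returns an empty string for NULL input, when the drive list
    // cannot be read, or when no drive matches.
    // Adapted from the MSDN sample "Obtaining a File Name From a File Handle".
    std::string DosDevicePath2LogicalPath(LPCTSTR lpszDosPath)
    {
        std::string strResult;
        if (lpszDosPath == NULL)
        {
            return strResult;
        }

        // Receives "C:\<NUL>D:\<NUL>...<NUL>": a double-NUL-terminated list.
        TCHAR szTemp[MAX_PATH];
        szTemp[0] = '\0';
        if (!GetLogicalDriveStrings(_countof(szTemp) - 1, szTemp))
        {
            return strResult;
        }

        TCHAR szName[MAX_PATH];
        TCHAR szDrive[3] = TEXT(" :");
        BOOL bFound = FALSE;
        TCHAR* p = szTemp;
        do
        {
            // Turn the template " :" into "X:" for the current drive entry.
            *szDrive = *p;
            if (QueryDosDevice(szDrive, szName, _countof(szName)))
            {
                const UINT uNameLen = static_cast<UINT>(_tcslen(szName));
                if (uNameLen < MAX_PATH)
                {
                    // A prefix match alone is wrong: "\Device\HarddiskVolume1" is
                    // also a prefix of "\Device\HarddiskVolume10\...", so the
                    // character right after the device name must be the separator.
                    bFound = _tcsnicmp(lpszDosPath, szName, uNameLen) == 0
                          && lpszDosPath[uNameLen] == TEXT('\\');
                    if (bFound)
                    {
                        // Drive letter + remainder of the path. Built as a
                        // std::string instead of the old TCHAR[MAX_PATH] +
                        // _stprintf, which overflowed for paths past MAX_PATH
                        // (GetExeFullName hands us up to 2048 characters).
                        strResult = szDrive;
                        strResult += lpszDosPath + uNameLen;
                    }
                }
            }
            // Skip to the character after this entry's terminating NUL.
            while (*p++);
        } while (!bFound && *p); // an empty entry marks the end of the list
        return strResult;
    }

    // Convenience entry point: dump the process list to stdout.
    void mainaaa()
    {
        GetProcessList();
    }

    // Walk a Toolhelp snapshot and print, per process: name, image path, PID,
    // thread count, parent PID, base priority and priority class.
    // Returns FALSE when the snapshot cannot be created or yields no entry.
    BOOL GetProcessList()
    {
        HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnap == INVALID_HANDLE_VALUE)
        {
            return FALSE;
        }

        PROCESSENTRY32 pe32;
        pe32.dwSize = sizeof(PROCESSENTRY32); // Process32First fails without it
        if (!Process32First(hProcessSnap, &pe32))
        {
            CloseHandle(hProcessSnap);
            return FALSE;
        }

        do
        {
            printf("\n=====================================================");
            printf("\nPROCESS NAME: %5s", pe32.szExeFile);
            printf("\n-----------------------------------------------------");

            DWORD dwPriorityClass = 0;
            // PROCESS_QUERY_INFORMATION covers GetPriorityClass and
            // GetProcessImageFileName. PROCESS_ALL_ACCESS granted far more than
            // is used and is refused for more processes, so fewer rows had a path.
            // (PROCESS_QUERY_LIMITED_INFORMATION would open even more on Vista+,
            // but is not defined for older _WIN32_WINNT targets.)
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe32.th32ProcessID);
            if (hProcess == NULL)
            {
                printf("erro");
            }
            else
            {
                dwPriorityClass = GetPriorityClass(hProcess);
                if (!dwPriorityClass)
                    printf("erro");

                const std::string exename = GetExeFullName(hProcess);
                printf("\n path = %s", exename.c_str());

                CloseHandle(hProcess);
            }

            // DWORD is unsigned long on Windows: %lu, not %d.
            printf("\n process ID = %lu", pe32.th32ProcessID);
            printf("\n thread count = %lu", pe32.cntThreads);
            printf("\n parent process ID = %lu", pe32.th32ParentProcessID);
            printf("\n Priority Base = %ld", pe32.pcPriClassBase);
            if (dwPriorityClass)
                printf("\n Priority Class = %lu", dwPriorityClass);
        } while (Process32Next(hProcessSnap, &pe32));

        CloseHandle(hProcessSnap);
        return TRUE;
    }

public:
    // Demo: print every process, then suspend and immediately resume `pid`.
    // `pid` defaults to the value the original hard-coded.
    static void test1(DWORD pid = 4008)
    {
        win_proc_public proc;
        proc.mainaaa();
        test2(pid);
    }

    // Suspend and immediately resume process `pid` through the ntdll exports
    // NtSuspendProcess / NtResumeProcess (method 2 in the header).
    // Method 1 (DbgUiConnectToDbg_ntdll / DbgUiDebugActiveProcess_ntdll /
    // DbgUiStopDebugging_ntdll) is not used: per the original author, if this
    // program stops while attached that way, the held process is force-exited.
    static void test2(DWORD pid)
    {
        // PROCESS_SUSPEND_RESUME is the only right the two calls need.
        HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, pid);
        if (hProcess == NULL) return;

        // Resolves the NtSuspendProcess_p / NtResumeProcess_p pointers; the
        // *_ntdll wrappers must not be called before this.
        LoadNtDllFun();
        NtSuspendProcess_ntdll(hProcess); // suspend
        NtResumeProcess_ntdll(hProcess);  // resume

        CloseHandle(hProcess); // was leaked before
    }
};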
--------------------------------------------------
.cpp
#include 'win_proc_public.h'
// The class has no data members, so there is nothing to set up.
win_proc_public::win_proc_public()
{
}
// Nothing owned, nothing to release.
win_proc_public::~win_proc_public()
{
}
//--------------------------------------------------
// Entry points resolved at runtime by LoadNtDllFun(). As namespace-scope
// objects they are zero-initialised, i.e. NULL until that call succeeds.
// Defined in this .cpp (not the header) because a header definition produced
// duplicate-definition errors.
// Method 1: debugger-style attach.
long (__stdcall *DbgUiConnectToDbg_p)();
long (__stdcall *DbgUiDebugActiveProcess_p)(HANDLE ProcessHandle); // suspend
long (__stdcall *DbgUiStopDebugging_p)(HANDLE ProcessHandle);      // resume
// Method 2: NtSuspendProcess / NtResumeProcess.
// (The original comments on these two were swapped.)
DWORD (WINAPI *NtResumeProcess_p)(HANDLE hProcess);  // resume
DWORD (WINAPI *NtSuspendProcess_p)(HANDLE hProcess); // suspend
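// Resolve the ntdll entry points behind the *_ntdll wrappers. Call once before
// using any of them. On failure the pointers are left NULL; every wrapper is
// expected to check for that rather than call through a NULL pointer.
void LoadNtDllFun()
{
    // ntdll.dll is already loaded in this process, so look it up instead of
    // LoadLibrary, which added a module reference that was never released
    // (the commented-out CloseHandle was the wrong API for that anyway).
    HMODULE dllhandle = GetModuleHandle(TEXT("ntdll.dll"));
    if (dllhandle == NULL)
    {
        return;
    }

    DbgUiConnectToDbg_p = reinterpret_cast<long (__stdcall *)()>(
        GetProcAddress(dllhandle, "DbgUiConnectToDbg"));
    DbgUiDebugActiveProcess_p = reinterpret_cast<long (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "DbgUiDebugActiveProcess"));
    DbgUiStopDebugging_p = reinterpret_cast<long (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "DbgUiStopDebugging"));

    // NtSuspendProcess / NtResumeProcess are undocumented exports; a NULL
    // result here is a possibility callers must tolerate.
    NtResumeProcess_p = reinterpret_cast<DWORD (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "NtResumeProcess"));
    NtSuspendProcess_p = reinterpret_cast<DWORD (__stdcall *)(HANDLE)>(
        GetProcAddress(dllhandle, "NtSuspendProcess"));
}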
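// Wrapper around the DbgUiConnectToDbg pointer set by LoadNtDllFun().
// Returns -1 instead of calling through a NULL pointer when the entry point
// was not resolved (LoadNtDllFun not called, or the export missing).
long DbgUiConnectToDbg_ntdll()
{
    if (DbgUiConnectToDbg_p == NULL)
    {
        return -1;
    }
    return DbgUiConnectToDbg_p();
}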
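// Suspend ProcessHandle by attaching to it debugger-style (method 1).
// Returns -1 instead of calling through a NULL pointer when LoadNtDllFun()
// has not resolved DbgUiDebugActiveProcess.
long DbgUiDebugActiveProcess_ntdll(HANDLE ProcessHandle)
{
    if (DbgUiDebugActiveProcess_p == NULL)
    {
        return -1;
    }
    return DbgUiDebugActiveProcess_p(ProcessHandle);
}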
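// Resume ProcessHandle by detaching from it (method 1 counterpart of
// DbgUiDebugActiveProcess_ntdll). Returns -1 instead of calling through a
// NULL pointer when LoadNtDllFun() has not resolved DbgUiStopDebugging.
long DbgUiStopDebugging_ntdll(HANDLE ProcessHandle)
{
    if (DbgUiStopDebugging_p == NULL)
    {
        return -1;
    }
    return DbgUiStopDebugging_p(ProcessHandle);
}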
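// Resume hProcess (method 2). The original comment said "suspend"; it is the
// resume side. hProcess needs PROCESS_SUSPEND_RESUME.
// Returns (DWORD)-1 instead of calling through a NULL pointer when
// LoadNtDllFun() has not resolved NtResumeProcess.
DWORD NtResumeProcess_ntdll(HANDLE hProcess)
{
    if (NtResumeProcess_p == NULL)
    {
        return static_cast<DWORD>(-1);
    }
    return NtResumeProcess_p(hProcess);
}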
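// Suspend hProcess (method 2). The original comment said "resume"; it is the
// suspend side. hProcess needs PROCESS_SUSPEND_RESUME.
// Returns (DWORD)-1 instead of calling through a NULL pointer when
// LoadNtDllFun() has not resolved NtSuspendProcess.
DWORD NtSuspendProcess_ntdll(HANDLE hProcess)
{
    if (NtSuspendProcess_p == NULL)
    {
        return static_cast<DWORD>(-1);
    }
    return NtSuspendProcess_p(hProcess);
}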
//--------------------------------------------------