logo
搜索
我的图书馆

发文章

发文工具

其他工具

留言交流
搜索
分享

使用NtSuspendProcess 来暂停程序运行|游戏驱动与保护

 quasiceo 2014-01-02


  1. *++
  2. Module Name:
  3. NtSuspendProcess.cpp
  4. Abstract:
  5. This utility [Suspend|Resume] processes.
  6. Author:
  7. Michael Wookey 6-Jun-2003 ([email]ntutils@wookey.org[/email])
  8. Notes:
  9. NtSuspendProcess.exe [Suspend|Resume] pid
  10. Compiler:
  11. VC7
  12. Build:
  13. cl NtSuspendProcess.cpp
  14. // Add Unicode Suppert, [2/23/2010 dnybz([email]cnfreebsd@163.com[/email])]
  15. --*/
  16. #define STRICT
  17. #define WIN32_LEAN_AND_MEAN
  18. #include <windows.h>
  19. #include <stdlib.h>
  20. #include <stdio.h>
  21. #include <tchar.h>
  22. //
  23. // The native functions exported from ntdll.
  24. //
  25. typedef LONG ( NTAPI *_NtSuspendProcess )( IN HANDLE ProcessHandle );
  26. typedef LONG ( NTAPI *_NtResumeProcess )( IN HANDLE ProcessHandle );
  27. bool EnableDebugPrivilege()  
  28. {  
  29. HANDLE hToken;  
  30. LUID sedebugnameValue;  
  31. TOKEN_PRIVILEGES tkp;  
  32. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
  33. {  
  34.    return   FALSE;  
  35. }  
  36. if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
  37. {  
  38.    CloseHandle(hToken);  
  39.    return false;  
  40. }  
  41. tkp.PrivilegeCount = 1;  
  42. tkp.Privileges[0].Luid = sedebugnameValue;  
  43. tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  
  44. if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
  45. {  
  46.    CloseHandle(hToken);  
  47.    return false;  
  48. }  
  49. return true;  
  50. }
  51. int _tmain( int argc, _TCHAR* argv[] )
  52. {
  53. HANDLE ProcessHandle = 0;
  54. _NtSuspendProcess NtSuspendProcess = 0;
  55. _NtResumeProcess NtResumeProcess = 0;
  56. //
  57. // Make sure we have enough arguments.
  58. //
  59. if( 3 > argc )
  60. {
  61.    printf( "usage [Suspend|Resume] pid\n" );
  62.    return 0;
  63. }
  64. //
  65. // Obtain our function imports.
  66. //
  67. NtSuspendProcess = (_NtSuspendProcess)
  68.    GetProcAddress( GetModuleHandle( _T("ntdll") ), "NtSuspendProcess" );
  69. NtResumeProcess = (_NtResumeProcess)
  70.    GetProcAddress( GetModuleHandle( _T("ntdll") ), "NtResumeProcess" );
  71. //
  72. // Attempt to open the target process.
  73. //
  74. EnableDebugPrivilege();
  75. ProcessHandle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, _tstoi( argv[2] ));
  76. //
  77. // Suspend or Resume the process. Note that these alter the process'
  78. // suspend count, so freezing the process twice will require thawing
  79. // the process twice to restore.
  80. //
  81. if( ! ProcessHandle )
  82. {
  83.    printf( "Unable to open process id %d\n", _tstoi( argv[2] ));
  84. }
  85. else
  86. {
  87.    if( ! lstrcmpi( argv[1], _T("Suspend") ))
  88.    {
  89.     if( NtSuspendProcess )
  90.     {
  91.      NtSuspendProcess( ProcessHandle );
  92.     }
  93.    }
  94.    else if( ! lstrcmpi( argv[1], _T("Resume") ))
  95.    {
  96.     if( NtResumeProcess )
  97.     {
  98.      NtResumeProcess( ProcessHandle );
  99.     }
  100.    }
  101.    else
  102.    {
  103.     printf( "usage [Suspend|Resume] pid\n" );
  104.    }
  105. }
  106. //
  107. // Close our process handle.
  108. //
  109. if( ProcessHandle )
  110. {
  111.    CloseHandle( ProcessHandle );
  112. }
  113. return 0;
  114. }
  115. /* EOF */


    本站是提供个人知识管理的网络存储空间,所有内容均由用户发布,不代表本站观点。请注意甄别内容中的联系方式、诱导购买等信息,谨防诈骗。如发现有害或侵权内容,请点击一键举报。
    转藏 分享 献花(0

    来自: quasiceo > 《待分类1》

    举报/认领

    0条评论

    发表

    请遵守用户 评论公约

    类似文章 更多