The Kandie Man

Process Suspend/Process Resume UDF

39 posts in this topic

#1 ·  Posted (edited)

Well, I was looking on the internet for ways to suspend processes and spent a great deal of time trying to find API commands to do this. I found many thread suspend functions and other things, but not really any process suspend functions. I finally found a process suspend NTAPI function, NtSuspendProcess(). To my great distaste I could find absolutely nothing documenting the NTAPI functions, nothing at all. Hours of Googling and I finally found a page that has the NTAPI functions listed. No thanks to Microsoft. :S You would think they would document functions that they took the time to write so that people could actually use them.

To save others time, here is a page with the NTAPI functions listed:

http://www.metasploit.com/users/opcode/syscalls.html

Here is a UDF to call the system API to suspend or resume a process. No more 104 KB Sysinternals PsSuspend.exe.

Func _ProcessSuspend($process)
    ; $process may be a process name or a PID; ProcessExists returns the PID or 0
    Local $processid = ProcessExists($process)
    If Not $processid Then
        SetError(2) ; process not found or not running
        Return 0
    EndIf
    ; 0x1F0FFF = PROCESS_ALL_ACCESS; the handle comes back in element 0 of the result array
    Local $ai_Handle = DllCall("kernel32.dll", 'ptr', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $processid)
    If @error Or Not $ai_Handle[0] Then
        SetError(1) ; DllCall failed or OpenProcess returned NULL (e.g. access denied)
        Return 0
    EndIf
    ; NtSuspendProcess returns an NTSTATUS; 0 means success
    Local $i_success = DllCall("ntdll.dll", "int", "NtSuspendProcess", "ptr", $ai_Handle[0])
    Local $iErr = @error
    ; Close the handle itself ($ai_Handle[0]), not the DllCall result array
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0])
    If $iErr Or $i_success[0] <> 0 Then
        SetError(1)
        Return 0
    EndIf
    Return 1
EndFunc

Func _ProcessResume($process)
    ; $process may be a process name or a PID; ProcessExists returns the PID or 0
    Local $processid = ProcessExists($process)
    If Not $processid Then
        SetError(2) ; process not found or not running
        Return 0
    EndIf
    ; 0x1F0FFF = PROCESS_ALL_ACCESS; the handle comes back in element 0 of the result array
    Local $ai_Handle = DllCall("kernel32.dll", 'ptr', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $processid)
    If @error Or Not $ai_Handle[0] Then
        SetError(1) ; DllCall failed or OpenProcess returned NULL (e.g. access denied)
        Return 0
    EndIf
    ; NtResumeProcess returns an NTSTATUS; 0 means success
    Local $i_success = DllCall("ntdll.dll", "int", "NtResumeProcess", "ptr", $ai_Handle[0])
    Local $iErr = @error
    ; Close the handle itself ($ai_Handle[0]), not the DllCall result array
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0])
    If $iErr Or $i_success[0] <> 0 Then
        SetError(1)
        Return 0
    EndIf
    Return 1
EndFunc

@The Development Team

I think it would be a good idea to add these to the process.au3 include file.

You can call the function with the process name or the PID:

_ProcessSuspend("notepad.exe")

or

_ProcessSuspend(467)

The returns are as follows:

0 = Failure

1 = Success

@error = 1 means that it failed because something errored when calling the DLL

@error = 2 means that it failed because the process was not found or is not running

Sorry I didn't do a standard UDF write-up; I didn't have time. If the development team is interested in adding this function, I will happily write the standard UDF documentation for it.

Important: This function will only run on Windows XP, Windows 2003 and Windows Vista.

Edited by The Kandie Man
3 people like this

"So man has sown the wind and reaped the world. Perhaps in the next few hours there will no remembrance of the past and no hope for the future that might have been." & _"All the works of man will be consumed in the great fire after which he was created." & _"And if there is a future for man, insensitive as he is, proud and defiant in his pursuit of power, let him resolve to live it lovingly, for he knows well how to do so." & _"Then he may say once more, 'Truly the light is sweet, and what a pleasant thing it is for the eyes to see the sun.'" - The Day the Earth Caught Fire


Looks like a great find!... I will certainly try it!


Just rated it at 5 stars, love it!


#5 ·  Posted (edited)

Thanks guys, I am glad you like it. It took me forever to find the function, and once I found it I had to find documentation on it. The last thing I wanted was for someone else to suffer the same painful process to get this to work. I really appreciate you rating it.

I think it would be good to add this to the AutoIt Process.au3 include file. It is a bit lacking right now imo, and I think this is just the thing to help spruce it up.

P.S.

I just wanted to add one more thing. The function above will only run on Windows XP and up. This includes Windows XP, Windows 2003 and Windows Vista.

Edited by The Kandie Man



Nice work TKM, I'm sure I'll find use for it :)


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


Very interesting process-controlling code.

Note that you may want to close the handle returned by the OpenProcess call (the handle is element 0 of the DllCall result array):

DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0])

I would also recommend changing the Return 2 to SetError(1) for easy usage.

:)


Nice function, Kandie Man! Works perfectly.


My Programs: AInstall - Create a standalone installer for your program; Unit Converter - Converts Length, Area, Volume, Weight, Temperature and Pressure to different units; Binary Clock - Hours, minutes and seconds have 10 columns each to display time; AutoIt Editor - Code Editor with Syntax Highlighting; Laserix Editor & Player - Create, Edit and Play Laserix Levels; Lyric Syncer - Create and use Synchronised Lyrics; Connect 4 - 2 Player Connect 4 Game (Local or Online!, Formatted Chat!!); MD5, SHA-1, SHA-256, Tiger and Whirlpool Hash Finder - Dictionary and Brute Force Find; Cool Text Client - Create Rendered Image.
My UDFs: GUI Enhance - Enhance your GUIs visually; IDEA File Encryption - Encrypt and decrypt files easily!; File Rename - Rename files easily; RC4 Text Encryption - Encrypt text using the RC4 Algorithm; Prime Number - Check if a number is prime; String Remove - remove lots of strings at once; Progress Bar - made easy; Sound UDF - Play, Pause, Resume, Seek and Stop.


Very nice, I had no idea something like this was possible :)


Don't take my pic too serious... You Looked, but you did not see!


Suspend Windows Media Player :) It keeps repeating a small portion of the current song.




#11 ·  Posted (edited)

Suspend Windows Media Player :) It keeps repeating a small portion of the current song.

lol, works on mine too!

Edit: obviously these should be included.

Edited by marfdaman



Very interesting process-controlling code.

Note that you may want to close the handle returned by the OpenProcess call (the handle is element 0 of the DllCall result array):

DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0])

I would also recommend changing the Return 2 to SetError(1) for easy usage.

:)

Thanks Mhz. I made the adjustment that you suggested and added the close handle into it. I completely forgot to close the handle :S

Thanks guys for your support. I am glad I could contribute something to this community. I would really like to see something like this added to the process.au3. I think it would be a great addition.




Sorry for my English.

It would be great if you made a function that can check the "suspend status"...

If I suspend a process twice, then I must resume it twice...


Both functions in one.

Func _ProcessNT($iPID, $iSuspend = True)
    ; Accept a process name or a PID
    If IsString($iPID) Then $iPID = ProcessExists($iPID)
    If Not $iPID Then Return SetError(2, 0, 0)
    ; 0x1F0FFF = PROCESS_ALL_ACCESS; the handle is element 0 of the result array
    Local $ai_Handle = DllCall("kernel32.dll", 'ptr', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $iPID)
    If @error Or Not $ai_Handle[0] Then Return SetError(1, 0, 0)
    Local $sFunc = "NtResumeProcess"
    If $iSuspend Then $sFunc = "NtSuspendProcess"
    ; Both functions return an NTSTATUS; 0 means success
    Local $i_success = DllCall("ntdll.dll", "int", $sFunc, "ptr", $ai_Handle[0])
    Local $iErr = @error
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0])
    If $iErr Or $i_success[0] <> 0 Then Return SetError(1, 0, 0)
    Return 1
EndFunc

Thanks TKC.




#16 ·  Posted (edited)

SmOke_N, your example works great; however, I do have one question: why does the function not work on all processes, such as winlogon.exe?

EDIT: Not sure whether I should post this here; if not, could someone please redirect me?

Edited by oliver369


#17 ·  Posted

SmOke_N, your example works great; however, I do have one question: why does the function not work on all processes, such as winlogon.exe?

EDIT: Not sure whether I should post this here; if not, could someone please redirect me?

Why would it work on it? Why would you want it to work on it?



#18 ·  Posted (edited)

Well, the answer is pretty straightforward: for removing certain viruses (especially the Vundo type) there is a nice removal process here: http://vil.nai.com/vil/Content/v_127690.htm

However the procedure involves using Process Explorer or one of the other tools written by Sysinternals (now owned by Microsoft for those who don't know). I did try asking permission for including one of the tools in my program which ended in this answer:

Thank you for your email. We don't allow any redistribution of any of our tools.

:(

I know I'm always the one that is a pain in the ass. :)

Edited by oliver369


#19 ·  Posted (edited)

Well, the answer is pretty straightforward: for removing certain viruses (especially the Vundo type) there is a nice removal process here: http://vil.nai.com/vil/Content/v_127690.htm

However the procedure involves using Process Explorer or one of the other tools written by Sysinternals (now owned by Microsoft for those who don't know). I did try asking permission for including one of the tools in my program which ended in this answer:

Thank you for your email. We don't allow any redistribution of any of our tools.

:(

I know I'm always the one that is a pain in the ass. :)

To make a long story short, I can't imagine your process having the rights to suspend a lower-level service such as the one you're asking about with the UDF shown above.

Edited by SmOke_N

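Added example (editor's code, not from any post in this thread) that follows up on two points raised above: the request for a suspend-count helper (a process suspended twice must be resumed twice, because each NtSuspendProcess call raises the suspend count of every thread in the process) and the question of why winlogon.exe cannot be opened. It calls the same NtSuspendProcess/NtResumeProcess functions as the UDF, but asks OpenProcess for only PROCESS_SUSPEND_RESUME (0x0800) instead of PROCESS_ALL_ACCESS, returns the Win32 error when OpenProcess fails so that an access-denied result is visible to the caller, and keeps a per-PID depth table so that _NtResumeFully() undoes exactly the suspends this script issued. The function names, the depth table and its @error codes are this example's own; it assumes a current AutoIt 3.3 release.

```autoit
; Added example, not code from this thread: the same NtSuspendProcess/NtResumeProcess
; calls, opened with the minimum access right and with the suspend depth tracked per PID.
; Assumes AutoIt 3.3 or later (three-argument SetError, "dword" DllCall type).

; Win32 access right that is sufficient for NtSuspendProcess/NtResumeProcess
Global Const $PROCESS_SUSPEND_RESUME = 0x0800

; Suspend-depth table (this script's own bookkeeping): [0][0] = row count,
; each row is [PID, depth]. Suspends done by other programs are not visible here.
Global $g_aSuspendDepth[1][2] = [[0, 0]]

; Core call shared by suspend and resume. Returns the PID on success, 0 on failure.
; @error: 1 = DllCall failed, 2 = process not running,
;         3 = OpenProcess failed (@extended = Win32 error, 5 = ERROR_ACCESS_DENIED),
;         4 = the Nt* call returned a failure NTSTATUS (@extended = that status)
Func __NtProcessCall($vProcess, $sFunc)
    Local $iPID = ProcessExists($vProcess)
    If Not $iPID Then Return SetError(2, 0, 0)
    ; Request only PROCESS_SUSPEND_RESUME instead of PROCESS_ALL_ACCESS (0x1F0FFF)
    Local $aHandle = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PROCESS_SUSPEND_RESUME, "int", False, "dword", $iPID)
    If @error Then Return SetError(1, 0, 0)
    If Not $aHandle[0] Then
        Local $aLastErr = DllCall("kernel32.dll", "dword", "GetLastError")
        If @error Then Return SetError(3, 0, 0)
        Return SetError(3, $aLastErr[0], 0)
    EndIf
    ; Both Nt* functions return an NTSTATUS; 0 (STATUS_SUCCESS) means it worked
    Local $aStatus = DllCall("ntdll.dll", "int", $sFunc, "ptr", $aHandle[0])
    Local $iErr = @error
    DllCall("kernel32.dll", "int", "CloseHandle", "ptr", $aHandle[0]) ; always release the handle
    If $iErr Then Return SetError(1, 0, 0)
    If $aStatus[0] <> 0 Then Return SetError(4, $aStatus[0], 0)
    Return $iPID
EndFunc

; Row index of a PID in the depth table, or 0 if it has no row
Func __DepthRow($iPID)
    For $i = 1 To $g_aSuspendDepth[0][0]
        If $g_aSuspendDepth[$i][0] = $iPID Then Return $i
    Next
    Return 0
EndFunc

; Suspend once and record it. Returns 1 on success, 0 on failure (see @error above).
Func _NtSuspend($vProcess)
    Local $iPID = __NtProcessCall($vProcess, "NtSuspendProcess")
    If @error Then Return SetError(@error, @extended, 0)
    Local $iRow = __DepthRow($iPID)
    If Not $iRow Then
        Local $iRows = $g_aSuspendDepth[0][0] + 1
        ReDim $g_aSuspendDepth[$iRows + 1][2] ; ReDim keeps the existing rows
        $g_aSuspendDepth[0][0] = $iRows
        $g_aSuspendDepth[$iRows][0] = $iPID
        $g_aSuspendDepth[$iRows][1] = 0
        $iRow = $iRows
    EndIf
    $g_aSuspendDepth[$iRow][1] += 1
    Return 1
EndFunc

; Resume once and record it. Returns 1 on success, 0 on failure.
Func _NtResume($vProcess)
    Local $iPID = __NtProcessCall($vProcess, "NtResumeProcess")
    If @error Then Return SetError(@error, @extended, 0)
    Local $iRow = __DepthRow($iPID)
    If $iRow And $g_aSuspendDepth[$iRow][1] > 0 Then $g_aSuspendDepth[$iRow][1] -= 1
    Return 1
EndFunc

; How many suspends this script still has outstanding for a process (0 if none)
Func _NtSuspendDepth($vProcess)
    Local $iRow = __DepthRow(ProcessExists($vProcess))
    If Not $iRow Then Return 0
    Return $g_aSuspendDepth[$iRow][1]
EndFunc

; Resume as many times as this script suspended, so the process actually runs again
Func _NtResumeFully($vProcess)
    While _NtSuspendDepth($vProcess) > 0
        If Not _NtResume($vProcess) Then Return SetError(@error, @extended, 0)
    WEnd
    Return 1
EndFunc

; Demo on a process this script starts itself (constructed example; no extra rights needed)
Local $iDemoPID = Run("notepad.exe")
Sleep(500)
_NtSuspend($iDemoPID)
_NtSuspend($iDemoPID)
ConsoleWrite("outstanding suspends: " & _NtSuspendDepth($iDemoPID) & @CRLF)
If Not _NtResumeFully($iDemoPID) Then ConsoleWrite("resume failed, @error=" & @error & " @extended=" & @extended & @CRLF)
ConsoleWrite("outstanding suspends: " & _NtSuspendDepth($iDemoPID) & @CRLF)
ProcessClose($iDemoPID)
```

The depth table only sees suspends made through these functions; a process suspended by another tool still has to be resumed by that tool before it runs again. Asking for PROCESS_SUSPEND_RESUME rather than PROCESS_ALL_ACCESS does not change which processes a non-privileged caller can open (a SYSTEM-owned process such as winlogon.exe still returns ERROR_ACCESS_DENIED), but it is the least privilege the operation needs, and the @extended value makes the reason for a failed OpenProcess visible instead of silently reporting success as the original IsArray() check did.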


#20 ·  Posted (edited)

Thanks for the answer, I guess it's back to the drawing board for me... I think I will have to get someone to develop a command line tool for me.

EDIT: Found a way to do so: use Nopey to launch the compiled script as SYSTEM (nopey.exe child -d winlogon script.exe); then you are able to pause processes such as winlogon.exe.

Edited by oliver369
