useful Process Functions


Wanted to post this under "Example Scripts" forum but I did not have the permission.

2 days ago I needed to create something like pskill to kill a process and all its child processes. I searched through the forums hoping someone had already done this but only found left-for-dead threads on the subject. So I took a stab at it and this is what I came up with.

Killing Process

; usage: _ProcessKillTree("cmd.exe")
Func _ProcessKillTree($ProcessTreeKill)
    Local $PID, $oWmiService, $ChildProc, $Child

    If ProcessExists($ProcessTreeKill) Then
        $PID = ProcessExists($ProcessTreeKill)

        $oWmiService = ObjGet("winmgmts:\\.\root\CIMV2")
        If Not IsObj($oWmiService) Then Return SetError(1, 0, 0)
        ; WQL query requesting every process whose parent is the process we are trying to kill
        $ChildProc = $oWmiService.ExecQuery("SELECT ProcessID FROM Win32_Process WHERE ParentProcessId='" & $PID & "'")

        ; Suspending the parent first in case it tries to recreate its child processes
        _SuspendExe($PID)
        If IsObj($ChildProc) Then
            For $Child In $ChildProc
                ; closing each child; recursing so that grandchildren are closed as well
                _ProcessKillTree($Child.ProcessID)
            Next
        EndIf
        ProcessClose($PID)
    EndIf
EndFunc

Here's the code for the _SuspendExe function used in _ProcessKillTree.

Func _SuspendExe($PID)
    Local $THREAD_SUSPEND_RESUME = 0x0002
    Local $oWmiService, $ThreadHandle, $TID, $hThread, $ret

    $oWmiService = ObjGet("winmgmts:\\.\root\CIMV2")
    If Not IsObj($oWmiService) Then Return SetError(1, 0, 0)
    ; In Win32_Thread, ProcessHandle is the owning process ID and Handle is the thread ID (both strings)
    $ThreadHandle = $oWmiService.ExecQuery("SELECT Handle FROM Win32_Thread WHERE ProcessHandle='" & $PID & "'")
    If IsObj($ThreadHandle) Then
        For $TID In $ThreadHandle
            ; Opening the thread with only the access right we need
            $hThread = DllCall('kernel32.dll', 'handle', 'OpenThread', 'dword', $THREAD_SUSPEND_RESUME, 'bool', 0, 'dword', Number($TID.Handle))
            If @error Or $hThread[0] = 0 Then ContinueLoop
            ; SuspendThread returns the previous suspend count (or -1 on failure)
            $ret = DllCall('kernel32.dll', 'dword', 'SuspendThread', 'handle', $hThread[0])
            ; Close the handle so we don't leak one per thread
            DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $hThread[0])
        Next
    EndIf
EndFunc

Here's how to resume a thread

Func _ResumeExe($PID)
    Local $THREAD_SUSPEND_RESUME = 0x0002
    Local $oWmiService, $ThreadHandle, $TID, $hThread, $ret

    $oWmiService = ObjGet("winmgmts:\\.\root\CIMV2")
    If Not IsObj($oWmiService) Then Return SetError(1, 0, 0)
    $ThreadHandle = $oWmiService.ExecQuery("SELECT Handle FROM Win32_Thread WHERE ProcessHandle='" & $PID & "'")
    If IsObj($ThreadHandle) Then
        For $TID In $ThreadHandle
            $hThread = DllCall('kernel32.dll', 'handle', 'OpenThread', 'dword', $THREAD_SUSPEND_RESUME, 'bool', 0, 'dword', Number($TID.Handle))
            If @error Or $hThread[0] = 0 Then ContinueLoop
            ; ResumeThread only decrements the suspend count, so call it once per earlier _SuspendExe call
            $ret = DllCall('kernel32.dll', 'dword', 'ResumeThread', 'handle', $hThread[0])
            DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $hThread[0])
        Next
    EndIf
EndFunc

I've tested on XP SP2 only, so I am not sure if it will work with any other flavor of Micro$oft.

Thanks for reading and I hope someone has a use for it.

Any positive suggestions would be appreciated.

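As an added example (my code, not the original poster's), here is a read-only walk of a process tree built on the same Win32_Process / ParentProcessId query that _ProcessKillTree uses. It goes a step beyond the post in two ways: it recurses through grandchildren, and it guards against stale ParentProcessId values, since Windows reuses PIDs and never rewrites a process's parent field after the parent dies. The helper names (_ProcessDescendants, _WalkChildren, _ProcessCreation) are my own, and the demo assumes the local CIMV2 namespace is reachable and that ping.exe is on the PATH, which holds on a stock Windows install.

```autoit
#include <Array.au3>

; Added example: list every descendant of a process before deciding what to do with it.
; Returns a 1-D array of PIDs in depth-first order; $aResult[0] holds the count, the
; usual AutoIt array convention. Sets @error if WMI is unavailable.
Func _ProcessDescendants($iPID)
    Local $aResult[1] = [0]
    Local $oWmi = ObjGet("winmgmts:\\.\root\CIMV2")
    If Not IsObj($oWmi) Then Return SetError(1, 0, $aResult)
    _WalkChildren($oWmi, $iPID, _ProcessCreation($oWmi, $iPID), $aResult)
    Return $aResult
EndFunc

; CreationDate of one process as a CIM datetime string (e.g. 20240101120000.000000+000),
; or "" if the process no longer exists.
Func _ProcessCreation(ByRef $oWmi, $iPID)
    Local $oProcs = $oWmi.ExecQuery("SELECT CreationDate FROM Win32_Process WHERE ProcessId=" & $iPID)
    If Not IsObj($oProcs) Then Return ""
    For $oProc In $oProcs
        Return String($oProc.CreationDate)
    Next
    Return ""
EndFunc

; Recursive step: append the children of $iParent, then each child's own descendants.
Func _WalkChildren(ByRef $oWmi, $iParent, $sParentCreated, ByRef $aOut)
    Local $oChildren = $oWmi.ExecQuery("SELECT ProcessId, CreationDate FROM Win32_Process WHERE ParentProcessId=" & $iParent)
    If Not IsObj($oChildren) Then Return
    Local $sCreated
    For $oChild In $oChildren
        $sCreated = String($oChild.CreationDate)
        ; A "child" created before its parent is a stale record left by PID reuse (the real
        ; parent is long gone): skip it. CIM datetimes from one machine share a UTC offset,
        ; so a plain string compare orders them correctly.
        If $sParentCreated <> "" And StringCompare($sCreated, $sParentCreated) < 0 Then ContinueLoop
        _ArrayAdd($aOut, $oChild.ProcessId)
        $aOut[0] += 1
        _WalkChildren($oWmi, $oChild.ProcessId, $sCreated, $aOut)
    Next
EndFunc

; Demo: spawn a harmless two-level tree (cmd.exe -> ping.exe), list it, then tidy it up.
Local $iCmd = Run(@ComSpec & " /c ping -n 10 127.0.0.1 > nul", "", @SW_HIDE)
Sleep(500) ; give cmd.exe a moment to start its child
Local $aTree = _ProcessDescendants($iCmd)
ConsoleWrite("PID " & $iCmd & " has " & $aTree[0] & " descendant(s)" & @CRLF)
For $i = 1 To $aTree[0]
    ConsoleWrite("  " & $aTree[$i] & @CRLF)
Next
; Walking the depth-first list backwards closes every process before its parent,
; so nothing is left orphaned.
For $i = $aTree[0] To 1 Step -1
    ProcessClose($aTree[$i])
Next
ProcessClose($iCmd)
```

Because the walk only reads WMI, it is safe to run against anything, for example to check what a suspicious parent has spawned before _ProcessKillTree touches it. The creation-date guard matters in practice: without it a long-running process can appear to have "children" that merely inherited a recycled PID as their parent.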
2 years later...

This works perfectly with vista.

And it just saved me a TON of time while creating an injection into a game process (where the process must be paused for a millisecond while executing injected code).

Thank you so much.

Btw I see it was done using the COM object... but what is the COM object? >.<

Edited by mavor