A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23237  by Stylo
 Sat Jun 28, 2014 4:08 pm
Hi,
I want to suspend a process creation for a few seconds, should I use NtSuspendProcess?
Here's my code sample:
#include <ntddk.h>

// Legacy PsSetCreateProcessNotifyRoutine callback: ParentId and ProcessId are
// process IDs (not handles to open), Create is TRUE on creation, FALSE on exit.
VOID
CreateProcessCallback(
    __in HANDLE   ParentId,
    __in HANDLE   ProcessId,
    __in BOOLEAN  Create
    )
{
    UNREFERENCED_PARAMETER(ParentId);
    UNREFERENCED_PARAMETER(ProcessId);

    if (Create)
    {
        // suspend the process for 5 seconds, then create.
    }
}
If I am supposed to use NtSuspendProcess, how would I use it?
When I try to compile it, the compiler isn't familiar with this API.

Thanks

** EDIT **
Solved that.
Had to get the address of PsSuspendProcess first.. :x
 #23239  by Stylo
 Sun Jun 29, 2014 4:32 am
Vrtule wrote: What about waiting directly in the notify routine?
Thought about that. But isn't it running in a different thread than the process creation thread?
 #23243  by Vrtule
 Sun Jun 29, 2014 11:57 am
AFAIK it runs in the context of the thread that created the new process. I expect the primary thread of the new process is suspended at that time (if it already exists).

Suspending a new process for a few seconds sounds quite strange to me. When I need to do something when a new process is being created, I use PsSetCreateProcessNotifyRoutineEx and do it in the notify routine. The advantage is that if the notify routine reports a failure, the process creation fails too.

When you suspend the process, can somebody else (e.g. a user mode application) resume it by calling NtOpenProcess->NtResumeProcess?
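As an added example (my own code, not something either Stylo or Vrtule posted), here is the shape of what Vrtule describes, a PsSetCreateProcessNotifyRoutineEx callback that fails creation by setting CreationStatus, next to the MmGetSystemRoutineAddress lookup of PsSuspendProcess that Stylo mentions. The image names blocked.exe and delayme.exe, the helper names and the PsSuspendProcess prototype are assumptions for illustration; everything else is the documented WDK API. It needs the WDK to build and the driver must be linked with /INTEGRITYCHECK, otherwise the Ex registration fails with STATUS_ACCESS_DENIED.

```c
/*
 * Added example, not code from the thread. A process-creation callback
 * registered with PsSetCreateProcessNotifyRoutineEx: it denies creation of a
 * hypothetical "blocked.exe" by setting CreationStatus, and for a hypothetical
 * "delayme.exe" calls PsSuspendProcess, resolved at run time the way Stylo
 * describes. Build with the WDK; link with /INTEGRITYCHECK.
 */
#include <ntddk.h>

/* PsSuspendProcess is exported by ntoskrnl but has no WDK declaration, so it
 * is looked up by name. This prototype is an assumption, not a documented one. */
typedef NTSTATUS (NTAPI *PFN_PsSuspendProcess)(PEPROCESS Process);
static PFN_PsSuspendProcess g_PsSuspendProcess = NULL;

/* Hypothetical policy: image-path suffixes this example reacts to. */
static const UNICODE_STRING g_BlockedImage = RTL_CONSTANT_STRING(L"\\blocked.exe");
static const UNICODE_STRING g_SuspendImage = RTL_CONSTANT_STRING(L"\\delayme.exe");

/* Case-insensitive "does Str end with Suffix" on counted UNICODE_STRINGs. */
static BOOLEAN EndsWithIgnoreCase(PCUNICODE_STRING Str, PCUNICODE_STRING Suffix)
{
    UNICODE_STRING tail;

    if (Str == NULL || Str->Buffer == NULL || Str->Length < Suffix->Length)
        return FALSE;

    tail.Buffer = (PWCH)((PUCHAR)Str->Buffer + (Str->Length - Suffix->Length));
    tail.Length = tail.MaximumLength = Suffix->Length;
    return RtlEqualUnicodeString(&tail, Suffix, TRUE);
}

static VOID ProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                            PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    UNREFERENCED_PARAMETER(ProcessId);

    if (CreateInfo == NULL)          /* process exit: nothing to decide */
        return;

    /* This runs at PASSIVE_LEVEL in the creating (parent) thread. A wait here
     * (KeDelayExecutionThread) stalls the parent's CreateProcess call; it does
     * not put the child to sleep, the child is not running yet. */

    if (EndsWithIgnoreCase(CreateInfo->ImageFileName, &g_BlockedImage)) {
        /* The Ex routine's way to say no: process creation fails with this
         * status and the child never executes an instruction. */
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
        return;
    }

    if (g_PsSuspendProcess != NULL &&
        EndsWithIgnoreCase(CreateInfo->ImageFileName, &g_SuspendImage)) {
        /* Stylo's approach. Caveats: PsSuspendProcess is undocumented, the
         * documentation makes no promise about the child's initial thread at
         * this point, and anyone who can open the process with
         * PROCESS_SUSPEND_RESUME can undo it with NtResumeProcess. */
        NTSTATUS status = g_PsSuspendProcess(Process);
        if (!NT_SUCCESS(status))
            DbgPrint("PsSuspendProcess failed: 0x%08X\n", status);
    }
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    /* Remove = TRUE unregisters; never unload while still registered. */
    PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, TRUE);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"PsSuspendProcess");
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    /* Resolve the header-less export by name; NULL if this kernel lacks it. */
    g_PsSuspendProcess = (PFN_PsSuspendProcess)MmGetSystemRoutineAddress(&name);

    status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyEx, FALSE);
    if (!NT_SUCCESS(status))
        DbgPrint("PsSetCreateProcessNotifyRoutineEx failed: 0x%08X\n", status);
    return status;
}
```

The deny path is the one Vrtule is recommending: it needs no undocumented routine, the decision is enforced by the process manager itself, and there is nothing left running for a user mode caller to resume. The suspend path is kept only to show the lookup Stylo ended up doing; whether the child actually stays suspended depends on the state of its initial thread and on who else holds PROCESS_SUSPEND_RESUME access, which is exactly the question Vrtule raises above.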