• Suspending and resuming a process from Ring 3



    1. Introduction

    Sometimes, when doing adversarial work, we run into a process that keeps operating on ours. One way to stop it
    is to suspend that process, so it can no longer act on ours. There are of course many ways to do this; this is only one of them.

    Principle:
    The principle is to suspend every thread of the process. Instead of doing that thread by thread, we can call the low-level functions in NtDLL that suspend the whole process.
    NT functions:
    NtSuspendProcess and NtResumeProcess. The first suspends a process, the second resumes it.

    2. Code

    #include <Windows.h>
    #include <winternl.h>   // NTSTATUS
    #include <stdbool.h>
    #include <stdio.h>
    #include <stdlib.h>

    #ifndef NT_SUCCESS
    #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
    #endif

    // Undocumented ntdll exports. Both take a process handle opened with
    // PROCESS_SUSPEND_RESUME and return an NTSTATUS (not a DWORD).
    typedef NTSTATUS(NTAPI *pFnNtSuspendProcess)(HANDLE ProcessHandle);
    typedef NTSTATUS(NTAPI *pFnNtResumeProcess)(HANDLE ProcessHandle);
    // ntdll also exports NtTerminateProcess(HANDLE, NTSTATUS), resolved the same way.

    pFnNtSuspendProcess m_NtSuspendProcess;
    pFnNtResumeProcess  m_NtResumeProcess;

    // Enable SeDebugPrivilege in our own token so processes of other users can be opened.
    bool AdjustPrivileges() {
        HANDLE hToken = NULL;
        TOKEN_PRIVILEGES tp;
        TOKEN_PRIVILEGES oldtp;
        DWORD dwSize = sizeof(TOKEN_PRIVILEGES);
        LUID luid;

        // Only the rights needed to adjust privileges, not TOKEN_ALL_ACCESS.
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
            OutputDebugString(TEXT("提升权限失败,OpenProcessToken"));
            return false;
        }

        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
            CloseHandle(hToken);
            OutputDebugString(TEXT("提升权限失败,LookupPrivilegeValue"));
            return false;
        }
        ZeroMemory(&tp, sizeof(tp));
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        /* Adjust Token Privileges */
        // AdjustTokenPrivileges returns TRUE even when the token does not hold the
        // privilege, so ERROR_NOT_ALL_ASSIGNED must be checked as well.
        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &oldtp, &dwSize)
            || GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            CloseHandle(hToken);
            OutputDebugString(TEXT("提升权限失败 AdjustTokenPrivileges"));
            return false;
        }
        // close handles
        CloseHandle(hToken);
        return true;
    }

    int main(int argc, char *argv[])
    {
        AdjustPrivileges();

        // 1324 is the sample PID from the original post; pass the real one as argv[1].
        DWORD processID = (argc > 1) ? (DWORD)strtoul(argv[1], NULL, 10) : 1324;

        // PROCESS_SUSPEND_RESUME is all that suspend/resume needs; PROCESS_ALL_ACCESS
        // asks for far more than necessary and is more likely to be denied.
        HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processID);
        if (hProcess == NULL) {
            printf("OpenProcess(%lu) failed: %lu\n", processID, GetLastError());
            return 1;
        }

        // ntdll.dll is mapped into every process, so GetModuleHandle is sufficient
        // (the original used LoadLibrary, which is equivalent here).
        HMODULE h_module = GetModuleHandleW(L"ntdll.dll");
        m_NtSuspendProcess = (pFnNtSuspendProcess)GetProcAddress(h_module, "NtSuspendProcess");
        m_NtResumeProcess  = (pFnNtResumeProcess)GetProcAddress(h_module, "NtResumeProcess");
        if (m_NtSuspendProcess == NULL || m_NtResumeProcess == NULL) {
            printf("GetProcAddress failed: %lu\n", GetLastError());
            CloseHandle(hProcess);
            return 1;
        }

        NTSTATUS status = m_NtSuspendProcess(hProcess);
        printf("NtSuspendProcess -> 0x%08lX\n", (unsigned long)status);
        if (NT_SUCCESS(status)) {
            printf("Process suspended; press Enter to resume it.\n");
            getchar();
            status = m_NtResumeProcess(hProcess);
            printf("NtResumeProcess -> 0x%08lX\n", (unsigned long)status);
        }

        CloseHandle(hProcess);
        return NT_SUCCESS(status) ? 0 : 1;
    }
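    A check to go with the code above, added here and not part of the original post: from PowerShell, System.Diagnostics.Process exposes each thread's state, which is enough to confirm that NtSuspendProcess really suspended every thread of the target, or to notice that one of your own processes has been suspended by someone else. The function name Get-ThreadSuspendState and the -ProcessId parameter are my own; 1324 is only the sample PID from the post.

```powershell
# Added example (not from the original post): report whether the threads of a
# process are suspended, using System.Diagnostics.Process rather than Nt* calls.
# Assumes the target PID is passed in; 1324 is only the sample PID from the post.
param([int]$ProcessId = 1324)

function Get-ThreadSuspendState {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Get-Process each time: Process.Threads is a snapshot taken on creation.
    $proc    = Get-Process -Id $ProcessId -ErrorAction Stop
    $threads = @($proc.Threads)

    # A thread stopped by SuspendThread/NtSuspendProcess reports
    # ThreadState = Wait and WaitReason = Suspended. WaitReason throws when the
    # thread is not in Wait, so the -and must short-circuit on ThreadState first.
    $suspended = @($threads | Where-Object {
        $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
    })

    [pscustomobject]@{
        ProcessId        = $ProcessId
        Name             = $proc.ProcessName
        ThreadCount      = $threads.Count
        SuspendedThreads = $suspended.Count
        FullySuspended   = ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count)
    }
}

Get-ThreadSuspendState -ProcessId $ProcessId | Format-List
```

A process with FullySuspended = True is the result you expect right after NtSuspendProcess returns success; seeing it for a process you did not suspend yourself is worth investigating.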
    
    
  • Original URL: https://www.cnblogs.com/iBinary/p/10799584.html