Suspending a riot process..how?
Hi,
I'm working on a patch for a program and writing a loader for it, but I have this problem: SuspendThread won't suspend the thread. I launch the victim process using CreateProcess in suspended mode as: Code:
if( !::CreateProcess( victimFileName.c_str(), // application name: path of the victim executable
Code:
// Before patching the victim application it's better to suspend it... I don't know if all the attempts are sensible or not, but they all fail, as does the simple SuspendThread. Anyway, a simple SuspendThread has worked fine for all the loaders I wrote; this is the first time I cannot suspend the process at all. Any suggestion regarding this will be extremely welcome! 10x in advance! |
Hi Shub-Nigurrath !
You can inject a call to GetLastErrorMsg() right after the call to SuspendThread to determine the error, and post the error you got. Regards, TQN |
Hi TQN,
I forgot to post it: the error code is always this: 5, "Access denied". I'm administrator of the machine. I never supposed that suspending a thread would have required a grant. I tried to play a little with the SECURITY attributes of CreateProcess but none of them changes the final result. |
Have you tried to assign yourself Debug-Privileges or to run the Loader as "SYSTEM" User?
|
Hi,
With all the other processes/programs it works perfectly, so it's something related to this particular program indeed. Olly, btw, is able to attach to the program, so it is doing something different. I have not used the debug APIs of course, and I would avoid using them if there are other options. In case, how can I do what you suggest? |
wow, happy to reply to shub.
The pi.hThread you have is the primary thread of the process.
An idea:
1. The process (and so the primary thread) does CreateThread.
2. In the primary thread, it does ExitThread (or TerminateThread).
3. Are you sure pi.hThread still exists? To be sure: GetProcessIdOfThread(pi.hThread) or GetThreadId(pi.hThread).
Surely you did it, but have you tried Process Explorer from SysInternals to see more info on the proggy? Name of the proggy to DIY? |
Humm, good idea. Indeed the program is closing itself to reopen under another process, so my handle was useless. Now I open the process once I have the real window of the application.
Anyway, the program is "Advanced Registry Doctor Professional" 4.1 build 5563, hxyp://www.elcor.net/ard.php. It's almost finished except for some details such as these for side parts of the program. The program giving problems is RegBackup.exe, while the main program works perfectly with a loader. |
oh God,
I now have this situation: in VC++ the loader works fine, even with no breakpoints (continuous execution), but externally I have this behaviour:
- the ProcessId is correctly found using the handle of the main process window,
- then it's passed to OpenProcess, which returns NULL,
- the GetLastError message reports 0, "The operation completed successfully"...?????
This happens only when running outside VC++. Alternatively, always outside VC++, sometimes OpenProcess returns a valid handle but ZwSuspendProcess is unable to suspend it. Another question: once I have the handle coming from OpenProcess, how can I suspend the thread? Now I'm using ZwSuspendProcess(), but it seems to give some problems indeed. Any clue!?!? |
would it be possible that the main thread creates a new thread (with new thread id of course) and then terminates itself so your handle isn't valid anymore?
|
Are you playing with SDProtector?
It creates threads with the 'inherited' parameter, and SuspendProcess can't suspend them. In this case it seems you are creating a non-debugged process, ye? But in case of the DEBUG flag, you need to avoid detection via ZwQueryInform.. ** I wrote this in your thread @ Woodman, but now I will paste it here, in case. ** |
Hi,
I investigated a little: the program launches itself and then closes, passing a parameter to another program that then launches the original program again. Waiting for the program's main window, I can correctly detect the correct processID, open it and then get a valid handle, but the problem is that it still won't suspend, even if there's only one thread in the process and the processID is correct. I suspect that ZwSuspendProcess, the way I implemented it, might not be working correctly (I read it directly from ntdll). But I cannot find an API which allows me to go from hProcess to an hThread and then use SuspendThread. Any suggestion? |
Could the security descriptor of the thread created by the target
have been defined to prevent suspend/resume? If so, is it possible to change the object access rights of the spawned thread? -bg |
We can use the ToolHelp API with the CreateToolhelp32Snapshot, Thread32First, Thread32Next, OpenThread... functions to obtain the threadID and threadHandle of all threads in a process whose processID was obtained from GetWindowThreadProcessId, OpenProcess.
Some threads have a security descriptor which does not allow SuspendThread, ResumeThread. We can use the Get/SetSecurityInfo functions to see and change the security descriptor of those threads. |
Ah, TQN, this is exactly what I was looking at; I was hoping there was a simpler way to do it!
Actually, all I need is to write something in the process's address space. How does Olly attach to a process? Is there any ready-made implementation of a function such as, for example, Attach(processID)?? Just to make it simple! :-) Moreover, might ZwSuspendProcess work instead (even if it seems not to work for me)? 10x again to all of U. |
To attach to a process, Olly uses the DebugActiveProcess API.
Have you tested whether, with the same loader, you can SuspendThread in another target? Maybe the problem is in the loader and not in the target. I had this problem in my tutorial on loader debuggers: with the first loader I made with MASM, setting a hardware bpx in the target was impossible and returned ACCESS ERROR; I built the loader from the same code in RadASM, and then it was possible to put the hardware bpx in the same target. Maybe the restriction is in the build of the loader. Ricardo Narvaja |
Another idea.
Thanks MARKuS for explaining my idea better :-)
In fact, RegBackup launches the service RegManServ, which launches another instance of RegBackup in a SYSTEM context! Have you tried launching via a SYSTEM context (i.e. AT HH:MM myProg.exe)? You have RegManServ.Log which may help you... Effectively, it execs: "C:\app_test\Advanced Registry Doctor\RegBackup.exe" /INIT_DIR="c:\RegBackup\" /local_system ***** A part of the answer ***** As it executes GlobalAddAtomA("RegManServRegBackup.exe") [see HW_BP at 00411986 or BP on ntdll.ZwAddAtom], it uses DDE!... |
Hi Shub-Nigurrath !
How do you know the ZwSuspendProcess prototype? I have searched with Google, but not found the prototype of Zw/NtSuspendProcess. On SysInternals, I found that Zw/NtSuspendProcess was a new function in XP and later Windows versions. It takes one input parameter. According to your source, it takes an hProcess parameter. But can you try with the processID? Regards, |
Lots of Wine development usenet posts document them
in their quest to port Windows to Linux. For example: NTSTATUS STDCALL NtSuspendProcess( IN HANDLE Process ); This I pasted from this link. Here is a header file link that documents some APIs which aren't available in Gary Nebbett's book :) http://cvs.cosoft.org.cn/cgi-bin/viewcvs.cgi/fileshare/FreeWin/include/funcs.h?rev=HEAD |
1 Attachment(s)
2JuneMouse
2JuneMouse: yes, it's what I used, ZwSuspendProcess, which I found in the same file, as told in previous posts of this thread. 2TQN: I found the whole set of .h files in the CVS system of a project. If you point here you can get all the things you need: http://cvs.cosoft.org.cn/cgi-bin/viewcvs.cgi/fileshare/FreeWin/ (where JuneMouse also did). The internal signature (first bytes) of this API was instead taken using the symbol server patch for Olly and the downloaded symbol files coming from msdl.microsoft.com. There's no need for this last step of course (you can also use the CTRL-N function of Olly), but I did it as a second check, to be absolutely sure I was calling the right API. Anyway, if you have the complete DDK, isn't it defined there? I added the code for this part here too. 2LaDidi: the conclusion you reached is the same I have, but it's a solution for the specific problem indeed. In fact I patched the calling process and used the loader as the main backup program, so the services no longer complain about the wrong CRCs and launch the loader as the real program, allowing me to patch it normally just before executing it. This was the last point in patching this application. I am already writing a complete tut, as usual from me, for which the program will only be an example of a general technique and of the use of a general source code framework in C++ to create general loaders. I spent some time coding it to be easily usable.. stay tuned ;-) |
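The probe below is an added example written for this thread; it is not code from the original posts or from the loader Shub-Nigurrath describes. It puts TQN's per-thread route (enumerate the target's threads, OpenThread with THREAD_SUSPEND_RESUME, SuspendThread, read the thread's DACL with GetSecurityInfo) next to the whole-process route (OpenProcess with the PROCESS_SUSPEND_RESUME mask 0x0800 quoted above, then the undocumented NtSuspendProcess(HANDLE)), and reads the Win32 error immediately after each failing call, since GetLastError only reports the most recent failure on the calling thread and any intervening call can overwrite it. Assumed: PowerShell 5.1 or later on Windows, a running target selected by image name (RegBackup is only the default), the winnt.h access-mask values written inline, and the arbitrary class name Probe.Native for the P/Invoke declarations.

```powershell
# Added example, not the thread's loader code. Probes why SuspendThread and
# NtSuspendProcess fail on a target and prints the error for each attempt.
param([string]$ProcessName = 'RegBackup')   # assumption: target image name

Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetProcessIdOfThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr h);
[DllImport("advapi32.dll")]
public static extern uint GetSecurityInfo(IntPtr handle, int objectType, uint secInfo,
    out IntPtr owner, out IntPtr group, out IntPtr dacl, out IntPtr sacl, out IntPtr sd);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptor(
    IntPtr sd, uint revision, uint secInfo, out IntPtr sddl, out uint len);
[DllImport("ntdll.dll")]
public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")]
public static extern int NtResumeProcess(IntPtr hProcess);
'@

# Access masks from winnt.h; PROCESS_SUSPEND_RESUME is the 0x0800 quoted in the thread.
$PROCESS_SUSPEND_RESUME    = 0x0800
$THREAD_SUSPEND_RESUME     = 0x0002
$THREAD_QUERY_INFORMATION  = 0x0040
$READ_CONTROL              = 0x00020000   # needed to read the DACL
$SE_KERNEL_OBJECT          = 6
$DACL_SECURITY_INFORMATION = 4

function Get-LastError { [System.Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# Returns the thread's DACL as an SDDL string (GetSecurityInfo on a kernel object).
function Get-ThreadSddl([IntPtr]$h) {
    $o=[IntPtr]::Zero; $g=[IntPtr]::Zero; $d=[IntPtr]::Zero; $s=[IntPtr]::Zero; $sd=[IntPtr]::Zero
    $rc = [Probe.Native]::GetSecurityInfo($h, $SE_KERNEL_OBJECT, $DACL_SECURITY_INFORMATION,
                                          [ref]$o, [ref]$g, [ref]$d, [ref]$s, [ref]$sd)
    if ($rc -ne 0) { return "GetSecurityInfo failed, error $rc" }
    $str=[IntPtr]::Zero; $len=[uint32]0
    $ok = [Probe.Native]::ConvertSecurityDescriptorToStringSecurityDescriptor(
              $sd, 1, $DACL_SECURITY_INFORMATION, [ref]$str, [ref]$len)
    $text = if ($ok) { [System.Runtime.InteropServices.Marshal]::PtrToStringUni($str) }
            else     { "SDDL conversion failed, error $(Get-LastError)" }
    [void][Probe.Native]::LocalFree($str); [void][Probe.Native]::LocalFree($sd)
    return $text
}

$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
Write-Host "Target: $($proc.ProcessName) pid=$($proc.Id) threads=$($proc.Threads.Count)"

# Whole-process route: OpenProcess(PROCESS_SUSPEND_RESUME) + NtSuspendProcess(HANDLE).
$hProc = [Probe.Native]::OpenProcess($PROCESS_SUSPEND_RESUME, $false, [uint32]$proc.Id)
$err = Get-LastError   # read immediately, before anything else can overwrite it
if ($hProc -eq [IntPtr]::Zero) {
    Write-Host "OpenProcess(PROCESS_SUSPEND_RESUME) failed, Win32 error $err"
} else {
    $status = [Probe.Native]::NtSuspendProcess($hProc)
    Write-Host ("NtSuspendProcess -> NTSTATUS 0x{0:X8} (0xC0000022 = STATUS_ACCESS_DENIED)" -f $status)
    if ($status -eq 0) { [void][Probe.Native]::NtResumeProcess($hProc) }
    [void][Probe.Native]::CloseHandle($hProc)
}

# Per-thread route: $proc.Threads stands in for CreateToolhelp32Snapshot /
# Thread32First / Thread32Next; each thread id goes through OpenThread + SuspendThread.
foreach ($t in $proc.Threads) {
    $mask = $THREAD_SUSPEND_RESUME -bor $THREAD_QUERY_INFORMATION -bor $READ_CONTROL
    $h = [Probe.Native]::OpenThread($mask, $false, [uint32]$t.Id)
    $err = Get-LastError
    if ($h -eq [IntPtr]::Zero) { Write-Host "tid $($t.Id): OpenThread failed, error $err"; continue }
    # Confirm the handle still belongs to the pid we targeted (the thread may have exited).
    $owner = [Probe.Native]::GetProcessIdOfThread($h)
    $sddl  = Get-ThreadSddl $h
    $prev  = [Probe.Native]::SuspendThread($h)   # returns 0xFFFFFFFF on failure
    $err   = Get-LastError
    if ($prev -eq [uint32]::MaxValue) {
        Write-Host "tid $($t.Id) (pid $owner): SuspendThread failed, error $err (5 = ERROR_ACCESS_DENIED); DACL: $sddl"
    } else {
        Write-Host "tid $($t.Id) (pid $owner): suspended (previous count $prev), resuming; DACL: $sddl"
        [void][Probe.Native]::ResumeThread($h)
    }
    [void][Probe.Native]::CloseHandle($h)
}
```

Run it once from an elevated prompt against the instance that refuses to suspend, and once more under SYSTEM (LaDidi's AT trick, or psexec -s) to compare: if the per-thread DACL line shows no SUSPEND_RESUME right for your SID while the SYSTEM run succeeds, the denial is the access check on the thread object, which is what TQN's SetSecurityInfo suggestion addresses; if OpenProcess already fails, the problem is upstream of any suspend call and the printed error is the one to chase.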
As I did not know this before, maybe it can help you.
Thread Security and Access Rights:
h--p://msdn.microsoft.com/library/en-us/dllproc/base/thread_security_and_access_rights.asp?frame=true and #define PROCESS_SUSPEND_RESUME (0x0800) |
sorry LaDidi, didn't see you already posted this :)
|
No matter
when comments come from a cracker like you.
And sure my old comment wasn't very clear... Regards. |