#1
Would it be possible that the main thread creates a new thread (with a new thread id, of course) and then terminates itself, so your handle isn't valid anymore?
#2
Are you playing with SDprotector?
It creates threads with the 'inherited' parameter & SuspendProcess can't suspend them.. In this case, it seems you are creating a non-debugged process, ye? But in case of the DEBUG flag, you need to avoid detection via ZwQueryInform.. ** I wrote this in your thread @ Woodman, but now will paste here, in case.. **
#3
Hi,
I investigated a little: the program launches itself and then closes it, passing a parameter to another program that then launches the original program again. Waiting for the program's main window, I can correctly detect the correct processID, open it and then get access to a valid handle, but the problem is that it still won't suspend itself, even if there's only one thread in the process and the processid is correct. I have a doubt that zwSuspendProcess, how I implemented it, might not be working correctly (I read it directly from ntdll). But I cannot find an API which allows passing from an hProcess to an hThread and then being able to use SuspendThread. Any suggestion?
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#4
Could the security descriptor of the created thread (by target) have been defined to prevent suspend/resume? If so, possible to change the object access rights of the spawned thread? -bg