#1
To attach to a process, Olly uses the DebugActiveProcess API.
Did you test whether, with the same loader, you can SuspendThread in another target? Maybe the problem is in the loader and not in the target. I had this problem in my tutorial on the loader debugger: with the first loader I made with MASM, setting a hardware BPX in the target was impossible and returned an ACCESS ERROR; I built the loader from the same code in RadASM, and it was possible to put the hardware BPX in the same target. Maybe the restriction is in the build of the loader. Ricardo Narvaja
#2
Hi Shub-Nigurrath!
How do you know the ZwSuspendProcess prototype? I have searched with Google, but have not found the prototype of Zw/NtSuspendProcess. On SysInternals, I found that Zw/NtSuspendProcess was a new function in XP and later Windows versions. It takes one input parameter. According to your source, it takes an hProcess parameter. But can you try it with a processID? Regards,
#3
A lot of Wine-development Usenet posts document them
in their quest to port Windows to Linux. For example: NTSTATUS STDCALL NtSuspendProcess( IN HANDLE Process ); This I pasted from this link. Here is a header file link that documents some APIs which aren't available in Gary Nebbett's book: http://cvs.cosoft.org.cn/cgi-bin/viewcvs.cgi/fileshare/FreeWin/include/funcs.h?rev=HEAD
#4
2JuneMouse
Yes, it's what I used, ZwSuspendProcess, which I found in the same file, as told in previous posts of this thread.

2TQN
I found the whole set of .h files in the CVS system of a project. If you point here you could get all the things you need: http://cvs.cosoft.org.cn/cgi-bin/viewcvs.cgi/fileshare/FreeWin/ (where JuneMouse also did). The internal signature (first bytes) of this API instead has been taken using the symbsrv patch for Olly and then the downloaded symbolic files, coming from msdl.microsoft.com. There's no need for this last step of course (and you can also use the CTRL-N function of Olly), but I did it also to add a second check, to be absolutely sure to call the right API. Anyway, if you have the complete DDK, isn't it defined there? I added the code for this part here too.

2LaDidi
The conclusion you got is the same I have, but it's a solution for the specific problem indeed. In fact I patched the calling process and used the loader as the main backup program, so the services no longer complain about the wrong CRCs and launch the loader as the real program, allowing me to normally patch it just before executing it. This was the last point in patching this application; I am already writing a complete tut, as usual from me, for which the program will only be an example of a general technique and of the use of a general source code framework in C++ to create general loaders. I spent some time coding it to be easily usable... stay tuned ;-)
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com Last edited by Shub-Nigurrath; 02-23-2005 at 20:12.
#5
As I did not know this before, maybe it can help you.
Thread Security and Access Rights:
h--p://msdn.microsoft.com/library/en-us/dllproc/base/thread_security_and_access_rights.asp?frame=true and #define PROCESS_SUSPEND_RESUME (0x0800) Last edited by LaDidi; 02-23-2005 at 23:46.
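As an added example (not code from any post in this thread), a PowerShell helper that puts the two facts discussed above together: the NtSuspendProcess(IN HANDLE Process) prototype from the FreeWin header and the PROCESS_SUSPEND_RESUME access right from the MSDN page, resolved from ntdll.dll through P/Invoke, as an incident responder would use to freeze a process before a memory capture. It assumes Windows XP or later and, for a process owned by another user, that the caller already holds SeDebugPrivilege; the function name Invoke-ProcessSuspendResume and the NativeProc class are mine.

```powershell
# Added example, not from the thread: suspend/resume a process through the
# undocumented Nt/ZwSuspendProcess pair. Assumes Windows XP or later.
$nativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class NativeProc
{
    // Prototype as quoted in the thread: NTSTATUS NtSuspendProcess(IN HANDLE Process)
    [DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr processHandle);
    [DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr processHandle);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $nativeSource
$PROCESS_SUSPEND_RESUME    = 0x0800   # access right from the MSDN page quoted above
$PROCESS_QUERY_INFORMATION = 0x0400   # deliberately insufficient, used for the failure case
function Invoke-ProcessSuspendResume {
    # Hypothetical helper name. Returns the NTSTATUS from ntdll as an unsigned value.
    param(
        [Parameter(Mandatory)][uint32]$ProcessId,
        [ValidateSet('Suspend', 'Resume')][string]$Action = 'Suspend',
        [uint32]$Access = $PROCESS_SUSPEND_RESUME
    )
    $hProcess = [NativeProc]::OpenProcess($Access, $false, $ProcessId)
    if ($hProcess -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed with Win32 error $err"
    }
    try {
        if ($Action -eq 'Suspend') { $status = [NativeProc]::NtSuspendProcess($hProcess) }
        else                       { $status = [NativeProc]::NtResumeProcess($hProcess) }
        # NTSTATUS arrives as a signed Int32; mask it so it compares with the hex constants.
        return [uint32]($status -band 0xFFFFFFFF)
    }
    finally {
        [void][NativeProc]::CloseHandle($hProcess)
    }
}
# Usage: freeze a process before a memory capture, then release it.
# $targetPid = (Get-Process notepad).Id
# Invoke-ProcessSuspendResume -ProcessId $targetPid -Action Suspend   # 0 = STATUS_SUCCESS
# Invoke-ProcessSuspendResume -ProcessId $targetPid -Action Resume
# Invoke-ProcessSuspendResume -ProcessId $targetPid -Access $PROCESS_QUERY_INFORMATION
# # -> 0xC0000022 (STATUS_ACCESS_DENIED): the handle lacks PROCESS_SUSPEND_RESUME
```

The last call shows the access-right failure LaDidi's reference explains: a handle opened without PROCESS_SUSPEND_RESUME makes NtSuspendProcess return STATUS_ACCESS_DENIED, so a loader that suspends should request that right explicitly rather than rely on PROCESS_ALL_ACCESS.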
#6
Sorry LaDidi, I didn't see you had already posted this.
#7
No matter, when comments come from a cracker like you.
And surely my old comment wasn't very clear... Regards.