Suspending a riot process..how?

[LaDidi]

Thanks MARKuS to explain better my idea :-)
In fact, RegBackup launch the service RegManServ which launch another instance of RegBackup in a SYSTEM context !
Have you tried to launch via SYSTEM context (ie: AT HH:MM myProg.exe).
You have RegManServ.Log which may help you...
Effectively, it execs :
"C:\app_test\Advanced Registry Doctor\RegBackup.exe" /INIT_DIR="c:\RegBackup\" /local_system

***** A part of the answer *****
As it Executes GlobalAddAtomA("RegManServRegBackup.exe") [see HW_BP in 00411986 or BP on ntdll.ZwAddAtom], it uses DDE !...

[TQN]

Hi Shub-Nigurrath !
How do you know the ZwSuspendProcess prototype. I have searched with Google, but not found the prototype of Zw/NtSuspendProcess. On SysInternals, I found that Zw/NtSuspendProcess was a new function in XP and after Win OS. It takes one input parameter. According to your source, it takes hProcess parameter. But, can you try with processID.
Regards,

lot of wine developeing usenet posts document them
in thier quest to port windows to linux

for example

NTSTATUS
STDCALL
NtSuspendProcess(
IN HANDLE Process
);

this i pasted from this link

here is a header file link that documents some apis which arent avl in
gary nebbets book
http://cvs.cosoft.org.cn/cgi-bin/viewcvs.cgi/fileshare/FreeWin/include/funcs.h?rev=HEAD

[Shub-Nigurrath]

2JuneMouse
yes, it's what I used, zwSuspendProcess which I found in the same file..as told in previous posts of this thread.

2TQN
I found the whole set of .h files into a cvs system of a project. If you point here you could get all the things you need: http://cvs.cosoft.org.cn/cgi-bin/viewcvs.cgi/fileshare/FreeWin/
(where JuneMouse also did).
The internal signature (first bytes) of this API instead has been taken using the symbsrv patch for Olly and then the downloaded symbolic files, coming from msdl.microsoft.com.
There's no need of this last step of course (and you also can use CTRL-N function of Olly), but I did it also for adding a second check of being absolutely sure to call the right API.
Anyay if you have the complete DDK isn't it defined there?

I added the code for this part here too.

2LaDidi
the conclusion you got is the same I have, but it's a solution for the specific problem indeed. In facts I patched the calling process and used the loader as the main backup program, so the services do not anymore complains about the wrong crcs and launches the loader as the real program, allowing me to normally patch it just before executing it.
This was the last point patching this application, I am already writing a complete tut, as usual from me, for which the program will only be an example of a general technique and of the use of a general source code framework in c++ to create general loaders.
I spent some time coding it to be easily usable..stay tuned ;-)

[LaDidi]

Thread Security and Access Rights :
h--p://msdn.microsoft.com/library/en-us/dllproc/base/thread_security_and_access_rights.asp?frame=true

and

#define PROCESS_SUSPEND_RESUME (0x0800)

[MaRKuS-DJM]

sorry LaDidi, didn't see you already posted this

[LaDidi]

when comments come from a cracker like you.
And sure my old comment wasn't very clear...
Regards.