02-21-2005, 20:37
Shub-Nigurrath
Suspending a riot process..how?

Hi,
I'm working on a patch for a program and writing a loader for it.
But I have this problem: SuspendThread won't suspend the thread.

I launch the victim process using CreateProcess in suspended mode as follows:

Code:
if( !::CreateProcess( victimFileName.c_str(), // Module name: path of the victim executable. 
	NULL,			  // Command line (none; the module name is used). 
	NULL,             // Process handle not inheritable. 
	NULL,             // Thread handle not inheritable. 
	NULL,             // Set handle inheritance to FALSE. 
	CREATE_SUSPENDED, // suspended creation flags. 
	NULL,             // Use parent's environment block. 
	NULL,             // Use parent's starting directory. 
	&si,              // Pointer to STARTUPINFO structure.
	&pi )             // Pointer to PROCESS_INFORMATION structure.
	) 
{
	MessageBox(NULL, GetLastErrorMsg().c_str(), MSG_CAPTION, 
		MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL); 
	return 1;
}
Then, after an initial resume of the process to skip the initial unpacking, I wait for the guard condition to become active (I wait for a memory address to take a specific value or for the main program's window to appear). Then I do the following:

Code:
//Before patching the victim application it's better to suspend it.
//If some protection prevents us from suspending the application, a few
//fallbacks are tried in turn:
//1. repeat SuspendThread several times (see comment below for why)
//2. try to reset the thread's priority
//3. try the native counterparts ZwSuspendThread and ZwSuspendProcess
//   (exported by ntdll.dll, not declared in the Win32 headers: declare them
//   by hand or resolve them with GetProcAddress; they return an NTSTATUS)
//4. open the process to get another process handle
//If all of these fail, the patcher exits with an error.
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) //STATUS_SUCCESS is 0
#endif
if(SuspendThread(pi.hThread)==(DWORD)-1) {
	//SuspendThread returns the previous suspend count on success and
	//(DWORD)-1 on failure (GetLastError gives the reason).
	//If the thread is making a kernel call, SuspendThread fails. 
	//An application may need to repeat the SuspendThread several times for it 
	//to succeed.
	int trials_count=0;
	BOOL skiptherest=FALSE;
	while(trials_count<MAX_SUSPENDTHREAD_TRIALS) {
		if(SuspendThread(pi.hThread)!=(DWORD)-1) {
			skiptherest=TRUE;
			break;
		}
		trials_count++;
	}
	
	//Try resetting the thread's priority to normal.
	if(!skiptherest) {
		int thPriority=GetThreadPriority(pi.hThread);
		if(thPriority!=THREAD_PRIORITY_NORMAL)
			SetThreadPriority(pi.hThread,THREAD_PRIORITY_NORMAL);
		if(SuspendThread(pi.hThread)!=(DWORD)-1)
			skiptherest=TRUE;
	}
	
	//Try suspending via the native (ntdll) functions. They return an NTSTATUS:
	//success is >= 0 (STATUS_SUCCESS == 0) and failures have the high bit set,
	//so the result must be tested with NT_SUCCESS(), not with "ret > 0"
	//(which rejects STATUS_SUCCESS).
	NTSTATUS ret=0;
	if(!skiptherest) {
		ret=ZwSuspendThread(pi.hThread, NULL);
		if(NT_SUCCESS(ret))
			skiptherest=TRUE;
	}
	if(!skiptherest) {
		ret=ZwSuspendProcess(pi.hProcess);
		if(NT_SUCCESS(ret))
			skiptherest=TRUE;
	}

	//Last resort: reopen the process by id with full access and retry.
	if(!skiptherest) {
		HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE, pi.dwProcessId);
		if(hProc==NULL) {
			MessageBox(NULL, GetLastErrorMsg().c_str(), MSG_CAPTION, 
			MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL); 
			return 1;
		}
		CloseHandle(pi.hProcess); //don't leak the handle CreateProcess returned
		pi.hProcess=hProc;
		bProcessOpened=TRUE;
		ret=ZwSuspendProcess(pi.hProcess);
		if(NT_SUCCESS(ret))
			skiptherest=TRUE;
	}

	if(!skiptherest) {
		//Note: a failed Zw* call does not set the Win32 last error, so this
		//reports the last SuspendThread/OpenProcess failure instead
		//(RtlNtStatusToDosError(ret) would translate the NTSTATUS).
		::MessageBox(NULL, GetLastErrorMsg().c_str(), MSG_CAPTION, 
			MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL); 
		return 1;
	}
		
}
Then I patch it using writememory.

I don't know if all these attempts make sense or not, but they all fail, as does the simple SuspendThread.

Anyway, a simple SuspendThread has worked fine for all the loaders I've written; this is the first time I cannot suspend the process at all.

Any suggestion regarding this will be extremely welcome!

10x in advance!
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com

Last edited by Shub-Nigurrath; 02-21-2005 at 21:24.