Sysinternals Forum > Windows Discussions > Internals

Suspend a process

molotov (Moderator Group) - Posted: 14 January 2009 at 11:56am
I think it would be more straightforward to try loading the kernel module into WinDbg as a crash dump, configure symbols, and then unassemble the desired function.
Daily affirmation:
net helpmsg 4006
deepgeorge (Newbie, India) - Posted: 14 January 2009 at 7:53am
Hi,

I am trying to understand how NtSuspendProcess is implemented.
I am using the SoftICE debugger.

The assembly code below was taken using IDA Pro, though.
NtDll!NtSuspendProcess -
ntdll.dll:7C90E83A ntdll_NtSuspendProcess:
ntdll.dll:7C90E83A mov eax, 0FDh
ntdll.dll:7C90E83F mov edx, offset off_7FFE0300
ntdll.dll:7C90E844 call dword ptr [edx]
ntdll.dll:7C90E846 retn 4

As you can see, EAX is set to FDh (253), which is the SSDT index.
The function call to dword ptr [edx] leads to -

ntdll.dll:7C90EB8B ntdll_KiFastSystemCall:
ntdll.dll:7C90EB8B mov edx, esp
ntdll.dll:7C90EB8D sysenter
ntdll.dll:7C90EB8F nop
ntdll.dll:7C90EB90 nop
ntdll.dll:7C90EB91 nop
ntdll.dll:7C90EB92 nop
ntdll.dll:7C90EB93 nop
ntdll.dll:7C90EB94
ntdll.dll:7C90EB94 ntdll_KiFastSystemCallRet:
ntdll.dll:7C90EB94 retn

sysenter is used instead of int 2E.
I want to debug the implementation of NtSuspendProcess in ntoskrnl.exe.

I thought of using the SoftICE command:
bpint 2e if (eax==FD). But this does not work.
bpint sysenter is not supported.
How do I do this?

Please help.
Cheers
Deep GZ
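To make the stub listing above concrete, here is an added example (not code from the thread or from any poster) that parses the first bytes of such an ntdll Nt* stub, extracts the service index the stub loads into EAX, and flags a stub whose leading mov has been overwritten by a jmp/call, which is what a user-mode inline hook on the stub looks like to a defender. The x86 bytes are the encoding of the XP listing above; the x64 pattern (mov r10,rcx ; mov eax,imm32) is a generalization beyond the post, and the index 0x1234 used with it is a constructed placeholder, not the real x64 NtSuspendProcess number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shape of the first bytes of an ntdll Nt* stub. */
typedef enum { STUB_X86, STUB_X64, STUB_HOOKED, STUB_UNKNOWN } stub_kind;

static uint32_t rd32(const uint8_t *p) {   /* little-endian imm32 */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classifies a stub and, if index != NULL, stores the system service number
 * (the value the stub puts in EAX before entering the kernel). */
stub_kind parse_nt_stub(const uint8_t *code, size_t len, uint32_t *index) {
    if (len >= 5 && code[0] == 0xB8) {                     /* mov eax, imm32 (x86 XP/Vista) */
        if (index) *index = rd32(code + 1);
        return STUB_X86;
    }
    if (len >= 8 && code[0] == 0x4C && code[1] == 0x8B &&
        code[2] == 0xD1 && code[3] == 0xB8) {              /* mov r10, rcx ; mov eax, imm32 (x64) */
        if (index) *index = rd32(code + 4);
        return STUB_X64;
    }
    if (len >= 5 && (code[0] == 0xE9 || code[0] == 0xE8))   /* jmp/call rel32 where the mov should be */
        return STUB_HOOKED;
    return STUB_UNKNOWN;
}

/* Returns the service index, or UINT32_MAX when the stub is hooked or unrecognised. */
uint32_t stub_service_index(const uint8_t *code, size_t len) {
    uint32_t idx = 0;
    return parse_nt_stub(code, len, &idx) <= STUB_X64 ? idx : UINT32_MAX;
}

/* Constructed samples. First: the XP ntdll!NtSuspendProcess stub from the post, encoded as
 * mov eax,0FDh / mov edx,7FFE0300h / call dword ptr [edx] / retn 4. */
const uint8_t xp_nt_suspend_process[] = { 0xB8, 0xFD, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F,
                                          0xFF, 0x12, 0xC2, 0x04, 0x00 };
/* x64-style stub with a made-up index 0x1234, followed by syscall / ret. */
const uint8_t x64_sample[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x34, 0x12, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
/* The x86 stub after an inline hook replaced the mov with jmp rel32 (displacement is a placeholder). */
const uint8_t hooked_sample[] = { 0xE9, 0x00, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03, 0xFE, 0x7F };

int main(void) {
    uint32_t idx = 0;
    stub_kind k = parse_nt_stub(xp_nt_suspend_process, sizeof xp_nt_suspend_process, &idx);
    printf("xp stub: kind=%d index=0x%X\n", (int)k, (unsigned)idx);          /* kind=0 index=0xFD */
    printf("hooked stub: kind=%d\n", (int)parse_nt_stub(hooked_sample, sizeof hooked_sample, NULL));
    return 0;
}
```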
molotov (Moderator Group) - Posted: 12 January 2009 at 11:33am
Kernel32!SuspendThread looks to be a light wrapper around ntdll!NtSuspendThread, which, similar to ntdll!NtSuspendProcess, is a pretty small function that essentially just transitions into kernel mode to do the work.

Again, you could load the kernel module into the debugger, configure symbols, and unassemble the functions of interest.

> MSDN says SuspendThread may lead to a deadlock situation in certain scenarios.
Did you read about the condition MSDN is describing?  Essentially, MSDN is saying that most likely, only the thread that is to be suspended has the ability to make decisions regarding whether or not it is appropriate for the thread to be suspended; therefore, rather than suspending the thread from a different thread, another thread should signal to the thread that's a candidate for suspension, to suspend itself.  So, the thread needs to be executing code that specifically looks for an indication that it should suspend itself.  I doubt that many threads do this, and even if they did, one would need to determine the mechanism used to indicate to the thread that it should suspend itself.  Thus, it seems to come down to... do you want to take the risk of what MSDN describes, or not?  If so, suspend the thread; if not...
deepgeorge (Newbie, India) - Posted: 12 January 2009 at 7:04am
Thanks. I could view it on Google Groups.
hmmm..

I don't know how NtSuspendProcess is implemented, but would like to know if it's implemented asynchronously.
This is because I want to find out the time it takes to suspend a process.
I'll be able to do that by finding out the time taken for NtSuspendProcess to execute and return. But if NtSuspendProcess is implemented asynchronously it would return immediately, wouldn't it?

From the newsgroup, I found some info on SuspendProcess. Jeffrey Richter has written a function in his book that suspends all the threads in a process, thereby suspending the process itself. He's making use of Toolhelp APIs and SuspendThread, basically all documented APIs.
But is it safe to use SuspendThread? Even MSDN says that SuspendThread may lead to a deadlock situation in certain scenarios.


Can I set a process state to idle?

Thanks for the help.

molotov (Moderator Group) - Posted: 12 January 2009 at 2:24am
I suppose, you could check it out in Google Groups, if your ISP's news server doesn't list it.
deepgeorge (Newbie, India) - Posted: 12 January 2009 at 2:05am

Hi Bruce,

In which news server is this group (news://comp.os.ms-windows.programmer.win32) located?

I am trying to subscribe to this group. It's not found on the msnews.microsoft.com news server.
I am using the Binary News Reaper software.
Bruce9 (Groupie) - Posted: 10 January 2009 at 4:31pm
You can always get the source code for NtSuspendProcess() and any Win32 API on the Adv. Win32 API newsgroup (news://comp.os.ms-windows.programmer.win32)...
(MS, Wine, etc.)
molotov (Moderator Group) - Posted: 10 January 2009 at 3:03pm
> Is it an undocumented API?
Essentially, yes.

> MS may not support this API in future versions of the OS, right?
That is my understanding.

> Any idea if it is supported on XP 64-bit, Vista 32-bit/64-bit?
Can't speak for x64, but I don't expect it to be different. ntdll.dll exports this function on 32-bit versions of XP and Vista.

> Any other alternatives available for suspending a process?
You might consider suspending each thread in the process by calling kernel32!SuspendThread...
deepgeorge (Newbie, India) - Posted: 10 January 2009 at 6:14am
Hi,

I was looking for the documentation of NtSuspendProcess and could not find it in MSDN.
Is it an undocumented API? Do you know why MS decided to have it undocumented?

I am planning to use this function in one of my projects.
If this API is undocumented, MS may not support this API in future versions of the OS, right? Any idea if it is supported on XP 64-bit, Vista 32-bit/64-bit?

I also want to know if this API is synchronous/asynchronous.

Any other alternatives available for suspending a process?
molotov (Moderator Group) - Posted: 09 January 2009 at 4:59pm
Just because it's not exported, does not mean it does not exist.  Load the kernel module in the debugger, configure symbols, and unassemble nt!NtSuspendProcess.