我尝试停止一些进程,我使用来自 ntdll 的 NativeAPI。我写了一些C代码,它可以工作:
typedef LONG(NTAPI* NtSuspendProcess)(IN HANDLE ProcessHandle);
UINT __stdcall Suspend(VOID* processId)
{
HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)processId);
NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(GetModuleHandle(L"ntdll"), "NtSuspendProcess");
pfnNtSuspendProcess(processHandle);
CloseHandle(processHandle);
return 0;
}
UINT __stdcall Resume(VOID* processId)
{
HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)processId);
NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(
GetModuleHandle(L"ntdll"), "NtResumeProcess");
pfnNtSuspendProcess(processHandle);
CloseHandle(processHandle);
return 0;
}
但是,当我尝试使用 MASM 编写它时,我的过程并没有停止。我查看了寄存器 EAX 和 ECX,那里一切正常。我调用了 GetLastError,返回值为零。代码:
pauseProc proc pid:dword
push pid
push 0
push PROCESS_ALL_ACCESS
call OpenProcess@12
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorOpenProccess
PUSH 0
CALL MessageBoxA@16
.ENDIF
mov processHandle, eax
push offset NtModuleNameWStr
call GetModuleHandleW@4
; call GetLastError
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorGetModuleHandle
PUSH 0
CALL MessageBoxA@16
.ENDIF
push offset NtSuspendProcessAStr
push eax
call GetProcAddress@8
.IF eax == 0
PUSH MB_ICONERROR
PUSH 0
PUSH offset errorGetProcAddress
PUSH 0
CALL MessageBoxA@16
.ENDIF
push processHandle
call CloseHandle@4
; pfnNtSuspendProcess
ret
pauseProc endp
关于常量:
STANDARD_RIGHTS_REQUIRED equ 000F0000h
SYNCHRONIZE equ 00100000h
PROCESS_ALL_ACCESS equ (STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or 0FFFFh)
我使用 Windows 10,因为我们需要写入 0FFFF。适用于 Windows Vista 0FFFh 之前的版本。为什么进程不会停止?