Windows Process Suspension
The Win32 API offers a function called "SuspendThread"; however, it does NOT offer a "SuspendProcess" function. I want to add the ability to Injex to suspend a process that is already running while it is injecting a payload. I thought about just getting a list of threads and then suspending them one by one, and then, after injection is complete, resuming them one by one... Although, I am afraid of race conditions.
Anyone know of a better way? And/Or is my worry unfounded?
Also, does anyone think that thread hijacking is something I should add as an injection method? Would anyone see that as useful?
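The suspend-all-threads loop sketched in the post above, written out as an added example in C against the documented Tool Help and thread APIs. This is not Injex code and not any poster's code. It handles the race the loop itself has (a thread created between the snapshot and SuspendThread would otherwise be missed) by re-snapshotting until a pass finds no thread that is not already suspended, skips the calling thread, tolerates threads that exit between the snapshot and OpenThread, keeps the handles so every SuspendThread gets exactly one ResumeThread in reverse order. The portable helper new_thread_ids, the struct suspended_set and its field names are mine; the Win32 calls are the real ones. It does nothing about the scheduling-order deadlocks raised later in the thread.

```c
/* Added example: suspend every thread of a target process (Tool Help API),
 * re-snapshotting until no new threads appear, then resume in reverse order.
 * new_thread_ids() is portable and is what the snapshot loop is built on;
 * everything under _WIN32 is the documented Win32 wiring. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned long thread_id_t;   /* same type as the Win32 DWORD */

/* Copy into `out` every id in seen[] that is not in known[] and is not `self`
 * (the caller's own thread must never be suspended). Returns the count.
 * Assumes `out` has room for n_seen entries. */
size_t new_thread_ids(const thread_id_t *known, size_t n_known,
                      const thread_id_t *seen,  size_t n_seen,
                      thread_id_t self, thread_id_t *out)
{
    size_t n_out = 0;
    for (size_t i = 0; i < n_seen; i++) {
        if (seen[i] == self) continue;
        int already = 0;
        for (size_t j = 0; j < n_known && !already; j++)
            already = (known[j] == seen[i]);
        if (!already) out[n_out++] = seen[i];
    }
    return n_out;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

#define MAX_THREADS 4096

typedef struct {
    DWORD  tid[MAX_THREADS];    /* thread ids we have suspended */
    HANDLE h[MAX_THREADS];      /* matching handles, kept open for ResumeThread */
    size_t n;
} suspended_set;

/* Suspend all threads of `pid` except the caller. Loops because a thread
 * created after a snapshot but before SuspendThread would otherwise be missed;
 * we stop only when a full snapshot adds nothing. Returns 0 on success; on
 * failure, call resume_process_threads() to undo the partial pass. */
int suspend_process_threads(DWORD pid, suspended_set *s)
{
    DWORD self = GetCurrentThreadId();
    s->n = 0;
    for (;;) {
        DWORD seen[MAX_THREADS], fresh[MAX_THREADS];
        size_t n_seen = 0;
        HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if (snap == INVALID_HANDLE_VALUE) return -1;
        THREADENTRY32 te;
        te.dwSize = sizeof te;
        if (Thread32First(snap, &te)) {
            do {
                if (te.th32OwnerProcessID == pid && n_seen < MAX_THREADS)
                    seen[n_seen++] = te.th32ThreadID;
            } while (Thread32Next(snap, &te));
        }
        CloseHandle(snap);

        size_t n_fresh = new_thread_ids(s->tid, s->n, seen, n_seen, self, fresh);
        if (n_fresh == 0) return 0;                 /* converged: nothing new */
        for (size_t i = 0; i < n_fresh && s->n < MAX_THREADS; i++) {
            HANDLE h = OpenThread(THREAD_SUSPEND_RESUME, FALSE, fresh[i]);
            if (h == NULL) continue;                /* exited since the snapshot */
            if (SuspendThread(h) == (DWORD)-1) { CloseHandle(h); continue; }
            s->tid[s->n] = fresh[i];
            s->h[s->n]   = h;
            s->n++;
        }
    }
}

/* Resume in reverse order of suspension; each SuspendThread bumped a
 * per-thread suspend count, so each needs exactly one ResumeThread. */
void resume_process_threads(suspended_set *s)
{
    while (s->n > 0) {
        s->n--;
        ResumeThread(s->h[s->n]);
        CloseHandle(s->h[s->n]);
    }
}

/* Usage: suspend_demo <pid>  (freezes the target for two seconds) */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    static suspended_set s;
    if (suspend_process_threads((DWORD)strtoul(argv[1], NULL, 10), &s) != 0) {
        fprintf(stderr, "snapshot failed: %lu\n", GetLastError());
        resume_process_threads(&s);
        return 1;
    }
    printf("suspended %u threads; injection would go here\n", (unsigned)s.n);
    Sleep(2000);
    resume_process_threads(&s);
    return 0;
}
#endif
```

Build with MSVC or MinGW (kernel32 only) and run against a PID you own. Two caveats for the injection use case: a thread suspended while it holds the loader lock or a heap lock will block any remote thread you then create that calls LoadLibrary or HeapAlloc in the target, so freezing everything only helps if the payload path does not take those locks; and ntdll also exports the undocumented NtSuspendProcess/NtResumeProcess, which take a process handle and suspend all threads in one call, which is what debuggers and Task Manager rely on.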
Right, that's what I am saying, but I can't suspend them all at the same time...
I read that article a while ago and I believe the author offers a viable way to avoid the race conditions, but I'm not completely sure since it's been some time.
Never mind, not the same article, however:
You could try setting the process's priority to very low, and then rapidly suspend all threads. The lowered priority should give you a greater chance of avoiding deadlocks.
What exactly would happen in these race conditions? Just exceptional cases? I mean, if your eventual aim is to free the current view of the data (free all the process's memory), typical race conditions won't matter in the end. If there's exceptions you can just add a vectored exception handler to prevent crashing.
Or, you can just spawn the process yourself with the CreateProcess function and the CREATE_SUSPENDED flag, as I think Nebbet intended.
He wants to resume execution after he's done injecting. Multi-threaded applications might use mutexes, semaphores or asynchronous I/O that would result in a deadlock. Imagine a thread that's waiting for a second thread to yield access to an object. Now the first thread is suspended, and then the second thread signals the first thread that it's done with the object in the time it takes for your SuspendThread() loop to reach this second thread. When the first thread is resumed it has not received a signal from the second thread, so it's still waiting. Meanwhile, the second thread could also be waiting for the first thread.
There you've got the deadlock right there.
Yeah, that is a great example of a race condition that I am trying to avoid. Another is with threads that use timers. So I think if I added this, it would be a kind of silly and never really used feature of Injex. Thank you all for your input.