HollowsHunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
1#include "suspend.h"
2#include <iostream>
3#include <psapi.h>
4
5#include "ntddk.h"
6
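/**
 * Suspend every thread of the process identified by `processId` via the
 * undocumented ntdll export NtSuspendProcess.
 *
 * @param processId  PID of the target process.
 * @return true only if the process was opened and NtSuspendProcess reported
 *         success; false if ntdll or the export cannot be resolved, if the
 *         process cannot be opened (invalid PID or insufficient rights), or if
 *         the call returns a non-success status.
 */
bool suspend_process(DWORD processId)
{
    HMODULE hNtdll = GetModuleHandleA("ntdll");
    if (!hNtdll) return false;

    typedef LONG(NTAPI *NtSuspendProcess)(IN HANDLE ProcessHandle);

    // Resolve the export before touching the target so a missing symbol
    // never leaves an open handle behind.
    auto pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(hNtdll, "NtSuspendProcess");
    if (!pfnNtSuspendProcess) {
        return false;
    }

    // Least privilege: PROCESS_SUSPEND_RESUME is the only right NtSuspendProcess
    // needs. Requesting PROCESS_ALL_ACCESS makes OpenProcess fail on any process
    // for which a single unrelated right is denied.
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processId);
    if (!processHandle) {
        // Invalid PID or access denied; must not reach NtSuspendProcess with a NULL handle.
        return false;
    }

    LONG res = pfnNtSuspendProcess(processHandle);
    CloseHandle(processHandle);
    // NTSTATUS success is STATUS_SUCCESS (0); S_OK is also 0, so this accepts
    // exactly the success status and treats everything else as failure.
    return (res == S_OK);
}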
28
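/**
 * Resume the process identified by `processId` via the undocumented ntdll
 * export NtResumeProcess (the counterpart of suspend_process).
 *
 * @param processId  PID of the target process.
 * @return true only if the process was opened and NtResumeProcess reported
 *         success; false if ntdll or the export cannot be resolved, if the
 *         process cannot be opened (invalid PID or insufficient rights), or if
 *         the call returns a non-success status.
 */
bool resume_process(DWORD processId)
{
    HMODULE hNtdll = GetModuleHandleA("ntdll");
    if (!hNtdll) return false;

    typedef LONG(NTAPI *NtResumeProcess)(IN HANDLE ProcessHandle);

    // Resolve the export before touching the target so a missing symbol
    // never leaves an open handle behind.
    auto pfnNtResumeProcess = (NtResumeProcess)GetProcAddress(hNtdll, "NtResumeProcess");
    if (!pfnNtResumeProcess) {
        return false;
    }

    // Least privilege: PROCESS_SUSPEND_RESUME is the only right NtResumeProcess
    // needs. Requesting PROCESS_ALL_ACCESS makes OpenProcess fail on any process
    // for which a single unrelated right is denied.
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processId);
    if (!processHandle) {
        // Invalid PID or access denied; must not reach NtResumeProcess with a NULL handle.
        return false;
    }

    LONG res = pfnNtResumeProcess(processHandle);
    CloseHandle(processHandle);
    // NTSTATUS success is STATUS_SUCCESS (0); S_OK is also 0, so this accepts
    // exactly the success status and treats everything else as failure.
    return (res == S_OK);
}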
50
/**
 * Decide whether `remote_pid` is "family" of the current process: the process
 * itself, its parent, one of its children, or a sibling (same parent).
 *
 * Used to avoid suspending/scanning processes the scanner itself depends on.
 *
 * @param remote_pid  PID to test against the current process.
 * @return true for the current process and for parent/child/sibling relations;
 *         false otherwise, and also whenever either parent PID cannot be
 *         determined (GetParentProcessID returned INVALID_PID).
 */
bool is_process_associated(DWORD remote_pid)
{
    const DWORD my_pid = GetCurrentProcessId();
    if (remote_pid == my_pid) {
        return true;
    }

    const DWORD my_parent = GetParentProcessID(my_pid);
    const DWORD remote_parent = GetParentProcessID(remote_pid);
    // An unknown parent on either side means no relation can be established.
    if (my_parent == INVALID_PID || remote_parent == INVALID_PID) {
        return false;
    }

    const bool remote_is_child = (remote_parent == my_pid);
    const bool remote_is_parent = (my_parent == remote_pid);
    const bool share_parent = (my_parent == remote_parent);
    return remote_is_child || remote_is_parent || share_parent;
}
75
/**
 * Look up the parent PID of `dwPID` through NtQueryInformationProcess /
 * ProcessBasicInformation.
 *
 * @param dwPID  PID of the process whose parent is wanted.
 * @return the value of InheritedFromUniqueProcessId, or INVALID_PID when ntdll
 *         or the export cannot be resolved, when the process cannot be opened
 *         with PROCESS_QUERY_INFORMATION (invalid PID or insufficient
 *         privileges), or when the query does not return the success status.
 *
 * Note: InheritedFromUniqueProcessId is the PID recorded at creation time; it
 * is not revalidated here, so the returned PID may already have been reused.
 */
DWORD GetParentProcessID(DWORD dwPID)
{
    HMODULE hNtdll = GetModuleHandleA("ntdll");
    if (!hNtdll) return INVALID_PID;

    typedef NTSTATUS(__stdcall* FPTR_NtQueryInformationProcess) (HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
    // Local name deliberately differs from the export name so it cannot shadow
    // a declaration pulled in by a header.
    auto pfnQueryInfo = (FPTR_NtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (!pfnQueryInfo) {
        return INVALID_PID;
    }

    // PROCESS_QUERY_INFORMATION is sufficient for ProcessBasicInformation.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (!hProcess) {
        return INVALID_PID;
    }

    PROCESS_BASIC_INFORMATION pbi = { 0 };
    ULONG ulRetLen = 0;
    DWORD dwParentPID = INVALID_PID;

    const NTSTATUS ntStatus = pfnQueryInfo(hProcess,
        ProcessBasicInformation,
        (void*)&pbi,
        sizeof(PROCESS_BASIC_INFORMATION),
        &ulRetLen);
    // STATUS_SUCCESS and S_OK are both 0, so only the exact success status
    // yields a parent PID; any other NTSTATUS leaves INVALID_PID.
    if (ntStatus == S_OK) {
        dwParentPID = (DWORD)pbi.InheritedFromUniqueProcessId;
    }

    CloseHandle(hProcess);
    return dwParentPID;
}