HollowsHunter
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
suspend.cpp
1#include "suspend.h"
2#include <iostream>
3#include <psapi.h>
4
5#include "ntddk.h"
6
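/**
 * Suspends every thread of the process identified by processId through the
 * undocumented ntdll!NtSuspendProcess export.
 *
 * @param processId PID of the process to suspend.
 * @return true when NtSuspendProcess returned STATUS_SUCCESS; false when the
 *         export could not be resolved, the process could not be opened
 *         (invalid PID or insufficient rights), or the call failed.
 */
bool suspend_process(DWORD processId)
{
    typedef LONG(NTAPI *NtSuspendProcess)(HANDLE ProcessHandle);

    // Resolve the export before opening the target so that a lookup failure
    // cannot leave a process handle behind.
    NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(
        GetModuleHandleA("ntdll"), "NtSuspendProcess");
    if (!pfnNtSuspendProcess) {
        return false;
    }

    // Least privilege: suspending only needs PROCESS_SUSPEND_RESUME, not
    // PROCESS_ALL_ACCESS. A NULL handle (bad PID, access denied, protected
    // process) is reported as failure rather than handed to the syscall.
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processId);
    if (!processHandle) {
        return false;
    }

    // NTSTATUS success (STATUS_SUCCESS) is 0, the same value as S_OK.
    LONG res = pfnNtSuspendProcess(processHandle);
    CloseHandle(processHandle);
    return res == S_OK;
}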
25
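/**
 * Resumes a process previously suspended with suspend_process(), through the
 * undocumented ntdll!NtResumeProcess export.
 *
 * @param processId PID of the process to resume.
 * @return true when NtResumeProcess returned STATUS_SUCCESS; false when the
 *         export could not be resolved, the process could not be opened
 *         (invalid PID or insufficient rights), or the call failed.
 */
bool resume_process(DWORD processId)
{
    typedef LONG(NTAPI *NtResumeProcess)(HANDLE ProcessHandle);

    // Resolve the export before opening the target so that a lookup failure
    // cannot leave a process handle behind.
    NtResumeProcess pfnNtResumeProcess = (NtResumeProcess)GetProcAddress(
        GetModuleHandleA("ntdll"), "NtResumeProcess");
    if (!pfnNtResumeProcess) {
        return false;
    }

    // Least privilege: resuming only needs PROCESS_SUSPEND_RESUME, not
    // PROCESS_ALL_ACCESS. A NULL handle (bad PID, access denied, protected
    // process) is reported as failure rather than handed to the syscall.
    HANDLE processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, processId);
    if (!processHandle) {
        return false;
    }

    // NTSTATUS success (STATUS_SUCCESS) is 0, the same value as S_OK.
    LONG res = pfnNtResumeProcess(processHandle);
    CloseHandle(processHandle);
    return res == S_OK;
}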
44
/**
 * Tells whether the process identified by remote_pid is related to the
 * current process: it is the current process itself, its parent, one of its
 * children, or a sibling (same parent PID).
 *
 * @param remote_pid PID of the process to check.
 * @return true for self/parent/child/sibling; false otherwise, including
 *         when either parent PID cannot be determined (INVALID_PID).
 *         Parent PIDs come from GetParentProcessID(), i.e. the PID recorded
 *         at creation time, so a reused PID can produce a false match.
 */
bool is_process_associated(DWORD remote_pid)
{
    const DWORD my_pid = GetCurrentProcessId();
    if (remote_pid == my_pid) {
        return true;
    }

    const DWORD my_parent = GetParentProcessID(my_pid);
    const DWORD remote_parent = GetParentProcessID(remote_pid);
    if (my_parent == INVALID_PID || remote_parent == INVALID_PID) {
        return false;
    }

    // Any one of the three relations is sufficient.
    return remote_parent == my_pid      // remote is my child
        || my_parent == remote_pid      // remote is my parent
        || my_parent == remote_parent;  // remote is my sibling
}
69
/**
 * Returns the parent PID of process dwPID, read from
 * PROCESS_BASIC_INFORMATION::InheritedFromUniqueProcessId via
 * ntdll!NtQueryInformationProcess.
 *
 * @param dwPID PID of the process whose parent is wanted.
 * @return The parent PID, or INVALID_PID when NtQueryInformationProcess
 *         cannot be resolved, the process cannot be opened (invalid PID or
 *         insufficient privileges), or the query does not return
 *         STATUS_SUCCESS. The value is the parent recorded at creation
 *         time; it is not checked to still be alive.
 */
DWORD GetParentProcessID(DWORD dwPID)
{
    typedef NTSTATUS(__stdcall *FPTR_NtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

    // ntdll is always mapped; only the export lookup can fail.
    FPTR_NtQueryInformationProcess pfnQuery = (FPTR_NtQueryInformationProcess)GetProcAddress(
        GetModuleHandleA("ntdll"), "NtQueryInformationProcess");
    if (!pfnQuery) {
        return INVALID_PID;
    }

    // May fail for an invalid PID or a process we lack rights to query.
    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPID);
    if (!hProcess) {
        return INVALID_PID;
    }

    PROCESS_BASIC_INFORMATION pbi;
    ULONG ulRetLen;
    DWORD dwParentPID = INVALID_PID;

    // STATUS_SUCCESS is 0, the same value as S_OK.
    NTSTATUS ntStatus = pfnQuery(hProcess,
        ProcessBasicInformation,
        (void*)&pbi,
        sizeof(pbi),
        &ulRetLen);
    if (ntStatus == S_OK) {
        dwParentPID = (DWORD)pbi.InheritedFromUniqueProcessId;
    }

    CloseHandle(hProcess);
    return dwParentPID;
}