laptou

Reputation: 6981

Obtain Exclusive Process Handle

I am writing an app in C# and C++/CLI, and I have code that suspends processes. However, I want to prevent them from being un-suspended by another process (such as Process Explorer). Is it possible to obtain an exclusive process handle or otherwise somehow block other applications from performing this operation? And if so, how?

Upvotes: 3

Views: 640

Answers (2)

PspSetProcessPpmPolicy

Reputation: 379

You can inject code into another running process and patch the NtResumeProcess and NtResumeThread routines exported by NTDLL. The exported routines will perform a system call; however, you can intercept execution before this transition occurs and redirect it to your own callback routine to apply filtering: return STATUS_ACCESS_DENIED or another appropriate NTSTATUS error code to block the operation.

This won't prevent someone from bypassing your patch with a manual system call though. Your best bet is ObRegisterCallbacks and then stripping PROCESS_SUSPEND_RESUME for any caller other than yourself.

The first method, via run-time byte patching, is fine because user-mode hooking isn't a concern as long as it's done properly. There are also open-source libraries for accomplishing this, and Microsoft has its own API hooking library, named MS Detours, as well. The ObRegisterCallbacks method will require a kernel-mode device driver, and with this comes the necessity for a digital signature which supports kernel-mode software signing (and for support on systems which have Secure Boot enabled, you'll need an Extended Validation signature, which is only issued to genuinely registered companies and is a lot pricier).

Good luck.

Upvotes: 0

RbMm

Reputation: 33716

This is impossible to do from user mode.

Any process which has SE_DEBUG_PRIVILEGE enabled in its token can open a process/thread handle with all access (unless it is a protected process).

From kernel mode you can register your own callback with ObRegisterCallbacks and filter process/thread open attempts: say, deny the handle open, or remove PROCESS_SUSPEND_RESUME, THREAD_SUSPEND_RESUME and THREAD_RESUME from DesiredAccess in OB_PRE_CREATE_HANDLE_INFORMATION. But this does not prevent other kernel-mode code from calling the exported API PsResumeProcess.

In general, object handles partially support exclusive access. Look for the OBJ_EXCLUSIVE flag in OBJECT_ATTRIBUTES (this is always passed as the 3rd parameter to any open/create object call, ZwOpenProcess as well), but this will work only if the OBJ_EXCLUSIVE flag was set when the object was created. Otherwise you get STATUS_INVALID_PARAMETER, or, if the handle is already opened by another process, you get STATUS_ACCESS_DENIED. But because processes are always created without the OBJ_EXCLUSIVE flag, you cannot open a handle to them exclusively (not to mention that csrss.exe for the process's session already has an open handle to your process).

Upvotes: 4
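Both answers point at the same kernel-mode mechanism: an ObRegisterCallbacks pre-operation callback that strips the suspend/resume rights from DesiredAccess for any caller other than the protecting process. The following is an added example, not code from either answerer: the access-mask policy is plain C that any compiler builds, and the ObRegisterCallbacks glue (compiled only under the WDK, where `_KERNEL_MODE` is defined) wires it into the callback. The globals `g_protected` and `g_owner_pid`, the altitude string and the helper names are assumptions for illustration, and it only covers user-mode callers, as the second answer notes.

```c
#include <stdint.h>
#include <stdbool.h>
/* Access-right bits from the Windows SDK (winnt.h), defined here so the policy
 * compiles with any C compiler; the kernel glue below builds only under the WDK. */
#define PROCESS_SUSPEND_RESUME_BIT 0x0800u
#define THREAD_SUSPEND_RESUME_BIT  0x0002u
#define THREAD_RESUME_BIT          0x1000u
enum { KIND_PROCESS = 0, KIND_THREAD = 1 };
/* Policy: for a handle to the protected process (or one of its threads) from any
 * caller other than the owner, drop the suspend/resume rights and keep the rest. */
static uint32_t strip_suspend_resume(uint32_t desired, int kind,
                                     bool target_is_protected, bool caller_is_owner)
{
    if (!target_is_protected || caller_is_owner) return desired;
    if (kind == KIND_PROCESS) return desired & ~PROCESS_SUSPEND_RESUME_BIT;
    return desired & ~(THREAD_SUSPEND_RESUME_BIT | THREAD_RESUME_BIT);
}
#ifdef _KERNEL_MODE /* WDK build: plug the policy into an ObRegisterCallbacks pre-op */
#include <ntddk.h>
static PVOID g_reg;           /* for ObUnRegisterCallbacks at unload */
static PEPROCESS g_protected; /* assumption: set by the driver's control path */
static HANDLE g_owner_pid;    /* assumption: PID that keeps full access */
static OB_PREOP_CALLBACK_STATUS pre_op(PVOID ctx, POB_PRE_OPERATION_INFORMATION info)
{
    UNREFERENCED_PARAMETER(ctx);
    if (info->KernelHandle) return OB_PREOP_SUCCESS; /* kernel callers: out of scope */
    int kind = (info->ObjectType == *PsProcessType) ? KIND_PROCESS : KIND_THREAD;
    PEPROCESS target = (kind == KIND_PROCESS) ? (PEPROCESS)info->Object
                                              : PsGetThreadProcess((PETHREAD)info->Object);
    PACCESS_MASK mask = (info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &info->Parameters->CreateHandleInformation.DesiredAccess
        : &info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *mask = strip_suspend_resume(*mask, kind, target == g_protected,
                                 PsGetCurrentProcessId() == g_owner_pid);
    return OB_PREOP_SUCCESS;
}
/* Create+duplicate on process and thread objects; the driver must be linked with
 * /INTEGRITYCHECK or ObRegisterCallbacks fails with STATUS_ACCESS_DENIED. */
static NTSTATUS register_filter(void)
{
    OB_OPERATION_REGISTRATION ops[2] = {0};
    ops[0].ObjectType = PsProcessType; ops[0].PreOperation = pre_op;
    ops[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    ops[1] = ops[0]; ops[1].ObjectType = PsThreadType;
    OB_CALLBACK_REGISTRATION reg = {0};
    reg.Version = OB_FLT_REGISTRATION_VERSION; reg.OperationRegistrationCount = 2;
    RtlInitUnicodeString(&reg.Altitude, L"321000"); reg.OperationRegistration = ops;
    return ObRegisterCallbacks(&reg, &g_reg);
}
#endif
```

Handles that were opened before the driver loaded, or that are held by csrss.exe as the second answer mentions, are not affected by a pre-operation callback.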
