Get an Exclusive Process Handler

Question

Get an Exclusive Process Handler

I am writing an application in C # and C ++ / CLI and I have code that pauses processes. However, I want them not to be suspended by another process (e.g. Process Explorer). Is it possible to get an exclusive process descriptor or in some way block other applications from performing this operation? And if so, how?

+4

c ++ c # winapi

333 Jun 12 '17 at 20:34

source share

2 answers

RbMm · Answer 1 · 2017-06-13T09:20:22+0000

this cannot be done from user mode.

any process that has SE_DEBUG_PRIVILEGE, included in the token, can open the process / thread handler with all access (only if it is not protected by the process).

ObRegisterCallbacks /. , deny handle open remove PROCESS_SUSPEND_RESUME, THREAD_SUSPEND_RESUME THREAD_RESUME from DesiredAccess OB_PRE_CREATE_HANDLE_INFORMATION. api PsResumeProcess.

. OBJ_EXCLUSIVE OBJECT_ATTRIBUTES ( 3- / - ZwOpenProcess), , OBJ_EXCLUSIVE , . STATUS_INVALID_PARAMETER , STATUS_ACCESS_DENIED. OBJ_EXCLUSIVE - ( , csrss.exe, , )

PspSetProcessPpmPolicy · Answer 2 · 2018-01-18T21:58:32+0000

NtResumeProcess NtResumeThread, NTDLL. , , , , - STATUS_ACCESS_DENIED NTSTATUS, .

- . - ObRegisterCallbacks, PROCESS_SUSPEND_RESUME , .

, , . , Microsoft API-, MS Detours. ObRegisterCallbacks , , ( , ).

.

Get an Exclusive Process Handler

More articles: