Ulong proc_min_address_l = (ulong)proc_min_address
UIntPtr proc_max_address = sys_info.maximumApplicationAddress
UIntPtr proc_min_address = sys_info.minimumApplicationAddress
SYSTEM_INFO sys_info = new SYSTEM_INFO()
int error = Marshal.GetLastWin32Error()
UIntPtr processHandle = OpenProcess(new UIntPtr(PROCESS_QUERY_INFORMATION | PROCESS_WM_READ), false, new UIntPtr((uint)process.Id))
("Return Value: " + suspendreturnvalue.ToString())
UIntPtr suspendreturnvalue = NtSuspendProcess(processSuspendResumeHandle)
UIntPtr processSuspendResumeHandle = OpenProcess(new UIntPtr(PROCESS_SUSPEND_RESUME), false, new UIntPtr((uint)process.Id))
Process process = Process.GetProcessById(int.Parse(DataGridView_.ToString()))
Private void Button_Extract_Click(object sender, EventArgs e)
Static extern bool CloseHandle(UIntPtr hObject)
Static extern UIntPtr VirtualQueryEx(UIntPtr hProcess, UIntPtr lpAddress, out MEMORY_BASIC_INFORMATION64 lpBuffer, UIntPtr dwLength)
Static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo)
Public static extern bool ReadProcessMemory(UIntPtr hProcess, UIntPtr lpBaseAddress, byte lpBuffer, UIntPtr dwSize, out UIntPtr lpNumberOfBytesRead)
Public static extern UIntPtr OpenProcess(UIntPtr dwDesiredAccess, bool bInheritHandle, UIntPtr dwProcessId)
Private static extern UIntPtr NtResumeProcess(UIntPtr processHandle)
Private static extern UIntPtr NtSuspendProcess(UIntPtr processHandle)
How do I even go about debugging this problem from this point? Where do I start? Below are some code snippets from my memory scanner:
const uint PROCESS_SUSPEND_RESUME = 0x0800
const uint PROCESS_QUERY_INFORMATION = 0x0400
Which might mean the original Suspend message isn't being consumed properly. This explains the Suspend Count incrementing when it should be decrementing. Somehow, the message to suspend is being duplicated, and being released when resume is called.
When the program has a file open, it fails to suspend, and increments the Suspend Count on attempts to resume. So yes, with my memory scanner and Process Explorer, when this program has no files open, it suspends and resumes normally. Figuring it was a bug in my scanner, I tried suspending the program, once again when a file is opened, using Process Explorer; it flashes "Suspended" very briefly. I looked under Suspend Count for the threads associated with the process, and it increments just fine when I tell Process Explorer to suspend it, but when I tell Process Explorer to resume the process, it increments the Suspend Count (you read that right, it INCREMENTS it). The funny thing is, I have this program (do not have access to the source) which, once a file is opened, refuses to suspend. I am using NtSuspendProcess at this point to attempt to achieve this end. Before scanning a program (read: live program), it is supposed to suspend the process. I have adapted a 32-bit memory scanner in C# to 64-bit.