Suspend Process Except 1

Roswell_r
Posts: 4
Joined: Sat Feb 17, 2007 3:25 am

Suspend Process Except 1

Post by Roswell_r »

Is it possible to suspend threads/processes bar your own application? Unfortunately I don't know the ins and outs of Windows, so I'm guessing maybe a few threads would need to be kept running.

I have read up about SuspendThread and ResumeThread and know that I can't suspend a thread which has a critical section/semaphore and I would have to use WaitForSingleObject or something.

I was hoping you would have some insight into something like this. I'm curious as to how Windows Vista does its dull screen, and GUI with the little dialog on what option to take, the infamous (allow/disallow).

So far the idea is to check all threads and remove ones used for my program. Then suspend all threads or wait for a specific time before forcing a suspend.

Any insight madshi?

Thanks!!!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Usually suspending threads of other unknown processes is very dangerous. You can even end up locking up the whole OS. Is there no other way to realize your aim? What are you trying to achieve?
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Post by dcsoft »

madshi wrote: Usually suspending threads of other unknown processes is very dangerous. You can even end up locking up the whole OS. Is there no other way to realize your aim? What are you trying to achieve?

I have a reason: I want to programmatically TerminateProcess() a process that is suspected of being malware. But since the malware might have created other processes which watch for the termination of that process (perhaps using WaitForSingleObject), I need to suspend all the suspected processes, and then TerminateProcess() each of them once they're suspended, so none of them can restart the other ones. This is what the SysInternals guys (Russinovich) recommend. Their Process Explorer has a Suspend Process function. But there is no SuspendProcess() Windows API. The closest is SuspendThread().

So I gather I have to iterate the threads, using CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD), and call SuspendThread() for each thread in each suspected process. I can't see how this could cause deadlock or other problems since we are going to terminate these processes anyway. In particular, how could it crash the entire OS?

Much thanks,
David
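The two-phase sequence described above (snapshot the threads, suspend every thread of each suspect, and only then terminate), as an added Delphi example that is not code from this thread or from madshi's packages. `SuspendThenTerminate` and `IsTargetPid` are assumed names; the caller supplies the list of suspected PIDs, and the local `OpenThread` declaration is only there for Delphi versions whose Windows unit does not import it.

```delphi
uses Windows, TlHelp32, SysUtils;
// Declared locally because older Delphi versions do not import OpenThread.
function OpenThread(dwDesiredAccess: DWORD; bInheritHandle: BOOL;
  dwThreadId: DWORD): THandle; stdcall; external kernel32 name 'OpenThread';
function IsTargetPid(Pid: DWORD; const Targets: array of DWORD): Boolean;
var
  i: Integer;
begin
  Result := False;
  if Pid = GetCurrentProcessId then Exit;  // never touch our own process
  for i := Low(Targets) to High(Targets) do
    if Targets[i] = Pid then begin Result := True; Exit; end;
end;
// Phase 1: freeze every thread of every suspect. Phase 2: terminate them.
// Returns the number of threads suspended in phase 1.
function SuspendThenTerminate(const Targets: array of DWORD): Integer;
var
  Snap, h: THandle;
  te: TThreadEntry32;
  i: Integer;
begin
  Result := 0;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // all threads, system-wide
  if Snap = INVALID_HANDLE_VALUE then RaiseLastOSError;
  try
    te.dwSize := SizeOf(te);
    if Thread32First(Snap, te) then
      repeat
        if IsTargetPid(te.th32OwnerProcessID, Targets) then begin
          h := OpenThread(THREAD_SUSPEND_RESUME, False, te.th32ThreadID);
          if h <> 0 then begin
            if SuspendThread(h) <> DWORD(-1) then Inc(Result);
            CloseHandle(h);
          end;
        end;
      until not Thread32Next(Snap, te);
  finally
    CloseHandle(Snap);
  end;
  // Only now terminate: a suspended watchdog cannot respawn its sibling.
  for i := Low(Targets) to High(Targets) do
    if IsTargetPid(Targets[i], Targets) then begin
      h := OpenProcess(PROCESS_TERMINATE, False, Targets[i]);
      if h <> 0 then begin
        TerminateProcess(h, 1);
        CloseHandle(h);
      end;
    end;
end;
```

The snapshot is a point-in-time copy, so a thread created after it is taken is missed; repeating the snapshot until a pass suspends nothing new closes that gap before phase 2.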
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

It shouldn't crash the whole OS. Furthermore, if you first suspend some threads and then terminate the whole process right after that, risk is reduced somewhat. The general problem with suspending threads is that if the suspended thread owns e.g. a mutex, this mutex is locked forever - until you either resume the thread or terminate it. Since you plan to terminate it, anyway, as I said: The risk is reduced.
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Post by dcsoft »

Thanks Madshi.