process will be suspended when hook NTTerminate and etc...

power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am


Post by power888 »

Hi madshi,

I'm using madCHook 3.1.2.

My objective is to protect the main application from being terminated, using the following hooks:
- HookAPI("kernel32.dll", "TerminateProcess", TerminateProcessCallback, (PVOID*) &TerminateProcessNext);
- HookAPI("ntdll.dll", "NtTerminateProcess", NtTerminateProcessCallback, (PVOID*) &NtTerminateProcessNext);
- HookAPI("ntdll.dll", "NtSuspendProcess", NtSuspendProcessCallback, (PVOID*) &NtSuspendProcessNext);
- HookAPI("ntdll.dll", "NtDebugActiveProcess", NtDebugActiveProcessCallback, (PVOID*) &NtDebugActiveProcessNext);
- HookAPI("kernel32.dll", "TerminateThread", TerminateThreadCallback, (PVOID*) &TerminateThreadNext);
- HookAPI("User32.dll", "ExitWindowsEx", ExitWindowsExCallback, (PVOID*) &ExitWindowsExNext);

and to get the process name/id I use
- ProcessIdToFileNameA(ProcessHandleToId(hProcess), tr.szProcess2, bufLenInChars);
- ThreadHandleToId
and the following source for getting a process handle from a thread ID:

Code:

```cpp
#include <windows.h>
#include <tlhelp32.h>

// Walks a Toolhelp thread snapshot to find the process that owns hThreadID
// and returns a handle to that process (NULL on failure).
HANDLE GetProcessHandle(DWORD hThreadID)
{
    HANDLE hThreads;
    HANDLE hProcess = NULL;
    THREADENTRY32 te;

    __try
    {
        if (hThreadID == 0)
            return NULL;

        hThreads = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if (hThreads == INVALID_HANDLE_VALUE)
            return NULL;

        te.dwSize = sizeof(te);
        if (!Thread32First(hThreads, &te))
        {
            CloseHandle(hThreads);   // don't leak the snapshot on failure
            return NULL;
        }

        do {
            if (te.th32ThreadID == hThreadID)
            {
                // bitwise OR of the access flags ('||' would collapse them to 1)
                hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                       FALSE,
                                       te.th32OwnerProcessID);
                break;
            }
        } while (Thread32Next(hThreads, &te));

        CloseHandle(hThreads);   // close the snapshot on every path, found or not
        return hProcess;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return NULL;
    }
}
```


In this case, sometimes, when I try to execute some process using ShellExecute or CreateProcess etc., that process's main thread gets suspended.
This happens very often on x64, and sometimes on x86.

What can I do?
If you have any idea, please help me...
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: process will be suspended when hook NTTerminate and etc.

Post by madshi »

First of all make sure that you check if the process/thread handle is "0" or "-1" before doing anything with it. Those are special cases which you should handle with extra code. Then, don't do ThreadHandleToId + toolhelp. Instead you can use NtQueryInformationThread(ThreadBasicInformation) to directly get the process id that belongs to the thread handle. Why do you need to open the process, if you have a thread handle, btw?

In any case, I'd suggest that you comment out all your HookAPI() calls and put them back in one by one to identify which of the HookAPI() calls is responsible for the suspended process. Finding that out will narrow down the amount of code you have to check/rework to fix the problem.
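The two pieces of advice above (treat 0 / -1 as special before touching the handle; resolve a thread handle straight to its owner PID with NtQueryInformationThread(ThreadBasicInformation) instead of a Toolhelp walk plus OpenProcess) as one added C example. This is not madshi's code and not part of madCodeHook: the handle classifier, the names classify_handle / handle_is_self / ThreadHandleToOwnerPid, the locally declared HOOK_THREAD_BASIC_INFORMATION struct (winternl.h does not expose it; the layout is the public ntdll one, with ThreadBasicInformation being class 0) and the treatment of (HANDLE)-2 as the GetCurrentThread() pseudo-handle are all assumptions of this example. The Windows-specific part is under #ifdef _WIN32; the classifier is portable.

```c
#include <stdint.h>

/* Pseudo-handle values a terminate/suspend hook can receive instead of a real
 * handle: NtTerminateProcess treats a NULL handle as the calling process,
 * GetCurrentProcess() returns (HANDLE)-1 and GetCurrentThread() returns
 * (HANDLE)-2. None of these can be resolved like a real handle, so a hook
 * callback must special-case them before calling any NtQueryInformation* API.
 * (Assumed names; example code, not madCodeHook's.) */
typedef enum {
    HK_NULL,             /* 0: the caller's own process (Nt* semantics) */
    HK_CURRENT_PROCESS,  /* (HANDLE)-1                                  */
    HK_CURRENT_THREAD,   /* (HANDLE)-2                                  */
    HK_REAL              /* a real handle that must be queried          */
} handle_kind;

handle_kind classify_handle(intptr_t h)
{
    if (h == 0)  return HK_NULL;
    if (h == -1) return HK_CURRENT_PROCESS;
    if (h == -2) return HK_CURRENT_THREAD;
    return HK_REAL;
}

/* Non-zero when the handle refers to the calling process itself, so the hook
 * can short-circuit (the target is "me") without any handle lookup. */
int handle_is_self(intptr_t h)
{
    return classify_handle(h) != HK_REAL;
}

#ifdef _WIN32
#include <windows.h>

/* Output of ThreadBasicInformation (class 0), declared here because
 * winternl.h does not expose it. Assumed to match the public ntdll layout. */
typedef struct {
    LONG      ExitStatus;
    PVOID     TebBaseAddress;
    struct { HANDLE UniqueProcess; HANDLE UniqueThread; } ClientId;
    ULONG_PTR AffinityMask;
    LONG      Priority;
    LONG      BasePriority;
} HOOK_THREAD_BASIC_INFORMATION;

typedef LONG (NTAPI *NtQueryInformationThread_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Resolves a thread handle to the PID of its owning process without a Toolhelp
 * snapshot and without OpenProcess. Returns 0 on failure. The PID can then be
 * passed to ProcessIdToFileName for the name comparison. */
DWORD ThreadHandleToOwnerPid(HANDLE hThread)
{
    if (handle_is_self((intptr_t)hThread))
        return GetCurrentProcessId();

    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQueryInformationThread_t pNtQueryInformationThread =
        (NtQueryInformationThread_t)GetProcAddress(ntdll, "NtQueryInformationThread");
    if (!pNtQueryInformationThread)
        return 0;

    HOOK_THREAD_BASIC_INFORMATION tbi;
    ULONG returned = 0;
    LONG status = pNtQueryInformationThread(hThread, 0 /* ThreadBasicInformation */,
                                            &tbi, sizeof(tbi), &returned);
    if (status < 0)   /* NT_SUCCESS(status) is status >= 0 */
        return 0;
    return (DWORD)(ULONG_PTR)tbi.ClientId.UniqueProcess;
}
#endif
```

Inside a TerminateThread/NtTerminateProcess callback the call order would be: classify the handle, return early (or deny) for the pseudo-handles, and only for HK_REAL call ThreadHandleToOwnerPid (or ProcessHandleToId for a process handle) and then ProcessIdToFileName. The handle needs only THREAD_QUERY_LIMITED_INFORMATION-class access for this query, which is why no OpenProcess is required.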
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: process will be suspended when hook NTTerminate and etc.

Post by power888 »

Thanks for your kind reply.

I have another question.
1. You commented: [don't do ThreadHandleToId + toolhelp. Instead you can use NtQueryInformationThread(ThreadBasicInformation) to directly get the process id that belongs to the thread handle.]
==> Do you mean don't use ThreadHandleToId or the *Toolhelp functions, and use NtQueryInformationThread instead?
Or don't use ThreadHandleToId and *Toolhelp (BOTH)?

2. After the hook DLL is started, if I try to execute some process using ShellExecute or CreateProcess, this process is sometimes immediately suspended (so no DLL is attached to this process).
So I want to know how to prevent a newly started process from being suspended.

3. The reason for getting the process ID and process name even if the thread handle is already known is:
==> my objective is to protect certain processes of mine from being killed.
So, when a thread or process is about to be terminated, I first get the process name and compare it with my target process name.
If the process name matches, I deny the thread or process termination.

best regards
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: process will be suspended when hook NTTerminate and etc.

Post by madshi »

power888 wrote: 1. You commented: [don't do ThreadHandleToId + toolhelp. Instead you can use NtQueryInformationThread(ThreadBasicInformation) to directly get the process id that belongs to the thread handle.]
==> Do you mean don't use ThreadHandleToId or the *Toolhelp functions, and use NtQueryInformationThread instead?
Or don't use ThreadHandleToId and *Toolhelp (BOTH)?
Of course you can use both ThreadHandleToId and the toolhelp functions. Neither of them are "bad". But if you just want to know which process a thread handle belongs to, using NtQueryInformationThread is the better approach. It will give you the process ID the thread handle belongs to, and then you can use ProcessIdToFileName.
power888 wrote: 2. After the hook DLL is started, if I try to execute some process using ShellExecute or CreateProcess, this process is sometimes immediately suspended (so no DLL is attached to this process).
So I want to know how to prevent a newly started process from being suspended.
I don't understand this question.
power888 wrote: 3. The reason for getting the process ID and process name even if the thread handle is already known is:
==> my objective is to protect certain processes of mine from being killed.
So, when a thread or process is about to be terminated, I first get the process name and compare it with my target process name.
If the process name matches, I deny the thread or process termination.
Yes, ok, you need the process ID, but why are you calling OpenProcess()? You don't need OpenProcess() to get the process name.
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: process will be suspended when hook NTTerminate and etc.

Post by power888 »

Thanks for the reply.

OK, I see.

My problem is this:
1) I hooked NtTerminateProcess, NtSuspendProcess, TerminateThread etc. to protect my application from being killed.
2) But after hooking, when I try to execute some other executable file using ShellExecute or CreateProcess, this process is sometimes immediately suspended.
3) So I want to know how to prevent the new process from being suspended.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: process will be suspended when hook NTTerminate and etc.

Post by madshi »

As I said before, remove all your HookAPI() calls, then put them back in one by one. This way you should be able to find out which of your API hooks is responsible for the problem. That's the first step...
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: process will be suspended when hook NTTerminate and etc.

Post by power888 »

Thanks. I will check it.