I'm using madCHook 3.1.2
My objective is to protect the main application from being terminated, using the following hooks:
- HookAPI("kernel32.dll", "TerminateProcess", TerminateProcessCallback, (PVOID*) &TerminateProcessNext);
- HookAPI("ntdll.dll", "NtTerminateProcess", NtTerminateProcessCallback, (PVOID*) &NtTerminateProcessNext);
- HookAPI("ntdll.dll", "NtSuspendProcess", NtSuspendProcessCallback, (PVOID*) &NtSuspendProcessNext);
- HookAPI("ntdll.dll", "NtDebugActiveProcess", NtDebugActiveProcessCallback, (PVOID*) &NtDebugActiveProcessNext);
- HookAPI("kernel32.dll", "TerminateThread", TerminateThreadCallback, (PVOID*) &TerminateThreadNext);
- HookAPI("User32.dll", "ExitWindowsEx", ExitWindowsExCallback, (PVOID*) &ExitWindowsExNext);
and to get the process name/ID I use
- ProcessIdToFileNameA(ProcessHandleToId(hProcess), tr.szProcess2, bufLenInChars);
- ThreadHandleToId
and the following code to obtain a process handle from a thread ID:
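/*
 * Resolve the process that owns thread `hThreadID` and open a handle to it.
 *
 * Walks a Toolhelp thread snapshot looking for the thread ID and, on a match,
 * opens the owning process with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
 * (least privilege for a name/ID lookup such as ProcessIdToFileNameA).
 *
 * hThreadID: a thread ID (e.g. from ThreadHandleToId) -- not a handle,
 *            despite the name. 0 is rejected.
 * Returns:   a process handle that the CALLER must CloseHandle(), or NULL if
 *            the ID is 0, the snapshot could not be taken, no thread matched,
 *            or OpenProcess failed (GetLastError() is left as set by the API).
 *
 * Fixes versus the previous version:
 *  - The access mask was written with `||` (logical OR). That expression
 *    evaluates to 1, and on Windows 1 is PROCESS_TERMINATE -- so the handle
 *    carried terminate rights and no query/read rights at all, the opposite of
 *    what a name lookup needs. The mask now uses bitwise `|`.
 *  - The snapshot handle leaked when Thread32First failed or when no thread
 *    matched; it is now closed on every exit path after it was acquired.
 *
 * NOTE(review): the __except handler swallows every exception (including
 * access violations) and reports NULL; that hides crashes inside a hook
 * callback rather than surfacing them -- confirm this is intended.
 */
HANDLE GetProcessHandle(DWORD hThreadID)
{
    HANDLE hProcess = NULL;
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    THREADENTRY32 te;

    __try
    {
        /* Nothing acquired yet on these two paths, so returning early is safe. */
        if (hThreadID == 0)
            return NULL;

        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if (hSnapshot == INVALID_HANDLE_VALUE)
            return NULL;

        /* dwSize must be initialised before the first Thread32First call. */
        te.dwSize = sizeof(te);
        if (Thread32First(hSnapshot, &te))
        {
            do
            {
                if (te.th32ThreadID == hThreadID)
                {
                    /* Bitwise `|`, not `||`: the latter collapses the mask to 1
                     * == PROCESS_TERMINATE. Query + VM read is all we need. */
                    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                           FALSE,
                                           te.th32OwnerProcessID);
                    break;
                }
            } while (Thread32Next(hSnapshot, &te));
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        hProcess = NULL;
    }

    /* Single cleanup point: the snapshot is released whether or not a match
     * was found, including when Thread32First failed or an exception fired. */
    if (hSnapshot != INVALID_HANDLE_VALUE)
        CloseHandle(hSnapshot);

    return hProcess;
}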
With this in place, sometimes when I start another process (via ShellExecute, CreateProcess, etc.) the new process's main thread is left suspended.
This happens very often on x64, and sometimes on x86.
What can I do about this? If you have any ideas, please help.