added suspend thread methods
erfg12 committed Jan 7, 2022
1 parent d3d0720 commit af32b27
Showing 4 changed files with 57 additions and 19 deletions.
4 changes: 0 additions & 4 deletions Memory/Memory.csproj
Expand Up @@ -47,8 +47,4 @@
<None Include="build\**" Pack="True" PackagePath="build\" />
</ItemGroup>

<ItemGroup>
<PackageReference Include="System.Security.Principal.Windows" Version="5.0.0" />
</ItemGroup>

</Project>
4 changes: 2 additions & 2 deletions Memory/Structures/Imports.cs
Expand Up @@ -35,8 +35,8 @@ public static extern UIntPtr Native_VirtualQueryEx(IntPtr hProcess, UIntPtr lpAd

[DllImport("kernel32.dll")]
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")]
public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern int ResumeThread(IntPtr hThread);

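Review bot: Only the SuspendThread import carries `SetLastError = true`; OpenThread and ResumeThread, declared on either side of it, still lack the attribute, so `Marshal.GetLastWin32Error()` after a failed OpenThread (which can fail when the caller lacks rights on the target thread) is not reliable. Give those two the same declaration, `[DllImport("kernel32.dll", SetLastError = true)]`. Assuming the `int` signature is the new side, the native DWORD failure value `(DWORD)-1` is being read as a signed `-1`, which deserves a one-line comment such as `// returns the previous suspend count, or -1 on failure` so the signed type is not "corrected" back to `uint` later.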
4 changes: 0 additions & 4 deletions Memory/codesign.bat

This file was deleted.

64 changes: 55 additions & 9 deletions Memory/memory.cs
Expand Up @@ -65,10 +65,10 @@ public UIntPtr VirtualQueryEx(IntPtr hProcess, UIntPtr lpAddress, out MEMORY_BAS
/// <param name="FailReason">Show reason open process fails</param>
public bool OpenProcess(int pid, out string FailReason)
{
if (!IsAdmin())
/*if (!IsAdmin())
{
Debug.WriteLine("WARNING: This program may not be running with raised privileges! Visit https://github.com/erfg12/memory.dll/wiki/Administrative-Privileges");
}
}*/

if (pid <= 0)
{
Expand Down Expand Up @@ -163,11 +163,7 @@ public bool OpenProcess(int pid)
return OpenProcess(pid, out string FailReason);
}

/// <summary>
/// Check if program is running with administrative privileges. Read about it here: https://github.com/erfg12/memory.dll/wiki/Administrative-Privileges
/// </summary>
/// <returns></returns>
public bool IsAdmin()
/*public bool IsAdmin()
{
try
{
Expand All @@ -182,7 +178,7 @@ public bool IsAdmin()
Debug.WriteLine("ERROR: Could not determin if program is running as admin. Is the NuGet package \"System.Security.Principal.Windows\" missing?");
return false;
}
}
}*/

/// <summary>
/// Builds the process modules dictionary (names with addresses).
Expand Down Expand Up @@ -1007,7 +1003,57 @@ public bool DumpMemory(string file = "dump.dmp")
return true;
}


/// <summary>
/// get a list of available threads in opened process
/// </summary>
public void GetThreads()
{
if (mProc.Process == null)
{
Debug.WriteLine("mProc.Process is null so GetThreads failed.");
return;
}

foreach (ProcessThread thd in mProc.Process.Threads)
{
Debug.WriteLine("ID:" + thd.Id + " State:" + thd.ThreadState + " Address:" + thd.StartAddress + " Priority:" + thd.PriorityLevel);
}
}

/// <summary>
/// suspend a thread by ID
/// </summary>
/// <param name="ThreadID">the thread you wish to suspend by ID</param>
/// <returns></returns>
public bool SuspendThreadByID(int ThreadID)
{
foreach (ProcessThread thd in mProc.Process.Threads)
{
if (thd.Id != ThreadID)
continue;
else
Debug.WriteLine("Found thread " + ThreadID);

IntPtr threadHandle = OpenThread(ThreadAccess.SUSPEND_RESUME, false, (uint)ThreadID);

if (threadHandle == IntPtr.Zero)
break;

if (SuspendThread(threadHandle) == -1)
{
Debug.WriteLine("Thread failed to suspend");
CloseHandle(threadHandle);
break;
}
else
{
Debug.WriteLine("Thread suspended!");
CloseHandle(threadHandle);
return true;
}
}
return false;
}

}
}
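Review bot: SuspendThreadByID dereferences `mProc.Process.Threads` without the null check that GetThreads performs just above it, so calling it before a process is opened throws instead of returning false; add `if (mProc.Process == null) return false;` at the top. The OpenThread failure path leaves the loop with a bare `break` and no diagnostic, and with the IsAdmin warning commented out in OpenProcess earlier in this file, an access-denied failure now looks the same to the caller as an unknown thread ID; log it, e.g. `Debug.WriteLine("OpenThread failed for thread " + ThreadID);`. The `SetLastError = true` added to the SuspendThread import is never read, so the `-1` branch could report `System.Runtime.InteropServices.Marshal.GetLastWin32Error()` alongside "Thread failed to suspend". No resume counterpart is visible in this commit even though ResumeThread is already imported, so a caller has no way shown here to undo a suspension it requested.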
