Suspending and Resuming Processes

WinArk/ProcessTable.cpp

@@ -25,6 +25,8 @@ NtSuspendProcess(
 	_In_ HANDLE ProcessHandle
 );
 
+extern "C" NTSTATUS NtResumeProcess(_In_ HANDLE ProcessHandle);
+
 CProcessTable::CProcessTable(BarInfo& bars,TableInfo& table)
 	:CTable(bars,table){
 	SetTableWindowInfo(bars.nbar);
@@ -286,6 +288,35 @@ LRESULT CProcessTable::OnProcessKill(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*
 	return 0;
 }
 
+LRESULT CProcessTable::OnProcessResume(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) {
+	int selected = m_Table.data.selected;
+	ATLASSERT(selected >= 0);
+	auto& p = m_Table.data.info[selected];
+
+	CString text;
+	text.Format(L"恢复进程: %u (%ws)?", p->Id, p->GetImageName().c_str());
+	if (AtlMessageBox(*this, (PCWSTR)text, IDS_TITLE, MB_ICONWARNING | MB_OKCANCEL | MB_DEFBUTTON2) == IDCANCEL)
+		return 0;
+
+	auto hProcess = DriverHelper::OpenProcess(p->Id, PROCESS_SUSPEND_RESUME);
+	BOOL ok = false;
+	NTSTATUS status = STATUS_UNSUCCESSFUL;
+	if (hProcess) {
+		status = NtResumeProcess(hProcess);
+		if (NT_SUCCESS(status))
+			ok = true;
+		::CloseHandle(hProcess);
+	}
+
+	if (!ok) {
+		AtlMessageBox(*this, L"Failed to suspend process", IDS_TITLE, MB_ICONERROR);
+	}
+	else {
+		Refresh();
+	}
+	return 0;
+}
+
 LRESULT CProcessTable::OnProcessSuspend(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/) {
 	int selected = m_Table.data.selected;
 	ATLASSERT(selected >= 0);

WinArk/ProcessTable.h

@@ -30,8 +30,9 @@ class CProcessTable
 		MESSAGE_HANDLER(WM_KEYDOWN,OnKeyDown)
 		MESSAGE_HANDLER(WM_SYSKEYDOWN, OnSysKeyDown)
 		MESSAGE_HANDLER(WM_GETDLGCODE, OnGetDlgCode)
-		//MESSAGE_HANDLER(WM_SIZE,OnSize)
 		COMMAND_ID_HANDLER(ID_PROCESS_KILL,OnProcessKill)
+		COMMAND_ID_HANDLER(ID_PROCESS_SUSPEND,OnProcessSuspend)
+		COMMAND_ID_HANDLER(ID_PROCESS_RESUME,OnProcessResume)
 		COMMAND_ID_HANDLER(ID_PROCESS_REFRESH, OnProcessRefresh)
 		COMMAND_ID_HANDLER(ID_PROCESS_MODULES,OnProcessModules)
 		COMMAND_ID_HANDLER(ID_PROCESS_PROPERTIES,OnProcessProperties)
@@ -82,6 +83,7 @@ class CProcessTable
 	LRESULT OnProcessMemory(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);
 	LRESULT OnProcessInlineHookScan(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);
 	LRESULT OnProcessSuspend(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);
+	LRESULT OnProcessResume(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);
 	LRESULT OnProcessEATHookScan(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);
 	LRESULT OnProcessVadInfo(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);
 	LRESULT OnProcessDump(WORD /*wNotifyCode*/, WORD /*wID*/, HWND /*hWndCtl*/, BOOL& /*bHandled*/);

WinArk/WinArk.rc

@@ -577,6 +577,8 @@ BEGIN
     BEGIN
         MENUITEM "Refresh",                     ID_PROCESS_REFRESH
         MENUITEM "&Kill",                       ID_PROCESS_KILL
+        MENUITEM "Resume",                      ID_PROCESS_RESUME
+        MENUITEM "Suspend",                     ID_PROCESS_SUSPEND
         MENUITEM "Properties",                  ID_PROCESS_PROPERTIES
         MENUITEM "Go to File Location",         ID_PROCESS_GOTOFILELOCATION
         POPUP "Details"

WinArk/resource.h

@@ -471,13 +471,16 @@
 #define ID_INLINEHOOK_REFRESH_ALL       33017
 #define ID_KERNEL_INLINEHOOKSCAN        33018
 #define ID_KERNEL_INLINE_HOOK_SCAN      33019
+#define ID_PROCESS_RESUME               33020
+#define ID_PROCESS_SUS                  33021
+#define ID_PROCESS_SUSPEND              33022
 
 // Next default values for new objects
 // 
 #ifdef APSTUDIO_INVOKED
 #ifndef APSTUDIO_READONLY_SYMBOLS
 #define _APS_NEXT_RESOURCE_VALUE        306
-#define _APS_NEXT_COMMAND_VALUE         33020
+#define _APS_NEXT_COMMAND_VALUE         33023
 #define _APS_NEXT_CONTROL_VALUE         1126
 #define _APS_NEXT_SYMED_VALUE           101
 #endif