Suspend specific process on launch C#

Question

0.00/5 (No votes)

See more:

In an attempt to inject a DLL into a process before it calls a specific method, I am trying to suspend a process while it is being created.

Alternatively I am trying to do a system wide hook of CreateFile, located in kernel32.dll. If that is possible it would be even better since that was the end result intended.

Old Questioin: I am looking to suspend a process as soon as it is created but before it is started. But I don't want to have to launch the process suspended manually.

I want to be able to double click any .exe, and if it has a specific process name(Or if it's metadata matches), I want to be able to suspend it before it starts.

I looked at "Hooking the native API and controlling process creation on a system-wide basis", but it doesn't seem to work on my system, Windows 7 x64... I am terrible at C and I was hoping for a C# alternative? I don't even know if that is possible...

And a side question. If I self sign my program, will an antivirus be set off by a driver and DLL injection? (This is not for malicious intent, see here for more information.) I am only worried about self signing and AV because most users freak out about that type of thing.

Posted 9-Nov-11 3:18am

KairuByte

Updated 13-Nov-11 9:38am

v5

Add a Solution

2 solutions

Solution 1

Pretty sure as described that is impossible.

"Suspend" only applies to a process that is running. If it hasn't started then it can't be running.

Posted 9-Nov-11 11:40am

jschell

Comments

KairuByte 9-Nov-11 17:44pm

You can create a process in suspended state. Hooking specific methods could potentially force any file to start in a suspended state, I just have no clue what methods.

Not impossible, just difficult.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Ashraf Hussain Chowdhury · Accepted Answer · 2013-07-16T01:22:00

You can create a process in suspended using the api CreateProcess with CREATE_SUSPENDED flag in dwCreationFlags parameter. This is the link of the CreateProcess documentation link http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx and after your injection is done you can resume the thread for the application to load properly with the function hooked. However, when you create a process this way, not all the dlls are loaded except the ntdll.dll and your hooking engine might fail. In that case you have to monitor the process and when the required dlls are loaded you can suspend it, hook the methods and resume the threads.To monitor the process, you have two options, periodically theck the loaded modules or use a driver to get notification of modules loaded for a process.