暂停启动C＃的特定进程 [英] Suspend specific process on launch C#

问题描述

在尝试在调用特定方法之前将DLL注入进程时，我试图在创建进程时挂起进程。



或者我正在尝试在kernel32.dll中创建一个系统范围的CreateFile钩子。如果这是可能的话会更好，因为那是预期的最终结果。





Old Questioin：我希望暂停进程一旦创建但在启动之前。但是我不想手动启动这个过程。



我希望能够双击任何.exe，如果它有特定的进程name（或者如果它的元数据匹配），我希望能够在它开始之前暂停它。



我看了挂钩本机API并在系统范围内控制进程创建，但它似乎不适用于我的系统，Windows 7 x64 ......我在C上很糟糕，我希望有一个C＃替代方案？我甚至不知道这是否可能......



和一个附带问题。如果我自己签署我的程序，是否会通过驱动程序和DLL注入来启动防病毒？ （这不是出于恶意，请参阅此处以获取更多信息。 ）我只担心自我签名和AV，因为大多数用户对这种类型的东西感到害怕。

In an attempt to inject a DLL into a process before it calls a specific method, I am trying to suspend a process while it is being created.

Alternatively I am trying to do a system wide hook of CreateFile, located in kernel32.dll. If that is possible it would be even better since that was the end result intended.


Old Questioin: I am looking to suspend a process as soon as it is created but before it is started. But I don't want to have to launch the process suspended manually.

I want to be able to double click any .exe, and if it has a specific process name(Or if it's metadata matches), I want to be able to suspend it before it starts.

I looked at "Hooking the native API and controlling process creation on a system-wide basis", but it doesn't seem to work on my system, Windows 7 x64... I am terrible at C and I was hoping for a C# alternative? I don't even know if that is possible...

And a side question. If I self sign my program, will an antivirus be set off by a driver and DLL injection? (This is not for malicious intent, see here for more information.) I am only worried about self signing and AV because most users freak out about that type of thing.

推荐答案

非常确定如所描述的那样是不可能的。



暂停仅适用于正在运行的进程。如果它尚未启动，则无法运行。

Pretty sure as described that is impossible.

"Suspend" only applies to a process that is running. If it hasn't started then it can't be running.

您可以使用dwCreationFlags参数中的带CREATE_SUSPENDED标志的api CreateProcess创建暂停的进程。这是CreateProcess文档链接http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx的链接，注入完成后您可以恢复应用程序的线程正确加载函数钩子。但是，当您以这种方式创建进程时，除了ntdll.dll之外，并非所有dll都被加载，并且您的挂钩引擎可能会失败。在这种情况下，您必须监视进程并在加载所需的dll时，您可以挂起它，挂钩方法并恢复线程。要监视进程，您有两个选项，定期检查已加载的模块或使用驱动程序获取为进程加载的模块通知。

You can create a process in suspended using the api CreateProcess with CREATE_SUSPENDED flag in dwCreationFlags parameter. This is the link of the CreateProcess documentation link http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx and after your injection is done you can resume the thread for the application to load properly with the function hooked. However, when you create a process this way, not all the dlls are loaded except the ntdll.dll and your hooking engine might fail. In that case you have to monitor the process and when the required dlls are loaded you can suspend it, hook the methods and resume the threads.To monitor the process, you have two options, periodically theck the loaded modules or use a driver to get notification of modules loaded for a process.

这篇关于暂停启动C＃的特定进程的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！