A thread can suspend and resume the execution of another thread. While a thread is suspended, it is not scheduled for time on the processor.

If a thread is created in a suspended state (with the CREATE_SUSPENDED flag), it does not begin to execute until another thread calls the ResumeThread function with a handle to the suspended thread. This can be useful for initializing the thread's state before it begins to execute. Suspending a thread at creation can be useful for one-time synchronization, because this ensures that the suspended thread will execute the starting point of its code when you call ResumeThread.

The SuspendThread function is not intended to be used for thread synchronization because it does not control the point in the code at which the thread's execution is suspended. This function is primarily designed for use by debuggers.

A thread can temporarily yield its execution for a specified interval by calling the Sleep or SleepEx functions This is useful particularly in cases where the thread responds to user interaction, because it can delay execution long enough to allow users to observe the results of their actions. During the sleep interval, the thread is not scheduled for time on the processor.

The SwitchToThread function is similar to Sleep and SleepEx, except that you cannot specify the interval. SwitchToThread allows the thread to give up its time slice.

https://docs.microsoft.com/zh-cn/windows/win32/procthread/suspending-thread-execution

两个 API 函数

SuspendThread

Wow64SuspendThread

How to suspend/resume a process in Windows?

You can't do it from the command line, you have to write some code (I assume you're not just looking for an utility otherwise Super User may be a better place to ask). I also assume your application has all the required permissions to do it (examples are without any error checking).

Hard Way

First get all the threads of a given process then call the SuspendThread function to stop each one (and ResumeThread to resume). It works but some applications may crash or hung because a thread may be stopped in any point and the order of suspend/resume is unpredictable (for example this may cause a dead lock). For a single threaded application this may not be an issue.

void suspend(DWORD processId)

{

    HANDLE hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);

    THREADENTRY32 threadEntry;

    threadEntry.dwSize = sizeof(THREADENTRY32);

    Thread32First(hThreadSnapshot, &threadEntry);

    do

    {

        if (threadEntry.th32OwnerProcessID == processId)

        {

            HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE,

                threadEntry.th32ThreadID);

            SuspendThread(hThread);

            CloseHandle(hThread);

        }

    } while (Thread32Next(hThreadSnapshot, &threadEntry));

    CloseHandle(hThreadSnapshot);

}

Please note that this function is even too much naive, to resume threads you should skip threads that was suspended and it's easy to cause a dead-lock because of suspend/resume order. For single threaded applications it's prolix but it works.

Undocumented way

Starting from Windows XP there is the NtSuspendProcess but it's undocumented. Read this post for a code example (reference for undocumented functions: news://comp.os.ms-windows.programmer.win32).

typedef LONG (NTAPI *NtSuspendProcess)(IN HANDLE ProcessHandle);

void suspend(DWORD processId)

{

    HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId));

    NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(

        GetModuleHandle("ntdll"), "NtSuspendProcess");

    pfnNtSuspendProcess(processHandle);

    CloseHandle(processHandle);

}

"Debugger" Way

To suspend a program is what usually a debugger does, to do it you can use the DebugActiveProcess function. It'll suspend the process execution (with all threads all together). To resume you may use DebugActiveProcessStop.

This function lets you stop a process (given its Process ID), syntax is very simple: just pass the ID of the process you want to stop et-voila. If you'll make a command line application you'll need to keep its instance running to keep the process suspended (or it'll be terminated). See the Remarks section on MSDN for details.

void suspend(DWORD processId)

{

    DebugActiveProcess(processId);

}

From Command Line

As I said Windows command line has not any utility to do that but you can invoke a Windows API function from PowerShell. First install Invoke-WindowsApi script then you can write this:

Invoke-WindowsApi "kernel32" ([bool]) "DebugActiveProcess" @([int]) @(process_id_here)

Of course if you need it often you can make an alias for that.

Windows 挂起进程的更多相关文章

  1. windows核心编程---第六章 线程的调度

    每个线程都有一个CONTEXT结构,保存在线程内核对象中.大约每隔20ms windows就会查看所有当前存在的线程内核对象.并在可调度的线程内核对象中选择一个,将其保存在CONTEXT结构的值载入c ...

  2. 正确处理Windows电源事件

    简介为系统挂起与恢复而进行的应用准备步骤 曾几何时,当您正要通过应用提交或发布一些重要数据时,突然遇到一些急事需要处理,而且会耽误很长时间.当您完成任务回到电脑前时,发现电脑已经自动进入 了挂起状态, ...

  3. Windows用户模式下注入方式总结

    注入技术在病毒木马.游戏.打补丁等编程中应用很广泛,学习该技术不仅能帮助理解Windows工作原理,还能对病毒木马技术手段有更加深刻的理解,下面我们了解下各种注入方式吧. 一.DLL注入 在注入技术中 ...

  4. windows cmd下如何暂停(挂起)运行中的进程

    在Linux下做开发时,我们都熟知Ctrl+Z的指令,作用就是把当前运行的程序转到后台,暂停执行,等到合适的时候再使用fg指令把这个程序调出来再次执行.这功能也不常用,但有时候还挺必要. 那么wind ...

  5. 《windows核心编程系列 》六谈谈线程调度、优先级和关联性

    线程调度.优先级和关联性 每个线程都有一个CONTEXT结构,保存在线程内核对象中.大约每隔20ms windows就会查看所有当前存在的线程内核对象.并在可调度的线程内核对象中选择一个,将其保存在C ...

  6. ring3 x32挂起进程注入原理.

    目录 一丶挂起进程注入简介与前言 二丶ShellCode核心讲解. 2.1 保存Contex.EIP 2.2 DLL路径重定位 2.3 LoadLibrary的重定位 三丶 全部C++代码.拷贝即可使 ...

  7. windows内核代码之进程操作

    [toc] 一丶简介 整理一下windows内核中.常用的代码.这里只整理下进程的相关代码. 二丶 windows内核之遍历进程 内核中记录进程的结构体是EPROCESS结构.所以只需要遍历这个结构即 ...

  8. Ring3挂起进程,跟恢复进程.

    目录 Ring3挂起进程,跟恢复进程. 一丶简介 二丶代码 Ring3挂起进程,跟恢复进程. 一丶简介 有时候我们做对抗的时候可能会遇到.一个进程常常操作我们.但是我们 可以通过挂起进程来挂起它让它无 ...

  9. 线程操作与进程挂起(Windows核心编程)

    0x01 线程挂起与切换 对于挂起进程,挂起线程则比较简单,利用 ResumeThread 与 SuspendThread 即可,当线挂起时线程用户状态下的一切操作都会暂停 #include < ...

随机推荐

  1. 【django】 django后台管理 导出excel表

    from django.contrib import admin # Register your models here. import xlwt from django.http import Ht ...

  2. Step by Step!教你如何在k3s集群上使用Traefik 2.x

    本文来自边缘计算k3s社区 作者简介 Cello Spring,瑞士人.从电子起步,拥有电子工程学位.尔后开始关注计算机领域,在软件开发领域拥有多年的工作经验. Traefik是一个十分可靠的云原生动 ...

  3. C++判断输入是否为double

    C++判断输入是否为double 之前写过了Python如何判断输入字符串是否为数字,但是Python是弱类型语言,相比之下C++这种强类型语言判定难度更大. Python判断输入字符串是否为数字的方 ...

  4. 在scratch中怎样编写抓蝴蝶游戏

    打开scratch2.0软件,进入工作界面,将语言切换为简体中文:将默认的演员猫删除掉:在新建背景中选择“从背景库中选择背景”: 选择户外,来点一个背景图flower bed,然源后点下面的确定: 背 ...

  5. 四、华为VRP平台介绍和常用配置

    一.华为VRP平台 华为现用的平台是VRP(Versatile Routing Platform)是华为公司数据通信产品的通用操作系统平台. 包含华为产品中的路由.交换.安全.无线等等 二.华为设备管 ...

  6. xftp连接centos7

    1.下载xftp文件,并正常进行安装 2.安装好之后运行,并新建会话,此时可见如下界面: 注意: 名称,可随便输入,自己能看懂是什么就行      主机,输入当前Linux服务器的ip(如何获取服务器 ...

  7. 《深入理解 Java 虚拟机》笔记整理

    正文 一.Java 内存区域与内存溢出异常 1.运行时数据区域 程序计数器:当前线程所执行的字节码的行号指示器.线程私有. Java 虚拟机栈:Java 方法执行的内存模型.线程私有. 本地方法栈:N ...

  8. Spring(DI,AOP) 理解(一)

    感觉自己的spring理解的不好.所以重新开始学习. 这篇文章主要是来理解DI(依赖注入),Aop(切面) 一.DI(依赖注入,这里没有涉及到注释.只是用xml文件和Bean的方法来注册pojo,) ...

  9. Linux C++ 网络编程学习系列(2)——多路IO之select实现

    select实现多路IO 源码地址:https://github.com/whuwzp/linuxc/tree/master/select 源码说明: server.cpp: 监听127.1:6666 ...

  10. Js 事件原理与事件委托

    事件原理三阶段 捕获(有外向内).目标.冒泡(由内向外) 事件冒泡(event bubbling),即事件开始时由最具体的元素(文档中嵌套层次最深的那个节点)接收,然后逐级向上传播到较为不具体的节点( ...