A thread can suspend and resume the execution of another thread. While a thread is suspended, it is not scheduled for time on the processor.

If a thread is created in a suspended state (with the CREATE_SUSPENDED flag), it does not begin to execute until another thread calls the ResumeThread function with a handle to the suspended thread. This can be useful for initializing the thread's state before it begins to execute. Suspending a thread at creation can be useful for one-time synchronization, because this ensures that the suspended thread will execute the starting point of its code when you call ResumeThread.

The SuspendThread function is not intended to be used for thread synchronization because it does not control the point in the code at which the thread's execution is suspended. This function is primarily designed for use by debuggers.

A thread can temporarily yield its execution for a specified interval by calling the Sleep or SleepEx functions This is useful particularly in cases where the thread responds to user interaction, because it can delay execution long enough to allow users to observe the results of their actions. During the sleep interval, the thread is not scheduled for time on the processor.

The SwitchToThread function is similar to Sleep and SleepEx, except that you cannot specify the interval. SwitchToThread allows the thread to give up its time slice.

https://docs.microsoft.com/zh-cn/windows/win32/procthread/suspending-thread-execution

两个 API 函数

SuspendThread

Wow64SuspendThread

How to suspend/resume a process in Windows?

You can't do it from the command line, you have to write some code (I assume you're not just looking for an utility otherwise Super User may be a better place to ask). I also assume your application has all the required permissions to do it (examples are without any error checking).

Hard Way

First get all the threads of a given process then call the SuspendThread function to stop each one (and ResumeThread to resume). It works but some applications may crash or hung because a thread may be stopped in any point and the order of suspend/resume is unpredictable (for example this may cause a dead lock). For a single threaded application this may not be an issue.

void suspend(DWORD processId)

{

    HANDLE hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);

    THREADENTRY32 threadEntry;

    threadEntry.dwSize = sizeof(THREADENTRY32);

    Thread32First(hThreadSnapshot, &threadEntry);

    do

    {

        if (threadEntry.th32OwnerProcessID == processId)

        {

            HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE,

                threadEntry.th32ThreadID);

            SuspendThread(hThread);

            CloseHandle(hThread);

        }

    } while (Thread32Next(hThreadSnapshot, &threadEntry));

    CloseHandle(hThreadSnapshot);

}

Please note that this function is even too much naive, to resume threads you should skip threads that was suspended and it's easy to cause a dead-lock because of suspend/resume order. For single threaded applications it's prolix but it works.

Undocumented way

Starting from Windows XP there is the NtSuspendProcess but it's undocumented. Read this post for a code example (reference for undocumented functions: news://comp.os.ms-windows.programmer.win32).

typedef LONG (NTAPI *NtSuspendProcess)(IN HANDLE ProcessHandle);

void suspend(DWORD processId)

{

    HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId));

    NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(

        GetModuleHandle("ntdll"), "NtSuspendProcess");

    pfnNtSuspendProcess(processHandle);

    CloseHandle(processHandle);

}

"Debugger" Way

To suspend a program is what usually a debugger does, to do it you can use the DebugActiveProcess function. It'll suspend the process execution (with all threads all together). To resume you may use DebugActiveProcessStop.

This function lets you stop a process (given its Process ID), syntax is very simple: just pass the ID of the process you want to stop et-voila. If you'll make a command line application you'll need to keep its instance running to keep the process suspended (or it'll be terminated). See the Remarks section on MSDN for details.

void suspend(DWORD processId)

{

    DebugActiveProcess(processId);

}

From Command Line

As I said Windows command line has not any utility to do that but you can invoke a Windows API function from PowerShell. First install Invoke-WindowsApi script then you can write this:

Invoke-WindowsApi "kernel32" ([bool]) "DebugActiveProcess" @([int]) @(process_id_here)

Of course if you need it often you can make an alias for that.

Windows 挂起进程的更多相关文章

  1. windows核心编程---第六章 线程的调度

    每个线程都有一个CONTEXT结构,保存在线程内核对象中.大约每隔20ms windows就会查看所有当前存在的线程内核对象.并在可调度的线程内核对象中选择一个,将其保存在CONTEXT结构的值载入c ...

  2. 正确处理Windows电源事件

    简介为系统挂起与恢复而进行的应用准备步骤 曾几何时,当您正要通过应用提交或发布一些重要数据时,突然遇到一些急事需要处理,而且会耽误很长时间.当您完成任务回到电脑前时,发现电脑已经自动进入 了挂起状态, ...

  3. Windows用户模式下注入方式总结

    注入技术在病毒木马.游戏.打补丁等编程中应用很广泛,学习该技术不仅能帮助理解Windows工作原理,还能对病毒木马技术手段有更加深刻的理解,下面我们了解下各种注入方式吧. 一.DLL注入 在注入技术中 ...

  4. windows cmd下如何暂停(挂起)运行中的进程

    在Linux下做开发时,我们都熟知Ctrl+Z的指令,作用就是把当前运行的程序转到后台,暂停执行,等到合适的时候再使用fg指令把这个程序调出来再次执行.这功能也不常用,但有时候还挺必要. 那么wind ...

  5. 《windows核心编程系列 》六谈谈线程调度、优先级和关联性

    线程调度.优先级和关联性 每个线程都有一个CONTEXT结构,保存在线程内核对象中.大约每隔20ms windows就会查看所有当前存在的线程内核对象.并在可调度的线程内核对象中选择一个,将其保存在C ...

  6. ring3 x32挂起进程注入原理.

    目录 一丶挂起进程注入简介与前言 二丶ShellCode核心讲解. 2.1 保存Contex.EIP 2.2 DLL路径重定位 2.3 LoadLibrary的重定位 三丶 全部C++代码.拷贝即可使 ...

  7. windows内核代码之进程操作

    [toc] 一丶简介 整理一下windows内核中.常用的代码.这里只整理下进程的相关代码. 二丶 windows内核之遍历进程 内核中记录进程的结构体是EPROCESS结构.所以只需要遍历这个结构即 ...

  8. Ring3挂起进程,跟恢复进程.

    目录 Ring3挂起进程,跟恢复进程. 一丶简介 二丶代码 Ring3挂起进程,跟恢复进程. 一丶简介 有时候我们做对抗的时候可能会遇到.一个进程常常操作我们.但是我们 可以通过挂起进程来挂起它让它无 ...

  9. 线程操作与进程挂起(Windows核心编程)

    0x01 线程挂起与切换 对于挂起进程,挂起线程则比较简单,利用 ResumeThread 与 SuspendThread 即可,当线挂起时线程用户状态下的一切操作都会暂停 #include < ...

随机推荐

  1. MATLAB 排序、拟合

    一.数据排序整合 1.随机生成的数,从小到大排序 clear rand('seed',1)%设置随机种子,确保随机数一样 edge_range=unifrnd (1, 10, 1, 10) edge_ ...

  2. Activiti7新的API介绍

    一.Activiti7 的组成部分 Activiti Core 作为Activiti 的核心部分,Activiti Cloud 主要是利用云服务来实现分布式业务流程开发. 二.Activiti 新的 ...

  3. 在函数中修改全局变量的值,需要加global关键字

    一.引用 使用到的全局变量只是作为引用,不在函数中修改它的值的话,不需要加global关键字.如: #! /usr/bin/python a = 1 b = [2, 3] def func(): if ...

  4. 自执行函数-[javascript]-[语法]

    在看别人的代码的时候,遇到了一种写法,之前没有见过,如下: ![](https://img2018.cnblogs.com/blog/1735896/201912/1735896-2019122114 ...

  5. 1013 Battle Over Cities (25 分)

    It is vitally important to have all the cities connected by highways in a war. If a city is occupied ...

  6. 剑指offer—单链表反转的三种实现方法

    单链表的反转可以用递归.非递归和栈的方法实现 链表节点定义: struct ListNode{ int val; Node* next; ListNode(int x):val(x),next(nul ...

  7. iSCSI集群与存储

                                                                                                        ...

  8. 【PHP】流程控制

    一.      顺序结构 a)    PHP的脚本从上到下,从左往右的执行顺序就是顺序结构! 二.      分支结构 a)    单一的分支结构 If ( 条件表达式 ) { 程序体: } 执行过程 ...

  9. 汇编刷题:统计2000H开始的正负数的个数

    DATA SEGMENT ORG 2000H INFO DB 1,2,3,4,5,70H,71H,72H,80H,92H N_NUMS DB 00H P_NUMS DB 00H DATA ENDS C ...

  10. JVM日常排查问题。基本操作和命令

    1.jstat jstat -gcutil pid 5s    //pid进程号 每隔5s监控一次内存回收情况 E 代表 Eden 区使用率:O(Old)代表老年代使用率    :P(Permanen ...