I am attempting to write a hook which will catch the "SomeFunction" of Process Explorer that suspends a process. I already have a solution which hooks functions such as SuspendThread and NtSuspendThread. But Process Explorer uses something different and I don't know what. Please can anyone tell me the name of the function used by PE to suspend a process?
Viewed 444 times
5
Have you checked the import table? Have you done anything at all to help yourself before asking here? – Ben Voigt Aug 06 '14 at 14:33
1 Answer
7
Attach it to an API Monitor; it calls NtOpenProcess -> NtSuspendProcess()

Alex K.
Thanks, that looks very nice. I'll dig into it some more, always in the market for good tools. – Niall Aug 06 '14 at 19:48
Thanks, that's it! I tried to hook NtSuspendThread in procexp.exe but without results. I hooked this function in procexp64.exe and it works!!! Thanks a lot!!! – Anton23 Aug 07 '14 at 06:55