Creating processes with suspended flag

[Beatrice] · 07/09/2020, 01:52

Needed it for something, may be useful to someone.

Code:

#RequireAdmin
#include <MemoryConstants.au3>
#include <WinApi.au3>
#include <WinApiProc.au3>
#include <String.au3>
$tStartup = DllStructCreate($tagSTARTUPINFO)
$tProcess = DllStructCreate($tagPROCESS_INFORMATION)
$sAppName = FileOpenDialog("","","(*.exe)")
If $sAppName = "" Then Exit
$iDelay = InputBox("Delay","Delay between base checks","200")
If Not StringIsInt($iDelay) Then Exit
$aAppName = _StringBetween(StringReverse($sAppName),"","\")
$sProcessName = StringReverse($aAppName[0])
_WinAPI_CreateProcess("", $sAppName, 0, 0, 0, 0x00000004, 0, 0, DllStructGetPtr($tStartup), DllStructGetPtr($tProcess))
$iPID = DllStructGetData($tProcess, "ProcessID")
$hProcess = DllStructGetData($tProcess, "hProcess")
$hThread = DllStructGetData($tProcess, "hThread")
Do
	ResumeThread($hThread)
	Sleep($iDelay)
	SuspendThread($hThread)
	$dwBase = _MemoryModuleGetBaseAddress($iPID, $sProcessName)
Until $dwBase <> -1

Func ResumeThread($hThread)
	DllCall("Kernel32.dll", "int", "ResumeThread", "hwnd", $hThread)
EndFunc

Func SuspendThread($hThread)
	DllCall("Kernel32.dll", "int", "SuspendThread", "hwnd", $hThread)
EndFunc

Func _MemoryModuleGetBaseAddress($iPID, $sModule)
	If Not ProcessExists($iPID) Then Return SetError(1, 0, 0)
	If Not IsString($sModule) Then Return SetError(2, 0, 0)
	Local $PSAPI = DllOpen("psapi.dll")
	Local $hProcess
	Local $PERMISSION = BitOR(0x0002, 0x0400, 0x0008, 0x0010, 0x0020)
	If $iPID > 0 Then
		Local $hProcess = DllCall("kernel32.dll", "ptr", "OpenProcess", "dword", $PERMISSION, "int", 0, "dword", $iPID)
		If $hProcess[0] Then
			$hProcess = $hProcess[0]
		EndIf
	EndIf
	Local $Modules = DllStructCreate("ptr[1024]")
	Local $aCall = DllCall($PSAPI, "int", "EnumProcessModules", "ptr", $hProcess, "ptr", DllStructGetPtr($Modules), "dword", DllStructGetSize($Modules), "dword*", 0)
	If $aCall[4] > 0 Then
		Local $iModnum = $aCall[4] / 4
		Local $aTemp
		For $i = 1 To $iModnum
			$aTemp = DllCall($PSAPI, "dword", "GetModuleBaseNameW", "ptr", $hProcess, "ptr", Ptr(DllStructGetData($Modules, 1, $i)), "wstr", "", "dword", 260)
			If $aTemp[3] = $sModule Then
				DllClose($PSAPI)
				Return Ptr(DllStructGetData($Modules, 1, $i))
			EndIf
		Next
	Else
		Return -1
	EndIf
	DllClose($PSAPI)
	Return SetError(-1, 0, 0)
EndFunc