Freeze a program and hold execution
-
Hello people, I wanna know if there is any way you could freeze a program, hold its execution or control it, like a firewall, for instance: it freezes the program and tells the user "This program is unsafe." Do any of you AV freaks know anything on how to do such a thing? Edit: Like pausing the program if you were programming it or compiling it. Regards, Brandon T. H. CodeProject Member
-
The only way that anti-virus programs recognise this is by scanning the executable file and looking for patterns that match known viruses. Once the program is running then there is little you can do to recognise when it performs some dangerous or questionable action.
Unrequited desire is character building. OriginalGriff I'm sitting here giving you a standing ovation - Len Goodman
-
I believe that AV programs suspend the process. This is the same advice Mark Russinovich gives when you see a suspicious process -- use task mgr, right-click and pick Suspend. So, I see the SuspendThread() API which _may_ work, but you'd really want to suspend all threads simultaneously instead of walking all threads and suspending individually. This article may help: Win32 process suspend/resume tool. John
-
There is no "freeze". It is a block. An application start without AV would look something like this.
1. User requests app start
2. Windows itself calls a low level method called X
3. X returns after doing something
4. Other stuff happens in Windows
5. App starts
With AV in place the above process becomes the following instead.
1. User requests app start
2. Windows itself calls a low level method called X
   a. Call to AV is made
   b. AV does stuff
   c. AV displays dialog
   d. (other stuff.)
3. X returns after doing something
4. Other stuff happens in Windows
5. App starts
In the above, c blocks waiting on the user. Since it blocks, 2 blocks. Since 2 blocks, the entire process blocks. The AV accomplishes this by hooking into Windows low level functionality. AV apps probably use quite a few different low level API hooks, but in terms of this question only the specific one is called "File System Filter Drivers". See the following. http://msdn.microsoft.com/en-us/windows/hardware/gg462968.aspx
-
Yes, I would like to know how to suspend a specific process by name or one at a time. I would also like to know if there could be any way you could skip specific processes as well, like "explorer" or "winlogin", although these are Microsoft Windows-made programs. If a virus was smart it would disguise its name like that, so how would you be able to contrast the two, a virus and the real program? Maybe heuristics (to search for suspicious behavior or overuse of system resources like RAM, processor, internet bandwidth, etc.), or by its color depth; ever notice when there are two processes of the same name in the Microsoft Windows taskmgr, the second or first process has a (*) star next to it followed by a 2, 4, 8, 16, 32 or 64 (color depths)? These are the two ways to my knowledge to contrast the two, but how to use these in programming? I'm really hardcore on this subject and find every possible way to the best of my knowledge to predict how malicious software could use stealth. I did read that article you recommended for me; I'm still studying and trying to identify things in the code that would be useful. And for that taskmgr thing you said:
John Schroedl wrote:
I believe that AV programs suspend the process. This is the same advice Mark Russinovich gives when you see a suspicious process -- use task mgr, right-click and pick Suspend.
I did find that type of "taskmgr", so did you mean Process Explorer? It does have the suspend process option on it and was made by Microsoft. The default task manager installed on Windows does not have such a feature on it, see image (in URL): http://harristech.webs.com/temp/taskmanagerss1.png so yeah, I do understand what you are trying to explain; we are on the same page, right?
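Putting John's SuspendThread() suggestion and Brandon's suspend-by-name / skip-list question together, here is an added example; it is my own code, not code from this thread or from the linked suspend/resume tool. It uses the documented Tool Help snapshot API (CreateToolhelp32Snapshot, Process32First/Next, Thread32First/Next) together with OpenThread, SuspendThread and ResumeThread from kernel32. The protected-name list is an assumption for illustration, and the Win32 calls only work on Windows with enough rights to open the target's threads; the target-selection logic is plain Python and runs anywhere.

```python
"""Freeze (suspend) or thaw (resume) every thread of a Windows process
chosen by image name, refusing to touch a list of protected names.
Added example, not code from the original thread or the linked tool."""
import ctypes
import sys

# Documented Tool Help snapshot flags and thread access right.
TH32CS_SNAPPROCESS = 0x00000002
TH32CS_SNAPTHREAD = 0x00000004
THREAD_SUSPEND_RESUME = 0x00000002
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
DWORD, LONG, HANDLE = ctypes.c_uint32, ctypes.c_int32, ctypes.c_void_p

# Assumed skip list: core Windows processes a scanner must never freeze.
# Matching is by image name only, so a sample named explorer.exe is skipped too.
PROTECTED_NAMES = frozenset(n.lower() for n in (
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "explorer.exe"))


def pick_targets(processes, image_name, protected=PROTECTED_NAMES):
    """processes: iterable of (pid, image_name). Returns the PIDs whose
    name matches case-insensitively, or [] if the name is protected."""
    wanted = image_name.lower()
    if wanted in protected:
        return []
    return sorted(pid for pid, name in processes if name.lower() == wanted)


class PROCESSENTRY32(ctypes.Structure):      # layout from tlhelp32.h (ANSI)
    _fields_ = [("dwSize", DWORD), ("cntUsage", DWORD), ("th32ProcessID", DWORD),
                ("th32DefaultHeapID", ctypes.c_size_t), ("th32ModuleID", DWORD),
                ("cntThreads", DWORD), ("th32ParentProcessID", DWORD),
                ("pcPriClassBase", LONG), ("dwFlags", DWORD),
                ("szExeFile", ctypes.c_char * 260)]


class THREADENTRY32(ctypes.Structure):       # layout from tlhelp32.h
    _fields_ = [("dwSize", DWORD), ("cntUsage", DWORD), ("th32ThreadID", DWORD),
                ("th32OwnerProcessID", DWORD), ("tpBasePri", LONG),
                ("tpDeltaPri", LONG), ("dwFlags", DWORD)]


def _kernel32():
    """Load kernel32 and declare the signatures we use (Windows only)."""
    k = ctypes.WinDLL("kernel32", use_last_error=True)
    k.CreateToolhelp32Snapshot.restype = HANDLE
    k.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
    k.OpenThread.restype = HANDLE
    k.OpenThread.argtypes = [DWORD, ctypes.c_int, DWORD]
    for fn in (k.SuspendThread, k.ResumeThread):
        fn.restype, fn.argtypes = DWORD, [HANDLE]
    for fn in (k.Process32First, k.Process32Next, k.Thread32First, k.Thread32Next):
        fn.restype, fn.argtypes = ctypes.c_int, [HANDLE, ctypes.c_void_p]
    k.CloseHandle.argtypes = [HANDLE]
    return k


def _snapshot(flag, entry_cls, first, nxt):
    """Walk one Tool Help snapshot, yielding each entry structure in turn."""
    k = _kernel32()
    snap = k.CreateToolhelp32Snapshot(flag, 0)
    if snap in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        entry = entry_cls()
        entry.dwSize = ctypes.sizeof(entry)
        ok = getattr(k, first)(snap, ctypes.byref(entry))
        while ok:
            yield entry
            ok = getattr(k, nxt)(snap, ctypes.byref(entry))
    finally:
        k.CloseHandle(snap)


def list_processes():
    """All running processes as (pid, image name) pairs."""
    return [(e.th32ProcessID, e.szExeFile.decode(errors="replace"))
            for e in _snapshot(TH32CS_SNAPPROCESS, PROCESSENTRY32,
                               "Process32First", "Process32Next")]


def set_process_state(pid, suspend=True):
    """Suspend (or resume) every thread owned by pid, one thread at a time.
    Not atomic: a thread created after the snapshot is missed, which is why
    a single NtSuspendProcess call (ntdll, undocumented) is preferred by real
    tools. Returns the number of threads actually touched."""
    k = _kernel32()
    act = k.SuspendThread if suspend else k.ResumeThread
    touched = 0
    for t in _snapshot(TH32CS_SNAPTHREAD, THREADENTRY32, "Thread32First", "Thread32Next"):
        if t.th32OwnerProcessID != pid:
            continue
        h = k.OpenThread(THREAD_SUSPEND_RESUME, 0, t.th32ThreadID)
        if not h:                         # access denied (protected or other user)
            continue
        try:
            if act(h) != 0xFFFFFFFF:      # (DWORD)-1 means the call failed
                touched += 1
        finally:
            k.CloseHandle(h)
    return touched


if __name__ == "__main__":
    # usage: freeze.py suspend|resume <image name>, e.g. freeze.py suspend notepad.exe
    verb, name = sys.argv[1], sys.argv[2]
    for target in pick_targets(list_processes(), name):
        n = set_process_state(target, suspend=(verb == "suspend"))
        print(f"{verb} {name} pid={target}: {n} threads")
```

Because each thread is opened and suspended individually, this is the non-atomic walk John warns about: a thread the target creates after the snapshot is taken is missed, and a target that notices its first thread stop has a window to react before the rest are frozen; NtSuspendProcess in ntdll (undocumented) stops the whole process in one call. The skip list also has exactly the weakness Brandon raises, since it matches the image name alone, so a sample calling itself explorer.exe would be skipped as well; a real tool would compare the full image path, its code signature and its parent process rather than the name.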
-