
NativeAPI Suspend process


I am trying to suspend a process using the Native API from ntdll. I wrote some C code, and it works:

/* Signature shared by ntdll's NtSuspendProcess and NtResumeProcess: an
 * NTSTATUS-sized LONG result and a single process handle. The functions are
 * looked up at run time with GetProcAddress (see Suspend/Resume below). */
typedef LONG(NTAPI* NtSuspendProcess)(IN HANDLE ProcessHandle);

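/*
 * Suspend every thread of the process whose id is passed in `processId`.
 *
 * The argument carries a DWORD process id inside a VOID* (the
 * UINT __stdcall (VOID*) shape looks like a thread routine, e.g. for
 * _beginthreadex -- the caller is not shown here, so confirm). The ntdll
 * function is resolved at run time with GetProcAddress.
 *
 * Returns 0 on success, 1 if OpenProcess failed, 2 if NtSuspendProcess could
 * not be resolved, 3 if NtSuspendProcess returned a failure NTSTATUS.
 */
UINT __stdcall Suspend(VOID* processId)
{
    HANDLE processHandle;
    HMODULE ntdll;
    NtSuspendProcess pfnNtSuspendProcess;
    LONG status;

    /* PROCESS_SUSPEND_RESUME is the only right NtSuspendProcess needs. Asking
     * for PROCESS_ALL_ACCESS fails on targets whose DACL does not grant the
     * caller full control and hands this routine far more than it uses. The
     * double cast avoids a pointer-truncation warning in 64-bit builds. */
    processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, (DWORD)(ULONG_PTR)processId);
    if (processHandle == NULL)
        return 1;

    ntdll = GetModuleHandle(L"ntdll");
    pfnNtSuspendProcess = ntdll
        ? (NtSuspendProcess)GetProcAddress(ntdll, "NtSuspendProcess")
        : NULL;
    if (pfnNtSuspendProcess == NULL) {
        CloseHandle(processHandle);      /* do not leak the handle on the error path */
        return 2;
    }

    /* NTSTATUS convention: negative values are failures (NT_SUCCESS is >= 0). */
    status = pfnNtSuspendProcess(processHandle);
    CloseHandle(processHandle);
    return status < 0 ? 3 : 0;
}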

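/*
 * Resume the process whose id is passed in `processId` (the counterpart of
 * Suspend above; same argument convention and same return codes).
 *
 * Returns 0 on success, 1 if OpenProcess failed, 2 if NtResumeProcess could
 * not be resolved, 3 if NtResumeProcess returned a failure NTSTATUS.
 */
UINT __stdcall Resume(VOID* processId)
{
    HANDLE processHandle;
    HMODULE ntdll;
    NtSuspendProcess pfnNtResumeProcess;  /* same signature as NtSuspendProcess */
    LONG status;

    /* PROCESS_SUSPEND_RESUME is the only right NtResumeProcess needs; see the
     * note in Suspend on why PROCESS_ALL_ACCESS is both too much and fragile. */
    processHandle = OpenProcess(PROCESS_SUSPEND_RESUME, FALSE, (DWORD)(ULONG_PTR)processId);
    if (processHandle == NULL)
        return 1;

    ntdll = GetModuleHandle(L"ntdll");
    pfnNtResumeProcess = ntdll
        ? (NtSuspendProcess)GetProcAddress(ntdll, "NtResumeProcess")
        : NULL;
    if (pfnNtResumeProcess == NULL) {
        CloseHandle(processHandle);      /* do not leak the handle on the error path */
        return 2;
    }

    /* NTSTATUS convention: negative values are failures (NT_SUCCESS is >= 0). */
    status = pfnNtResumeProcess(processHandle);
    CloseHandle(processHandle);
    return status < 0 ? 3 : 0;
}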

But when I try to write it in MASM, the process doesn't stop. I looked at the registers EAX and ECX, and everything is okay there. I called GetLastError, and it returned zero. Code:

;-----------------------------------------------------------------------
; pauseProc(pid)  --  32-bit MASM, Win32 stdcall callees (decorated @N names)
; Intent: suspend the process with id `pid` through ntdll!NtSuspendProcess.
; In:    pid           = process id (dword stack argument)
; Uses:  processHandle (dword declared outside this proc), the string labels
;        pushed below, and the PROCESS_ALL_ACCESS / MB_ICONERROR equates
; Out:   eax = return value of the last Win32 call made (CloseHandle's BOOL)
; NOTE(review): the pointer returned by GetProcAddress is never called -- see
; the commented-out line before `ret` -- so the target is never suspended.
; NOTE(review): none of the .IF error blocks leaves the proc; after
; MessageBoxA returns, eax holds its button id, which the next statement
; then consumes as if it were the handle / module / function pointer.
;-----------------------------------------------------------------------
pauseProc proc pid:dword

; HANDLE OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); args pushed right-to-left
push pid
push 0
push PROCESS_ALL_ACCESS
call OpenProcess@12

; eax == 0 : OpenProcess failed (execution falls through after the message box)
.IF eax == 0
    PUSH MB_ICONERROR
    PUSH 0
    PUSH offset errorOpenProccess
    PUSH 0
    CALL MessageBoxA@16 
.ENDIF

mov processHandle, eax                  ; kept for the CloseHandle at the end

; HMODULE GetModuleHandleW(NtModuleNameWStr)  -- wide string, presumably "ntdll"
push offset NtModuleNameWStr
call GetModuleHandleW@4

; call GetLastError

; eax == 0 : module not found (falls through; eax then = MessageBoxA result)
.IF eax == 0
    PUSH MB_ICONERROR
    PUSH 0
    PUSH offset errorGetModuleHandle
    PUSH 0
    CALL MessageBoxA@16 
.ENDIF

; FARPROC GetProcAddress(hModule = eax, NtSuspendProcessAStr) -> eax
push offset NtSuspendProcessAStr
push eax
call GetProcAddress@8

; eax == 0 : export not found (falls through; the pointer in eax is lost)
.IF eax == 0
    PUSH MB_ICONERROR
    PUSH 0
    PUSH offset errorGetProcAddress
    PUSH 0
    CALL MessageBoxA@16 
.ENDIF

; the handle is closed here although the suspend call was never made
push processHandle
call CloseHandle@4

; pfnNtSuspendProcess   <- the resolved pointer should be called before
;                          CloseHandle: push processHandle / call eax
ret
pauseProc endp

About the constants:

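; Process access-right equates (values as in winnt.h).
; PROCESS_ALL_ACCESS widened its specific-rights mask from 0FFFh to 0FFFFh in
; Windows Vista; a binary built with the wider mask is reported to fail
; OpenProcess on older systems, and the full mask is far more than a
; suspend/resume needs.
STANDARD_RIGHTS_REQUIRED equ 000F0000h
SYNCHRONIZE              equ 00100000h
PROCESS_SUSPEND_RESUME   equ 00000800h   ; the only right NtSuspendProcess/NtResumeProcess require
PROCESS_ALL_ACCESS       equ (STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or 0FFFFh)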

I use Windows 10, so the mask has to be 0FFFFh; for versions before Windows Vista it is 0FFFh. Why doesn't the process stop?


Solution

  • ;Process pause
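    ;-----------------------------------------------------------------------
    ; pauseProc(pid)  --  32-bit MASM, Win32 stdcall callees (decorated @N names)
    ; Suspends the process identified by pid through ntdll!NtSuspendProcess.
    ; In:    pid           = process id (dword stack argument)
    ; Out:   eax           = NTSTATUS from NtSuspendProcess (0 = STATUS_SUCCESS),
    ;                        or 0FFFFFFFFh when a Win32 call failed beforehand
    ; Uses:  processHandle (dword declared outside this proc), NtModuleNameWStr,
    ;        NtSuspendProcessAStr and the error string labels (declared elsewhere)
    ; Clobb: eax, ecx, edx (Win32 stdcall callees); processHandle is left
    ;        holding an already-closed handle value
    ; Each error path shows its message box and then LEAVES the proc, so the
    ; MessageBoxA return value in eax is never mistaken for a handle or pointer.
    ;-----------------------------------------------------------------------
    pauseProc proc pid:dword
    LOCAL status:DWORD

        ; HANDLE OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); args pushed right-to-left.
        ; PROCESS_SUSPEND_RESUME (0800h) is the only right NtSuspendProcess needs;
        ; PROCESS_ALL_ACCESS is kept to match the equates the caller defines, but
        ; it is more than required and is refused on targets that do not grant it.
        push pid
        push 0
        push PROCESS_ALL_ACCESS
        call OpenProcess@12
        .IF eax == 0
            PUSH MB_ICONERROR
            PUSH 0
            PUSH offset errorOpenProccess
            PUSH 0
            CALL MessageBoxA@16
            mov eax, 0FFFFFFFFh         ; nothing to close yet
            ret
        .ENDIF
        mov processHandle, eax

        ; HMODULE GetModuleHandleW(NtModuleNameWStr)
        push offset NtModuleNameWStr
        call GetModuleHandleW@4
        .IF eax == 0
            PUSH MB_ICONERROR
            PUSH 0
            PUSH offset errorGetModuleHandle
            PUSH 0
            CALL MessageBoxA@16
            jmp cleanup_failed
        .ENDIF

        ; FARPROC GetProcAddress(hModule = eax, NtSuspendProcessAStr) -> eax
        push offset NtSuspendProcessAStr
        push eax
        call GetProcAddress@8
        .IF eax == 0
            PUSH MB_ICONERROR
            PUSH 0
            PUSH offset errorGetProcAddress
            PUSH 0
            CALL MessageBoxA@16
            jmp cleanup_failed
        .ENDIF

        ; NTSTATUS NtSuspendProcess(processHandle) -- stdcall, callee pops the arg.
        ; Must happen BEFORE CloseHandle; save the status because CloseHandle
        ; overwrites eax with its BOOL.
        push processHandle
        call eax
        mov status, eax

    close_handle:
        push processHandle
        call CloseHandle@4
        mov eax, status
        ret

    cleanup_failed:
        mov status, 0FFFFFFFFh
        jmp close_handle
    pauseProc endp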