I believe that AV programs suspend the process. This is the same advice Mark Russinovich gives when you see a suspicious process -- use task mgr, right-click and pick Suspend.
So, I see the SuspendThread() API, which may work, but you'd really want to suspend all threads simultaneously instead of walking all threads and suspending them individually.
This article may help: Win32 process suspend/resume tool
John
Yes, I would like to know how to suspend a specific process by name, or one at a time. I would also like to know if there could be any way you could skip specific processes as well, like "explorer" or "winlogin", although these are Microsoft Windows-made programs. If a virus was smart it would disguise its name like that, so how would you be able to contrast the two, the virus and the real program? Maybe heuristics (to search for suspicious behavior or overuse of system resources like RAM, processor, internet bandwidth, etc.), or by its color depth: ever notice that when there are two processes of the same name in the Microsoft Windows taskmgr, the second or first process has a (*) star next to it followed by a 2, 4, 8, 16, 32 or 64 (color depths)? These are the two ways, to my knowledge, of contrasting the two, but how to use these in programming? I'm really hardcore on this subject and find every possible way, to the best of my knowledge, to predict how malicious software could use stealth.
I did read that article you recommended for me; I'm still studying and trying to identify things in the code that would be useful.
And for that taskmgr thing you said
John Schroedl wrote: I believe that AV programs suspend the process. This is the same advice Mark Russinovich gives when you see a suspicious process -- use task mgr, right-click and pick Suspend.
I did find that type of "taskmgr", so did you mean Process Explorer? It does have the suspend process option on it and was made by Microsoft. The default task manager installed on Windows does not have such a feature.
See image (in URL): http://harristech.webs.com/temp/taskmanagerss1.png
So yeah, I do understand what you are trying to explain; we are on the same page, right?
There is no "freeze". It is a block.
An application start without AV would look something like this.
1. User requests app start
2. Windows itself calls a low level method called X
3. X returns after doing something
4. Other stuff happens in windows
5. App starts
With AV in place the above process becomes the following instead.
1. User requests app start
2. Windows itself calls a low level method called X
a. Call to AV is made
b. AV does stuff
c. AV displays dialog
d. (other stuff.)
3. X returns after doing something
4. Other stuff happens in windows
5. App starts
In the above, c blocks waiting on the user. Since c blocks, 2 blocks. Since 2 blocks, the entire process blocks.
The AV accomplishes this by hooking into Windows low-level functionality. AV apps probably use quite a few different low-level API hooks, but in terms of this question the specific one is called "File System Filter Drivers".
See the following.
http://msdn.microsoft.com/en-us/windows/hardware/gg462968.aspx
Hi,
I think that you need to handle the instruction pointer.
You can edit eip using jmp, call or ret. You just can't directly read from or write to eip using normal operations.
Best regards!
Hi,
I'm using VC++, Visual Studio 2010 Express Edition.
I'm trying to create a simple form application, with a thread and some control classes in my application.
1) But whenever I try to create a thread class which is derived from the "CbaseThread" class, I always get an error: "Unmanaged class can't derive from a managed class".
2) If I try to make my thread class managed, then I can't derive from "CbaseThread", since the class becomes sealed.
3) In one of the control classes I need a reference to "FORM1", which is created inside Application.Run(gcnew Form1()). Even getting this reference is not possible.
Can anyone please help me?
I can completely manage with "Unmanaged Code".
How can I have just unmanaged code throughout my application?
If having only unmanaged code is not at all possible, how can I solve the above-mentioned problem, i.e. working with both managed and unmanaged code together?
Thanks in advance.
Regards,
Vijay.
What is CBaseThread?
Vijay Sringeri wrote: In one of the control class I need a reference to "FORM1", which is created inside Application.Run (gcnew Form1())..
Move the definition from the Run method to a place where you have access to it.
Vijay Sringeri wrote: How can I have just unmanaged code throughout my application.
Don't use Windows Forms and make your project an unmanaged C++ project. Windows Forms is part of the .NET Framework, so it has to use managed code.
Mark Salsbery
Hi all, I hope you can help me. I'm an IT student; they want us to do a project about graphics using physical equations, like simulating a car or any game. Can you help with any code? My email: sicko.scorpion@gmail.com. Thank you ver
I think you would be much better to use Google to research your issue; and try spelling your keywords in full.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman
Here are all the reasons I gave a 1 to your question :
1. You didn't set a meaningful title
2. You didn't take the time to write proper sentences (spelling mistakes, textspeak, almost no punctuation); how do you expect us to help you if being understood isn't your concern in the first place?
3. We are not here to do your homework
4. Never put your email address on a public forum, unless being spammed to death isn't a problem for you
phil.o wrote: Never put your email address ...
I have stopped warning people about this as chances are they are doing it all over the internet.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman
I didn't, yet 
How do I get a callback in managed C++/CLI from unmanaged code? My managed code class has implemented an unmanaged COM interface; how shall I do that?
I think this will help:
http://blogs.microsoft.co.il/blogs/alon/archive/2007/05/29/Native-Callback.aspx
Greatness, not God, may be underestimated.
-- modified 3-Jan-12 4:58am.
Your link is not clickable.
Unrequited desire is character building. OriginalGriff
I'm sitting here giving you a standing ovation - Len Goodman
Just pull out the useful part from the link.
http://blogs.microsoft.c.il/blogs/alon/archive/2007/05/29/Native-Callback.aspx
I generally use method #4 because many of my callbacks are in the form of interface classes (e.g. "ICallback"). I create a "bridge" class (an unmanaged class built in a managed dll) with an implementation of the unmanaged callback that marshals any parameters to the managed world, then calls a similar method on a gcroot'ed handle to a managed interface.
Bob Ciora
I need to solve a problem for reading and writing COM Port data from MIDI application.
1) The software must be able to handle multiple MIDI In and MIDI Out ports simultaneously, sending and receiving MIDI data without choking off performance for the application (this will include audio as well).
I am already using a modified version of the old Mabry MIDIIO, an MFC COM server in a shared .dll, written in C++. It is currently compiled down into an .ocx and requires COM registration. It is working in the Visual Studio 2008 environment.
But a total rewrite or a different solution is a viable option, of course with the fastest, most inexpensive and easiest-to-maintain solution.
Here are the questions:
1) What direction would you recommend: COM control or .NET control, .dll, multi-thread, something else, and why? If anybody has an idea about the Mabry control, do you think the Mabry control could be reworked into my new solution, or would it be better to just take a totally different direction?
2) What is the recommendation? An unmanaged or managed solution?
Regards, Usman
Hi,
This is my first post on this forum so please bear with me.
I'm trying to send Epson FX printer codes to the dot-matrix printer using the function:
char* cSendBuf = "\0x1bl\0x03";
RawDataToPrinter( L"\\\\AGO\\Oki ML 520 Elite (IBM)", cSendBuf, strlen(cSendBuf) );
And I don't know where to put the text "sample text". Just after the code: the text does not print. Before the code: the text will not be set to the column specified in the code.
char* cSendBuf = "\0x1bl\0x03\sample text";
char* cSendBuf = "sample text\0x1bl\0x03";
How should it be assigned as a pointer value to char* cSendBuf?
Thanks.
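The two symptoms described above (nothing prints when the text follows the code, the margin is ignored when the text precedes it) are exactly what a C string that begins with "\0" produces, because "\0" is an octal escape for NUL and strlen() stops there. This added example, not code from the original post, shows the octal-versus-hex escape pitfall and builds the ESC/P buffer with an explicit byte count; the function names are mine, and the ESC l n (set left margin) command is assumed as the intended code.

```c
#include <stdio.h>
#include <string.h>

/* The poster's literal "\0x1bl\0x03" starts with "\0", the OCTAL escape for NUL,
 * so the bytes are NUL,'x','1','b','l',NUL,'x','0','3' and strlen() reports 0.
 * The ESC byte must be written in hex ("\x1b"). The parameter byte is safer as a
 * raw value, because a hex escape swallows any hex digit that follows it:
 * "\x03sample" is fine, but "\x03Abc" would silently become the byte 0x3A. */
size_t broken_literal_length(void) { return strlen("\0x1bl\0x03"); } /* 0 */
size_t fixed_literal_length(void)  { return strlen("\x1bl\x03"); }   /* 3 */

/* Build an ESC/P job: ESC 'l' n (set left margin to column n), then the text,
 * then CR LF. Returns the number of bytes written to out, or 0 if cap is too
 * small. Pass this count to RawDataToPrinter instead of strlen(): ESC/P
 * parameter bytes may legitimately be 0x00, which would truncate strlen(). */
size_t build_escp_job(unsigned char *out, size_t cap,
                      unsigned char left_margin, const char *text)
{
    const unsigned char esc_l[] = { 0x1b, 'l' };     /* ESC l */
    size_t textlen = strlen(text);
    size_t need = sizeof esc_l + 1 + textlen + 2;    /* + n + CR LF */
    size_t pos = 0;
    if (cap < need) return 0;
    memcpy(out + pos, esc_l, sizeof esc_l); pos += sizeof esc_l;
    out[pos++] = left_margin;                         /* parameter byte n */
    memcpy(out + pos, text, textlen);       pos += textlen;
    out[pos++] = '\r';
    out[pos++] = '\n';
    return pos;
}

int main(void)
{
    unsigned char job[64];
    size_t n = build_escp_job(job, sizeof job, 3, "sample text");
    printf("broken literal strlen = %zu, fixed = %zu\n",
           broken_literal_length(), fixed_literal_length());
    for (size_t i = 0; i < n; i++) printf("%02x ", job[i]);
    printf("(%zu bytes)\n", n);
    return 0;
}
```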
Hi,
in my experience printing on an EPSON matrix printer doesn't need anything special; it works like all other printers, which means: create a class that derives from PrintDocument, and all is good. That is, assuming you are using the .NET Framework. If you don't, your code isn't managed C++ and your question is in the wrong forum.
If, for whatever reason, you do need to generate ESC/P commands yourself, the language specs can be found with Google; here is one candidate, and I trust there are some working examples included. And if you still have questions about it, you would still be (slightly) better off in another forum, probably "Hardware and Devices" (don't hold your breath).
Hi, everyone. I've got some trouble with C++.
IDE: Visual C++ 2010 Express
Win32 console application
The purpose of this program is: if I input a string such as "CS101 C++ PROGRAMMING", the string I've input will appear on the screen.
The following is my code.
#include "stdafx.h"
#include <string>
using std::string;
using std::getline;
#include <iostream>
using std::cin;
using std::cout;
using std::endl;
class GradeBook
{
private:
    string courseName;
public:
    GradeBook( string name )
    {
        setCourseName( name );
    }
    void setCourseName( string name )
    {
        courseName = name;
    }
    string getCourseName()
    {
        return courseName;
    }
    void displayMessage()
    {
        cout << "The courseName: " << getCourseName() << "!" << endl;
    }
};
int _tmain(int argc, _TCHAR* argv[])
{
    for( int i = 0; i < 2; i ++ )
    {
        string name;
        cout << "Input Grade book [" << i + 1 << "]" << endl;
        getline( cin, name );
        GradeBook myGradeBook( name );
        myGradeBook.getCourseName(); // the returned string is discarded, so nothing is printed
    }
    return 0;
}
In this program, I've defined a class named GradeBook which has four member functions. In the main function, if I use "myGradeBook.getCourseName()" there is no result on the screen. If I use "myGradeBook.displayMessage()", the result appears on the screen.
Who can tell me why? Thank you.
Why can't I edit the strings "#include<iostream>" and "#include<string>" on this page?
I got the answer:
the statement should be cout << myGradeBook.getCourseName();
Then the result will be on the screen!
WOW!
You could also have used your displayMessage() function, which does the same thing for you. Remember that the definition of your getCourseName() function is just to return the string containing the name, so you still need to pass that to a function that will display it, or, as in this case, pass it directly to cout.
Hello people, I have the following code written in C++, converted from VB.NET to C++ from a program. The following code tells the user via message box if the program is running as an admin; see below:
Object ^identity = WindowsIdentity::GetCurrent();
WindowsPrincipal ^principal = gcnew WindowsPrincipal(identity);
bool isElevated = principal->IsInRole(WindowsBuiltInRole::Administrator);
try
{
    if (isElevated == true)
    {
    }
    else
    {
        MessageBox::Show("WARNING: Program not running as administrator!", "Credential Error", MessageBoxButtons::OK, MessageBoxIcon::Error);
    }
}
catch (Exception ^ex)
{
    MessageBox::Show("This program cannot run as performed because your system does not support admin rights, program now terminating from computer memory.", ".Net Framework Error", MessageBoxButtons::OK, MessageBoxIcon::Error);
    Environment::Exit(1);
}
When this block of code was executed with my program, I get the following error message (In double quotations):
"error C2664: 'System::Security::Principal::WindowsPrincipal::WindowsPrincipal(System::Security::Principal::WindowsIdentity ^)' : cannot convert parameter 1 from 'System::Object ^' to 'System::Security::Principal::WindowsIdentity ^'"
the remaining error messages are (In double quotations):
"1> No user-defined-conversion operator available, or
1> Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast"
Could anyone point out something that I could edit that would make the compiler accept it or work? Any suggestions or personal solutions are appreciated.
Brandon-hbx12000 wrote: Object ^identity = WindowsIdentity::GetCurrent();
The problem is in the very first word. Why would you "anonymize" whatever it is GetCurrent() returns? Use real types wherever you can.