ZwSuspendProcess() fails with STATUS_OBJECT_TYPE_MISMATCH

Greetings,

I have been using ZwSuspendProcess() to suspend a process from a notifier that is called when a process is created (registered it using PsSetCreateProcessNotifyRoutine()).

I open the process handle like this:
    InitializeObjectAttributes(&ObjAttributes, NULL,
                               OBJ_KERNEL_HANDLE, NULL, NULL);

    ClientId.UniqueProcess = ProcessId;
    ClientId.UniqueThread = NULL;

    Status = ZwOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS,
                           &ObjAttributes, &ClientId);
    if (!NT_SUCCESS(Status)) {
        ProcessHandle = NULL;
        goto out;
    }


And then call ZwSuspendProcess():

    Status = ZwSuspendProcess(ProcessHandle);
    if (!NT_SUCCESS(Status)) {
        PPERROR("Failed suspending process %u: %x",
                ProcessId, Status);
        goto out;
    }

I know it's not documented, but this worked perfectly on Windows 7 (32-bit, 64-bit) and on Windows 10 (32-bit), but fails on Windows 10 64-bit, because ZwSuspendProcess() returns STATUS_OBJECT_TYPE_MISMATCH.

The type of the object is of course EPROCESS (just to be sane, I checked by using ObReferenceObjectByHandle(), and it's successful).

Any hints, ideas?

Thank you.

Comments

  • <quote>
    Any hints, ideas?
    </quote>

    Yup. Here's my idea: This is precisely what can happen when you use undocumented functions, which is why we tell people to avoid doing so. They're undocumented for a reason. Shit changes from release to release... When Devs find holes, issues, or they just change the way a function works because they want to. When a function's not documented, it's fair game.

    Sorry... I know you don't want to hear that. But it's the truth...

    Peter
    OSR
    @OSRDrivers

    Peter Viscarola
    OSR
    @OSRDrivers
