> When using the usermode function CreateProcess, I have the option to pass
> CREATE_SUSPENDED in the creationFlags parameter.
> What I need is to suspend every process that is being created - in kernel mode.
> Meaning, the first thread is suspended immediately before it starts to run.
FYI, CreateProcess() is just a Win32 API function that makes multiple calls to the native API in order to create a Win32 process. Process creation includes at least 5 steps and, hence, 5 system calls:

1. Opening the target image file
2. Creating an executable section that is backed up by the above mentioned file
3. Creating a process that is based upon the above mentioned section. It does not yet have any threads in it - for the time being this is just an address space with the executable file image, as well as NTDLL.DLL, mapped to it.
4. Creating the primary thread of the process, which is created in an initially suspended state.
5. Informing the Win32 subsystem about the newly created process

Only at this point may the primary thread of a newly-created process be allowed to run, and this is when CREATE_SUSPENDED may come into play.

As you can see, your question simply does not make sense in itself, because, from the kernel's perspective, this is just a sequence of system calls.
Anton Bassov