Problem with NtSuspendThread.

Hello all,

I am having a problem with the NtSuspendThread() function from within my
file filter driver. I am developing and testing it on Windows XP.

I have written a user mode app which can dynamically load and unload the
driver, but when I have a call to NtSuspendThread() in my driver, even
though I am not actually calling it, I can no longer load the driver.

I am getting the following error:

“The specified procedure could not be found.”

Does anyone have any idea what I might have done wrong?

I have declared the function as follows:

NTSYSAPI NTSTATUS NTAPI NtSuspendThread(IN HANDLE ThreadHandle, OUT PLONG
SuspendCount OPTIONAL);

Thanks in advance,

Dave

Neither NtSuspendThread nor PsSuspendThread
is exported by the kernel. In fact I wonder
how you even built the driver. No linker errors?

L.

Hello Ladislav,

Thanks for the reply, it built without any errors at all so I assumed it
would work.

Is there any way I can suspend a thread/process from within my driver?

I am very new to driver writing so I am sorry if this is a dumb question.

Thanks again.

Dave


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@blueyonder.co.uk To
unsubscribe send a blank email to xxxxx@lists.osr.com

Only FltMgr-based filters can be dynamically unloaded. The others - cannot.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Dave Wilkes”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, August 02, 2005 12:34 PM
Subject: [ntfsd] Problem with NtSuspendThread.


Suspending a thread is a very bad idea. It causes deadlocks if the thread
owns some locks.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Dave Wilkes”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, August 02, 2005 12:59 PM
Subject: Re: [ntfsd] Problem with NtSuspendThread.


> Is there any way I can suspend a thread/process from within my driver?

Probably not a simple one. No thread-suspending function
I know of can do it from the kernel. Even NtSetInformationThread
does not have any thread info class for doing this…

You will probably have to do this from the user mode,
after notification from the driver.

L.

Thanks Maxim,

I am using a mini-filter driver based on the minispy example with the IFS
kit so it is a FltMgr based driver.

It is only failing to load when I use NtSuspendThread().

Dave

Hello,

Thanks very much for the replies so far.

Basically I want to detect an app as running, suspend its main thread
until I decide (user mode app) whether the app can continue or not then
get the driver to allow it or kill it.

Ladislav has stated that I can only do it from user mode which is probably
ok for what I am writing, but my boss really wanted the process stopping
BEFORE any CPU time has been given to the app.

I am not even sure yet if this is possible.

Dave

> Suspending a thread is a very bad idea. It causes deadlocks if the thread
> owns some locks.

Yes, even in user mode. The only safe way to suspend thread
is to tell it that it should suspend itself. Of course this cannot
be done for third party applications.

> It is only failing to load when I use NtSuspendThread().

You may prove it if you use DEPENDS.exe against your SYS
file, it will show you all the imports and also the missing ones.

L.
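The check Ladislav suggests (DEPENDS.exe against the .sys) can be reproduced offline. What follows is an added example, not code from the thread or from any of its participants: a small standard-library Python parser that walks a PE file's import directory the way the loader does, lists the imports per module, and flags any name that a target module is known not to export. The export lists and the sample driver image are constructed here for the demonstration (partial, illustrative sets; a real check would take the export table of the target OS's ntoskrnl.exe from dumpbin /exports or DEPENDS.exe). A driver that imports NtSuspendThread from ntoskrnl.exe shows up as unresolvable, which is exactly why the loader reports that the specified procedure could not be found.

```python
import struct

# Constructed, partial export lists for this demonstration (not read from a real
# ntoskrnl.exe/hal.dll); a real check would use the target OS's export tables.
KNOWN_EXPORTS = {"ntoskrnl.exe": {"PsSetCreateProcessNotifyRoutine", "ExAllocatePoolWithTag",
                                  "KeWaitForSingleObject", "PsGetCurrentProcessId"},
                 "hal.dll": {"KeGetCurrentIrql"}}

def _cstr(data, off):  # NUL-terminated ASCII string at file offset off
    return data[off:data.index(b"\0", off)].decode("ascii")

def _rva_to_off(sections, rva):  # map an RVA to a file offset through the section table
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is outside every section" % rva)

def pe_imports(data):
    """Return {module (lower-case): [imported symbol, ...]} for a PE32/PE32+ file."""
    data = bytes(data)
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off, thunk_fmt = {0x10B: (96, "<I"), 0x20B: (112, "<Q")}[magic]  # PE32 / PE32+ layouts
    ndirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0] if ndirs >= 2 else 0  # dir 1
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:] for i in range(nsec)]
    result = {}
    if imp_rva == 0:
        return result                                               # no import table at all
    tsize = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (tsize * 8 - 1)
    off = _rva_to_off(sections, imp_rva)
    while True:                                                     # IMAGE_IMPORT_DESCRIPTOR walk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                                   # all-zero terminator
        names, t = [], _rva_to_off(sections, oft or ft)             # name table (IAT if no OFT)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, t)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("#%d" % (entry & 0xFFFF))              # import by ordinal
            else:                                                   # IMAGE_IMPORT_BY_NAME: hint, name
                names.append(_cstr(data, _rva_to_off(sections, entry) + 2))
            t += tsize
        result[_cstr(data, _rva_to_off(sections, name_rva)).lower()] = names
        off += 20
    return result

def missing_imports(data, known_exports=KNOWN_EXPORTS):
    """Imports the named module is known not to export; modules without a list are skipped."""
    missing = {}
    for dll, names in pe_imports(data).items():
        if dll in known_exports:
            bad = [n for n in names if n not in known_exports[dll]]
            if bad:
                missing[dll] = bad
    return missing

def build_sample_image(imports):
    """Construct a minimal PE32 file whose one section holds only an import table (test fixture)."""
    sec_rva, sec_raw = 0x1000, 0x200
    blob = bytearray(20 * (len(imports) + 1))                       # descriptor table, patched below
    descs = []
    for dll, names in imports.items():
        name_rva = sec_rva + len(blob)
        blob += dll.encode() + b"\0"
        hints = []
        for n in names:
            hints.append(sec_rva + len(blob))
            blob += struct.pack("<H", 0) + n.encode() + b"\0"       # IMAGE_IMPORT_BY_NAME
        blob += bytes(-len(blob) % 4)
        thunks = b"".join(struct.pack("<I", h) for h in hints) + bytes(4)
        oft, ft = sec_rva + len(blob), sec_rva + len(blob) + len(thunks)
        blob += thunks + thunks                                     # name table, then IAT copy
        descs.append((oft, name_rva, ft))
    for i, (oft, name_rva, ft) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, oft, 0, 0, name_rva, ft)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * (len(imports) + 1))  # import directory
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), sec_rva, len(blob), sec_raw,
                      0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + bytes(opt) + sec
    return hdr + bytes(sec_raw - len(hdr)) + bytes(blob)

if __name__ == "__main__":
    img = build_sample_image({"ntoskrnl.exe": ["PsSetCreateProcessNotifyRoutine", "NtSuspendThread"]})
    print(pe_imports(img), missing_imports(img))   # second value: {'ntoskrnl.exe': ['NtSuspendThread']}
```

To run it against a real driver, pass the bytes of the .sys file to pe_imports(); anything listed under ntoskrnl.exe that the kernel's export table does not contain will fail at load time with the same error Dave saw, since the loader resolves kernel imports exactly like DEPENDS.exe displays them.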

Greetings mortal, Dave!
You wrote on Tue, 2 Aug 2005 10:25:48 +0100 (BST):

DW> Basically I want to detect an app as running, suspend its main
DW> thread until I decide (user mode app) whether the app can continue
DW> or not then get the driver to allow it or kill it.

DW> Ladislav has stated that I can only do it from user mode which is
DW> probably ok for what I am writing, but my boss really wanted the
DW> process stopping
DW> BEFORE any CPU time has been given to the app.

Yes… It is what I already spoke about.

DW> I am not even sure yet if this is possible.

It is possible, but not this way.

Eugene.

Hello Eugene,

Thanks for your reply,

You say that my approach is not possible, could you please expand on that
or at least suggest an alternative.

Thanks in advance for any help you can give,

Dave


Greetings mortal, Dave!
You wrote on Tue, 2 Aug 2005 11:55:03 +0100 (BST):

DW> You say that my approach is not possible, could you please expand on
DW> that or at least suggest an alternative.

A notification is not a place where you should make a decision. It is good for logging,
tracing, profiling etc. There is one legal way to achieve your goal: a filtering
file system. You should intercept the file open, check it against your rules and make a
decision. Post-create is the best place. At this moment you already have the open file, but
for the OS it does not exist yet. You can read its contents (header, hash etc). You can close
it (IoCancelFileOpen) and return (actually set in the IRP) an appropriate error code
(STATUS_ACCESS_DENIED). The user will see a standard message.

That is the theory. Grab the sfilter example (look at FileSpy too) from the IFS Kit and try. If
your task is for XP+ platforms, try to use a minifilter.

Eugene.

Warning, we have already told Eugene that the logic to do this is incredibly
complex and getting even one piece wrong is going to screw up the whole
system. You can handle this for most things in the notification callback,
just pend the callback till you make your decision, which will pend the
execution of the module being loaded.

If you follow Eugene’s method, please be aware that the folks on this news
group are pretty good at letting the industry know to never buy a product
from your company, or hire you.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Eugene Lomovsky” wrote in message news:xxxxx@ntfsd…

Pass the app’s thread through the path where it will wait on event, and
close the event.

This is better then suspend, since you know exactly where your thread is.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Dave Wilkes”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, August 02, 2005 1:25 PM
Subject: Re: [ntfsd] Problem with NtSuspendThread.


Yes, and NtSuspendThread is really sending an interesting APC to the
thread.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Ladislav Zezula”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, August 02, 2005 1:17 PM
Subject: Re: [ntfsd] Problem with NtSuspendThread.


Greetings mortal, Don!
You wrote on Tue, 2 Aug 2005 08:49:37 -0400:

DB> Warning, we have already told Eugene that the logic to do this is

Who are “we”? :)) It seems to be only you. (BTW, Maxim is the first person who pointed this way.)

DB> incredibly complex and getting even one piece wrong, is going to
DB> screw up the whole system. You can handle this for most things in

If you are not unwise, you will not screw up the whole system (I think one warning is
enough, but why do you post it in every msg?). After installing SP2 on XP a lot of
applications screwed up, and so what?

DB> the notification callback, just pend the callback till you make
DB> your descision, which will pend the executuon of the module being
DB> loaded.

DB> If you follow Eugene’s method, please be aware that the folks on
DB> this news group are pretty good at letting the industry know to
DB> never buy a product from you company, or hire you.

Oh no! I shall go and drink poison. :-)

PS: Once again. Software with such functionality is not for common users; it is intended
for a very, very special purpose.
PPS: As for me, I would much rather put the updates into the source of the OS than
“set in crutches”, but that is available only on unix-like systems…

Eugene.

Eugene,

You object to the recommendation against your approach, then
specifically state “such a functionality is not for common users”. My
posting was to point out to the OP that using such a complex and dangerous
method will get him in a lot of trouble.

You have been cautioned about your approach by every respondent to the
“Beginners question” thread, yet you insist on following a design that will
make the system unstable. That is your choice, but when you start
recommending to others that they follow your lead, they need to be aware of
the problems.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Eugene Lomovsky” wrote in message news:xxxxx@ntfsd…

> enough, but what for you post it in every msg?). After installing SP2 on XP a lot of
> applications screwed up and what?

Not “a lot”. A minor number.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Greetings, Maxim!
You wrote on Wed, 3 Aug 2005 17:28:39 +0400:

>> enough, but what for you post it in every msg?). After installing SP2 on XP a lot of
>> applications screwed up and what?

MSS> Not “a lot”. A minor number.

http://support.microsoft.com/default.aspx?scid=kb;en-us;884130

Eugene.

The wonderful thing about terms like “a lot” is that it is so
delightfully imprecise. Some people might consider 2 dozen applications
to be unacceptable (and if you run one or more of those applications and
it stops working then it IS unacceptable) but others will think those
applications “got what they had coming”.

Did you notice that many of them failed because they had stack-executing
code?

That IS a cost of increasing security. There are legitimate
applications that use techniques now considered to be highly suspect.
*I* consider eliminating stack execution to be worth the cost of
breaking applications, even those that I use. Other people might not
agree with that assessment. Bottom line? The decision belongs to
Microsoft - it is their operating system. We can argue the merits of
their decision, but we can’t do anything to undo it.

In 64-bit Windows XP and Server 2003, it is no longer possible to hook
system calls. I consider this to be a Good Thing. The last time I had
to use this technique in a real product was NT 3.51. Today, there’s a
different mechanism to achieve the same thing, so I wouldn’t do it. But
it WILL break applications. Again, I consider the “loss” of the ability
to hook system calls no loss at all. Applications that break because of
it were defective in the first place.

Harsh? Probably, but such is the cost of security - as you no doubt
know given the previous postings you’ve made in this thread.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Eugene Lomovsky
Sent: Thursday, August 04, 2005 8:08 AM
To: ntfsd redirect
Subject: Re:[ntfsd] Problem with NtSuspendThread.
