DownWithUp/ProcessStateChangeTests.c

## ProcessStateChangeTests.c
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>

// Looking at the disassembly, Unknown must be 0?
typedef NTSTATUS (__fastcall* NtCreateProcessStateChange)(OUT PHANDLE StateChangeHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE ProcessHandle, IN INT Unknown);

/*
    New type of object (and therefore handle) type PspProcessStateChangeType
    If wanting to suspend/resume:
    Unknown1, Unknown2, and Unknown3 must be 0
    Action must be set to 1 for suspend, 2 for resume
*/
typedef NTSTATUS(__fastcall* NtChangeProcessState)(IN HANDLE StateChangeHandle, IN HANDLE ProcessHandle, IN ULONG Action, IN ULONG64 Unknown1, IN ULONG64 Unknown2, IN ULONG64 Unknown3);

void main()
{
    NtCreateProcessStateChange	pNtCreateProcessStateChange;
    NtChangeProcessState        pNtChangeProcessState;
    PROCESS_INFORMATION         procInfo;
    STARTUPINFOA                startInfo;
    NTSTATUS                    ntRet;
    HMODULE                     hNtdll;
    HANDLE                      hStateChange;

    hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll)
    {
        pNtCreateProcessStateChange = GetProcAddress(hNtdll, "NtCreateProcessStateChange");
        if (pNtCreateProcessStateChange)
        {
            ZeroMemory(&startInfo, sizeof(startInfo));
            startInfo.cb = sizeof(startInfo);
            if (CreateProcessA("C:\\Windows\\System32\\notepad.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &startInfo, &procInfo))
            {
                CloseHandle(procInfo.hThread);
                printf("[i] Created process with PID: %d\n", procInfo.dwProcessId);
                ntRet = pNtCreateProcessStateChange(&hStateChange, MAXIMUM_ALLOWED, NULL, procInfo.hProcess, 0);
                printf("[i] NtCreateProcessStateChange returned: 0x%X\n", ntRet);
                printf("[.] Press [ENTER] to suspend\n");
                getchar();
                pNtChangeProcessState = GetProcAddress(hNtdll, "NtChangeProcessState");
                if (pNtChangeProcessState)
                {
                    ntRet = pNtChangeProcessState(hStateChange, procInfo.hProcess, 1, 0, 0, 0);
                    printf("[i] NtChangeProcessState returned: 0x%X\n", ntRet);
                    printf("[.] Press [ENTER] to resume\n");
                    getchar();
                    ntRet = pNtChangeProcessState(hStateChange, procInfo.hProcess, 2, 0, 0, 0);
                    printf("[i] NtChangeProcessState returned: 0x%X\n", ntRet);
                }
                printf("[.] Press [ENTER] to exit the program\n");
                getchar();
                CloseHandle(procInfo.hProcess);
                CloseHandle(hStateChange);
                ExitProcess(0);
            }
        }
    }
    ExitProcess(-1);
}
	#include <Windows.h>
	#include <winternl.h>
	#include <stdio.h>

	// Looking at the disassembly, Unknown must be 0?
	typedef NTSTATUS (__fastcall* NtCreateProcessStateChange)(OUT PHANDLE StateChangeHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE ProcessHandle, IN INT Unknown);

	/*
	New type of object (and therefore handle) type PspProcessStateChangeType
	If wanting to suspend/resume:
	Unknown1, Unknown2, and Unknown3 must be 0
	Action must be set to 1 for suspend, 2 for resume
	*/
	typedef NTSTATUS(__fastcall* NtChangeProcessState)(IN HANDLE StateChangeHandle, IN HANDLE ProcessHandle, IN ULONG Action, IN ULONG64 Unknown1, IN ULONG64 Unknown2, IN ULONG64 Unknown3);

	void main()
	{
	NtCreateProcessStateChange pNtCreateProcessStateChange;
	NtChangeProcessState pNtChangeProcessState;
	PROCESS_INFORMATION procInfo;
	STARTUPINFOA startInfo;
	NTSTATUS ntRet;
	HMODULE hNtdll;
	HANDLE hStateChange;

	hNtdll = GetModuleHandleA("ntdll.dll");
	if (hNtdll)
	{
	pNtCreateProcessStateChange = GetProcAddress(hNtdll, "NtCreateProcessStateChange");
	if (pNtCreateProcessStateChange)
	{
	ZeroMemory(&startInfo, sizeof(startInfo));
	startInfo.cb = sizeof(startInfo);
	if (CreateProcessA("C:\\Windows\\System32\\notepad.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &startInfo, &procInfo))
	{
	CloseHandle(procInfo.hThread);
	printf("[i] Created process with PID: %d\n", procInfo.dwProcessId);
	ntRet = pNtCreateProcessStateChange(&hStateChange, MAXIMUM_ALLOWED, NULL, procInfo.hProcess, 0);
	printf("[i] NtCreateProcessStateChange returned: 0x%X\n", ntRet);
	printf("[.] Press [ENTER] to suspend\n");
	getchar();
	pNtChangeProcessState = GetProcAddress(hNtdll, "NtChangeProcessState");
	if (pNtChangeProcessState)
	{
	ntRet = pNtChangeProcessState(hStateChange, procInfo.hProcess, 1, 0, 0, 0);
	printf("[i] NtChangeProcessState returned: 0x%X\n", ntRet);
	printf("[.] Press [ENTER] to resume\n");
	getchar();
	ntRet = pNtChangeProcessState(hStateChange, procInfo.hProcess, 2, 0, 0, 0);
	printf("[i] NtChangeProcessState returned: 0x%X\n", ntRet);
	}
	printf("[.] Press [ENTER] to exit the program\n");
	getchar();
	CloseHandle(procInfo.hProcess);
	CloseHandle(hStateChange);
	ExitProcess(0);
	}
	}
	}
	ExitProcess(-1);
	}