__ntapi_tt_spawn_foreign_process(): optionally use kernel32 as the backend.

1 files changed, 9 insertions, 1 deletions

diff --git a/src/process/ntapi_tt_spawn_native_process.c b/src/process/ntapi_tt_spawn_native_process.c
index 1458e78..ae62d35 100644
--- a/src/process/ntapi_tt_spawn_native_process.c
+++ b/src/process/ntapi_tt_spawn_native_process.c
@@ -67,6 +67,7 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 	void *				hchild[2];
 	uint32_t			written;
 	wchar16_t *			imgbuf;
+	uint32_t			fsuspended;
 
 	/* rtctx (convenience) */
 	rtctx = sparams->rtctx;
@@ -229,6 +230,13 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 				&rtblock,0,0,status);
 	}
 
+	/* process flags */
+	if (sparams->processflags & NT_PROCESS_CREATE_FLAGS_CREATE_THREAD_SUSPENDED)
+		fsuspended = NT_CREATE_SUSPENDED;
+
+	else if (sparams->threadflags & NT_CREATE_SUSPENDED)
+		fsuspended = NT_CREATE_SUSPENDED;
+
 	/* cparams */
 	__ntapi->tt_aligned_block_memset(
 		&cparams,0,sizeof(cparams));
@@ -293,7 +301,7 @@ int32_t __stdcall __ntapi_tt_spawn_native_process(nt_spawn_process_params * spar
 		sizeof(nt_pbi));
 
 	/* create suspended? */
-	if (sparams->fsuspended)
+	if (fsuspended)
 		return __tt_spawn_return(
 			&rtblock,0,0,NT_STATUS_SUCCESS);