The thread notify callback for PsSetCreateThreadNotifyRoutine can run at either PASSIVE or APC. I need to call ZwQueryInformationThread on thread creation to capture thread start address information; however, ZwQueryInformationThread must be called at PASSIVE only. What are my options here to avoid a BSOD if my notification callback gets called at APC? Can I just queue a work item and pass the process and thread ID to the work item routine and call ZwQueryInformationThread at that point? I guess in that case you'd have to just hope the thread hadn't already exited before the work item executed?