map from thread id to ethread pointer

In kernel space, how does one map from a thread id to an ethread pointer?

In a kernel driver, I have set up a routine to get a callback on thread
creation using PsSetCreateThreadNotifyRoutine(). When my routine is
invoked, it is called with ProcessId & ThreadId (and a boolean create,
which is true on creation & false on termination). I would like to
get access at that point to the ethread associated with the thread
id argument. Softice knows how to do this, in the sense that the output
from the “thread” command in softice includes this newbie ThreadId with
its corresponding ethread (KTEB).

I can easily get the thread id & ethread associated with a currently
running thread, using PsGetCurrentThreadId() & PsGetCurrentThread(),
but the ThreadId with which the callback routine is called at creation
time is never the currently active thread (which makes sense to me,
system hasn’t cranked up this new thread yet).

Thanks in advance! I’m totally stumped, anne

Hello,

You can use the ZwOpenThread/NtOpenThread function to get a
handle to the thread from the thread id. Then you can
use the ObReferenceObjectByHandle function to reach the
KTEB.

-Prasad


=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698



You can use the following three routines:

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);

NTKERNELAPI
NTSTATUS
PsLookupThreadByThreadId (
IN HANDLE ThreadId,
OUT PETHREAD *Thread
);

NTKERNELAPI
NTSTATUS
PsLookupProcessThreadByCid (
IN PCLIENT_ID ClientId,
OUT PEPROCESS *Process OPTIONAL,
OUT PETHREAD *Thread
);

But there are some headaches.
I will send you some sample code if you want.

Paul

-----Original Message-----
From: Prasad Dabak [SMTP:xxxxx@yahoo.com]
Sent: 1 July 2000 21:33
To: NT Developers Interest List
Subject: [ntdev] Re: map from thread id to ethread pointer



You are currently subscribed to ntdev as: xxxxx@sodatsw.cz
To unsubscribe send a blank email to $subst(‘Email.Unsub’)
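
The two answers above describe the same job from two directions: Paul's direct CID lookup with PsLookupThreadByThreadId, and Prasad's detour through ZwOpenThread plus ObReferenceObjectByHandle. The driver fragment below is an added example written for this page, not code posted by anne, Prasad or Paul; it shows both routes inside a PsSetCreateThreadNotifyRoutine callback and, more importantly, the reference-count discipline both of them require. It builds with the WDK as part of a driver. Assumptions: the ZwOpenThread prototype (exported by ntoskrnl but not in the public headers), the local fallback definition of THREAD_QUERY_INFORMATION, and the minimal DriverEntry/unload skeleton.

```c
/* Added example, not code from this thread: resolve the ThreadId handed to a
 * PsSetCreateThreadNotifyRoutine callback into a referenced ETHREAD both ways
 * discussed above. Builds with the WDK inside a driver; the DriverEntry/unload
 * skeleton at the bottom is minimal and assumed. */
#include <ntddk.h>

#ifndef THREAD_QUERY_INFORMATION
#define THREAD_QUERY_INFORMATION 0x0040   /* standard value; absent from some ntddk.h */
#endif

/* ZwOpenThread is exported by ntoskrnl but not declared in the public headers;
 * this prototype is the conventional one (assumption). */
NTSYSAPI NTSTATUS NTAPI ZwOpenThread(
    _Out_ PHANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_opt_ PCLIENT_ID ClientId);

/* Route A (Paul): direct CID lookup. On success *Thread carries a reference
 * that the caller must release with ObDereferenceObject. */
static NTSTATUS
LookupThreadDirect(_In_ HANDLE ThreadId, _Out_ PETHREAD *Thread)
{
    *Thread = NULL;
    return PsLookupThreadByThreadId(ThreadId, Thread);   /* STATUS_INVALID_CID if no such thread */
}

/* Route B (Prasad): open a kernel handle by CLIENT_ID, convert it to an object
 * pointer, close the handle. Also leaves exactly one reference on *Thread. */
static NTSTATUS
LookupThreadViaHandle(_In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _Out_ PETHREAD *Thread)
{
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid;
    HANDLE hThread = NULL;
    NTSTATUS status;

    *Thread = NULL;
    cid.UniqueProcess = ProcessId;
    cid.UniqueThread  = ThreadId;
    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
     * table, so user code in that process can neither use nor close it. */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenThread(&hThread, THREAD_QUERY_INFORMATION, &oa, &cid);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    status = ObReferenceObjectByHandle(hThread, THREAD_QUERY_INFORMATION, *PsThreadType,
                                       KernelMode, (PVOID *)Thread, NULL);
    ZwClose(hThread);   /* the object reference, not the handle, keeps *Thread valid */
    return status;
}

/* Runs in the creating thread's context when Create is TRUE, so
 * PsGetCurrentThread() is the creator, not the thread named by ThreadId. */
static VOID
ThreadNotify(_In_ HANDLE ProcessId, _In_ HANDLE ThreadId, _In_ BOOLEAN Create)
{
    PETHREAD direct = NULL, viaHandle = NULL;
    NTSTATUS status;

    status = LookupThreadDirect(ThreadId, &direct);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ThreadNotify: lookup %p:%p failed 0x%08X\n", ProcessId, ThreadId, status);
        return;
    }
    if (NT_SUCCESS(LookupThreadViaHandle(ProcessId, ThreadId, &viaHandle))) {
        ASSERT(viaHandle == direct);          /* both routes name the same ETHREAD */
        ObDereferenceObject(viaHandle);
    }
    DbgPrint("ThreadNotify: %s pid=%p tid=%p ETHREAD=%p current=%p\n",
             Create ? "create" : "exit", ProcessId, ThreadId, direct, PsGetCurrentThread());
    /* Every successful lookup took a reference; leaking it pins the ETHREAD forever. */
    ObDereferenceObject(direct);
}

static VOID
DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveCreateThreadNotifyRoutine(ThreadNotify);
}

NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetCreateThreadNotifyRoutine(ThreadNotify);
}
```

Two points a practitioner should take from this. First, both routes hand back a pointer with a reference already taken on it; that reference is what makes the ETHREAD safe to touch, and it is the caller's job to drop it with ObDereferenceObject, or the object is never reclaimed. If the driver wants to remember the thread beyond the callback, it should keep the referenced pointer and dereference it later, never a bare pointer keyed by thread id, because ids are recycled. Second, treat a failed lookup in the exit notification (Create == FALSE) as a normal outcome and skip the work rather than assuming the id still names a live thread.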