I’m looking for descriptions for PETHREAD & PEPROCESS.
More concrete, where is CONTEXT inside _ETHREAD …
Thanks for help,
Michael.
You cannot rely on it being in the same place, from version to version so
trying to use it is a fool's errand. Poking in ETHREAD and EPROCESS is
always a great way to crash the system. Now if you are just debugging look
at the dt command.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply
“Grabelkovsky, Michael” wrote in message
news:xxxxx@ntdev…
I’m looking for descriptions for PETHREAD & PEPROCESS.
More concrete, where is CONTEXT inside _ETHREAD …
Thanks for help,
Michael.
For what? This can change with a security hotfix for a kernel.
To print the layout for a particular kernel, connect WinDbg to it and say:
dt _ETHREAD
dt _EPROCESS
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
“Grabelkovsky, Michael” wrote in message
news:xxxxx@ntdev…
I’m looking for descriptions for PETHREAD & PEPROCESS.
More concrete, where is CONTEXT inside _ETHREAD …
Thanks for help,
Michael.
Perhaps my memory is failing me, but I don’t believe that there is a
CONTEXT structure contained directly in an ETHREAD/KTHREAD, unless
you’re counting some of the pointers inside of the various APC structures,
KPRCB, perhaps in the referenced user mode portions (for those processes
that have them), or maybe KTRAP_FRAME, but I kind of doubt that these
are what you seek. What is it you are trying to accomplish? As it has
already been mentioned (correctly) that KPROCESS does tend to change, I
don’t really care whether your reasons are good, bad or otherwise, but
if you provide some details, we might be able to help.
mm
>> xxxxx@storagecraft.com 2007-02-23 11:21 >>>
For what? This can change with a security hotfix for a kernel.
To print the layout for a particular kernel, connect WinDbg to it
and say:
dt _ETHREAD
dt _EPROCESS
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
“Grabelkovsky, Michael” wrote in message
news:xxxxx@ntdev…
I’m looking for descriptions for PETHREAD & PEPROCESS.
More concrete, where is CONTEXT inside _ETHREAD …
Thanks for help,
Michael.
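An added illustration of the point made in the replies, not part of any poster's message: a Python script that parses `dt` output pasted from two kernel builds and reports which fields moved. The two sample layouts, their offsets, the field `NewField`, and the helper names `parse_dt` and `diff_layouts` are constructed for this example.

```python
import re

# A field line of WinDbg `dt` output looks like:
#    +0x1c0 CreateTime       : _LARGE_INTEGER
FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")

def parse_dt(text):
    """Return {field_name: (offset, type_string)} from pasted `dt` output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:  # prompt lines and blank lines do not match and are skipped
            fields[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return fields

def diff_layouts(old, new):
    """List (name, change, old_offset, new_offset) for every field that differs."""
    changes = []
    for name in sorted(old.keys() | new.keys()):
        if name not in new:
            changes.append((name, "removed", old[name][0], None))
        elif name not in old:
            changes.append((name, "added", None, new[name][0]))
        elif old[name][0] != new[name][0]:
            changes.append((name, "moved", old[name][0], new[name][0]))
        elif old[name][1] != new[name][1]:
            changes.append((name, "retyped", old[name][0], new[name][0]))
    return changes

# Constructed samples: offsets are invented and match no real kernel build.
BUILD_A = """kd> dt nt!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x1c0 CreateTime       : _LARGE_INTEGER
   +0x1ec Cid              : _CLIENT_ID
   +0x224 StartAddress     : Ptr32 Void
"""
BUILD_B = """kd> dt nt!_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x1b8 CreateTime       : _LARGE_INTEGER
   +0x1e4 Cid              : _CLIENT_ID
   +0x1f0 NewField         : Uint4B
   +0x224 StartAddress     : Ptr32 Void
"""

if __name__ == "__main__":
    for name, change, old_off, new_off in diff_layouts(parse_dt(BUILD_A), parse_dt(BUILD_B)):
        fmt = lambda o: "-" if o is None else hex(o)
        print(f"{name:<16}{change:<9}{fmt(old_off):>7} -> {fmt(new_off)}")
```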