Getting the Thread Context of a ring3 application

Hello OSR list,

I set up a PsSetCreateProcessNotifyRoutine().
When this callback gets control, I can obtain
the EPROCESS and the thread ID with
PsLookupProcessByProcessId( ParentId, &ProcessPtr);
PsGetCurrentThreadId();
Is it possible to obtain the whole register set of the ring3
process (ParentId) with this information?

I found this function in the kernel exports:
PsGetContextThread()
but I think there is no documentation about it.

How can a ring0 debugger like Syser or SoftICE read these values?
With a user-mode part which uses the Win32 debug API?

I hope somebody can give me a hint, thanks a lot.

Well …

The question is why? Tell us why you want to do that and perhaps
we can give you a better answer, since, typically, what you asked is best
left to the HAL.

And … is a bit rude when the rest of us are not shy about using our
names.

Gary

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of …
Sent: Sunday, May 15, 2005 12:58 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Getting the Thread Context of a ring3 application

