How to get thread handle?

Hello!

I’m writing a device driver from which I need to execute code in the
context of the Winlogon process, specifically in the context of one of its
threads. For this I have to queue a kernel mode APC to one of Winlogon’s
already-created threads but don’t know how to get the Winlogon thread list.
Does anyone know how to do this? Also, what’s the definition for
NtQueueApcThread?

Thanks ahead,

-Albert Almeida


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

I do not know of a documented way to get a Win32 handle to a thread that
your code didn’t create. You can enumerate threads in a process from
user mode with PSAPI, but that gives you back thread IDs and not
handles.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Albert Almeida
Sent: Wednesday, January 16, 2002 2:24 PM
To: NT Developers Interest List
Subject: [ntdev] How to get thread handle?

Hello!

I’m writing a device driver from which I need to execute code in the
context of the Winlogon process, specifically in the context of one of its
threads. For this I have to queue a kernel mode APC to one of Winlogon’s
already-created threads but don’t know how to get the Winlogon thread list.
Does anyone know how to do this? Also, what’s the definition for
NtQueueApcThread?

Thanks ahead,

-Albert Almeida



Is there anything wrong with doing OpenThread on the Thread ID you have?

Thread IDs are unique across the system (unlike handles, which are unique
only inside the process). In fact, thread IDs were introduced for thread
references across the process space.
How exactly you come by the target thread ID is another question. The ToolHelp
library can be an answer.

Be aware of the security issues - you might need to modify your security
token first.



OpenThread takes a thread ID and gives you a handle.

New to Win2K/WinMe.

On Fri, 18 Jan 2002, Owen T. Cunningham wrote:

I do not know of a documented way to get a Win32 handle to a thread that
your code didn’t create. You can enumerate threads in a process from
user mode with PSAPI, but that gives you back thread IDs and not
handles.



Peter xxxxx@inkvine.fluff.org
http://www.inkvine.fluff.org/~peter/

logic kicks ass:
(1) Horses have an even number of legs.
(2) They have two legs in back and fore legs in front.
(3) This makes a total of six legs, which certainly is an odd number of
legs for a horse.
(4) But the only number that is both odd and even is infinity.
(5) Therefore, horses must have an infinite number of legs.



Well I’ll be damned! Thanks Peter.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of PeterB
Sent: Friday, January 18, 2002 9:53 PM
To: NT Developers Interest List
Subject: [ntdev] RE: How to get thread handle?

OpenThread takes a thread ID and gives you a handle.

New to Win2K/WinMe.


OpenThread is supported since w2k.

Max

----- Original Message -----
From: “Owen T. Cunningham”
To: “NT Developers Interest List”
Sent: Saturday, January 19, 2002 12:33 AM
Subject: [ntdev] RE: How to get thread handle?

> I do not know of a documented way to get a Win32 handle to a thread that
> your code didn’t create. You can enumerate threads in a process from
> user mode with PSAPI, but that gives you back thread IDs and not
> handles.

> I’m writing a device driver from which I need to execute code in the
> context of the Winlogon process, specifically in the context of one of its
> threads. For this I have to queue a kernel mode APC to one of Winlogon’s
> already-created threads but don’t know how to get the Winlogon thread
> list. Does anyone know how to do this? Also, what’s the definition for
> NtQueueApcThread?

To enumerate the threads, use ToolHelp or PSAPI. You can do it with the native
API, but it is way harder.

If for some reason you can’t use Win32 API calls:

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

The info class you need is SystemProcessesAndThreadsInformation (5), you
have to pass as SystemInformation a buffer large enough to hold all the
SYSTEM_PROCESSES and the SYSTEM_THREADS structures you need to find
winlogon. They will be returned with this layout:

SYSTEM_PROCESSES // process entry for the first process
SYSTEM_THREADS // a thread entry for every thread in the process
SYSTEM_THREADS
SYSTEM_THREADS

SYSTEM_THREADS
SYSTEM_PROCESSES // process entry for the second process
SYSTEM_THREADS // a thread entry for every thread in the process

The number of threads (i.e. the number of elements in the following
SYSTEM_THREADS array) is in the field ThreadCount of every process entry, and
the array’s head is Threads[0]. If you simply want to skip all the threads
and go to the next process in the list, move the pointer by NextEntryDelta
bytes. WinLogon can be identified this way:

Idle
|
+- System
   |
   +- smss.exe
      |
      +- csrss.exe
      +- winlogon.exe
      +- os2ss.exe (optionally)
      +- psxss.exe (optionally)

That is: Idle is always pid 0, System is the only process inherited from
Idle, smss is the only process inherited from System, and of all the processes
inherited from smss the one with “winlogon” inside the name is WinLogon;
the others are the subsystems (I wish there was a cleaner way, though).

To open the thread:

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId
    );

You’ll need THREAD_SET_CONTEXT access to queue an APC. For the ClientId
parameter the process id is optional.

The prototype for NtQueueApcThread is:

NTSYSAPI
NTSTATUS
NTAPI
ZwQueueApcThread(
    IN HANDLE ThreadHandle,
    IN PKNORMAL_ROUTINE ApcRoutine,
    IN PVOID ApcContext OPTIONAL,
    IN PVOID Argument1 OPTIONAL,
    IN PVOID Argument2 OPTIONAL
    );

The APC routine must have this signature:

typedef VOID (NTAPI *PKNORMAL_ROUTINE)(PVOID ApcContext, PVOID Argument1, PVOID Argument2);


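An added worked example, not from any of the posters above, showing the part of this reply that is easy to get wrong: walking the SystemProcessesAndThreadsInformation buffer by NextEntryDelta and ThreadCount, and applying the Idle -> System -> smss -> "winlogon" identification rule. The SYSTEM_PROCESSES and SYSTEM_THREADS structures here are simplified stand-ins (an assumption: the real records are undocumented, carry many more fields and differ between NT versions), the snapshot is constructed in memory so the code runs offline on any C compiler, and the pids, names and thread ids in it are made up. It stops at finding the pid and first thread id; nothing is opened or queued.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the undocumented records (assumption: only the
 * fields the reply relies on are modelled; real layouts are larger). */
typedef struct { uint32_t UniqueProcess; uint32_t UniqueThread; } CLIENT_ID;

typedef struct {
    CLIENT_ID ClientId;        /* ClientId.UniqueThread is the thread id */
    uint32_t  State;
} SYSTEM_THREADS;

typedef struct {
    uint32_t NextEntryDelta;          /* bytes to the next process entry, 0 on the last */
    uint32_t ThreadCount;             /* number of SYSTEM_THREADS entries that follow */
    uint32_t ProcessId;
    uint32_t InheritedFromProcessId;  /* parent pid */
    char     ProcessName[16];         /* the real field is a UNICODE_STRING */
    SYSTEM_THREADS Threads[];         /* array head: Threads[0] .. Threads[ThreadCount-1] */
} SYSTEM_PROCESSES;

#define PID_NONE 0xFFFFFFFFu

/* Append one process entry and its thread entries at buf+off; returns the new length. */
static size_t add_process(uint8_t *buf, size_t off, uint32_t pid, uint32_t ppid,
                          const char *name, const uint32_t *tids, uint32_t n, int last)
{
    SYSTEM_PROCESSES hdr;
    size_t size = sizeof hdr + (size_t)n * sizeof(SYSTEM_THREADS);
    memset(&hdr, 0, sizeof hdr);
    hdr.NextEntryDelta = last ? 0 : (uint32_t)size;
    hdr.ThreadCount = n;
    hdr.ProcessId = pid;
    hdr.InheritedFromProcessId = ppid;
    strncpy(hdr.ProcessName, name, sizeof hdr.ProcessName - 1);
    memcpy(buf + off, &hdr, sizeof hdr);
    for (uint32_t i = 0; i < n; i++) {
        SYSTEM_THREADS t = { { pid, tids[i] }, 0 };
        memcpy(buf + off + sizeof hdr + i * sizeof t, &t, sizeof t);
    }
    return off + size;
}

/* First process whose parent is `parent` and whose name contains `needle`
 * (NULL matches any name). Walks the list by NextEntryDelta and refuses to
 * read past `len`, so a short buffer yields PID_NONE instead of an overrun. */
static uint32_t child_of(const uint8_t *buf, size_t len, uint32_t parent, const char *needle)
{
    size_t off = 0;
    for (;;) {
        if (off + sizeof(SYSTEM_PROCESSES) > len) return PID_NONE;
        const SYSTEM_PROCESSES *p = (const SYSTEM_PROCESSES *)(buf + off);
        if (p->ProcessId != parent && p->InheritedFromProcessId == parent &&
            (needle == NULL || strstr(p->ProcessName, needle) != NULL))
            return p->ProcessId;
        if (p->NextEntryDelta == 0) return PID_NONE;
        off += p->NextEntryDelta;
    }
}

/* The reply's rule: Idle is pid 0, System is Idle's only child, smss is
 * System's only child, and the smss child named "winlogon" is WinLogon. */
static uint32_t find_winlogon_pid(const uint8_t *buf, size_t len)
{
    uint32_t system = child_of(buf, len, 0, NULL);
    if (system == PID_NONE) return PID_NONE;
    uint32_t smss = child_of(buf, len, system, NULL);
    if (smss == PID_NONE) return PID_NONE;
    return child_of(buf, len, smss, "winlogon");
}

/* Thread id of Threads[0] of process `pid`, or 0 if absent or it has no threads. */
static uint32_t first_thread_id(const uint8_t *buf, size_t len, uint32_t pid)
{
    size_t off = 0;
    for (;;) {
        if (off + sizeof(SYSTEM_PROCESSES) > len) return 0;
        const SYSTEM_PROCESSES *p = (const SYSTEM_PROCESSES *)(buf + off);
        if (p->ProcessId == pid) {
            if (p->ThreadCount == 0 ||
                off + sizeof *p + p->ThreadCount * sizeof(SYSTEM_THREADS) > len) return 0;
            return p->Threads[0].ClientId.UniqueThread;
        }
        if (p->NextEntryDelta == 0) return 0;
        off += p->NextEntryDelta;
    }
}

/* Constructed sample snapshot; every pid, name and thread id is made up. */
static size_t build_sample(uint8_t *buf)
{
    const uint32_t idle_t[] = {4}, sys_t[] = {12, 16}, smss_t[] = {164},
                   csrss_t[] = {188, 192, 196}, wl_t[] = {212, 216}, svc_t[] = {264};
    size_t off = 0;
    off = add_process(buf, off, 0,   0,   "Idle",         idle_t,  1, 0);
    off = add_process(buf, off, 8,   0,   "System",       sys_t,   2, 0);
    off = add_process(buf, off, 160, 8,   "smss.exe",     smss_t,  1, 0);
    off = add_process(buf, off, 184, 160, "csrss.exe",    csrss_t, 3, 0);
    off = add_process(buf, off, 208, 160, "winlogon.exe", wl_t,    2, 0);
    off = add_process(buf, off, 260, 208, "services.exe", svc_t,   1, 1);
    return off;
}

int main(void)
{
    static uint32_t storage[256];        /* 4-byte aligned backing store */
    uint8_t *buf = (uint8_t *)storage;
    size_t len = build_sample(buf);
    uint32_t pid = find_winlogon_pid(buf, len);
    printf("winlogon pid %u, first thread id %u\n", pid, first_thread_id(buf, len, pid));
    return 0;
}
```

The bounds checks against `len` are the point a driver writer would want: the buffer handed back by ZwQuerySystemInformation is only as long as ReturnLength says, and a walk that trusts NextEntryDelta or ThreadCount without checking it reads past the allocation on a malformed or truncated snapshot.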