Hello,
I use KeStackAttachProcess to map the handle in the user-mode process context, but I’m afraid the process could be terminated (and the attached thread as well) before reaching KeUnstackDetachProcess. Is there a way how to protect the code between KeStackAttachProcess / KeUnstackDetachProcess?
thanks,
Petr
Petr Kurtin wrote:
I use KeStackAttachProcess to map the handle in the user-mode
process context, but I’m afraid the process could be terminated (and the
attached thread as well) before reaching KeUnstackDetachProcess. Is
there a way how to protect the code between KeStackAttachProcess /
KeUnstackDetachProcess?
Wouldn’t it be enough to reference the target process object as well as
the thread object (i.e. increase the reference count). This should keep
the system from destroying the object.
However, I would wonder if KeStackAttachProcess wouldn’t increase the
reference count itself or use some other kind of locking mechanism. At
least the potential for deadlocks - as described in the DDK - suggests
this for me.
Oliver
Sounds like the NtInsider made its way to Europe. Funny, I read about the same stuff today.
/Daniel
“Petr Kurtin” wrote in message news:xxxxx@ntdev…
Hello,
I use KeStackAttachProcess to map the handle in the user-mode process context, but I’m afraid the process could be terminated (and the attached thread as well) before reaching KeUnstackDetachProcess. Is there a way how to protect the code between KeStackAttachProcess / KeUnstackDetachProcess?
thanks,
Petr