Native API

Hi guys,

I have some questions regarding Native API for NT4.0.

I have to get a thread handle from a thread id in user-mode and it seems
impossible.
(Even more than that, I have to control that thread, like
suspend/resume/terminate)

I've found in the KB that you can't do such a thing on Win NT4.0 (although you
can do it in Win2000 with OpenThread)

So I ran into NtOpenThread:

NTKERNELAPI NTSTATUS NtOpenThread (
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);
And also I’ve discovered NtResumeThread, NtSuspendThread, NtTerminateThread.

Here are the questions (first it’s a stupid one but I wanna be sure):

  1. Is any way to get in user-mode the handle for a thread from a given
    thread id?
  2. Can I pass the thread handle from kernel-mode driver to user-mode client
    using an IOCTL?
  3. Where I can find the signatures for those APIs ?
  4. How am I supposed to link to them? If I use ordinal numbers with a .def
    file, is that ok?

Any help is needed, because I'm in a pretty desperate situation.

Thanks in advance,
Mircea Avram (xxxxx@platform.com)


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hello Mircea,

  1. Yes. NtOpenThread will do it for you in pure usermode.
  2. Yes. However, notice a handle is only valid within the
    process where it's created (the handle that is). The DuplicateHandle
    function might do the trick if you have problems with this.
  3. Signatures? Hope this is what you mean

#if !defined(NTSYSTEM)
#define NTSYSAPI DECLSPEC_IMPORT
#define NTSYSCALLAPI DECLSPEC_IMPORT
#else
#define NTSYSAPI
#if defined(NTDLLBUILD)
#define NTSYSCALLAPI
#else
#define NTSYSCALLAPI DECLSPEC_ADDRSAFE
#endif

#endif

#define NTAPI __stdcall

NTSYSAPI
NTSTATUS
NTAPI
NtOpenThread (
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
NtSuspendThread (
IN HANDLE ThreadHandle,
OUT PLONG SuspendCount OPTIONAL
);

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateThread (
IN HANDLE ThreadHandle,
IN NTSTATUS ExitStatus
);

However, once you have the handle there is no reason not to use the
kernel32.dll SuspendThread() and TerminateThread().

The ultimate guide to the native API is Gary Nebbett's book on the
subject.

  4. Ordinals will work. But I won't recommend them; I wouldn't bet on
    them not changing between releases. How about using
    ntdll.lib? Alternatively, import them dynamically by name using
    GetProcAddress() (this way your program will run on Win9x too,
    although you won't be able to use these functions).

regards,
Anders Fogh

Friday, March 30, 2001, 8:27:56 AM, you wrote:

Best regards,
Anders mailto:xxxxx@flaffer.com



Thanks Anders,

that was really helpful.

Cheers, Mircea.

-----Original Message-----
From: Anders Fogh [mailto:xxxxx@flaffer.com]
Sent: Saturday, March 31, 2001 12:01 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Native API