Retrieve thread handle based on PETHREAD object

Hello,

I'm looking for a way to create/open a thread handle for a thread represented
by its PETHREAD object. I already tried to use the ObOpenObjectByPointer
function, but the handle returned by the call is reported as invalid by a further
call to ZwQueryInformationThread. I'm looking for a solution that will work on
all platforms starting from WinNT and will give me a thread handle that can be
used by functions like ZwQueryInformationThread.

ObOpenObjectByPointer is being called the following way:
ObOpenObjectByPointer( pThread, OBJ_KERNEL_HANDLE, 0, GENERIC_ALL, 0,
KernelMode, &hThread )
The call returns success.
I'm interested in knowing the thread ID and the process ID of the process that owns
the thread.

Thanks,
Alex



Where did you get the PETHREAD from?

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com


The PETHREAD object is taken from Irp->Tail.Overlay.Thread. We are talking
about a file system filter driver that intercepted an IRP_MJ_CREATE request context.

The same data field is used by the IoGetRequestorProcess API (it uses the
equivalent of an IoThreadToProcess function call inside).

Thanks,
Alex.


Hi mate

I tried to reproduce your problem on my XP SP2 machine, but failed - everything works perfectly well. Can it somehow happen that you just made some mistake in your call to ZwQueryInformationThread()??? Could you please show us your code?

Anton Bassov

Please try the following code with the Irp from an IRP_MJ_CREATE context.

#include <ntifs.h>

/*
 * THREAD_BASIC_INFORMATION is not defined in the public DDK kernel headers,
 * so it is declared here; ThreadBasicInformation (THREADINFOCLASS) comes from
 * ntddk.h. If your DDK does not prototype ZwQueryInformationThread either,
 * declare it locally as well.
 */
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS  ExitStatus;
    PVOID     TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;

/*
 * Returns the ID of the process that owns the thread which issued Irp.
 * Every failure path falls back to the current process ID.
 * HandleToUlong() replaces the plain (ULONG) casts so the code also builds
 * cleanly on 64-bit targets, where a HANDLE is wider than a ULONG.
 */
ULONG QueryProcessIdFromIrp( PIRP Irp )
{
    PETHREAD                 pThread;
    HANDLE                   hThread;
    THREAD_BASIC_INFORMATION Info;
    ULONG                    Size = 0;
    ULONG                    Result;
    NTSTATUS                 Status;
    PEPROCESS                pProcess;

    /* Zw* system services may only be called at PASSIVE_LEVEL. */
    if ( KeGetCurrentIrql() != PASSIVE_LEVEL )
        return HandleToUlong( PsGetCurrentProcessId() );

    /* The thread that issued the IRP, as recorded by the I/O manager. */
    pThread = Irp->Tail.Overlay.Thread;
    if ( !pThread )
        return HandleToUlong( PsGetCurrentProcessId() );

    /* Fast path: the IRP was issued by the thread we are running in. */
    if ( pThread == PsGetCurrentThread() )
        return HandleToUlong( PsGetCurrentProcessId() );

    /* Owning process of the issuing thread (the same lookup IoGetRequestorProcess does). */
    pProcess = IoThreadToProcess( pThread );
    if ( !pProcess || pProcess == PsGetCurrentProcess() )
        return HandleToUlong( PsGetCurrentProcessId() );

    /* Open a kernel handle to the thread so it can be passed to ZwQueryInformationThread. */
    Status = ObOpenObjectByPointer( pThread, OBJ_KERNEL_HANDLE, NULL,
                                    GENERIC_ALL, NULL, KernelMode, &hThread );
    if ( !NT_SUCCESS( Status ) )
        return HandleToUlong( PsGetCurrentProcessId() );

    Status = ZwQueryInformationThread( hThread, ThreadBasicInformation,
                                       &Info, sizeof(Info), &Size );
    if ( NT_SUCCESS( Status ) )
        Result = HandleToUlong( Info.ClientId.UniqueProcess );
    else
        Result = HandleToUlong( PsGetCurrentProcessId() );

    /* Always close the handle we opened, even when the query failed. */
    ZwClose( hThread );
    return Result;
}
