SystemThread

Hi.

I have just created a system thread and as my driver unloads I call ZwClose(hHandle); yet I am receiving Driver Unloaded without cancelling pending operations. I may have missed another line of code previously, but am I unloading the thread correctly?

Also when a thread does unload, does it stop at its immediate execution?

Thanks,

Calling ZwCloseHandle() just releases a reference to the thread object - it does not affect the target thread’s state in any possible way.

All system threads run in context of the so-called "system process", which is just a collection of all threads that have no UM representation. They have no relationship to any particular module’s lifetime/state whatsoever. Therefore, if thread has not yet been terminated by the time you unload a driver module and its EIP points to something that is supposed to be driver code, in actuality its EIP points to the middle of nowhere after driver module gets unloaded. This is why you get a bugcheck.

What you have to do here is to wait on thread object in DriverUnload()…

Anton Bassov

Thank you.

System threads cannot be terminated, they can only be gently asked to exit themselves.

Design such a mechanism for your driver. ZwClose is not such.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> Hi.
>
> I have just created a system thread and as my driver unloads I call ZwClose(hHandle); yet I am receiving Driver Unloaded without cancelling pending operations. I may have missed another line of code previously, but am I unloading the thread correctly?
>
> Also when a thread does unload, does it stop at its immediate execution?
>
> Thanks,
>
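
The shutdown order described in the replies above, as an added example that is not part of the original thread: a user-mode C model in which pthreads stand in for the kernel primitives (a flag for the stop event, `pthread_join` for the wait on the thread object). All names are constructed for illustration, and the kernel routines named in the comments are the assumed WDK counterparts of each step.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>

/* User-mode model (constructed): pthreads stand in for the kernel primitives. */
static atomic_int g_stop;         /* models the driver's stop KEVENT */
static atomic_int g_image_loaded; /* models "driver code is still mapped" */
static atomic_int g_fault;        /* set if the worker runs after unload */
static pthread_t  g_worker;       /* models the referenced thread object */

static void *worker_routine(void *arg)
{
    (void)arg;
    while (!atomic_load(&g_stop)) {        /* kernel: test/wait on the stop event */
        if (!atomic_load(&g_image_loaded))
            atomic_store(&g_fault, 1);     /* kernel: running unloaded code, bugcheck */
        sched_yield();                     /* one unit of "work" */
    }
    return NULL;                           /* kernel: PsTerminateSystemThread() */
}

static int start_worker(void)              /* kernel: PsCreateSystemThread() */
{
    atomic_store(&g_stop, 0);
    atomic_store(&g_image_loaded, 1);
    atomic_store(&g_fault, 0);
    return pthread_create(&g_worker, NULL, worker_routine, NULL);
}

/* Unload that only drops the handle: nothing tells the worker to stop. */
static int unload_close_handle_only(void)
{
    atomic_store(&g_image_loaded, 0);      /* DriverUnload returns, image goes away */
    while (!atomic_load(&g_fault))         /* worker is still running "driver code" */
        sched_yield();
    atomic_store(&g_stop, 1);              /* cleanup for the model only */
    pthread_join(g_worker, NULL);
    return atomic_load(&g_fault);          /* 1: worker outlived the image */
}

/* Unload that asks the worker to exit and waits on it before returning. */
static int unload_signal_and_wait(void)
{
    atomic_store(&g_stop, 1);              /* kernel: KeSetEvent(&StopEvent, ...) */
    pthread_join(g_worker, NULL);          /* kernel: KeWaitForSingleObject(thread object) */
    atomic_store(&g_image_loaded, 0);      /* safe: the thread has already exited */
    return atomic_load(&g_fault);          /* 0: worker never ran after unload */
}
```

The worker stops only where it checks the stop flag, so the unload path has to block until the join (the wait on the thread object) returns.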