I see checks of the address of nt!_KTHREAD against 0x3 in some NT functions. What significance do those lower 2 bits have?
Which functions?
In the kernel each allocation is 16-byte aligned, so the last 4 bits must be zero. In this case it would be checking the last 4-byte alignment. Which function are you looking at?
They encode something in the nt!_ERESOURCE with those lower two bits in the owner KTHREAD. Doran, can you comment on that?
Not sure if this helps but…
If the "locked owned by" field in an ERESOURCE has these bits set, it means that the ERESOURCE is no longer "owned" by the thread but rather (or usually) owned by a structure address. See for instance the ExSetResourceOwnerPointerEx function (wdm.h) - Windows drivers | Microsoft Learn
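A small user-mode C sketch of the tagging the answer above describes, added here as an illustration and not taken from the thread or from Windows: object addresses are 16-byte aligned, so the two low bits of an owner field are always free, and setting one of them marks the owner as a structure address rather than a thread. The `demo_` names, the `OWNER_TAG_DISOWNED` value and the field layout are assumptions for the demo, not the real nt!_ERESOURCE layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration: a kernel object address is at least 16-byte
 * aligned, so bits 0-1 are always zero and can carry a flag.
 * The tag value below is an assumption for the demo, not the NT encoding. */
#define OBJECT_ALIGNMENT   ((uintptr_t)16)
#define OWNER_TAG_MASK     ((uintptr_t)0x3)   /* the "& 3" test from the question */
#define OWNER_TAG_DISOWNED ((uintptr_t)0x1)   /* assumed: owner is a structure, not a thread */

typedef struct {
    uintptr_t owner;   /* thread address, or tagged structure address */
} demo_resource;

/* Record a thread as owner. Rejects addresses that are not object-aligned,
 * because an unaligned value would collide with the tag bits. */
int demo_set_thread_owner(demo_resource *r, uintptr_t thread_addr) {
    if (thread_addr % OBJECT_ALIGNMENT != 0) return 0;
    r->owner = thread_addr;
    return 1;
}

/* Hand ownership to a structure address, marking it with the tag bit. */
int demo_set_owner_pointer(demo_resource *r, uintptr_t struct_addr) {
    if (struct_addr % OBJECT_ALIGNMENT != 0) return 0;
    r->owner = struct_addr | OWNER_TAG_DISOWNED;
    return 1;
}

/* The check the original poster saw: low two bits clear means a thread owner. */
int demo_owner_is_thread(const demo_resource *r) {
    return (r->owner & OWNER_TAG_MASK) == 0;
}

/* Recover the untagged address regardless of owner kind. */
uintptr_t demo_owner_address(const demo_resource *r) {
    return r->owner & ~OWNER_TAG_MASK;
}

int main(void) {
    demo_resource r = {0};
    demo_set_thread_owner(&r, (uintptr_t)0x12340000);      /* constructed address */
    printf("thread owner: %d\n", demo_owner_is_thread(&r));
    demo_set_owner_pointer(&r, (uintptr_t)0x12345670);     /* constructed address */
    printf("thread owner: %d, address: 0x%lx\n",
           demo_owner_is_thread(&r), (unsigned long)demo_owner_address(&r));
    return 0;
}
```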
Yay, a good one. Thanks, @rod_widdowson. That sounds right, a "disowned resource."