📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.








Extract thread state from kthread (Forums > Brainstorms - General)

Topic created on: February 19, 2009 08:02 CST by remc.

Hello,
I need to know the state (running, waiting) of a thread in the same process.
The state of a thread is kept in the member kthread.state; is it possible to read this value somehow from user-mode?

rem-c

  Kayaker     February 19, 2009 21:19.09 CST

The NtQuerySystemInformation function called with the SystemProcessInformation information class will give you a SYSTEM_PROCESS_INFORMATION array containing a list of processes and threads.

The Threads field of this array points to a further array of SYSTEM_THREAD structures describing the process's threads.  The State field should describe what you're looking for.


According to MS, the SYSTEM_PROCESS_INFORMATION structure is not documented fully enough to be able to do this:

http://msdn.microsoft.com/en-us/library/ms724509.aspx


But in practice it should work:

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/Structures/SYSTEM_PROCESS_INFORMATION.html

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/Structures/SYSTEM_THREAD.html


You need to allocate a large enough return buffer when working with any of the Nt/ZwQuerySystemInformation Classes since you're usually dealing with an array of unknown size.  There are 3 strategies for this, and you might use a different one for each Class.

1. Allocate a large enough buffer to begin with.

2. Call NtQuerySystemInformation twice, the first time with a 0 buffer size.  This will return STATUS_INFO_LENGTH_MISMATCH and give the required buffer size in ReturnLength.  Then you allocate a buffer of the correct size and call the function again.  This will work for the SystemModuleInformation Class.

3. If STATUS_INFO_LENGTH_MISMATCH is returned but ReturnLength *doesn't* return the required buffer length you can create a loop.  Say, allocate 1 page size of memory, call NtQuerySystemInformation, free the memory, allocate a larger buffer and repeat until STATUS_INFO_LENGTH_MISMATCH is *not* returned.  This might be required for the SystemProcessInformation Class.


I've parsed these structures with these definitions in kernel mode using ZwQuerySystemInformation; it should work from user mode as well.

Kayaker
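Worked example, added here and not part of the original thread or Kayaker's own code: it walks a SystemProcessInformation buffer to the ThreadState of one thread of one process and, on Windows, fetches that buffer with the grow-until-it-fits loop described above as strategy 3. Everything beyond the post's own description is an assumption of this example: the struct layouts are the x64 layouts from public reverse-engineered headers (phnt / the ntinternals pages linked above), the information class number 5, the STATUS_INFO_LENGTH_MISMATCH value, the KTS_* state values (Initialized=0 through GateWait=8, the KTHREAD_STATE enumeration that ThreadState reports), and the helper names find_thread_state, build_sample_buffer and query_process_info. The sample buffer is constructed, not captured from a live system, so the parser can be exercised on any platform.

```c
/* Added example, not from the original thread: read a thread's scheduler state from user
 * mode via NtQuerySystemInformation(SystemProcessInformation). The struct layouts are the
 * x64 layouts from public reverse-engineered headers (phnt/ntinternals) and are an
 * assumption to verify against the target build. Live query is Windows-only; elsewhere
 * main() walks a constructed sample buffer through the same parser. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* KTHREAD_STATE values as reported in SYSTEM_THREAD_INFORMATION.ThreadState (assumed) */
enum { KTS_Initialized, KTS_Ready, KTS_Running, KTS_Standby, KTS_Terminated,
       KTS_Waiting, KTS_Transition, KTS_DeferredReady, KTS_GateWait };

typedef struct { uint16_t Length, MaximumLength; uintptr_t Buffer; } UNICODE_STRING_;
typedef struct { uintptr_t UniqueProcess, UniqueThread; } CLIENT_ID_;

typedef struct {                    /* SYSTEM_THREAD_INFORMATION, 0x50 bytes on x64 */
    int64_t KernelTime, UserTime, CreateTime; uint32_t WaitTime; uintptr_t StartAddress;
    CLIENT_ID_ ClientId; int32_t Priority, BasePriority;
    uint32_t ContextSwitches, ThreadState, WaitReason;
} SYSTEM_THREAD_INFO;

typedef struct {                    /* SYSTEM_PROCESS_INFORMATION, Threads[] at 0x100 on x64 */
    uint32_t NextEntryOffset, NumberOfThreads; int64_t WorkingSetPrivateSize;
    uint32_t HardFaultCount, NumberOfThreadsHighWatermark; uint64_t CycleTime;
    int64_t CreateTime, UserTime, KernelTime; UNICODE_STRING_ ImageName; int32_t BasePriority;
    uintptr_t UniqueProcessId, InheritedFromUniqueProcessId; uint32_t HandleCount, SessionId;
    uintptr_t UniqueProcessKey; size_t PeakVirtualSize, VirtualSize; uint32_t PageFaultCount;
    size_t PeakWorkingSetSize, WorkingSetSize, QuotaPeakPagedPoolUsage, QuotaPagedPoolUsage,
           QuotaPeakNonPagedPoolUsage, QuotaNonPagedPoolUsage, PagefileUsage, PeakPagefileUsage,
           PrivatePageCount;
    int64_t ReadOperationCount, WriteOperationCount, OtherOperationCount,
            ReadTransferCount, WriteTransferCount, OtherTransferCount;
    SYSTEM_THREAD_INFO Threads[];   /* NumberOfThreads entries follow the fixed header */
} SYSTEM_PROCESS_INFO;

const char *kthread_state_name(int s)
{
    static const char *n[] = { "Initialized", "Ready", "Running", "Standby", "Terminated",
                               "Waiting", "Transition", "DeferredReady", "GateWait" };
    return (s >= 0 && s <= KTS_GateWait) ? n[s] : "Unknown";
}

/* Walk the buffer: entries are chained by NextEntryOffset, 0 terminates the list. Returns the
 * ThreadState of thread tid in process pid, or -1 if absent or if the buffer is shorter than
 * an entry claims to be (the sizes come from the kernel, but bounds are still checked). */
int find_thread_state(const uint8_t *buf, size_t len, uintptr_t pid, uintptr_t tid)
{
    const size_t hdr = offsetof(SYSTEM_PROCESS_INFO, Threads);
    for (size_t off = 0;;) {
        if (len < hdr || off > len - hdr) return -1;
        const SYSTEM_PROCESS_INFO *p = (const SYSTEM_PROCESS_INFO *)(buf + off);
        if (p->UniqueProcessId == pid) {
            if ((len - off - hdr) / sizeof(SYSTEM_THREAD_INFO) < p->NumberOfThreads) return -1;
            for (uint32_t i = 0; i < p->NumberOfThreads; i++)
                if (p->Threads[i].ClientId.UniqueThread == tid) return (int)p->Threads[i].ThreadState;
            return -1;
        }
        if (p->NextEntryOffset == 0) return -1;
        off += p->NextEntryOffset;
    }
}

/* Constructed sample (not captured from a live system): two entries chained as the kernel lays them out */
uint8_t *build_sample_buffer(size_t *out_len)
{
    const size_t hdr = offsetof(SYSTEM_PROCESS_INFO, Threads), ts = sizeof(SYSTEM_THREAD_INFO);
    uint8_t *buf = calloc(1, 2 * hdr + 3 * ts);
    if (!buf) return NULL;
    SYSTEM_PROCESS_INFO *p0 = (SYSTEM_PROCESS_INFO *)buf, *p1 = (SYSTEM_PROCESS_INFO *)(buf + hdr + ts);
    p0->NextEntryOffset = (uint32_t)(hdr + ts); p0->NumberOfThreads = 1; p0->UniqueProcessId = 4;
    p0->Threads[0].ClientId.UniqueThread = 8;    p0->Threads[0].ThreadState = KTS_Ready;
    p1->NextEntryOffset = 0; p1->NumberOfThreads = 2; p1->UniqueProcessId = 1234;
    p1->Threads[0].ClientId.UniqueThread = 5678; p1->Threads[0].ThreadState = KTS_Waiting;
    p1->Threads[1].ClientId.UniqueThread = 5679; p1->Threads[1].ThreadState = KTS_Running;
    *out_len = 2 * hdr + 3 * ts;
    return buf;
}

#ifdef _WIN32
#include <windows.h>
typedef long (NTAPI *NtQSI_t)(unsigned long, void *, unsigned long, unsigned long *);
#define STATUS_INFO_LENGTH_MISMATCH_ ((long)0xC0000004L)

/* Strategy 3 from the post: the process list can grow between two calls, so keep enlarging
 * the buffer until the call stops reporting a length mismatch instead of trusting ReturnLength once. */
uint8_t *query_process_info(size_t *out_len)
{
    NtQSI_t NtQSI = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    if (!NtQSI) return NULL;
    for (unsigned long size = 0x10000, ret = 0;;) {
        uint8_t *buf = malloc(size);
        if (!buf) return NULL;
        long st = NtQSI(5 /* SystemProcessInformation, assumed class value */, buf, size, &ret);
        if (st >= 0) { *out_len = ret ? ret : size; return buf; }
        free(buf);
        if (st != STATUS_INFO_LENGTH_MISMATCH_) return NULL;
        size = ret > size ? ret + 0x4000 : size * 2;   /* use ReturnLength if given, plus slack */
    }
}
#endif

int main(void)
{
    size_t len = 0; uint8_t *buf; uintptr_t pid, tid;
#ifdef _WIN32
    buf = query_process_info(&len); pid = GetCurrentProcessId(); tid = GetCurrentThreadId();
#else
    buf = build_sample_buffer(&len); pid = 1234; tid = 5678;
#endif
    if (!buf) return 1;
    int s = find_thread_state(buf, len, pid, tid);   /* the querying thread itself shows Running on Windows */
    printf("pid %lu tid %lu: ThreadState %d (%s)\n", (unsigned long)pid, (unsigned long)tid, s, kthread_state_name(s));
    free(buf);
    return 0;
}
```

On Windows the program queries its own thread, which is necessarily Running at the moment of the call; elsewhere it walks the constructed buffer and reports Waiting for the sample thread. Two caveats a practitioner would want: the snapshot is already stale by the time it is parsed, so a state read this way is a hint and not something to synchronise on; and ReturnLength can be outgrown by new processes or threads before the next call, which is why the loop keeps growing the buffer rather than trusting the reported size once.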

  remc     February 21, 2009 05:21.37 CST
Thanks Kayaker, I will give it a spin and see if it works. I looked at the structures before on MSDN, but that was kind of a show stopper since they are not fully documented.

rem-c
