Nido
June 15th, 2009, 01:01
Hello,
Does anyone happen to know how to enumerate threads of the current process from inside a DDK driver, i.e. what NtXXX/ZwXXX calls are used to implement it?
I have an exact moment during a syscall entry/exit inside ring0 that I want my target program to suspend all execution of itself. Ideally I wish to manually enumerate and then suspend all other threads with NtSuspendThread() and then issue an NtSuspendProcess() to halt the final thread.
This is so that I can then attach a debugger to be able to single step about 50k instructions from that syscall return. I only wish the main thread (primary thread) to resume execution when the debugger attaches, so I am thinking that by manually suspending threads first, before the NtSuspendProcess(), all but the main thread will continue to be asleep when the debugger restarts (due to Suspend Counts still being > 0). I presume NtSuspendProcess() effectively increments the suspend count of ALL threads, which means the non-main ones will have a count of 2, while the main one has a count of 1. So on process resume they are all decremented.
I already have a working DDK driver framework I am hooking syscalls with that can identify the process and the exact moment I want it to suspend.
Meanwhile I'll have to reveng the KERNEL32!CreateToolhelp32Snapshot() to see how that works.
Thanks,
Code:
Example user-space pseudo code would look something like:
#include <windows.h>
#include <tlhelp32.h>
/* NtSuspendProcess is undocumented: resolve it from ntdll at run time instead of linking to it. */
typedef LONG (NTAPI *NtSuspendProcess_t)(HANDLE ProcessHandle);
NtSuspendProcess_t pNtSuspendProcess = (NtSuspendProcess_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtSuspendProcess");
THREADENTRY32 te = { sizeof(te) };  /* dwSize must be set before Thread32First */
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hSnapshot != INVALID_HANDLE_VALUE && Thread32First(hSnapshot, &te)) {
    do {
        /* The snapshot covers every thread in the system: keep only ours, and never suspend the calling thread. */
        if (te.th32OwnerProcessID != GetCurrentProcessId() || te.th32ThreadID == GetCurrentThreadId())
            continue;
        /* OpenThread is the documented Win32 wrapper for the NtOpenThread call sketched above. */
        HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
        if (hThread != NULL) {
            SuspendThread(hThread);   /* suspend count becomes 1 */
            CloseHandle(hThread);
        }
    } while (Thread32Next(hSnapshot, &te));
    CloseHandle(hSnapshot);
}
if (pNtSuspendProcess) pNtSuspendProcess(GetCurrentProcess());  /* bumps every thread's count once more, including the caller's */