The !thread extension is probably one of the most often used extensions when I'm debugging. It gives you several key pieces of information, which I will briefly describe in this post.
THREAD = The address of the current thread; we can use this address with the ETHREAD data structure.
IRP List = The list of IRPs currently associated with the thread.
WAIT = The current state of the thread, and any dispatcher objects the thread may be waiting upon.
Owning Process = The process with which the thread is currently associated; we can use this address with the EPROCESS data structure.
Teb = Address of the Thread Environment Block (use !teb)
Cid = Thread ID (useful with !locks).
Priority = The current priority of the thread.
Stack = The call stack of the current thread.
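As an added example (not part of the original post), here is a small Python parser that pulls the fields described above out of a saved !thread listing, such as one captured in a debugger log. The sample listing and every address in it are constructed, and the exact column layout is an assumption based on the usual WinDbg format.

```python
import re

# Constructed sample of !thread output (all addresses made up); the column layout is assumed.
SAMPLE = """\
THREAD fffffa8003c7d060  Cid 0004.0014  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (WrQueue) KernelMode Non-Alertable
    fffffa8003c6ae40  QueueObject
IRP List:
    fffffa8004a1b010: (0006,0310) Flags: 00060a01  Mdl: 00000000
Owning Process            fffffa8003c6a040       Image:         System
Priority 12 BasePriority 12 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`02f6d930 fffff800`01a3c6e0 nt!KiSwapContext+0x7a
fffff880`02f6da70 fffff800`01a3ef72 nt!KiCommitThreadWait+0x1d2
"""

def hexval(s):
    # WinDbg prints 64-bit addresses with a backtick separator; strip it before converting.
    return int(s.strip().replace("`", ""), 16)

def parse_thread(text):
    """Pull the fields the post describes (THREAD, Cid, Teb, WAIT, IRPs, process, priority, stack) out of one listing."""
    info = {"state": "UNKNOWN", "wait_objects": [], "irps": [], "stack": []}
    section = None
    for line in text.splitlines():
        m = re.match(r"THREAD\s+([0-9a-f`]+)\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)\s+Teb:\s+([0-9a-f`]+)", line, re.I)
        if m:
            info.update(thread=hexval(m[1]), pid=int(m[2], 16), tid=int(m[3], 16), teb=hexval(m[4]))
            w = re.search(r"WAIT:\s*\((\w+)\)\s*(\w+)", line)
            info["state"] = f"WAIT {w[1]} {w[2]}" if w else ("RUNNING" if "RUNNING" in line else "UNKNOWN")
            section = "wait"   # indented lines that follow name the dispatcher objects being waited on
        elif line.startswith("IRP List:"):
            section = "irp"
        elif line.startswith("Owning Process"):
            info["process"] = hexval(line.split()[2])   # EPROCESS address
            section = None
        elif line.startswith("Priority"):
            info["priority"] = int(line.split()[1])
            section = None
        elif line.startswith("Child-SP"):
            section = "stack"
        elif section == "wait" and line.startswith(" "):
            addr, kind = line.split()[:2]
            info["wait_objects"].append((hexval(addr), kind))
        elif section == "irp" and line.startswith(" "):
            info["irps"].append(hexval(line.split(":")[0]))
        elif section == "stack" and len(line.split(None, 2)) == 3:
            info["stack"].append(line.split(None, 2)[2])   # keep only the Call Site column
        else:
            section = None   # any other line ends the current indented section
    return info
```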