Saturday 3 August 2013

Understanding the !thread extension

The !thread extension is probably one of the most often used extensions when I'm debugging. It gives you several key pieces of information, which I will briefly describe in this post.

THREAD = The address of the current thread; this address can be used to examine the ETHREAD data structure.

IRP List = The list of IRPs currently associated with the thread.

WAIT = The current state of the thread, and any dispatcher objects the thread may be waiting on.

Owning Process = The process with which the thread is currently associated; this address can be used to examine the EPROCESS data structure.

Teb = Address of the Thread Environment Block (use !teb).

Cid = Thread ID (useful with the !locks extension).

Priority = The current priority of the thread.

Stack = The call stack of the current thread.
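As an added example that is not part of the original post: when a dump contains hundreds of threads, the fields above are easier to triage if they are pulled out of the !thread text programmatically. The Python below parses one block of !thread output into a dictionary of those fields (thread address, Cid, Teb, wait state and wait objects, IRP list, owning process, priority and call stack). The sample text is constructed to follow the general layout of !thread output and all addresses and counts in it are placeholders; the exact layout of the fields is an assumption, so adjust the regular expressions if your debugger version prints them differently.

```python
"""Parse the fields of WinDbg's !thread output (added example, constructed sample)."""
import re

# Constructed sample of one thread's !thread output; addresses are placeholders,
# not values from a real dump.
SAMPLE_THREAD = """\
THREAD fffffa8003e8c060  Cid 0004.0010  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
    fffff80002a0e2e0  NotificationEvent
IRP List:
    fffffa8004a3c010: (0006,0118) Flags: 00000000  Mdl: 00000000
    fffffa8004b1e8f0: (0006,0118) Flags: 00000000  Mdl: 00000000
Not impersonating
Owning Process            fffffa8003e60040       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      1234           Ticks: 5 (0:00:00:00.078)
Priority 12 BasePriority 12 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffff880`03100970 fffff800`02a6c0a2 nt!KiSwapContext+0x7a
fffff880`03100ab0 fffff800`02a7e8a2 nt!KiCommitThreadWait+0x1d2
fffff880`03100b40 fffff800`02d0e3c1 nt!KeWaitForSingleObject+0x19f
"""

# Field layout assumed from the general shape of !thread output.
HEADER_RE = re.compile(
    r"^THREAD\s+(?P<thread>[0-9a-f`]+)\s+Cid\s+(?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)"
    r"\s+Teb:\s+(?P<teb>[0-9a-f`]+)\s+Win32Thread:\s+[0-9a-f`]+\s+(?P<state>.*)$"
)
WAIT_RE = re.compile(r"^WAIT:\s+\((?P<reason>[^)]+)\)\s+(?P<mode>\S+)")
WAIT_OBJ_RE = re.compile(r"^\s+(?P<addr>[0-9a-f`]+)\s+(?P<kind>\w+)\s*$")
IRP_RE = re.compile(r"^\s+(?P<irp>[0-9a-f`]+):\s+\((?P<major>[0-9a-f]+),(?P<minor>[0-9a-f]+)\)")
OWNER_RE = re.compile(r"^Owning Process\s+(?P<eprocess>[0-9a-f`]+)\s+Image:\s+(?P<image>\S+)")
PRIO_RE = re.compile(r"^Priority\s+(?P<priority>\d+)\s+BasePriority\s+(?P<base>\d+)")
FRAME_RE = re.compile(r"^(?P<sp>[0-9a-f`]+)\s+(?P<ret>[0-9a-f`]+)\s+(?P<site>\S+)")


def parse_thread(text):
    """Return a dict of the key !thread fields for one thread block."""
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("text does not start with a THREAD header line")
    info = {
        "thread": m["thread"],
        "pid": int(m["pid"], 16),          # Cid = process id . thread id, in hex
        "tid": int(m["tid"], 16),
        "teb": m["teb"],
        "state": m["state"].split()[0].rstrip(":"),   # WAIT, RUNNING, READY, ...
        "wait_reason": None, "wait_mode": None, "wait_objects": [],
        "irps": [], "owning_process": None, "image": None,
        "priority": None, "base_priority": None, "stack": [],
    }
    w = WAIT_RE.match(m["state"])
    if w:
        info["wait_reason"], info["wait_mode"] = w["reason"], w["mode"]

    section = "wait"   # indented lines right after the header are the wait objects
    for line in lines[1:]:
        if line.startswith("IRP List:"):
            section = "irps"
            continue
        if line.startswith("Child-SP"):
            section = "stack"
            continue
        if section == "wait" and WAIT_OBJ_RE.match(line):
            wm = WAIT_OBJ_RE.match(line)
            info["wait_objects"].append((wm["addr"], wm["kind"]))
            continue
        if section == "irps" and IRP_RE.match(line):
            im = IRP_RE.match(line)
            info["irps"].append({"irp": im["irp"],
                                 "major": int(im["major"], 16),
                                 "minor": int(im["minor"], 16)})
            continue
        if section == "stack":
            fm = FRAME_RE.match(line)
            if fm:
                info["stack"].append(fm["site"])
            continue
        om = OWNER_RE.match(line)
        if om:
            info["owning_process"], info["image"] = om["eprocess"], om["image"]
        pm = PRIO_RE.match(line)
        if pm:
            info["priority"], info["base_priority"] = int(pm["priority"]), int(pm["base"])
    return info


def split_threads(text):
    """Split a listing containing several THREAD blocks into one parsed dict per thread."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.startswith("THREAD ") and current:
            blocks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        blocks.append("\n".join(current))
    return [parse_thread(b) for b in blocks if b.startswith("THREAD ")]


if __name__ == "__main__":
    t = parse_thread(SAMPLE_THREAD)
    print(f"thread {t['thread']} cid {t['pid']:x}.{t['tid']:x} state {t['state']} "
          f"({t['wait_reason']}) owner {t['image']} irps={len(t['irps'])}")
```

Feeding the output of a listing that contains many THREAD blocks to `split_threads` gives one dict per thread, which makes it straightforward to sort by wait reason, count pending IRPs, or find every thread owned by a given EPROCESS address.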
