Uninformed - vol 4 article 2

Informative Information for the Uninformed

Current

All

About

Vol 4» 2006.Jun

Next: Driver Objects Up: Object Specific Signatures Previous: Process Objects Contents

Thread Objects

Here are just a few of the most basic ETHREAD fields which can form a simple signature using rather predictable constant values which hold true for all ETHREAD structures in the same system.

$\begin{tabular}{\vert l\vert l\vert} \par \hline \par \textbf{Tcb.Header.Type} &... ...queThread} & 0 if bitwise AND with 0xFFFF0002 \\ \par \hline \par \end{tabular}$

Note that there are several other DISPATCH_HEADERs embedded within locks, events, timers, etc in the structure which also have a predicable Header.Type and Header.Size.