Informative Information for the Uninformed

Current

v9

v8

v7

v6

v5

v4

v3

v2

v1

All

About

Vol 4» 2006.Jun

Next: Driver Objects Up: Found An Object, Now Previous: Process Objects Contents

Thread Objects

Here is a brief list of things to check when scanning for ETHREAD objects.

Compare against a high level API such as kernel32!CreateToolhelp32Snapshot.
Compare against a system call such as nt!NtQuerySystemInformation.
Does the process have a valid owning process?
Can PsLookupThreadByThreadId open its Cid.UniqueThread?
What does Win32StartAddress point to? Is it a valid module address?
What is its ServiceTable value?
If it is in a wait state, for how long?
Where is its stack? What does its stack trace look like?