Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May



Process and Thread Identifier

The process and thread identifiers are arguably the worst sources of entropy for the GS cookie, at least in the context of a local attack. The two high-order bytes of the process and thread identifiers are almost always zero, so they contribute nothing to the high-order entropy of the cookie. Additionally, in a local context the process and thread identifier can be determined with 100 percent accuracy using the same API described in the previous section on getting the system time: NtQuerySystemInformation with the SystemProcessesAndThreadsInformation system information class returns the process identifier and thread identifier associated with a given process executable.

The end result, obviously, is that the process and thread identifiers can be determined with great accuracy. The one exception to this rule is Windows Vista, but, as was mentioned before, alternative methods of obtaining the process and thread identifiers may exist.
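To measure how much a cookie input such as the PID or TID really contributes, a defender can sample the source and check which bit positions ever change; bits that never vary add nothing to the XORed cookie. The following is an added example, not code from the article: the sample PID and TID values are constructed to resemble typical values on a 32-bit Windows host (multiples of 4, well below 65536) rather than captured from a real system.

```python
"""Estimate the effective entropy a 32-bit cookie input actually contributes.

Added example (not from the Uninformed article): given sampled values of an
entropy source, find which bit positions ever change. Bits that are constant
across all samples add nothing to the XORed GS cookie; in particular, if the
two high-order bytes of every sample are zero, the source contributes no
high-order entropy at all.
"""
import math
from collections import Counter


def varying_bit_mask(samples):
    """Return a 32-bit mask with a 1 at every bit position that differs
    between at least two samples; bits that never vary are 0."""
    all_and = 0xFFFFFFFF
    all_or = 0
    for s in samples:
        s &= 0xFFFFFFFF
        all_and &= s
        all_or |= s
    # A bit varies iff it is set in some sample (OR) but not in all (AND).
    return all_or & ~all_and & 0xFFFFFFFF


def high_order_varying_bits(samples):
    """Number of varying bits in the two high-order bytes (bits 16..31)."""
    return bin(varying_bit_mask(samples) >> 16).count("1")


def shannon_entropy_bits(samples):
    """Empirical Shannon entropy of the sampled distribution, in bits: an
    upper bound on what this source alone adds to the cookie."""
    counts = Counter(samples)
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed sample values (not captured from a real system).
SAMPLE_PIDS = [4, 388, 1024, 1536, 2044, 3120, 4096, 5092, 6288, 7340]
SAMPLE_TIDS = [8, 392, 1028, 1540, 2048, 3124, 4100, 5096, 6292, 7344]

if __name__ == "__main__":
    for name, values in (("PID", SAMPLE_PIDS), ("TID", SAMPLE_TIDS)):
        mask = varying_bit_mask(values)
        print(f"{name}: varying-bit mask=0x{mask:08x}, "
              f"high-order varying bits={high_order_varying_bits(values)}, "
              f"empirical entropy={shannon_entropy_bits(values):.2f} bits")
```

Run it against values sampled from a real host to see how many of the 32 bits of each source can actually change; on the constructed sample the mask is 0x00001ffc, with no varying bits above bit 15 and none in the two lowest bits.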