It's been a while since I haven't shared anything concerning Windows internals and I'm back to talk in detail about how Windows thread suspension and resumption works. I'm going to discuss the mentioned topics in this blog post and incoming ones. Even though it can be discussed in one or two entries but I'm quite busy with studies.
As you might already know Windows uses APCs (Asynchronous Procedure Calls) to perform thread suspension. This may form an incomplete image of what's going on in detail as other tasks are being performed besides queuing the suspend APC. I will share throughout this article the details about what's happening and some pseudo code snippets of the reversed routines (Windows 7 32-bit SMP).
Let's say that a usermode thread 'A' wanted to suspend a second usermode thread 'B' , it has to simply call SuspendThread with a previously opened handle to the target thread.
DWORD WINAPI SuspendThread(HANDLE hThread);
Upon the call we'll be taken to kernel32.dll then to kernelbase.dll which simply provides a supplementary argument to NtSuspendThread and calls it from ntdll.dll .
NTSTATUS NtSuspendThread(HANDLE ThreadHandle,PULONG PreviousSuspendCount );
The thread's previous suspend count is basically copied from kernel to *PreviousSuspendCount.
Ntdll then takes us to kernel land where we'll be executing NtSuspendThread.
- NtSuspendThread :
If we came from usermode (CurrentThread->PreviousMode == UserMode), probing the PreviousSuspendCount pointer for write is crucial. Next, a pointer to the target thread object is obtained by calling ObReferenceObjectByHandle , if we succeed PsSuspendThread is called ; its return type is NTSTATUS and that is the status code returned to the caller (in PreviousMode) after calling ObDereferenceObject and storing the previous count value in the OUT (PreviousSuspendCount) argument if it's not NULL.
- PsSuspendThread :
Prototype : NTSTATUS PsSuspendThread(PETHREAD Thread,PULONG PreviousSuspendCount)
Here's a pseudo C manual decompilation of the routine code :
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NTSTATUS PsSuspendThread(PETHREAD Thread,PULONG PreviousSuspendCount) | |
| { | |
| NTSTATUS Status; | |
| ULONG PrevSuspCount; | |
| PKTHREAD CurrentThread = KeGetCurrentThread(); | |
| /*Disable normal APCs delivery*/ | |
| KeEnterCriticalRegion(); | |
| if( ExAcquireRundownProtection(&Thread->RundownProtect) ) | |
| { | |
| /*loc_68E5A0*/ | |
| /*Check the terminated bit*/ | |
| if( ! Thread->Terminated) | |
| { | |
| /* | |
| KeSuspendThread raises a fatal exception when the suspend count is exceeded | |
| be sure to include it within a try-except statement. | |
| */ | |
| __try { | |
| PrevSuspCount = KeSuspendThread((PKTHREAD)Thread); | |
| Status = STATUS_SUCCESS; | |
| } | |
| __except(EXCEPTION_EXECUTE_HANDLER) | |
| { | |
| Status = GetExceptionCode(); | |
| } | |
| /*Recheck if the target thread is terminating,If it is force it to resume*/ | |
| if(Thread->Terminated) | |
| { | |
| KeForceResumeThread((PKTHREAD)Thread); | |
| PrevSuspCount = 0; | |
| } | |
| } | |
| /*loc_68E60A*/ | |
| else | |
| Status = STATUS_THREAD_IS_TERMINATING; | |
| /*loc_68E611*/ | |
| ExReleaseRundownProtection(&Thread->RundownProtection); | |
| } | |
| /*loc_68E634*/ | |
| else | |
| Status = STATUS_THREAD_IS_TERMINATING; | |
| KeLeaveCriticalRegion(); | |
| *PreviousSuspendCount = PrevSuspCount; | |
| return Status; | |
| } |
That's all for this short entry , in the next parts about thread suspension I'll talk about KeSuspendThread , the suspend semaphore and the KiSuspendThread kernel APC routine.
Follow me on twitter : Here
Thanks,
- Souhail.
No comments:
Post a Comment