[xqrzd]

I am trying to get Win32StartAddress from a thread on x64 Win7. When I get a thread from PsLookupThreadByThreadId() or PsGetCurrentThread(), the following code returns NULL for Win32StartAddress:
*(PVOID*)((PCHAR)Thread + 0x410)
but when I walk through threads with the following code, it works fine

Code: Select all

PETHREAD thread;
PLIST_ENTRY startListEntry;
PLIST_ENTRY listEntry;

startListEntry = *(PLIST_ENTRY*)((PCHAR)Process + 0x420);
listEntry = startListEntry;

do
{
	thread = (PETHREAD)((PCHAR)listEntry - 0x420);
	DbgPrint("ETHREAD: %016llX, Win32StartAddress: %016llX", thread, *(PVOID*)((PCHAR)thread + 0x410));
	listEntry = listEntry->Flink;
}
while (listEntry != startListEntry);

The ethread address returned by PsLookupThreadByThreadId/PsGetCurrentThread is always 8 bytes smaller than the address from my ThreadListEntry walker. Why do they differ? :?

[Vrtule]

Hello,

I think the problem might be caused by wrong offset of ThreadListEntry member inside ETHREAD structure. The 8-byte difference suggests that you are actually walking the list through the Blink member.

[Vrtule]

Well, when I look to the ETHREAD structure on Windows 7 x64 SP1, the offset to the ThreadListEntry member is really 0x428, not 0x420.

Code: Select all

  +0x428 ThreadListEntry  : _LIST_ENTRY

[xqrzd]

Yes you are right. I was using incorrect symbols. thanks :)
edit: Did MS change the ETHREAD structure? When I download Win7 64 SP1 retail symbols from here, http://msdn.microsoft.com/en-us/windows ... 63028.aspx
Win32StartAddress is still at offset 0x420, but with WinDbg downloading symbols it is 0x428
it seems _XSAVE_FORMAT* StateSaveArea was added to the end of KTHREAD