Ethread StartAddress Win7 x64

Re: Ethread StartAddress Win7 x64

#6928 by Alex
Fri Jun 24, 2011 9:47 am

This is a quota of Nebbett's book (Windows NT/2000 Native API):

PVOID Win32StartAddress; // Information Class 9

This information class can be both queried and set.
For the Intel platform, the initial value of this variable is the value of the Eax register
in the Context structure passed to ZwCreateThread. If the thread is started using the
thread start thunk in kernel32.dll, Eax contains the “Win32 start address.”
The field in the ETHREAD structure that is queried and set by this information class is
also used to hold the “LpcReceivedMessageId.”Any thread that has called
ZwReplyWaitReplyPort or ZwReplyWaitReceivePort will have modified this field.
In David Solomon’s Inside Windows NT (second edition, Microsoft Press, 1998) the
output of the resource kit utility “tlist” is included to illustrate the difference
between the actual start address and the Win32 start address; one of the Win32 start
addresses in the tlist output is less than 0x10000 (normally a reserved region of the
address space)—this thread is called ZwReplyWaitReceivePort.

I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)

Username

Alex

Posts

268

Joined

Sun Mar 07, 2010 11:34 am