Hello,
when thread A calls (Nt/Zw)TerminateThread in order to terminate thread B, the B thread does not disappear at once. A special user APC is scheduled to it and is serviced only at certain points of execution.
Does anybody have some information about when the special user (termination) APC is actually serviced? I know that one execution point is when the target thread has just performed a system call (NtXXX function) triggered from user mode, and is just about to return there (to user mode). Are special user APCs serviced in the same place even if the target thread is returning from a system call triggered from kernel mode (ZwXXX function)? Are there other execution points as well?
Thanks in advance
Vrtule