[Vrtule]

Hello,

I just want to know If am getting the facts right:

The point of my interest now are special kernel-mode APCs. Let's have a thread that is executing code somewhere inside my driver. The code performs memory allocations and other standard operations. If special kernel-mode APCs are enabled, the thread can "disappear" (be terminated by a call to TerminateThread from user-mode) in any moment, am I right? Well, threads of the System process maybe not but let's talk about the regular threads.

So, if my code performs a series of memory allocations it have to use guarded region, so the thread cannot be terminated just in the middle of the allocations which would imply a memory leak. And when the series of memory allocations finishes and the thread is about to leave the guarded region, it should make a note somewhere because it must deallocate the memory even in case somebody terminates it violently. I think these deallocations can be performed inside Thread Notify Callback registered by a call to PsSetCreateThreadNotifyRoutine.

Am I correct? Or am I missing something that leads me to posting these (maybe stupid) questions?

[Vrtule]

Hello,

it seems that I found some articles that explain the stuff a little bit.

http://www.osronline.com/article.cfm?id=75
According to this article (I know, it is quite old), thread termination APCs are in fact a special kind of user mode APC. They are delivered only on certain points of code execution, such as system service exit, so the problem seems not to be so dramatic as I feared.

http://msdn.microsoft.com/en-us/library ... s.85).aspx
This article seems to be with accordance with the preivous one.

[xdeadcode]

Hello,

If you are interested in how really termination of process works - you have to understand how APC scheduling works - here you have some good materials:
http://www.drdobbs.com/inside-nts-async ... /184416590
http://www.opening-windows.com/download ... ernals.pdf

Those two covers this topic well (especially second one). It will also show you how and when system is trying to deliver APCs.

As you already found this is true that process termination is realized with APCs.
Brief (very brief) process of termination looks like this: First system is queueing kernelmode APC that is queueing same but usermode APC (this looks like nonsense, but when you read above papers you will get why it is realized like that), additionally on preVista systems system is doing small 'hack' with flags (UserApcPending) - this also has 'additional sense' (look how system behaves when thread is during KeWaitForXX function).
On postVista termination is nearly same, but no hacks are done (instead of 'flagging' system is alerting thread from km).

I think that you are thinking about corner cases scenarios.

Best regards,

[Vrtule]

Thank you very much for the links/papers!