[rexor]

Can someone explain how the thread starting address could be retrieved in kernel driver on windows 7 64 bit ?

[EP_X0FF]

Can someone explain how the thread starting address could be retrieved in kernel driver on windows 7 64 bit ?

Which one thread start address do you want, system or user? All of them inside ETHREAD.

http://www.kernelmode.info/forum/viewto ... f=10&t=960
http://msdn.microsoft.com/en-us/library ... s.85).aspx

[rexor]

I'm interested in retrieving user-mode thread starting address. For reference, I'm using http://www.nirsoft.net/kernel_struct/vista/ETHREAD.html
So, if I'll use

Code: Select all

PTHREAD thread = PsGetCurrentThread(); thread->StartAddress

should get me the address?

Can u also explain, when the union

Code: Select all

...
     union
     {
          LIST_ENTRY PostBlockList;
          struct
          {
               PVOID ForwardLinkShadow;
               PVOID StartAddress;
          };
     };
...

in aforementioned struct will be actually initialized to StartAddress?

[EP_X0FF]

Yes.

PspCreateThread


user

Code: Select all

    try {
            //
            // Initialize kernel thread object for user mode thread.
            //

            Thread->StartAddress = (PVOID)CONTEXT_TO_PROGRAM_COUNTER(ThreadContext);

#if defined(_AMD64_)

            Thread->Win32StartAddress = (PVOID)ThreadContext->Rdx;

#elif defined(_X86_)

            Thread->Win32StartAddress = (PVOID)ThreadContext->Eax;

system

Code: Select all

        //
        // Initialize kernel thread object for kernel mode thread.
        //

        Thread->StartAddress = (PKSTART_ROUTINE) StartRoutine;
        Status = KeInitThread (&Thread->Tcb,
                               NULL,
                               PspSystemThreadStartup,
                               StartRoutine,
                               StartContext,
                               NULL,
                               NULL,
                               &Process->Pcb);