Thread: kernel objects question (NtQuerySystemInformation)

  1. #1
    Registered User
    Join Date
    Mar 2008
    Posts
    2

    kernel objects question (NtQuerySystemInformation)

    Hi,

    Does anyone know whether, for a kernel object "thread" obtained with NtQuerySystemInformation, it is possible to find out who created that object in memory?

    Or, let's say, within a certain process such as cmd.exe, is it possible among all the "thread" objects listed to identify which one was not created by the process cmd.exe?

    Note: I'm looking to identify an object that was created by a foreign process inside the current process. I'm also trying to understand whether activity on objects like "Event" and "Mutex" increases when a foreign process changes the normal behavior of a certain process.

    Thanks in advance
    Regards

  2. #2
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    Quote Originally Posted by norox
    Possibly use the KTHREAD structure to trace back to the EPROCESS structure to determine which process owns the thread in question. Here is a link that provides detailed info on thread internals.

  3. #3
    Registered User
    Join Date
    Mar 2008
    Posts
    2
    Thanks BobS,

    you helped me before with kernel objects.

    I'm going to have a look into that. Even if it doesn't say which process is the owner, if I can find information saying that the "thread" is not from the original process, that says it is from someone else.

    BTW, do you know if this would still be valid in Vista?
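Added example (not code from this thread or from either poster) showing the user-mode form of what post #2 suggests, and where it stops short of answering post #1. A thread object records which process owns it (ClientId.UniqueProcess in the SystemProcessInformation snapshot; KTHREAD to EPROCESS in the kernel), not which process created it. A thread injected with CreateRemoteThread is owned by the target process like any of its own threads, so the usable check is where the thread started: an injected thread's Win32 start address usually points into memory that is not backed by an image mapping (MEM_IMAGE). The code enumerates the threads of one PID with NtQuerySystemInformation(SystemProcessInformation), asks each thread for its Win32 start address with NtQueryInformationThread information class 9 (ThreadQuerySetWin32StartAddress) and checks the backing mapping with VirtualQueryEx. Assumptions, all mine: the SYSTEM_PROCESS_INFORMATION declaration from winternl.h with the thread array immediately following it, the SYSTEM_THREAD_INFORMATION layout written out below (it is not in winternl.h), and the names thread_desc_t, classify_thread, count_suspicious and enumerate_threads. The classification part is platform-independent; the enumeration compiles only under _WIN32.

```c
/* Added example: flag threads of a process whose Win32 start address is not image-backed.
 * Not code from the thread. Build on Windows: cl scan_threads.c  or  gcc scan_threads.c */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Platform-independent description of one thread (names are this example's own). */
typedef struct {
    uint32_t  tid;
    uint32_t  owner_pid;       /* ClientId.UniqueProcess: the process the thread runs in */
    uintptr_t start_address;   /* Win32 start address, i.e. the routine the creator passed */
    int       start_is_image;  /* 1 if the page at start_address is MEM_IMAGE-backed */
} thread_desc_t;

typedef enum { VERDICT_FOREIGN_PROCESS, VERDICT_MODULE_BACKED, VERDICT_SUSPICIOUS } verdict_t;

/* Owner mismatch means "not this process at all"; a start address outside any image
 * mapping (or one we could not obtain) is the injected-thread heuristic. */
verdict_t classify_thread(const thread_desc_t *t, uint32_t target_pid) {
    if (t->owner_pid != target_pid) return VERDICT_FOREIGN_PROCESS;
    if (t->start_address == 0)      return VERDICT_SUSPICIOUS;
    return t->start_is_image ? VERDICT_MODULE_BACKED : VERDICT_SUSPICIOUS;
}

size_t count_suspicious(const thread_desc_t *threads, size_t n, uint32_t target_pid) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_thread(&threads[i], target_pid) == VERDICT_SUSPICIOUS) hits++;
    return hits;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

/* Entry that follows each SYSTEM_PROCESS_INFORMATION, NumberOfThreads times (assumed layout). */
typedef struct {
    LARGE_INTEGER KernelTime, UserTime, CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;                       /* kernel-side start: the ntdll thunk on Vista+ */
    struct { HANDLE UniqueProcess; HANDLE UniqueThread; } ClientId;
    LONG Priority, BasePriority;
    ULONG ContextSwitches, ThreadState, WaitReason;
} SYS_THREAD_INFO;

typedef NTSTATUS (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NtQIT_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#define NT_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define THREAD_QUERY_WIN32_START_ADDRESS 9    /* ThreadQuerySetWin32StartAddress */

/* Fill 'out' (up to 'max' entries) with the threads of target_pid; returns the count. */
size_t enumerate_threads(uint32_t target_pid, thread_desc_t *out, size_t max) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQSI_t NtQSI = (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation");
    NtQIT_t NtQIT = (NtQIT_t)GetProcAddress(ntdll, "NtQueryInformationThread");
    ULONG len = 1 << 16, need = 0; BYTE *buf = NULL; NTSTATUS st;
    do {                                      /* grow until the whole snapshot fits */
        free(buf); buf = (BYTE *)malloc(len);
        st = NtQSI(SystemProcessInformation, buf, len, &need);
        len = need + (1 << 16);               /* headroom: the list can grow between calls */
    } while (st == NT_INFO_LENGTH_MISMATCH);
    if (st != 0 || !buf) { free(buf); return 0; }

    HANDLE hproc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, target_pid);
    size_t n = 0;
    for (SYSTEM_PROCESS_INFORMATION *p = (SYSTEM_PROCESS_INFORMATION *)buf;;
         p = (SYSTEM_PROCESS_INFORMATION *)((BYTE *)p + p->NextEntryOffset)) {
        if ((uint32_t)(ULONG_PTR)p->UniqueProcessId == target_pid) {
            SYS_THREAD_INFO *t = (SYS_THREAD_INFO *)(p + 1);   /* thread array follows header */
            for (ULONG i = 0; i < p->NumberOfThreads && n < max; i++) {
                thread_desc_t d; memset(&d, 0, sizeof d);
                d.tid       = (uint32_t)(ULONG_PTR)t[i].ClientId.UniqueThread;
                d.owner_pid = (uint32_t)(ULONG_PTR)t[i].ClientId.UniqueProcess;
                HANDLE h = OpenThread(THREAD_QUERY_INFORMATION, FALSE, d.tid);
                if (h) {
                    PVOID start = NULL;
                    if (NtQIT(h, THREAD_QUERY_WIN32_START_ADDRESS, &start, sizeof start, NULL) == 0)
                        d.start_address = (uintptr_t)start;
                    CloseHandle(h);
                }
                MEMORY_BASIC_INFORMATION mbi;
                if (hproc && d.start_address &&
                    VirtualQueryEx(hproc, (LPCVOID)d.start_address, &mbi, sizeof mbi))
                    d.start_is_image = (mbi.Type == MEM_IMAGE);
                out[n++] = d;
            }
        }
        if (p->NextEntryOffset == 0) break;
    }
    if (hproc) CloseHandle(hproc);
    free(buf);
    return n;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    uint32_t pid = (uint32_t)strtoul(argv[1], NULL, 10);
    thread_desc_t threads[1024];
    size_t n = enumerate_threads(pid, threads, 1024);
    for (size_t i = 0; i < n; i++)
        printf("tid %5u start %p %s\n", threads[i].tid, (void *)threads[i].start_address,
               classify_thread(&threads[i], pid) == VERDICT_MODULE_BACKED
                   ? "image-backed" : "SUSPICIOUS (not image-backed)");
    printf("%zu of %zu threads suspicious\n", count_suspicious(threads, n, pid), n);
    return 0;
}
#endif
```

On Vista and later (post #3's question) the same calls still work, but the StartAddress field inside the snapshot is the ntdll thunk (RtlUserThreadStart) rather than the caller's routine, which is why the Win32 start address is queried per thread instead. Two limits are worth knowing: an injector that starts its thread on an exported function such as LoadLibraryW gets an image-backed start address and passes this check, and the creating process is only observable at creation time (a kernel PsSetCreateThreadNotifyRoutine callback runs in the creator's context, so PsGetCurrentProcessId() differing from the new thread's process id is the direct signal); nothing in the thread object itself records the creator afterwards.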
