
I was wondering if anyone knows where the context of a thread running in user mode is stored in the kernel, and if there are any APIs for getting and setting a user-mode thread context? I know that you should not be doing this for any reason, so please do not sidetrack into that. This is solely for the sake of research and will not be used by anything other than local projects of my own.

In user mode we have GetThreadContext and SetThreadContext, but I need to do this from a device driver in the kernel. I wish I had more to write, but I can't find any information on this topic at all, so I hope someone more educated than me can enlighten me on some of the Windows internals at hand here.

Regards, Paze.

Paze

1 Answer

When a thread enters kernel mode, its context is stored on its kernel stack, in the struct _KTRAP_FRAME, which is declared in ntddk.h. In ntoskrnl.exe (all versions from Win2000 up to Win10) there exists an exported API:

NTKERNELAPI
NTSTATUS
NTAPI
PsGetContextThread(
    __in PETHREAD Thread,
    __inout PCONTEXT ThreadContext,
    __in KPROCESSOR_MODE Mode
    );

You can use it to get a thread context (and PsSetContextThread to set a thread context).

About how this works: look in the WRK. When you try to get/set the context of another thread, a special kernel-mode APC is inserted into this thread with a pointer to an internal GETSETCONTEXT structure; after this, the requestor begins waiting on an event (OperationComplete) from this structure. When the thread (for which we query the context) next begins executing in the kernel, the APC routine (PspGetSetContextSpecialApc) is executed; it fills the context from _KTRAP_FRAME and sets the event (OperationComplete).

RbMm
  • Yeah, when the thread is in kernel mode, but how about a thread running in user mode? Does the same apply for user-mode threads? – Paze Jan 19 '17 at 20:14
  • @Paze - do you understand at all what I write, and do you have knowledge of Windows internals?! About what are you asking? – RbMm Jan 19 '17 at 20:30
  • Dude, you don't have to be rude about it. Yes, I do have knowledge about Windows internals; I'm not an expert and I'm still learning. You said that when the thread enters kernel mode its context is stored on the kernel stack, in the _KTRAP_FRAME structure. My question is whether the context is still stored in the same structure when the thread enters user mode, or where is the context stored then? – Paze Jan 19 '17 at 21:37
  • @Paze - when the thread returns to user mode its context does not need to be stored. For what? And this is senseless: the thread is running, so the context changes all the time. Again: to get the context of a thread, we inject an APC into it. When the thread next goes to kernel mode (really, a thread can only execute continuously in user mode for a very short time), it pops and executes this APC and fills the context from `KTRAP_FRAME`. – RbMm Jan 19 '17 at 21:42
  • @Paze, there are only two cases where the context is saved: when the thread transitions to kernel mode but continues to run, or when the thread is swapped out. AFAIK, it works the same in either case, and the context can be recovered as RbMm described. – Harry Johnston Jan 20 '17 at 00:50
  • Yeah, I understand that now, thanks for explaining. I thought the context was saved both in user mode and kernel mode whenever the thread transitioned. – Paze Jan 20 '17 at 03:25
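The handshake RbMm describes (queue a special APC on the target thread, wait on OperationComplete, let the target fill the context from its own trap frame at its next kernel entry) is modelled below in portable C with pthreads. This is an added example, not kernel code, not the WRK implementation and not part of the original answer: `fake_context`, `ctx_request`, `target_thread`, `run_pending_apc` and `get_set_context` are hypothetical stand-ins for CONTEXT/KTRAP_FRAME, GETSETCONTEXT, the target thread, PspGetSetContextSpecialApc and PsGetContextThread/PsSetContextThread. The point it makes is the one in the comments: a running thread's registers change constantly, so the requester never reads them directly; it asks the thread to report or apply them at a safe point and blocks until that happens.

```c
/* Added example: pthread model of the kernel get/set-context handshake.
 * All names here are hypothetical stand-ins, not Windows kernel APIs. */
#include <pthread.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a register set (CONTEXT / KTRAP_FRAME contents). */
typedef struct { uint64_t rip; uint64_t rax; } fake_context;
typedef enum { OP_GET, OP_SET } ctx_op;

/* Stand-in for the kernel's GETSETCONTEXT request block. */
typedef struct {
    ctx_op          op;
    fake_context    ctx;       /* filled by GET, applied by SET */
    int             complete;  /* the OperationComplete "event" */
    pthread_mutex_t lock;
    pthread_cond_t  done;
} ctx_request;

/* The target thread: live registers (touched only by the thread itself)
 * plus a one-slot "APC queue". */
typedef struct {
    fake_context    regs;
    ctx_request    *pending;
    pthread_mutex_t apc_lock;
    int             stop;
} target_thread;

/* Runs on the target thread, like PspGetSetContextSpecialApc: copies the
 * registers out (GET) or in (SET), then signals the requester. */
static void run_pending_apc(target_thread *t) {
    pthread_mutex_lock(&t->apc_lock);
    ctx_request *r = t->pending;
    t->pending = NULL;
    pthread_mutex_unlock(&t->apc_lock);
    if (!r) return;
    if (r->op == OP_GET) r->ctx = t->regs;   /* read the "trap frame" */
    else                 t->regs = r->ctx;   /* apply caller's context */
    pthread_mutex_lock(&r->lock);
    r->complete = 1;
    pthread_cond_signal(&r->done);           /* KeSetEvent(OperationComplete) */
    pthread_mutex_unlock(&r->lock);
}

/* Target loop: "user-mode work" that mutates rip, then a "kernel entry"
 * point where queued APCs are delivered. */
static void *target_main(void *arg) {
    target_thread *t = arg;
    for (;;) {
        t->regs.rip += 4;                    /* pretend to execute code */
        pthread_mutex_lock(&t->apc_lock);
        int stop = t->stop;
        pthread_mutex_unlock(&t->apc_lock);
        run_pending_apc(t);                  /* deliver APC on kernel entry */
        if (stop) break;
        sched_yield();
    }
    return NULL;
}

/* Requester side, like PsGetContextThread / PsSetContextThread: queue the
 * request and block until the target has serviced it. Returns 0 on success,
 * -1 if the single APC slot is already occupied. */
static int get_set_context(target_thread *t, ctx_op op, fake_context *ctx) {
    ctx_request r;
    memset(&r, 0, sizeof r);
    r.op = op;
    r.ctx = *ctx;
    pthread_mutex_init(&r.lock, NULL);
    pthread_cond_init(&r.done, NULL);
    pthread_mutex_lock(&t->apc_lock);
    int busy = (t->pending != NULL);
    if (!busy) t->pending = &r;
    pthread_mutex_unlock(&t->apc_lock);
    if (!busy) {
        pthread_mutex_lock(&r.lock);
        while (!r.complete)                  /* KeWaitForSingleObject */
            pthread_cond_wait(&r.done, &r.lock);
        pthread_mutex_unlock(&r.lock);
        *ctx = r.ctx;
    }
    pthread_cond_destroy(&r.done);
    pthread_mutex_destroy(&r.lock);
    return busy ? -1 : 0;
}

/* Demo: SET rax on a running target, then GET it back through the same
 * handshake. Returns the rax value the GET observed (0x1234), 0 on failure. */
uint64_t demo_set_then_get(void) {
    target_thread t;
    memset(&t, 0, sizeof t);
    pthread_mutex_init(&t.apc_lock, NULL);
    pthread_t tid;
    if (pthread_create(&tid, NULL, target_main, &t) != 0) return 0;
    fake_context c = { .rip = 0, .rax = 0x1234 };
    uint64_t result = 0;
    if (get_set_context(&t, OP_SET, &c) == 0) {
        fake_context seen = { 0, 0 };
        if (get_set_context(&t, OP_GET, &seen) == 0) result = seen.rax;
    }
    pthread_mutex_lock(&t.apc_lock); t.stop = 1; pthread_mutex_unlock(&t.apc_lock);
    pthread_join(tid, NULL);
    pthread_mutex_destroy(&t.apc_lock);
    return result;
}

int main(void) {
    printf("rax observed via GET: 0x%llx\n",
           (unsigned long long)demo_set_then_get());
    return 0;
}
```

Note the two things the model preserves from the description: the requester only ever touches the context through the request block after the event is signalled, and the register snapshot is taken by the target thread itself at a point where it is not running user code. The `rip` value the GET returns is whatever the target had reached when it serviced the APC, which is exactly why, as the comments say, there is nothing to "store" while the thread is running in user mode.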