[PATCH v2 01/10] ntoskrnl.exe: Implement PsLookupThreadByThreadId.

Wed Apr 10 00:14:31 CDT 2019

On 4/10/19 12:12 AM, Derek Lesho wrote:
> On Tue, Apr 9, 2019 at 7:34 PM Zebediah Figura <z.figura12 at gmail.com 
> <mailto:z.figura12 at gmail.com>> wrote:
> 
>     On 04/09/2019 02:29 PM, Derek Lesho wrote:
>      > Signed-off-by: Derek Lesho <dereklesho52 at Gmail.com>
>      > ---
>      >  dlls/ntoskrnl.exe/ntoskrnl.c        | 20 ++++++++++++++++++++
>      >  dlls/ntoskrnl.exe/ntoskrnl.exe.spec |  2 +-
>      >  2 files changed, 21 insertions(+), 1 deletion(-)
>      >
>      > diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c
>     b/dlls/ntoskrnl.exe/ntoskrnl.c
>      > index f5dee07e2f..770bdfd4fa 100644
>      > --- a/dlls/ntoskrnl.exe/ntoskrnl.c
>      > +++ b/dlls/ntoskrnl.exe/ntoskrnl.c
>      > @@ -3245,6 +3245,26 @@ NTSTATUS WINAPI
>     PsLookupProcessByProcessId(HANDLE processid, PEPROCESS *process)
>      >  }
>      >
>      >
>      > +/*****************************************************
>      > + *           PsLookupThreadByThreadId   (NTOSKRNL.EXE.@)
>      > + */
>      > +NTSTATUS WINAPI PsLookupThreadByThreadId(HANDLE threadid,
>     PETHREAD *thread)
>      > +{
>      > +    NTSTATUS status;
>      > +    HANDLE hThread = OpenThread( THREAD_ALL_ACCESS, FALSE,
>     HandleToUlong(threadid) );
>      > +
>      > +    if (!hThread)
>      > +        return STATUS_INVALID_PARAMETER;
>      > +
>      > +    status = kernel_object_from_handle( hThread, PsThreadType,
>     (void**)thread );
>      > +
>      > +    ObReferenceObject( *thread );
>      > +
>      > +    NtClose( hThread );
>      > +    return status;
>      > +}
>      > +
>      > +
>      >  /*****************************************************
>      >   *           IoSetThreadHardErrorMode  (NTOSKRNL.EXE.@)
>      >   */
>      > diff --git a/dlls/ntoskrnl.exe/ntoskrnl.exe.spec
>     b/dlls/ntoskrnl.exe/ntoskrnl.exe.spec
>      > index 43f47470a9..601506246e 100644
>      > --- a/dlls/ntoskrnl.exe/ntoskrnl.exe.spec
>      > +++ b/dlls/ntoskrnl.exe/ntoskrnl.exe.spec
>      > @@ -913,7 +913,7 @@
>      >  @ stub PsJobType
>      >  @ stdcall PsLookupProcessByProcessId(ptr ptr)
>      >  @ stub PsLookupProcessThreadByCid
>      > -@ stub PsLookupThreadByThreadId
>      > +@ stdcall PsLookupThreadByThreadId(ptr ptr)
>      >  @ extern PsProcessType
>      >  @ stub PsReferenceImpersonationToken
>      >  @ stub PsReferencePrimaryToken
>      >
> 
>     Can we have tests for this function?
> 
>     And while you're at it, can you add it to the public header?
> 
> 
> Sure, will do.  I Just based the return value on the MSDN, but I guess 
> it doesn't hurt to check.
> 
> 

As far as signatures go, it's better to look at the PSDK headers anyway; 
I've seen MSDN be wrong several times.