Understanding the !thread extension

The !thread extension is probably one of most often used extensions when I’m debugging. It gives you several key pieces of information, which I will briefly describe in this post.

THREAD = This is the address of the current thread, we can use this address with the ETHREAD data structure.

IRP List = The list of currently associated IRPs with the current thread.

WAIT = Contains the current state of the thread, and any dispatcher objects in which the thread may waiting upon.

Owning Process = The process which the thread is currently associated with, we can use this address with the EPROCESS data structure.

Teb = Address of the Thread Environment Block (use !teb)

Cid = Thread ID (useful with the !locks)

Priority = The current priority of the thread.

Stack = The call stack of the current thread.

Advertisements

About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.
This entry was posted in WinDbg. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s