Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am currently using
NtQueryInformationThread(.., ThreadQuerySetWin32StartAddress, addr, ..) for getting the thread address in addr.
The msdn doc says
NtQueryInformationThread may be altered or unavailable in future versions of Windows
Also,
Note that on versions of Windows prior to Windows Vista, the returned start address is only reliable before the thread starts running.
What is the suggested method for retrieving a thread’s address?
The NtQueryXxxx group of functions are internal Windows kernel functions that were undocumented. Until Microsoft was forced to document them in the settlement with the USA Department of Justice. They did so, but reserved the right to alter their implementation in any future version of Windows, necessary to allow them to innovate on Windows. And reserved the right to not have to make the function actually useful beyond its intended use in the kernel.
The warning is very accurate, you will not get a usable thread start address from this function after the thread was started. It will point to the real start address, an internal helper function named __RtlUserThreadStart() in ntdll.dll. You can see it back in any stack trace when you’ve got debugging symbols for Windows. The same start address for every started thread.
The writing is on the wall. Don’t use it.