
best
K.
Process Hacker and Windows discussion
wj32 wrote: Since Vista the kernel frees the stack.

Ok, that's good to know. But what about Windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?
keremg wrote:
    wj32 wrote: Since Vista the kernel frees the stack.
    Ok, that's good to know. But what about Windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?

I'm not sure...
wj32 wrote:
    keremg wrote:
        wj32 wrote: Since Vista the kernel frees the stack.
        Ok, that's good to know. But what about Windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?
    I'm not sure...

Looks like simply terminating a thread seems not to be a good idea, there seem to be many more resources "orphaned" not just only stack memory,...
nicklowe wrote:
    It is very possible to easily free user mode thread stacks under versions of Windows that otherwise leak them when they're forcefully terminated with a call to NTDLL's RtlFreeUserThreadStack().
    I have just started a blog and made a post on this very issue explaining how to use it.
    http://www.nicklowe.org/2012/01/thread- ... the-stack/
    Regards,
    Nick

Ok, thanks,...
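    /* Needs the Native API declarations (NtQueryInformationThread,
       NtReadVirtualMemory, NtFreeVirtualMemory, TEB), which are not in the
       public SDK headers. */

    /* Frees the user-mode stack of hThread, a thread in process hProcess. */
    NTSTATUS RtlFreeUserThreadStack(
        HANDLE hProcess,
        HANDLE hThread)
    {
        NTSTATUS Status;
        PTEB Teb;
        THREAD_BASIC_INFORMATION ThreadInfo;
        PVOID StackDeallocationBase;
        SIZE_T Length; /* pointer-sized, so the out parameter is safe on x64 */
        SIZE_T Size;

        /* Locate the TEB of the target thread. */
        Status = NtQueryInformationThread(hThread,
                                          ThreadBasicInformation,
                                          &ThreadInfo,
                                          sizeof(ThreadInfo),
                                          NULL);
        if (!NT_SUCCESS(Status))
            return Status; /* ThreadInfo was not filled in */

        Teb = ThreadInfo.TebBaseAddress;
        if (Teb)
        {
            /* Teb is an address in the target process: &Teb->DeallocationStack
               only computes the field's remote address, which is then read
               across the process boundary. */
            Status = NtReadVirtualMemory(hProcess,
                                         &Teb->DeallocationStack,
                                         &StackDeallocationBase,
                                         sizeof(StackDeallocationBase),
                                         &Length);
            if (NT_SUCCESS(Status) && StackDeallocationBase)
            {
                /* MEM_RELEASE takes the allocation base and a size of 0,
                   releasing the whole stack reservation. */
                Size = 0;
                Status = NtFreeVirtualMemory(hProcess,
                                             &StackDeallocationBase,
                                             &Size,
                                             MEM_RELEASE);
            }
        }
        return Status;
    }

    /* Frees a stack in the current process, given its allocation base. */
    NTSTATUS RtlFreeUserStack(
        PVOID StackDeallocationBase)
    {
        SIZE_T Size;

        Size = 0;
        /* (HANDLE)-1 is the current-process pseudo-handle. */
        return NtFreeVirtualMemory((HANDLE)-1,
                                   &StackDeallocationBase,
                                   &Size,
                                   MEM_RELEASE);
    }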