best
K.
Process Hacker Forums
Process Hacker and Windows discussion
TerminateThread,...but what happens to thread stack?
Reading the documentation for the TerminateThread says, that it will not cleanup the target thread's initial stack,....and afaik this is a leak. I found a function in ntdll.dll that has a interesting name: RtlFreeUserThreadStack(W2K) and RtlFreeUserStack(VISTA+),...is this the possible solution for this? It uses NtFreeVirtualMemory to free something pushing MEM_RELEASE (0x8000) on the stack before calling NtFreeVirtualMemory,...but what is freed and what are the two DWORD sized parameters it expects? Can someone tell me more about this please,...
best
K.
best
K.
Re: TerminateThread,...but what happens to thread stack?
Since Vista the kernel frees the stack.
Re: TerminateThread,...but what happens to thread stack?
Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?wj32 wrote:Since Vista the kernel frees the stack.
Re: TerminateThread,...but what happens to thread stack?
I'm not sure...keremg wrote:Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?wj32 wrote:Since Vista the kernel frees the stack.
Re: TerminateThread,...but what happens to thread stack?
Looks like simply terminating a thread seems not to be a good idea, there seem to be many more resources "orphaned" not just only stack memory,...wj32 wrote:I'm not sure...keremg wrote:Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?wj32 wrote:Since Vista the kernel frees the stack.
Re: TerminateThread,...but what happens to thread stack?
It is very possible to easily free user mode thread stacks under versions of Windows that otherwise leak them when they're forcefully terminated with a call to NTDLL's RtlFreeUserThreadStack().
I have just started a blog and made a post on this very issue explaining how to use it.
http://www.nicklowe.org/2012/01/thread- ... the-stack/
Regards,
Nick
I have just started a blog and made a post on this very issue explaining how to use it.
http://www.nicklowe.org/2012/01/thread- ... the-stack/
Regards,
Nick
Re: TerminateThread,...but what happens to thread stack?
Ok, thanks,...nicklowe wrote:It is very possible to easily free user mode thread stacks under versions of Windows that otherwise leak them when they're forcefully terminated with a call to NTDLL's RtlFreeUserThreadStack().
I have just started a blog and made a post on this very issue explaining how to use it.
http://www.nicklowe.org/2012/01/thread- ... the-stack/
Regards,
Nick
Re: TerminateThread,...but what happens to thread stack?
Coming back to this thread a year later... The internals of RtlFreeUserThreadStack are:
The internals of RtlFreeUserStack are:
Code: Select all
NTSTATUS RtlFreeUserThreadStack(
HANDLE hProcess,
HANDLE hThread)
{
NTSTATUS Status;
PTEB Teb;
THREAD_BASIC_INFORMATION ThreadInfo;
PVOID StackDeallocationBase;
ULONG Length;
SIZE_T Size;
Status = NtQueryInformationThread(hThread,
ThreadBasicInformation,
&ThreadInfo,
sizeof(ThreadInfo),
NULL);
Teb = ThreadInfo.TebBaseAddress;
if (NT_SUCCESS(Status) && Teb)
{
Status = NtReadVirtualMemory(hProcess,
&Teb->DeallocationStack,
&StackDeallocationBase,
sizeof(StackDeallocationBase),
&Length);
if (NT_SUCCESS(Status) && StackDeallocationBase)
{
Size = 0;
Status = NtFreeVirtualMemory(hProcess,
&StackDeallocationBase,
&Size,
MEM_RELEASE);
}
}
return Status;
}Code: Select all
NTSTATUS RtlFreeUserStack(
PVOID StackDeallocationBase)
{
SIZE_T Size;
Size = 0;
return NtFreeVirtualMemory(-1,
&StackDeallocationBase,
&Size,
MEM_RELEASE);
}Who is online
Users browsing this forum: No registered users and 4 guests