best
K.
Process Hacker Forums
Process Hacker and Windows discussion
TerminateThread,...but what happens to thread stack?
Reading the documentation for the TerminateThread says, that it will not cleanup the target thread's initial stack,....and afaik this is a leak. I found a function in ntdll.dll that has a interesting name: RtlFreeUserThreadStack(W2K) and RtlFreeUserStack(VISTA+),...is this the possible solution for this? It uses NtFreeVirtualMemory to free something pushing MEM_RELEASE (0x8000) on the stack before calling NtFreeVirtualMemory,...but what is freed and what are the two DWORD sized parameters it expects? Can someone tell me more about this please,...
best
K.
best
K.
Re: TerminateThread,...but what happens to thread stack?
Since Vista the kernel frees the stack.
Re: TerminateThread,...but what happens to thread stack?
wj32 wrote:Since Vista the kernel frees the stack.
Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?
Re: TerminateThread,...but what happens to thread stack?
keremg wrote:wj32 wrote:Since Vista the kernel frees the stack.
Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?
I'm not sure...
Re: TerminateThread,...but what happens to thread stack?
wj32 wrote:keremg wrote:wj32 wrote:Since Vista the kernel frees the stack.
Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?
I'm not sure...
Looks like simply terminating a thread seems not to be a good idea, there seem to be many more resources "orphaned" not just only stack memory,...
Re: TerminateThread,...but what happens to thread stack?
It is very possible to easily free user mode thread stacks under versions of Windows that otherwise leak them when they're forcefully terminated with a call to NTDLL's RtlFreeUserThreadStack().
I have just started a blog and made a post on this very issue explaining how to use it.
http://www.nicklowe.org/2012/01/thread-termination-dont-leak-the-stack/
Regards,
Nick
I have just started a blog and made a post on this very issue explaining how to use it.
http://www.nicklowe.org/2012/01/thread-termination-dont-leak-the-stack/
Regards,
Nick
Re: TerminateThread,...but what happens to thread stack?
nicklowe wrote:It is very possible to easily free user mode thread stacks under versions of Windows that otherwise leak them when they're forcefully terminated with a call to NTDLL's RtlFreeUserThreadStack().
I have just started a blog and made a post on this very issue explaining how to use it.
http://www.nicklowe.org/2012/01/thread-termination-dont-leak-the-stack/
Regards,
Nick
Ok, thanks,...
Re: TerminateThread,...but what happens to thread stack?
Coming back to this thread a year later... The internals of RtlFreeUserThreadStack are:
The internals of RtlFreeUserStack are:
Code: Select all
NTSTATUS RtlFreeUserThreadStack(
HANDLE hProcess,
HANDLE hThread)
{
NTSTATUS Status;
PTEB Teb;
THREAD_BASIC_INFORMATION ThreadInfo;
PVOID StackDeallocationBase;
ULONG Length;
SIZE_T Size;
Status = NtQueryInformationThread(hThread,
ThreadBasicInformation,
&ThreadInfo,
sizeof(ThreadInfo),
NULL);
Teb = ThreadInfo.TebBaseAddress;
if (NT_SUCCESS(Status) && Teb)
{
Status = NtReadVirtualMemory(hProcess,
&Teb->DeallocationStack,
&StackDeallocationBase,
sizeof(StackDeallocationBase),
&Length);
if (NT_SUCCESS(Status) && StackDeallocationBase)
{
Size = 0;
Status = NtFreeVirtualMemory(hProcess,
&StackDeallocationBase,
&Size,
MEM_RELEASE);
}
}
return Status;
}The internals of RtlFreeUserStack are:
Code: Select all
NTSTATUS RtlFreeUserStack(
PVOID StackDeallocationBase)
{
SIZE_T Size;
Size = 0;
return NtFreeVirtualMemory(-1,
&StackDeallocationBase,
&Size,
MEM_RELEASE);
}Who is online
Users browsing this forum: No registered users and 2 guests