Thread: Thread32First / NtSuspendThread from DDK driver



    Does anyone happen to know how to enumerate the threads of the current process from inside a DDK driver, i.e. what NtXXX/ZwXXX calls are used to implement it?

    I have an exact moment during a syscall entry/exit inside ring0 that I want my target program to suspend all execution of itself. Ideally I wish to manually enumerate and then suspend all other threads with NtSuspendThread() and then issue an NtSuspendProcess() to halt the final thread.

    This is so that I can then attach a debugger to be able to single step about 50k instructions from that syscall return. I only wish the main thread (primary thread) to resume execution when the debugger attaches, so I am thinking that by manually suspending threads first, before the NtSuspendProcess(), when the debugger restarts the process all but the main thread will continue to be asleep (due to their suspend counts still being > 0). I presume NtSuspendProcess() effectively increments the suspend count of ALL threads, which means the non-main threads will have a count of 2, while the main thread has a count of 1. So on process resume they are all decremented.

    I already have a working DDK driver framework I am hooking syscalls with that can identify the process and the exact moment I want it suspended.

    Meanwhile I'll have to reveng the KERNEL32!CreateToolhelp32Snapshot() to see how that works.


    Example user-space pseudo code would look something like:
    data.dwSize = sizeof(data);
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if(hSnapshot != INVALID_HANDLE_VALUE && Thread32First(hSnapshot, &data)) {
      do {
        // snapshot is system-wide: keep this process's threads, compare IDs not handles
        if(data.th32OwnerProcessID == GetCurrentProcessId() && data.th32ThreadID != GetCurrentThreadId()) {
          hThread = NtOpenThread(.... data.th32ThreadID ....);
          NtSuspendThread(hThread, NULL);
        }
      } while(Thread32Next(hSnapshot, &data));
    }
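    An added user-mode model of the suspend-count bookkeeping the post reasons about (my own illustration, not the poster's code and not kernel code): per-thread counts under NtSuspendThread, NtSuspendProcess and the debugger's NtResumeProcess, assuming each call adds or subtracts one per thread, counts never drop below 0, and SuspendThread fails once the count would pass MAXIMUM_SUSPEND_COUNT (127 in winnt.h). The struct and function names are mine.

```c
#define MAX_THREADS 8
#define MAXIMUM_SUSPEND_COUNT 127   /* winnt.h: SuspendThread fails past this */
struct proc { int nthreads; int suspend_count[MAX_THREADS]; };

/* NtSuspendThread model: previous count, or -1 once saturated (real call fails). */
static int suspend_thread(struct proc *p, int t)
{
    if (p->suspend_count[t] >= MAXIMUM_SUSPEND_COUNT) return -1;
    return p->suspend_count[t]++;
}

/* NtResumeThread model: a thread already at 0 stays at 0 (no underflow). */
static int resume_thread(struct proc *p, int t)
{
    int prev = p->suspend_count[t];
    if (prev > 0) p->suspend_count[t]--;
    return prev;
}

/* NtSuspendProcess / NtResumeProcess touch every thread of the process once. */
static void suspend_process(struct proc *p)
{ for (int t = 0; t < p->nthreads; t++) suspend_thread(p, t); }
static void resume_process(struct proc *p)
{ for (int t = 0; t < p->nthreads; t++) resume_thread(p, t); }

/* The poster's plan: suspend every thread except main_t by hand, then the whole
 * process, then let the debugger resume the process when it attaches. */
static void simulate_attach(struct proc *p, int main_t)
{
    for (int t = 0; t < p->nthreads; t++)
        if (t != main_t) suspend_thread(p, t);      /* others -> 1 */
    suspend_process(p);                             /* main 1, others 2 */
    resume_process(p);                              /* main 0, others 1 */
}

/* Suspend count of thread query_t after the whole sequence. */
int count_after_attach(int nthreads, int main_t, int query_t)
{
    struct proc p = { nthreads, { 0 } };
    simulate_attach(&p, main_t);
    return p.suspend_count[query_t];
}

/* Threads still runnable (count == 0) afterwards; the plan needs exactly one. */
int runnable_after_attach(int nthreads, int main_t)
{
    int n = 0;
    for (int t = 0; t < nthreads; t++) n += count_after_attach(nthreads, main_t, t) == 0;
    return n;
}
```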

    NtQuerySystemInformation InfoClass SystemProcessThreadInformation.

    NtQuerySystemInformation InfoClass SystemHandleInformation.
    An example of this method, mostly ready to use, is here:

    Or you could go the blacklight route and brute-force the ClientId.UniqueThread.

    I'm sure there are many other ways, especially if you're in kernel mode.. ;}

    regards BanMe
