On 4/10/19 12:12 AM, Derek Lesho wrote:
On Tue, Apr 9, 2019 at 7:34 PM Zebediah Figura <z.figura12@gmail.com> wrote:
On 04/09/2019 02:29 PM, Derek Lesho wrote: > Signed-off-by: Derek Lesho <dereklesho52@Gmail.com> > --- > dlls/ntoskrnl.exe/ntoskrnl.c | 20 ++++++++++++++++++++ > dlls/ntoskrnl.exe/ntoskrnl.exe.spec | 2 +- > 2 files changed, 21 insertions(+), 1 deletion(-) > > diff --git a/dlls/ntoskrnl.exe/ntoskrnl.c b/dlls/ntoskrnl.exe/ntoskrnl.c > index f5dee07e2f..770bdfd4fa 100644 > --- a/dlls/ntoskrnl.exe/ntoskrnl.c > +++ b/dlls/ntoskrnl.exe/ntoskrnl.c > @@ -3245,6 +3245,26 @@ NTSTATUS WINAPI PsLookupProcessByProcessId(HANDLE processid, PEPROCESS *process) > } > > > +/***************************************************** > + * PsLookupThreadByThreadId (NTOSKRNL.EXE.@) > + */ > +NTSTATUS WINAPI PsLookupThreadByThreadId(HANDLE threadid, PETHREAD *thread) > +{ > + NTSTATUS status; > + HANDLE hThread = OpenThread( THREAD_ALL_ACCESS, FALSE, HandleToUlong(threadid) ); > + > + if (!hThread) > + return STATUS_INVALID_PARAMETER; > + > + status = kernel_object_from_handle( hThread, PsThreadType, (void**)thread ); > + > + ObReferenceObject( *thread ); > + > + NtClose( hThread ); > + return status; > +} > + > + > /***************************************************** > * IoSetThreadHardErrorMode (NTOSKRNL.EXE.@) > */ > diff --git a/dlls/ntoskrnl.exe/ntoskrnl.exe.spec b/dlls/ntoskrnl.exe/ntoskrnl.exe.spec > index 43f47470a9..601506246e 100644 > --- a/dlls/ntoskrnl.exe/ntoskrnl.exe.spec > +++ b/dlls/ntoskrnl.exe/ntoskrnl.exe.spec > @@ -913,7 +913,7 @@ > @ stub PsJobType > @ stdcall PsLookupProcessByProcessId(ptr ptr) > @ stub PsLookupProcessThreadByCid > -@ stub PsLookupThreadByThreadId > +@ stdcall PsLookupThreadByThreadId(ptr ptr) > @ extern PsProcessType > @ stub PsReferenceImpersonationToken > @ stub PsReferencePrimaryToken > Can we have tests for this function? And while you're at it, can you add it to the public header?
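Review bot: in the ntoskrnl.c hunk, PsLookupThreadByThreadId calls `ObReferenceObject( *thread )` before the `status` returned by `kernel_object_from_handle()` is checked, so on a failed lookup it takes a reference through whatever `*thread` happens to hold. Test `status` right after the `kernel_object_from_handle()` call and, on failure, close `hThread` and return `status` without touching `*thread`. Separately, the handle is opened with `THREAD_ALL_ACCESS` although it is only passed to the lookup and then closed; consider whether a narrower access mask is enough, so the call does not fail on threads that cannot be opened with full access.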
Sure, will do. I just based the return value on the MSDN, but I guess it doesn't hurt to check.
As far as signatures go, it's better to look at the PSDK headers anyway; I've seen MSDN be wrong several times.