阅读:1153回复:3
从Irp中取线程句柄或者ID?
在文件系统驱动中怎么取得当前收到的Irp的发送者的线程ID呢?
是Irp->Tail.Overlay.Thread这里的一个ETHREAD结构中取吗?该怎么取呢? 请大牛指点。 附一段ETHREAD结构: typedef struct _ETHREAD { KTHREAD Tcb; LARGE_INTEGER CreateTime; union { LARGE_INTEGER ExitTime; LIST_ENTRY LpcReplyChain; }; union { NTSTATUS ExitStatus; PVOID OfsChain; }; // // Registry // LIST_ENTRY PostBlockList; LIST_ENTRY TerminationPortList; // also used as reaper links KSPIN_LOCK ActiveTimerListLock; LIST_ENTRY ActiveTimerListHead; CLIENT_ID Cid; // // Lpc // KSEMAPHORE LpcReplySemaphore; PVOID LpcReplyMessage; // -> Message that contains the reply ULONG LpcReplyMessageId; // MessageId this thread is waiting for reply to // // Security // // // Client - If non null, indicates the thread is impersonating // a client. // ULONG PerformanceCountLow; PPS_IMPERSONATION_INFORMATION ImpersonationInfo; // // Io // LIST_ENTRY IrpList; // // File Systems // ULONG TopLevelIrp; // either NULL, an Irp or a flag defined in FsRtl.h struct _DEVICE_OBJECT *DeviceToVerify; // // Mm // ULONG ReadClusterSize; BOOLEAN ForwardClusterOnly; BOOLEAN DisablePageFaultClustering; BOOLEAN DeadThread; BOOLEAN HasTerminated; // // Client/server // PEEVENT_PAIR EventPair; ACCESS_MASK GrantedAccess; PEPROCESS ThreadsProcess; PVOID StartAddress; union { PVOID Win32StartAddress; ULONG LpcReceivedMessageId; }; BOOLEAN LpcExitThreadCalled; BOOLEAN HardErrorsAreDisabled; BOOLEAN LpcReceivedMsgIdValid; BOOLEAN ActiveImpersonationInfo; LONG PerformanceCountHigh; } ETHREAD; typedef ETHREAD *PETHREAD; |
|
沙发#
发布于:2007-02-01 17:05
记得以前在这看过一篇介绍这个的你搜下的
|
|
板凳#
发布于:2007-02-01 16:40
ETHREAD 这个结构在IFS中是指向KTHREAD的
Cid是无效的. |
|
地板#
发布于:2007-02-01 16:35
CLIENT_ID Cid
|
|