
Process Explorer : Thread Start Address and Call Stack

Author: ThunderCats
Subject: Thread Start Address and Call Stack
Posted: 16 June 2013 at 6:33pm

Hi GuyHoozdis,

Thanks a lot for such an insightful explanation. Part of my problem is that I am not from a computer science background and have never done application development, but I have a general idea of how functions are called within a code/program.
One last thing that I would like to ask: as you mentioned in your post (with the notepad example), its thread start address is Notepad.exe!WinMainCRTStartup. Here is what you wrote:

"From our thread, which started at offset WinMainCRTStartup"

WinMainCRTStartup is starting at an offset with regard to what? The Notepad.exe module or something else? There is another example from Mark's book in which a thread named "rdyboost.sys+0xee0a" is consuming high CPU, and he concluded that the thread was starting in the Rdyboost.sys module.

Thanks
