« Back to home

Thread 0:0 is special

Thread IDs uniquely identify a thread – this certainly holds for user mode threads and should also hold for kernel mode threads. But there is one kind of thread where the ID does not uniquely identify a KTHREAD – the Idle thread. On a uniprocessor system, there is only one Idle thread and this idle thread will have the thread ID 0 (in process 0). On a multiprocessor system, however, Windows creates one Idle thread per CPU. Continue »

Explicit Symbol Loading with dbghelp

When working with symbols, the default case is that you either analyze the current process, a concurrently running process or maybe even the kernel. dbghelp provides special support for these use cases and getting the right symbols to load is usually easy – having access to the process being analyzed, dbghelp can obtain the necessary module information by itself and will come up with the matching symbols. Things are not quite as easy when analyzing symbols for a process (or kernel) that is not running any more or executes on a different machine. Continue »

About Johannes

Johannes Passing lives in Melbourne, Australia, and works as a Staff Solutions Architect at Google Cloud where he helps customers around the globe make the most of Google Cloud IAM to secure their identities and resources.

Johannes also maintains several open-source projects and is the author of many security best practices published on the Google Cloud website.

Besides IAM, Johannes has a passion for software architecture and lean software development.

Johannes holds an M.Sc. in software systems engineering from Hasso Plattner Institute, is a Google-certitified Professional Cloud Architect and Professional Cloud Security Engineer and is ITILv3- and PRINCE2-certified.

Any opinions expressed on this blog are Johannes' own.

Contact Johannes at jpassing (at) hotmail com