Process Hacker Forums

[keremg]

Reading the documentation for the TerminateThread says, that it will not cleanup the target thread's initial stack,....and afaik this is a leak. I found a function in ntdll.dll that has a interesting name: RtlFreeUserThreadStack(W2K) and RtlFreeUserStack(VISTA+),...is this the possible solution for this? It uses NtFreeVirtualMemory to free something pushing MEM_RELEASE (0x8000) on the stack before calling NtFreeVirtualMemory,...but what is freed and what are the two DWORD sized parameters it expects? Can someone tell me more about this please,...


best

K.

[wj32]

Since Vista the kernel frees the stack.

[keremg]

Since Vista the kernel frees the stack.

Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?

[wj32]

Since Vista the kernel frees the stack.

Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?

I'm not sure...

[keremg]

Since Vista the kernel frees the stack.

Ok, thats good to know. But what about windows 2000 and XP? There is a member on TEB named DeallocationStack of type PVOID referring to http://en.wikipedia.org/wiki/Thread_Environment_Block. Can this be used in some way?

I'm not sure...

Looks like simply terminating a thread seems not to be a good idea, there seem to be many more resources "orphaned" not just only stack memory,...

[nicklowe]

It is very possible to easily free user mode thread stacks under versions of Windows that otherwise leak them when they're forcefully terminated with a call to NTDLL's RtlFreeUserThreadStack().

I have just started a blog and made a post on this very issue explaining how to use it.

http://www.nicklowe.org/2012/01/thread-termination-dont-leak-the-stack/

Regards,

Nick

[keremg]

It is very possible to easily free user mode thread stacks under versions of Windows that otherwise leak them when they're forcefully terminated with a call to NTDLL's RtlFreeUserThreadStack().

I have just started a blog and made a post on this very issue explaining how to use it.

http://www.nicklowe.org/2012/01/thread-termination-dont-leak-the-stack/

Regards,

Nick

Ok, thanks,...

[nicklowe]

Coming back to this thread a year later... The internals of RtlFreeUserThreadStack are:

Code: Select all

NTSTATUS RtlFreeUserThreadStack(
    HANDLE hProcess,
    HANDLE hThread)
{
    NTSTATUS Status;
    PTEB Teb;
    THREAD_BASIC_INFORMATION ThreadInfo;
    PVOID StackDeallocationBase;
    ULONG Length;
    SIZE_T Size;
    Status = NtQueryInformationThread(hThread,
        ThreadBasicInformation,
        &ThreadInfo,
        sizeof(ThreadInfo),
        NULL);
    Teb = ThreadInfo.TebBaseAddress;
    if (NT_SUCCESS(Status) && Teb)
    {
        Status = NtReadVirtualMemory(hProcess,
            &Teb->DeallocationStack,
            &StackDeallocationBase,
            sizeof(StackDeallocationBase),
            &Length);
        if (NT_SUCCESS(Status) && StackDeallocationBase)
        {
            Size = 0;
            Status = NtFreeVirtualMemory(hProcess,
                &StackDeallocationBase,
                &Size,
                MEM_RELEASE);
        }
    }

    return Status;
}

The internals of RtlFreeUserStack are:

Code: Select all

NTSTATUS RtlFreeUserStack(
    PVOID StackDeallocationBase)
{
    SIZE_T Size;
    Size = 0;
    return NtFreeVirtualMemory(-1,
        &StackDeallocationBase,
        &Size,
        MEM_RELEASE);
}