[programmer.cpp1986]

I wanna force a thread to execute its APCs through kernel mode.
I know that i have to set this thread to delay and alterable state, but I don't know haw can i do this?

[Cr4sh]

Code: Select all

KTHREAD->ApcState.UserApcPending = TRUE;

[Dmitry Varshavsky]

Code: Select all

KTHREAD->ApcState.UserApcPending = TRUE;

And you should have and maintain huge offset table for different OS/service packs.

Preffered solution:

Schedule kernel-mode APC. In normal routine schedule user-mode APC and then just simple:

Code: Select all

LARGE_INTEGER Timeout = {0};
KeDelayExecutionThread ( UserMode, TRUE, &Timeout );

This will force user apc delivery.

[Brock]

http://www.codeproject.com/Articles/723 ... ous-User-M

The above code uses the same KeDelayExecutionThread method to force the delivery of APCs as mentioned already and it works fine. I wouldn't mess with undocumented methods which require hardcoding offsets per OS version / SP. Another way to force APCs to be flushed is to call the non-wait function ZwTestAlert. It will empty the APC queue but it's not exported from the kernel, at least not here on XP x86, but you could always SYSENTER/INT2E etc. yourself. Of course the system call number is also apt to change so KeDelayExecutionThread seems to be the best documented choice.