t_thread

Structure that describes thread of the debugged application. Many members in t_thread are valid and actual only if application is paused. Never change the elements of this structure directly (especially those marked "For internal use"), or debugging engine may get unstable.

typedef struct t_thread {              // Information about active threads
  ulong          threadid;             // Thread identifier
  ulong          dummy;                // Always 1
  ulong          type;                 // Service information, TY_xxx+THR_xxx
  int            ordinal;              // Thread's ordinal number (1-based)
  wchar_t        name[SHORTNAME];      // Short name of the thread
  HANDLE         thread;               // Thread handle, for OllyDbg only!
  ulong          tib;                  // Thread Information Block
  ulong          entry;                // Thread entry point
  CONTEXT        context;              // Actual context of the thread
  t_reg          reg;                  // Actual contents of registers
  int            regvalid;             // Whether reg and context are valid
  t_reg          oldreg;               // Previous contents of registers
  int            oldregvalid;          // Whether oldreg is valid
  int            suspendrun;           // Suspended for run (0 or 1)
  int            suspendcount;         // Temporarily suspended (0..inf)
  int            suspenduser;          // Suspended by user (0 or 1)
  int            trapset;              // Single-step trap set by OllyDbg
  int            trapincontext;        // Trap is catched in exception context
  ulong          rtprotocoladdr;       // Address of destination to protocol
  int            ignoreonce;           // Ignore list, IGNO_xxx
  int            drvalid;              // Contents of dr is valid
  ulong          dr[NREG];             // Expected state of DR0..3,7
  int            hwmasked;             // Temporarily masked hardware breaks
  int            hwreported;           // Reported breakpoint expressions
  // Thread-related information gathered by Updatethreaddata().
  HWND           hw;                   // One of windows owned by thread
  ulong          usertime;             // Time in user mode, 100u units or -1
  ulong          systime;              // Time in system mode, 100u units or -1
  // Thread-related information gathered by Listmemory().
  ulong          stacktop;             // Top of thread's stack
  ulong          stackbottom;          // Bottom of thread's stack
} t_thread;


Members:

threadid
System-unique thread identifier
dummy
Must be 1
type
Thread type, a combination of bits TY_xxx with zero or more of the following flags:
THR_MAIN - this is the main thread
THR_NETDBG - .NET debug helper thread
THR_ORGHANDLE - handle thread is supplied by Windows debuggin API and may have insufficient rights
ordinal
1-based ordinal assigned by OllyDbg. Main thread has ordinal 1, temporary threads created by Windows - ordinal 0
name
Name of the thread assigned by the application, usually empty string. MS Visual suite uses exception MS_VC_EXCEPTION to report thread name to debugger
thread
Handle of the thread. As any handle, valid only in the context of OllyDbg
tib
Address of the Thread Information Block associated with the thread
entry
Address of the thread entry point (first instruction executed in the context of the thread). May be zero, especially if OllyDbg was attached to the running application
context
Copy of the CONTEXT structure that keeps context of all CPU registers, valid only if thread is "officially" paused
reg
Structure of type t_reg, copy of CPU registers extracted from the context, valid only if regvalid is non-zero. Plugins are allowed to change these registers, except for reg.dr[0] .. reg.dr[7] and bit T in reg.flags. Whenever they do it, they must first call Registermodifiedbyuser(), make all necessary modifications, update reg.status and finally redraw all open windows that may be influenced by this modifications, like CPU or watches
regvalid
Flag indicating whether the contents of reg is valid
oldreg
Structure of type t_reg, previous copy of CPU registers. Used by OllyDbg to highlight modified registers. Whenever execution continues or Registermodoifiedbyuser() is called for the first time after pause, OllyDbg copies reg and regvalid to oldreg and oldergvalid
oldregvalid
Flag indicating whether the contents of oldreg is valid
suspendrun
Flag that indicates whether this thread is suspended or not
suspendcount
Counter that indicates how many times this thread was suspended. When this counter changes from 0 to 1, OllyDbg calls SuspendThread(). When it changes from 1 to 0, OllyDbg calls ResumeThread()
suspenduser
Flag that indicates whether this thread was suspended by user
trapset
Flag that indicates whether bit T (single step trap) in the flags register was set by OllyDbg
trapincontext
For internal use
rtprotocoladdr
For internal use, address of the jump destination to be protocolled to the run trace log
ignoreonce
For internal use, list of exceptions that must be ignored if several breakpoints are set on the same command
drvalid
For internal use, indicates whether debug registers are set
dr
For internal use, expected state of the debug registers, used to assure that registers are not modified by the debugged application
hwmasked
For internal use, list of hardware breakpoints that must be disabled on the next debugging step
hwreported
For internal use, list of hardware breakpoints that were already reported and processed. Used if several hardware breakpoints trigger on the same command
hw
For internal use
usertime
Time that this thread has spent in the user mode, in 100-microsecond units. OllyDbg updates this field only on debugging events or on explicit requests to actualize data
systime
Time that this thread has spent in the system mode, in 100-microsecond units. OllyDbg updates this field only on debugging events or on explicit requests to actualize data
stacktop
Address of the top of thread's stack. OllyDbg updates this field only on debugging events
stackbottom
Address of the bottom of thread's stack. OllyDbg updates this field only on debugging events


See also:
Threads, Findthread(), Findthreadbyordinal(), Getlasterror(), Registermodifiedbyuser()