t_thread
Structure that describes thread of the debugged application. Many members in t_thread
are valid and actual only if application is paused. Never change the
elements of this structure directly (especially those marked "For internal use"), or debugging engine may get
unstable.
typedef
struct t_thread
{
// Information about active threads
ulong
threadid;
// Thread identifier
ulong
dummy;
// Always 1
ulong
type;
// Service information, TY_xxx+THR_xxx
int
ordinal;
// Thread's ordinal number (1-based)
wchar_t
name[SHORTNAME]; // Short name of the
thread
HANDLE
thread;
// Thread handle, for OllyDbg only!
ulong
tib;
// Thread Information Block
ulong
entry;
// Thread entry point
CONTEXT
context;
// Actual context of the thread
t_reg
reg;
// Actual contents of registers
int
regvalid;
// Whether reg and context are valid
t_reg
oldreg;
// Previous contents of registers
int
oldregvalid; //
Whether oldreg is valid
int
suspendrun;
// Suspended for run (0 or 1)
int
suspendcount; //
Temporarily suspended (0..inf)
int
suspenduser; //
Suspended by user (0 or 1)
int
trapset;
// Single-step trap set by OllyDbg
int
trapincontext; // Trap is
catched in exception context
ulong
rtprotocoladdr; // Address of
destination to protocol
int
ignoreonce;
// Ignore list, IGNO_xxx
int
drvalid;
// Contents of dr is valid
ulong
dr[NREG];
// Expected state of DR0..3,7
int
hwmasked;
// Temporarily masked hardware breaks
int
hwreported;
// Reported breakpoint expressions
// Thread-related information gathered by Updatethreaddata().
HWND
hw;
// One of windows owned by thread
ulong
usertime;
// Time in user mode, 100u units or -1
ulong
systime;
// Time in system mode, 100u units or -1
// Thread-related information gathered by Listmemory().
ulong
stacktop;
// Top of thread's stack
ulong
stackbottom; //
Bottom of thread's stack
} t_thread;
Members:
threadid
System-unique thread identifier
dummy
Must be 1
type
Thread type, a combination of bits TY_xxx with zero or more of the following flags:
THR_MAIN - this is the main thread
THR_NETDBG - .NET debug helper thread
THR_ORGHANDLE - handle thread is supplied by Windows debuggin API and may have insufficient rights
ordinal
1-based ordinal assigned by OllyDbg. Main thread has ordinal 1, temporary threads created by Windows - ordinal 0
name
Name
of the thread assigned by the application, usually empty string. MS
Visual suite uses exception MS_VC_EXCEPTION to report thread name to
debugger
thread
Handle of the thread. As any handle, valid only in the context of OllyDbg
tib
Address of the Thread Information Block associated with the thread
entry
Address
of the thread entry point (first instruction executed in the context of
the thread). May be zero, especially if OllyDbg was attached to the
running application
context
Copy of the CONTEXT structure that keeps context of all CPU registers, valid only if thread is "officially" paused
reg
Structure of type t_reg, copy of CPU registers extracted from the context, valid only if regvalid is non-zero. Plugins are allowed to change these registers, except for reg.dr[0] .. reg.dr[7] and bit T in reg.flags. Whenever they do it, they must first call Registermodifiedbyuser(), make all necessary modifications, update reg.status and finally redraw all open windows that may be influenced by this modifications, like CPU or watches
regvalid
Flag indicating whether the contents of reg is valid
oldreg
Structure of type t_reg, previous copy of CPU registers. Used by OllyDbg to highlight modified registers. Whenever execution continues or Registermodoifiedbyuser() is called for the first time after pause, OllyDbg copies reg and regvalid to oldreg and oldergvalid
oldregvalid
Flag indicating whether the contents of oldreg is valid
suspendrun
Flag that indicates whether this thread is suspended or not
suspendcount
Counter
that indicates how many times this thread was suspended. When this
counter changes from 0 to 1, OllyDbg calls SuspendThread(). When it
changes from 1 to 0, OllyDbg calls ResumeThread()
suspenduser
Flag that indicates whether this thread was suspended by user
trapset
Flag that indicates whether bit T (single step trap) in the flags register was set by OllyDbg
trapincontext
For internal use
rtprotocoladdr
For internal use, address of the jump destination to be protocolled to the run trace log
ignoreonce
For internal use, list of exceptions that must be ignored if several breakpoints are set on the same command
drvalid
For internal use, indicates whether debug registers are set
dr
For
internal use, expected state of the debug registers, used to assure
that registers are not modified by the debugged application
hwmasked
For internal use, list of hardware breakpoints that must be disabled on the next debugging step
hwreported
For internal use, list
of hardware breakpoints that were already reported and processed. Used
if several hardware breakpoints trigger on the same command
hw
For internal use
usertime
Time
that this thread has spent in the user mode, in 100-microsecond units.
OllyDbg updates this field only on debugging events or on explicit
requests to actualize data
systime
Time that
this thread has spent in the system mode, in 100-microsecond units.
OllyDbg updates this field only on debugging events or on explicit
requests to actualize data
stacktop
Address of the top of thread's stack. OllyDbg updates this field only on debugging events
stackbottom
Address of the bottom of thread's stack. OllyDbg updates this field only on debugging events
See
also: