Structure that describes thread of the debugged application. Many members in t_thread are valid and actual only if application is paused. Never change the elements of this structure directly (especially those marked "For internal use"), or debugging engine may get unstable.
typedef struct t_thread { // Information about active threads
ulong threadid; // Thread identifier
ulong dummy; // Always 1
ulong type; // Service information, TY_xxx+THR_xxx
int ordinal; // Thread's ordinal number (1-based)
wchar_t name[SHORTNAME]; // Short name of the thread
HANDLE thread; // Thread handle, for OllyDbg only!
ulong tib; // Thread Information Block
ulong entry; // Thread entry point
CONTEXT context; // Actual context of the thread
t_reg reg; // Actual contents of registers
int regvalid; // Whether reg and context are valid
t_reg oldreg; // Previous contents of registers
int oldregvalid; // Whether oldreg is valid
int suspendrun; // Suspended for run (0 or 1)
int suspendcount; // Temporarily suspended (0..inf)
int suspenduser; // Suspended by user (0 or 1)
int trapset; // Single-step trap set by OllyDbg
int trapincontext; // Trap is catched in exception context
ulong rtprotocoladdr; // Address of destination to protocol
int ignoreonce; // Ignore list, IGNO_xxx
int drvalid; // Contents of dr is valid
ulong dr[NREG]; // Expected state of DR0..3,7
int hwmasked; // Temporarily masked hardware breaks
int hwreported; // Reported breakpoint expressions
// Thread-related information gathered by Updatethreaddata().
HWND hw; // One of windows owned by thread
ulong usertime; // Time in user mode, 100u units or -1
ulong systime; // Time in system mode, 100u units or -1
// Thread-related information gathered by Listmemory().
ulong stacktop; // Top of thread's stack
ulong stackbottom; // Bottom of thread's stack
} t_thread;
Members:
threadid
System-unique thread identifier
dummy
Must be 1
type
Thread type, a combination of bits TY_xxx with zero or more of the following flags:
THR_MAIN - this is the main thread
THR_NETDBG - .NET debug helper thread
THR_ORGHANDLE - handle thread is supplied by Windows debuggin API and may have insufficient rights
ordinal
THR_MAIN - this is the main thread
THR_NETDBG - .NET debug helper thread
THR_ORGHANDLE - handle thread is supplied by Windows debuggin API and may have insufficient rights
1-based ordinal assigned by OllyDbg. Main thread has ordinal 1, temporary threads created by Windows - ordinal 0
name
Name
of the thread assigned by the application, usually empty string. MS
Visual suite uses exception MS_VC_EXCEPTION to report thread name to
debugger
thread
Handle of the thread. As any handle, valid only in the context of OllyDbg
tib
Address of the Thread Information Block associated with the thread
entry
Address
of the thread entry point (first instruction executed in the context of
the thread). May be zero, especially if OllyDbg was attached to the
running application
context
Copy of the CONTEXT structure that keeps context of all CPU registers, valid only if thread is "officially" paused
reg
Structure of type t_reg, copy of CPU registers extracted from the context, valid only if regvalid is non-zero. Plugins are allowed to change these registers, except for reg.dr[0] .. reg.dr[7] and bit T in reg.flags. Whenever they do it, they must first call Registermodifiedbyuser(), make all necessary modifications, update reg.status and finally redraw all open windows that may be influenced by this modifications, like CPU or watches
regvalid
Flag indicating whether the contents of reg is valid
oldreg
Structure of type t_reg, previous copy of CPU registers. Used by OllyDbg to highlight modified registers. Whenever execution continues or Registermodoifiedbyuser() is called for the first time after pause, OllyDbg copies reg and regvalid to oldreg and oldergvalid
oldregvalid
Flag indicating whether the contents of oldreg is valid
suspendrun
Flag that indicates whether this thread is suspended or not
suspendcount
Counter
that indicates how many times this thread was suspended. When this
counter changes from 0 to 1, OllyDbg calls SuspendThread(). When it
changes from 1 to 0, OllyDbg calls ResumeThread()
suspenduser
Flag that indicates whether this thread was suspended by user
trapset
Flag that indicates whether bit T (single step trap) in the flags register was set by OllyDbg
trapincontext
For internal use
rtprotocoladdr
For internal use, address of the jump destination to be protocolled to the run trace log
ignoreonce
For internal use, list of exceptions that must be ignored if several breakpoints are set on the same command
drvalid
For internal use, indicates whether debug registers are set
dr
For
internal use, expected state of the debug registers, used to assure
that registers are not modified by the debugged application
hwmasked
For internal use, list of hardware breakpoints that must be disabled on the next debugging step
hwreported
For internal use, list
of hardware breakpoints that were already reported and processed. Used
if several hardware breakpoints trigger on the same command
hw
For internal use
usertime
Time
that this thread has spent in the user mode, in 100-microsecond units.
OllyDbg updates this field only on debugging events or on explicit
requests to actualize data
systime
Time that
this thread has spent in the system mode, in 100-microsecond units.
OllyDbg updates this field only on debugging events or on explicit
requests to actualize data
stacktop
Address of the top of thread's stack. OllyDbg updates this field only on debugging events
stackbottom
Address of the bottom of thread's stack. OllyDbg updates this field only on debugging events
See also: