.1. 使用系统线程


_Out_PHANDLE ThreadHandle,
_In_ULONG DesiredAccess, //所需访问权限
_In_opt_POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_HANDLE ProcessHandle,
_Out_opt_PCLIENT_ID ClientId,
_In_PKSTART_ROUTINE StartRoutine,//线程中要执行的函数
_In_opt_PVOID StartContext//传递给上述要执行的函数的参数

ThreadHandle[out] 线程句柄[输出参数]
指向一个用于接收此句柄的变量。一旦此句柄 不再使用,驱动必须用ZwClose关闭此句柄。此句柄在WindowsVista 及以后版本的Windows系统中是内核句柄。在较早版本的Windows 里,此句柄不可以是内核句柄。


ObjectAttributes[in, optional]对象属性[输入参数,可选]
指向一个结构,它指定对象的属性。OBJ_PERMANENT,OBJ_EXCLUSIVE,和OBJ_OPENIF不是线程对象的有效属性。在Windows XP和更高版本的Windows,如果对方不在系统进程的上下文中运行,它必须为ObjectAttributes设置OBJ_KERNEL_HANDLE属性。对微软的Windows 2000和Windows 98/Me的驱动必须只在系统进程上下文中调用PsCreateSystemThread。对于WindowsVista 及其后版本的WindowsVista,此句柄将是一个内核句柄。

ProcessHandle[in, optional] 进程句柄[输入参数,可选]

ClientId[out, optional]客户标识[输出参数,可选]


StartContext[in, optional]开始语境[输入参数,可选]

2. 线程中睡眠

NTSTATUS KeDelayExecutionThread(
  _In_ BOOLEAN         Alertable,
  _In_ PLARGE_INTEGER  Interval


WaitMode [in]
Specifies the processor mode in which the caller is waiting, which can be either KernelMode or UserMode. Lower-level drivers should specify KernelMode.

Alertable [in]
Specifies TRUE if the wait is alertable. Lower-level drivers should specify FALSE.

Interval [in]
Specifies the absolute or relative time, in units of 100 nanoseconds, for which the wait is to occur. A negative value indicates relative time. Absolute expiration times track any changes in system time; relative expiration times are not affected by system time changes.

Return value
KeDelayExecutionThread returns one of the following values that describes how the delay was completed:
3. 使用同步事件

IN PRKEVENT  Event,     // 这个参数是初始化事件对象的指针
IN EVENT_TYPE  Type,  // 这个参数是事件的类型。一类是“通知事件”对应参数为 NotificationEvent。另一类是“同步事件”,对应参数 SynchronizationEvent
IN BOOLEAN State         // TRUE:事件对象初始化状态为激发。FALSE:事件对象初始化状态为未激发
NTSTATUS KeWaitForSingleObject(
  _In_     PVOID           Object,
  _In_     KWAIT_REASON    WaitReason,
  _In_     KPROCESSOR_MODE WaitMode,
  _In_     BOOLEAN         Alertable,
  _In_opt_ PLARGE_INTEGER  Timeout


Object [in]
Pointer to an initialized dispatcher object (event, mutex, semaphore, thread, or timer) for which the caller supplies the storage.

WaitReason [in]
Specifies the reason for the wait. A driver should set this value to Executive, unless it is doing work on behalf of a user and is running in the context of a user thread, in which case it should set this value to UserRequest.

WaitMode [in]
Specifies whether the caller waits in KernelMode or UserMode. Lowest-level and intermediate drivers should specify KernelMode. If the given Object is a mutex, the caller must specify KernelMode.

Alertable [in]
Specifies a Boolean value that is TRUE if the wait is alertable and FALSE otherwise.

Timeout [in, optional]
Pointer to a time-out value that specifies the absolute or relative time, in 100-nanosecond units, at which the wait is to be completed.
A positive value specifies an absolute time, relative to January 1, 1601. A negative value specifies an interval relative to the current time. Absolute expiration times track any changes in the system time; relative expiration times are not affected by system time changes.
If *Timeout = 0, the routine returns without waiting. If the caller supplies a NULL pointer, the routine waits indefinitely until the dispatcher object is set to the signaled state. For more information, see the following Remarks section.

Return value
KeWaitForSingleObject can return one of the following:
4. 示例代码

static KEVENT s_Event

//  功能 :  测试线程函数
//  参数 :    
//  (入口)  
//  (出口)  无
//  返回 :  VOID
//  主要思路 : 
//  调用举例 : 
//  日期 : 2016年7月7日 07:24:03 - 2016年7月7日 07:44:41
    static UNICODE_STRING str = RTL_CONSTANT_STRING(L"test thread");
    HANDLE ThreadHandle = NULL;

    //  当是TRUE 时初始化事件是有信号状态.,当是FALSE时初始化事件是没信号状态,
    KeInitializeEvent(&s_Event, SynchronizationEvent, FALSE);

    Status = PsCreateSystemThread(
    if (!NT_SUCCESS(Status))
        return Status;

    //Do Something

    KeWaitForSingleObject(&s_Event, Executive, KernelMode, 0, 0);
    return Status;

//  功能 :  线程函数
//  参数 :    
//  (入口)  
//  (出口)  无
//  返回 :  VOID
//  主要思路 : 
//  调用举例 : 
//  日期 : 2016年7月7日 07:44:29 - 2016年7月7日 08:51:17
ThreadProc(__in PVOID Context)
    LARGE_INTEGER Interval;
    LONG Msec = 3000;

    KdPrint(("进入线程函数 : %wZ\n", str));

    //Msec若为1000,则 睡眠的时间为: 1000 * 100 ns * 10 *1000 =1s 
    Interval.QuadPart = DELAY_ONE_MILLISECOND;
    Interval.QuadPart *= Msec;

    KeDelayExecutionThread(KernelMode, 0, &Interval);

    KeSetEvent(&s_Event, 0, TRUE);
