Idov

Identifying a new thread in another process...


Hi!
Does anybody know if it's possible to identify a thread creation in another process?
The process must be asking it from the OS, so can we intercept this request somehow?
Thanks :)

Sure; there's a couple of ways at least. The easiest is probably to attach to the process as a debugger; that'll get you a list of events such as forking of threads that you can monitor. At the other end of the scale is kernel API hooking, although I'm not personally up to date on the techniques for that so I can't make any specific recommendations offhand.
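
The debugger route described above, as an added example that is not part of the original post: on Windows it attaches with DebugActiveProcess and keeps a table of live thread IDs from the CREATE_THREAD_DEBUG_EVENT and EXIT_THREAD_DEBUG_EVENT notifications; on other platforms main() feeds it a constructed event sequence so the tracking logic still runs. The track() helper, the table size and taking the PID from argv are illustrative assumptions, and debugger and target are assumed to have the same bitness.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else  /* event codes as in the Windows SDK, so track() also builds elsewhere */
#define CREATE_THREAD_DEBUG_EVENT  2
#define CREATE_PROCESS_DEBUG_EVENT 3
#define EXIT_THREAD_DEBUG_EVENT    4
#endif

#define MAX_TIDS 4096                    /* illustrative table size */
static unsigned long g_tids[MAX_TIDS];
static unsigned g_count;

/* Apply one debug event to the table; returns the number of live threads. */
unsigned track(unsigned long code, unsigned long tid) {
    unsigned i;
    if (code == CREATE_THREAD_DEBUG_EVENT || code == CREATE_PROCESS_DEBUG_EVENT) {
        if (g_count < MAX_TIDS) g_tids[g_count++] = tid;   /* new or initial thread */
    } else if (code == EXIT_THREAD_DEBUG_EVENT) {
        for (i = 0; i < g_count; i++)
            if (g_tids[i] == tid) { g_tids[i] = g_tids[--g_count]; break; }
    }
    return g_count;
}

int main(int argc, char **argv) {
#ifdef _WIN32
    DEBUG_EVENT ev;
    if (argc < 2 || !DebugActiveProcess(strtoul(argv[1], NULL, 10))) return 1;
    DebugSetProcessKillOnExit(FALSE);    /* leave the target running when we exit */
    while (WaitForDebugEvent(&ev, INFINITE)) {
        DWORD code = ev.dwDebugEventCode, status = DBG_CONTINUE;
        printf("event %lu tid %lu live %u\n", code, ev.dwThreadId, track(code, ev.dwThreadId));
        if (code == CREATE_PROCESS_DEBUG_EVENT) CloseHandle(ev.u.CreateProcessInfo.hFile);
        if (code == LOAD_DLL_DEBUG_EVENT) CloseHandle(ev.u.LoadDll.hFile);
        if (code == EXCEPTION_DEBUG_EVENT &&
            ev.u.Exception.ExceptionRecord.ExceptionCode != EXCEPTION_BREAKPOINT)
            status = DBG_EXCEPTION_NOT_HANDLED;  /* target handles its own exceptions */
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (code == EXIT_PROCESS_DEBUG_EVENT) break;
    }
#else  /* constructed event sequence: initial thread, two creations, one exit */
    (void)argc; (void)argv;
    track(3, 100); track(2, 104); track(2, 108);
    printf("live after exit of 104: %u\n", track(4, 104));
#endif
    return 0;
}
```

On attach, the system replays one creation event per thread that already exists, so the table starts complete without a separate enumeration pass.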

Quote:
Original post by Idov
Ok, then I will need to start that process with "DEBUG_PROCESS". Will it affect the performance of the debugged process?


Possibly.

What are you really trying to do?

Quote:
Original post by Antheus
Quote:
Original post by Idov
Ok, then I will need to start that process with "DEBUG_PROCESS". Will it affect the performance of the debugged process?


Possibly. Or it might not be possible to attach any useful debugging hook at all, either due to security or due to active counter-measures within the application itself.

What are you really trying to do?


Quote:
Original post by Antheus
Quote:
Original post by Antheus
Quote:
Original post by Idov
Ok, then I will need to start that process with "DEBUG_PROCESS". Will it affect the performance of the debugged process?


Possibly. Or it might not be possible to attach any useful debugging hook at all, either due to security or due to active counter-measures within the application itself.

What are you really trying to do?


I'm trying to write a little profiler, so instead of going through all the threads in the system and picking those which belong to the other process, I'm trying to get them directly. :)

Quote:
Original post by ApochPiQ
I don't understand your question. A snapshot is of a single process, and you need all the threads from a process, so how is that different from "the ones you want"?


Because it returns all the threads from all the processes at the time of the snapshot.

"Includes all threads in the system in the snapshot. To enumerate the threads, see Thread32First.

To identify the threads that belong to a specific process, compare its process identifier to the th32OwnerProcessID member of the THREADENTRY32 structure when enumerating the threads."

I want to know only about a specific process without getting threads I really don't care about...

OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?

Priority check [wink]

Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?

Priority check [wink]


Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.

Quote:
Original post by Idov
Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?

Priority check [wink]


Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.


I'm assuming you are worried about performance? On my machine, I currently have 552 threads running. An overhead of ~550 if() statements per sample frame is completely negligible on any modern CPU. It's a fraction of a fraction of a percent of what a CPU is capable of, and won't skew your results in any meaningful way.

Quote:
Original post by kuroioranda
Quote:
Original post by Idov
Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?

Priority check [wink]


Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.


I'm assuming you are worried about performance? On my machine, I currently have 552 threads running. An overhead of ~550 if() statements per sample frame is completely negligible on any modern CPU. It's a fraction of a fraction of a percent of what a CPU is capable of, and won't skew your results in any meaningful way.


OK, but it's not the "if" statement that worries me.
It's the "Thread32Next" that I'm afraid of.
Is this what you meant? That the "Thread32Next" doesn't affect the performance?

Quote:
Original post by Idov
Quote:
Original post by kuroioranda
Quote:
Original post by Idov
Quote:
Original post by ApochPiQ
OK... so you're hung up on a single if() statement check to filter out the threads you don't want, versus having to do some serious low-level hackery to intercept thread spawn calls?

Priority check [wink]


Yes, but I'm calling "Thread32Next" for each thread every time I'm looking for the threads I want. It's not just one "if" statement.


I'm assuming you are worried about performance? On my machine, I currently have 552 threads running. An overhead of ~550 if() statements per sample frame is completely negligible on any modern CPU. It's a fraction of a fraction of a percent of what a CPU is capable of, and won't skew your results in any meaningful way.


OK, but it's not the "if" statement that worries me.
It's the "Thread32Next" that I'm afraid of.
Is this what you meant? That the "Thread32Next" doesn't affect the performance?


Sorry, I misunderstood you, I actually was referring to the if() statements. But it applies to the Thread32Next() function as well.

Generally it's not worth worrying about the performance of individual function calls like that until you have actually had a profiler indicate they are using a significant amount of CPU time. It's easy to assume the worst (that it will be slow), but the reality is that it's probably not even going to be a blip on your CPU.

If you're still nervous, though, why not try writing up a quick program that just loops over every thread in the system as many times as possible in one second, and see how many times you can do it? Then you will have quantifiable data to either back up or dispel your fears.

NO!!!!!
I tried to run my program when it only gets the threads each sample and then again without getting the threads and found out that getting the threads takes almost all the CPU time...
I have about 700 threads in my system.

What should I do??? :(

I think what MaulingMonkey means is that your loop that "does not get the threads" is probably being optimised away so that it doesn't even get run.

I assume your test code looks something like this:

    // Getting threads
    get time
    for (...) {
        call Thread32Next
    }
    get time
    calculate time difference

    // Not getting threads
    get time
    for (...) {
        // do nothing
    }
    get time
    calculate time difference





If that is the case, then the first loop will just run as fast as it can, using 100% CPU. And the second loop will be optimised away so that it doesn't even run.

If that is not the case, then your code could probably be optimised, because I doubt that a single function call could use that much CPU. And you should post your code so that we know what you are talking about without having to guess.

No. It does stuff.
It really is a lot of code, so I'll use pseudo code.
Basically it is something like that:


    void GetThreads()
    {
        // Here I use the example from MSDN
        // http://msdn.microsoft.com/en-us/library/ms686852(v=VS.85).aspx
    }

    void Sample()
    {
        GetThreads(); // When I checked it, I just removed this line.
        for (int i = 0; i < numOfThreads; i++)
            Walk The Stack Of The Thread And Stuff
    }

    void Run()
    {
        GetThreads();
        while(true)
        {
            Sample();
            Sleep(20);
        }
    }




Quote:
Original post by Idov
No. It does stuff.
It really is a lot of code, so I'll use pseudo code.
Basically it is something like that:

*** Source Snippet Removed ***


I would assume numOfThreads to be 0 if you removed GetThreads().

So, your Sample() function is effectively:

    void Sample() {
        for ( int i = 0 ; i < 0 ; i++ ) {
            ...
        }
    }


This can be rewritten as:

void Sample() {
}


I recommend following kuroioranda's advice:

Quote:
If you're still nervous, though, why not try writing up a quick program that just loops over every thread in the system as many times as possible in one second, and see how many times you can do it? Then you will have quantifiable data to either back up or dispel your fears.


Note well that this is completely different from "compare doing something to doing nothing with a sleep thrown in and then panicking if the process explorer shows the CPU usage skyrocketing". In part because there's no hard data there, only vague assumptions. There's a reason I literally can't remember a time I've seen Sleep()s in a performance test like this before — and it's not because it's an ingenious idea I'm afraid :).

kuroioranda would instead suggest finding out how many times you can call Sample() in 1 second. 5 times? 10 times? 100 times? 1000? You can find out!
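
The measurement suggested in this thread, as an added example that is not code from any poster: it counts how many full passes (take a snapshot, walk it, filter on th32OwnerProcessID) complete in one second, with no Sleep() in the loop. The names count_threads and passes_in, and the stand-in table of 700 constructed threads used when not building on Windows, are assumptions made so the harness also runs elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* One full pass: snapshot all threads in the system, count those owned by pid. */
unsigned count_threads(unsigned long pid) {
    THREADENTRY32 te;
    unsigned n = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    te.dwSize = sizeof te;               /* must be set before Thread32First */
    if (Thread32First(snap, &te))
        do { if (te.th32OwnerProcessID == pid) n++; } while (Thread32Next(snap, &te));
    CloseHandle(snap);
    return n;
}
#else
/* Stand-in for other platforms: a constructed "system" of 700 threads spread
   over 70 process IDs (4, 8, ..., 280), ten threads each. */
unsigned count_threads(unsigned long pid) {
    unsigned n = 0, i;
    for (i = 0; i < 700; i++)
        if (4UL * (i % 70 + 1) == pid) n++;
    return n;
}
#endif

/* Full passes completed in about `ms` milliseconds of busy looping. */
unsigned long passes_in(unsigned long pid, long ms, unsigned *found) {
    unsigned long passes = 0;
    clock_t end = clock() + (clock_t)(ms * (CLOCKS_PER_SEC / 1000.0));
    do { *found = count_threads(pid); passes++; } while (clock() < end);
    return passes;
}

int main(int argc, char **argv) {
    /* Default PID 8 only matches the constructed table; pass a real PID on Windows. */
    unsigned long pid = argc > 1 ? strtoul(argv[1], NULL, 10) : 8;
    unsigned found = 0;
    unsigned long passes = passes_in(pid, 1000, &found);
    printf("pid %lu: %u threads, %lu full passes in 1 s (%.1f us per pass)\n",
           pid, found, passes, 1e6 / passes);
    return 0;
}
```

Comparing the per-pass time against the 20 ms sampling interval from the pseudo code above shows directly what share of each sample the enumeration takes.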
