Getting the EBP of a thread in a different process
I was wondering if there's a way to obtain the EBP of a thread in a different process (in C++ on Windows) other than using "GetThreadContext". I suspect that this method takes too much time (I use it a lot) and if I could get just the EBP and not all the values of CONTEXT, it would be faster. I was thinking of using "ReadProcessMemory" and then getting the EBP with the rest of the callstack, but I don't know where the stack should be and from where I should get it. If anybody knows a better way, I'd be happy to hear about it. Thanks :)
The running value of EBP of another thread is, of course, in the EBP register if the thread is running. If it's not running, it's saved away by the scheduler in the kernel. GetThreadContext is retrieving what's in the kernel; nothing else will be faster.
The performance situation is worse than I understood when I wrote this. If the thread is running, the kernel uses the APC mechanism to grab an up-to-date value for you. This is not speedy, but there's no other alternative API.
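An added example, not code from the question or the answer above: it asks GetThreadContext for only the control registers (CONTEXT_CONTROL, which on x86 includes EBP) rather than a full CONTEXT, then walks the EBP chain through ReadProcessMemory, which is the combination the question was reaching for. The kernel round trip the answer describes still happens, so the smaller request saves copying, not the suspend. The target is assumed to be a 32-bit (x86) process; on x64 there is no EBP and RBP is not a frame pointer. `WalkFrames`, `GetRemoteEbp`, `ProcessReader`, `DemoWalk` and the stack image at the hypothetical address `kStackBase` are all constructed for this example so the walker can run without a live target.

```cpp
// Added example (not the answer's own code): fetch EBP of a thread in another
// process with the smallest CONTEXT request that still contains it, then walk
// the frame-pointer chain with ReadProcessMemory. 32-bit (x86) targets only.
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#endif

// Reads `size` bytes at target-process address `addr` into `out`.
// Returns false when the range is unreadable (unmapped page, end of stack).
using MemReader = std::function<bool(uint32_t addr, void* out, size_t size)>;

struct Frame {
    uint32_t ebp;          // address of this frame's saved-EBP slot
    uint32_t return_addr;  // return address stored just above it
};

// Walks the x86 frame chain: at each EBP sit [saved caller EBP][return address].
// Stops on a null EBP, an unreadable slot, a chain that does not move to a
// higher address (stack grows down, so that is a loop or corruption), or max_frames.
std::vector<Frame> WalkFrames(uint32_t ebp, const MemReader& read, size_t max_frames = 64) {
    std::vector<Frame> frames;
    while (ebp != 0 && frames.size() < max_frames) {
        uint32_t slots[2];
        if (!read(ebp, slots, sizeof slots)) break;
        frames.push_back({ebp, slots[1]});
        if (slots[0] != 0 && slots[0] <= ebp) break;
        ebp = slots[0];
    }
    return frames;
}

#ifdef _WIN32
// CONTEXT_CONTROL covers SS:ESP, CS:EIP, EFLAGS and EBP on x86; asking for less
// than CONTEXT_FULL does not skip the kernel round trip, it only copies less.
// The thread must be suspended, otherwise the returned registers are stale.
bool GetRemoteEbp(HANDLE hThread, uint32_t* ebp) {
    bool ok = false;
    if (SuspendThread(hThread) == (DWORD)-1) return false;
#if defined(_M_IX86)
    CONTEXT ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.ContextFlags = CONTEXT_CONTROL;
    if (GetThreadContext(hThread, &ctx)) { *ebp = ctx.Ebp; ok = true; }
#else
    // 64-bit caller: a native x64 CONTEXT has no Ebp and RBP is not a frame
    // pointer; a 32-bit (WOW64) target would need Wow64GetThreadContext.
    (void)ebp;
#endif
    ResumeThread(hThread);
    return ok;
}

// Adapter so WalkFrames can read the target through ReadProcessMemory.
MemReader ProcessReader(HANDLE hProcess) {
    return [hProcess](uint32_t addr, void* out, size_t size) {
        SIZE_T got = 0;
        return ReadProcessMemory(hProcess, (LPCVOID)(uintptr_t)addr, out, size, &got) && got == size;
    };
}
#endif

// ---- Constructed stand-in for a target's stack, so the walker runs anywhere ----
static const uint32_t kStackBase = 0x00100000;   // hypothetical stack page address

static void Put32(std::array<uint8_t, 0x100>& buf, uint32_t addr, uint32_t v) {
    memcpy(&buf[addr - kStackBase], &v, sizeof v);
}

// Three frames at 0x00100010 -> 0x00100040 -> 0x00100080, outermost saved EBP = 0.
std::vector<Frame> DemoWalk() {
    std::array<uint8_t, 0x100> stack{};
    Put32(stack, 0x00100010, 0x00100040); Put32(stack, 0x00100014, 0x00401111);
    Put32(stack, 0x00100040, 0x00100080); Put32(stack, 0x00100044, 0x00402222);
    Put32(stack, 0x00100080, 0x00000000); Put32(stack, 0x00100084, 0x00403333);
    MemReader read = [&stack](uint32_t addr, void* out, size_t size) {
        if (addr < kStackBase || addr + size > kStackBase + stack.size()) return false;
        memcpy(out, &stack[addr - kStackBase], size);
        return true;
    };
    return WalkFrames(0x00100010, read);   // EBP as GetThreadContext would report it
}

int main() {
    for (const Frame& f : DemoWalk())
        printf("ebp=%08x ret=%08x\n", f.ebp, f.return_addr);
    return 0;
}
```

On a real target the call sequence is `GetRemoteEbp(hThread, &ebp)` followed by `WalkFrames(ebp, ProcessReader(hProcess))`, with the thread kept suspended for the duration of the walk so the stack does not change underneath the reads. Frames compiled with frame-pointer omission (/Oy) break the chain, which is why the walker treats a non-ascending saved EBP as the end rather than trusting it.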