After calling DebugBreakProcess() - What does the event's dwThreadId represent?
Let's say some process debugs another process (by calling DebugActiveProcess()).
Then some other process/thread generates breakpoint exceptions in that debugged process (by calling DebugBreakProcess()). The debugger then receives this EXCEPTION_DEBUG_EVENT->EXCEPTION_BREAKPOINT event and in the DEBUG_EVENT structure the field dwThreadId will hold some ID.
My root question is - What does this dwThreadId represent? (MSDN says it is "The identifier of the thread in which the debugging event occurred").
My concerns are the following:
What does "in which the debugging event occurred" mean? Isn't it that all the threads of the process are somehow signaled this way and therefore the process is entirely blocked?
Moreover, from stuff I read, this mechanism works something like this:
The DebugBreakProcess() API works by creating a thread in the target process that invokes a breakpoint instruction, which causes the normal SEH mechanism to take over.
Which means there's a possibility that this dwThreadId is actually the ID of this newly created thread and not an ID of any of the original process' threads. Am I correct?
What if the debugged process is multi-threaded (actually it is almost certain it is)? Is this the ID of the thread that was "in the processor" at the moment of calling the DebugBreakProcess() API?
UPDATE: all this block was answered. See the first answer.
- What about the case of a dual-core system and two threads of the same process are currently running in parallel? Which one will win and will be stated in this ID? Or maybe it will cause two different EXCEPTION_BREAKPOINT exceptions?
Thank you very much for any help that is provided.
You pretty much answered your own question: it would be the thread that called DebugBreak(), which in turn is the new thread created by DebugBreakProcess().
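The behaviour described in the answer can be checked from the debugger's side, because the debugger is told about the new thread (CREATE_THREAD_DEBUG_EVENT) before that thread raises the breakpoint. The following is an added example, not code from the original thread: `dbg_evt`, `tracker`, `track`, `on_event` and `sample_result` are hypothetical names, the event trace and thread IDs are constructed, and only the numeric constants are the real Win32 values. The rule is a heuristic, since a thread the target itself starts and that calls DebugBreak() first thing looks the same.

```c
#include <stddef.h>
#include <stdint.h>
/* Win32 constant values; dbg_evt is a hypothetical stand-in for the
 * DEBUG_EVENT fields used (dwDebugEventCode, dwThreadId, ExceptionCode). */
#define EXCEPTION_DEBUG_EVENT     1
#define CREATE_THREAD_DEBUG_EVENT 2
#define EXIT_THREAD_DEBUG_EVENT   4
#define EXCEPTION_BREAKPOINT      0x80000003u
typedef struct { uint32_t code, tid, exc; } dbg_evt;
#define MAX_T 64
typedef struct { uint32_t tid[MAX_T]; int fresh[MAX_T]; size_t n; } tracker;

static size_t find(const tracker *t, uint32_t tid) {
    size_t i = 0; while (i < t->n && t->tid[i] != tid) i++;
    return i;                                  /* == t->n when absent */
}
void track(tracker *t, uint32_t tid, int fresh) {
    if (t->n == MAX_T || find(t, tid) != t->n) return;
    t->tid[t->n] = tid; t->fresh[t->n++] = fresh;
}
/* Returns 1 for a breakpoint whose dwThreadId belongs to a thread that has
 * reported nothing but its own creation (the break-in pattern), 0 for a
 * breakpoint from an older thread, -1 for events it does not classify. */
int on_event(tracker *t, const dbg_evt *e) {
    size_t i = find(t, e->tid);
    if (e->code == CREATE_THREAD_DEBUG_EVENT) { track(t, e->tid, 1); return -1; }
    if (i == t->n) return -1;                  /* thread we never saw */
    if (e->code == EXIT_THREAD_DEBUG_EVENT) {  /* drop it: TIDs get reused */
        t->n--; t->tid[i] = t->tid[t->n]; t->fresh[i] = t->fresh[t->n];
        return -1;
    }
    if (e->code != EXCEPTION_DEBUG_EVENT) return -1;
    int was_fresh = t->fresh[i]; t->fresh[i] = 0;
    return e->exc == EXCEPTION_BREAKPOINT ? was_fresh : -1;
}

/* Constructed trace: 2316 is created, breaks and exits; 104 then hits an int3. */
static const dbg_evt SAMPLE[] = {
    { CREATE_THREAD_DEBUG_EVENT, 2316, 0 }, { EXCEPTION_DEBUG_EVENT, 2316, EXCEPTION_BREAKPOINT },
    { EXIT_THREAD_DEBUG_EVENT, 2316, 0 },   { EXCEPTION_DEBUG_EVENT, 104, EXCEPTION_BREAKPOINT },
};
/* Replays SAMPLE[0..k] with threads 100 and 104 known at attach time. */
int sample_result(size_t k) {
    tracker t = { .n = 0 }; int r = -1;
    track(&t, 100, 0); track(&t, 104, 0);
    for (size_t j = 0; j <= k && j < sizeof SAMPLE / sizeof *SAMPLE; j++)
        r = on_event(&t, &SAMPLE[j]);
    return r;
}
```

In a live debugger loop the same three fields come from `DEBUG_EVENT.dwDebugEventCode`, `DEBUG_EVENT.dwThreadId` and `u.Exception.ExceptionRecord.ExceptionCode`, with the tracker seeded from the thread events delivered at attach.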