Thanks for yet another great Going Deep video! I am, however, a little confused about one of the points in the video: I wonder if someone could be as kind as to clarify how exactly a TerminateThread call causes any kernel mode calls being made by that function to unwind immediately?

I can see how this might work for explicit waits (Sleep, WaitForSingleObjectEx), since you already have handling for being interrupted by APCs there in the form of alertable waits, but what about in the general case of e.g. ReadFile? Does your explanation imply that there is a way to cause arbitrary kernel functions to unwind instantly without corrupting internal kernel state, or do you just wait for all such calls to terminate naturally before doing the cleanup just before the kernel -> user transition as normal? But in the case of long-running kernel mode calls I could see that being a problem.