Properly set the ref count of ethread, fixes Amped

2022-01-29 20:03:05 +01:00 · 2022-01-29 20:03:05 +01:00 · e85af190d5
parent 733670c7f8
commit e85af190d5
2 changed files with 10 additions and 3 deletions
--- a/src/core/kernel/common/types.h
+++ b/src/core/kernel/common/types.h
@ -1916,10 +1916,10 @@ KTHREAD, *PKTHREAD, *RESTRICTED_POINTER PRKTHREAD;
 typedef struct _ETHREAD
 {
    struct _KTHREAD    Tcb;
-    LARGE_INTEGER      CreateTime;
-    LARGE_INTEGER      ExitTime;
+    LARGE_INTEGER      CreateTime;     // 0x110
+    LARGE_INTEGER      ExitTime;       // 0x118
    ntstatus_xt        ExitStatus;     // 0x120
-    uchar_xt           UnknownB[0x8];  // 0x124
+    uchar_xt           Unknown[0x8];   // 0x124
    HANDLE             UniqueThread;   // 0x12C
 }
 ETHREAD, *PETHREAD;
--- a/src/core/kernel/exports/EmuKrnlPs.cpp
+++ b/src/core/kernel/exports/EmuKrnlPs.cpp
@ -288,6 +288,11 @@ XBSYSAPI EXPORTNUM(255) xbox::ntstatus_xt NTAPI xbox::PsCreateSystemThreadEx
 			RETURN(X_STATUS_INSUFFICIENT_RESOURCES);
 		}

+		// Increment the ref count of the thread once more. This is to guard against the case the title closes the thread handle
+		// before this thread terminates with PsTerminateSystemThread
+		// Test case: Amped
+		ObfReferenceObject(eThread);
+
 		KeQuerySystemTime(&eThread->CreateTime);
 		KiUniqueProcess.StackCount++;
 		RegisterXboxHandle(*ThreadHandle, handle);
@ -376,6 +381,8 @@ XBSYSAPI EXPORTNUM(258) xbox::void_xt NTAPI xbox::PsTerminateSystemThread
 	}

 	EmuKeFreeThread(ExitStatus);
+	// Don't do this in EmuKeFreeThread because we only increment the thread ref count in PsCreateSystemThreadEx
+	ObfDereferenceObject(eThread);
 	KiUniqueProcess.StackCount--;

 	_endthreadex(ExitStatus);