Hi

We have a thread context (user thread context, system thread context),
and we have user mode code (ring 3) and kernel mode code (ring 0).

- A system thread (e.g. PsCreateSystemThread[1], work item with IoXxxWorkItem, ...) cannot
execute user mode code, but can execute kernel mode code.
- A user thread (e.g. CreateThread[2]) can execute both user mode code and kernel mode code
(by sysenter/sysexit, syscall (or even int 2e)).


It is my understanding that the change from ring 3 to ring 0 (and vice versa)
does not change the thread context.


If a user thread is requesting some I/O operation, a high-level driver's dispatch routine
will be called in the context of that user thread. The dispatch routine will forward the
request to a low-level driver thread in an independent thread context. Until the low-level
routine has finished its task, the user thread will be in a wait state.


These are your questions and the answers:
Can ZwXxx be called by the Thread-F and be able to have a Thread Context of the Operating System
kernel? [which leads me to another question, Can a Thread run under more than one Thread Context?]
First question: Yes. Per se, the high-level dispatch routine does not have more privileges
than you do. Hence, you can directly access low-level driver routines and vice versa (not
trivial!), e.g. based on IOCTL with DeviceIoControl[3]. Here, the best practice is, as
you implied, to use a freshly spawned user thread. But that user thread calls and waits,
and does not change its thread context.

Second question: No. A thread runs under one thread context.


Now, you are diving deep into system programming - and security. From kernel-mode
drivers it is not too far to kernel-mode rootkits.


Cheers.


[1] http://msdn.microsoft.com/library/de...3bd235.xml.asp
[2] http://msdn.microsoft.com/library/de...eatethread.asp
[3] http://windowssdk.msdn.microsoft.com.../ms680830.aspx
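The forwarding model the reply describes (dispatch routine runs in the requester's context, hands the work to a separate thread, requester waits until it is done) can be observed in ordinary user-mode code. The following is an added example, not part of the original post and not a Windows kernel API: it uses POSIX threads, and the names request_t, dispatch_request, low_level_worker and run_request are hypothetical. It checks that the requesting thread's identity is the same before and after the blocking call, and that the work actually ran on a different thread.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical request object: stands in for an I/O request that a
 * high-level dispatch routine forwards to a low-level worker. */
typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t done_cv;
    bool done;
    pthread_t worker_id;   /* identity of the thread that performed the work */
    int result;
} request_t;

/* "Low-level driver" side: runs in its own, independent thread context. */
static void *low_level_worker(void *arg) {
    request_t *req = arg;
    pthread_mutex_lock(&req->lock);
    req->worker_id = pthread_self();
    req->result = 42;            /* constructed payload for the example */
    req->done = true;
    pthread_cond_signal(&req->done_cv);
    pthread_mutex_unlock(&req->lock);
    return NULL;
}

/* "High-level dispatch routine": called in the requester's context, forwards
 * the request and keeps the requester waiting until the work is complete. */
static int dispatch_request(request_t *req) {
    pthread_t worker;
    if (pthread_create(&worker, NULL, low_level_worker, req) != 0)
        return -1;
    pthread_mutex_lock(&req->lock);
    while (!req->done)
        pthread_cond_wait(&req->done_cv, &req->lock);   /* requester in wait state */
    pthread_mutex_unlock(&req->lock);
    pthread_join(worker, NULL);
    return req->result;
}

typedef struct {
    bool same_requester_context;  /* requester identity unchanged across the call */
    bool worker_is_separate;      /* work ran on a different thread */
    int result;
} outcome_t;

/* Issue one request from the calling thread and report what was observed. */
outcome_t run_request(void) {
    request_t req;
    pthread_mutex_init(&req.lock, NULL);
    pthread_cond_init(&req.done_cv, NULL);
    req.done = false;
    req.result = 0;

    pthread_t before = pthread_self();
    int r = dispatch_request(&req);
    pthread_t after = pthread_self();

    outcome_t o;
    o.same_requester_context = pthread_equal(before, after) != 0;
    o.worker_is_separate = pthread_equal(req.worker_id, before) == 0;
    o.result = r;

    pthread_cond_destroy(&req.done_cv);
    pthread_mutex_destroy(&req.lock);
    return o;
}

int main(void) {
    outcome_t o = run_request();
    printf("requester context unchanged: %d, worker separate: %d, result: %d\n",
           o.same_requester_context, o.worker_is_separate, o.result);
    return 0;
}
```

Build with a pthread-aware compiler invocation (e.g. `cc -pthread`). The point to take from the run is that one thread keeps one identity for its whole life, even while it is blocked waiting on work that another thread performs on its behalf.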