in Silhouette/Silhouette.cpp [137:165]
void WorkingSetThread(PVOID StartContext)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
LARGE_INTEGER delay = { 0 };
delay.QuadPart = -(ONE_MS_IN_FILETIME * 100); // 100ms
PVOID waitEvents[2] = { &gWorkerThreadShutdown, &gWorkerThreadSignal };
UNREFERENCED_PARAMETER(StartContext);
do
{
ntStatus = KeWaitForMultipleObjects(2, waitEvents, WaitAny, Executive, KernelMode, FALSE, &delay, NULL);
switch (ntStatus)
{
case STATUS_WAIT_0:
break;
case STATUS_WAIT_1:
//DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "Silhouette: Performing async WS reduction\n");
// fall through
case STATUS_TIMEOUT:
EmptyWorkingSet(FALSE);
break;
default:
__debugbreak();
}
} while (ntStatus != STATUS_WAIT_0);
PsTerminateSystemThread(ntStatus);
}