Well done,
evaluator!
The trick I mentioned before is just to avoid copying the INT 2E snippet on top of the SYSENTER snippet: that way you would fuck up all the pending system calls!
You are copying it at a displacement of 16 bytes: good.
You have also done a lot of checks... even address FFDF0300 (which is the same physical memory as 7FFE0300), SYSEXIT (at KiSystemService), the code inside KiSystemService (which forces you to eventually detect SoftICE) and two times the SYSENTER snippet... but better sure than unsure...
I also found it is not necessary to patch KiSystemCallExitBranch from 7506 (jnz KiSystemCallExit2) to 7505 (jnz KiSystemCallExit).
Quote:
    does someone see usage of these on AMD at 7FFE0300h?
No, my experiments were done on a rather old AMD K6 and there INT 2E was used.
niom: it looks like you are interested in ring0 detouring. This is for you: http://www.rootkit.com/newsread.php?newsid=152
It comes with nice code too.
Regards, bilbo
Edited for evaluator...
Regarding the ring0 detouring suggestion, it was for niom, as I wrote, not for you...
Regarding the 9th post: look at where I posted the answer, and look at my previous posts, please...
Regarding SYSEXIT patching... I have posted on WOODMANN a snippet which does not patch anything more than necessary...
Please don't be so aggressive... We are here to learn, not to flame each other.
Best regards!
P.S. only 3 addresses for phys 41000? or 4? Do PHYS 41000 and you will know!!!
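The post above talks about the user-mode system-call stub that lives in the shared user page (7FFE0300 / FFDF0300) and about a second snippet being placed 16 bytes past it. The following is an added example, not code from this thread or from anyone posting in it: an integrity check that takes a snapshot of that stub slot and reports whether it still holds exactly one of the two stubs the OS itself installs (the SYSENTER one or the INT 2E one) with nothing else hidden further into the slot. The byte encodings are the standard 32-bit ones (mov edx,esp / sysenter / ret and lea edx,[esp+8] / int 2Eh / ret); the 32-byte snapshots, their zero padding and the names `classify_stub` and `stub_slot_is_pristine` are constructed for the example. It reads from an embedded buffer, so it runs on any host; on a real system the buffer would be filled from the shared page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Classification of the bytes at the start of the system-call stub slot. */
typedef enum { STUB_UNKNOWN = 0, STUB_SYSENTER = 1, STUB_INT2E = 2 } stub_kind;

/* mov edx, esp ; sysenter ; ret   (the stub ntdll calls through on SYSENTER CPUs) */
static const uint8_t SYSENTER_STUB[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };
/* lea edx, [esp+8] ; int 2Eh ; ret  (the stub used where INT 2E is the syscall path) */
static const uint8_t INT2E_STUB[] = { 0x8D, 0x54, 0x24, 0x08, 0xCD, 0x2E, 0xC3 };

/* Match the bytes at p against the two known stub encodings. */
stub_kind classify_stub(const uint8_t *p, size_t len)
{
    if (len >= sizeof SYSENTER_STUB && memcmp(p, SYSENTER_STUB, sizeof SYSENTER_STUB) == 0)
        return STUB_SYSENTER;
    if (len >= sizeof INT2E_STUB && memcmp(p, INT2E_STUB, sizeof INT2E_STUB) == 0)
        return STUB_INT2E;
    return STUB_UNKNOWN;
}

/* Integrity check over a snapshot of the stub slot.
 * Returns 1 when the entry point (offset 0) holds one of the two OS stubs and
 * no further copy of either stub appears anywhere else in the slot; returns 0
 * otherwise. *kind receives the classification of the entry point.          */
int stub_slot_is_pristine(const uint8_t *slot, size_t len, stub_kind *kind)
{
    stub_kind k = classify_stub(slot, len);
    if (kind)
        *kind = k;
    if (k == STUB_UNKNOWN)
        return 0;                       /* entry point replaced by something else */
    for (size_t off = 1; off < len; off++) {
        if (classify_stub(slot + off, len - off) != STUB_UNKNOWN)
            return 0;                   /* a second stub copy hidden inside the slot */
    }
    return 1;
}

/* Constructed snapshot: the SYSENTER stub followed by zero padding. */
const uint8_t pristine_slot[32] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

/* Constructed snapshot: same entry point, but an INT 2E stub copied in at +16
 * (the displacement discussed in the post). The checker must flag this.      */
const uint8_t tampered_slot[32] = {
    0x8B, 0xD4, 0x0F, 0x34, 0xC3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x8D, 0x54, 0x24, 0x08, 0xCD, 0x2E, 0xC3
};

static const char *kind_name(stub_kind k)
{
    return k == STUB_SYSENTER ? "SYSENTER" : k == STUB_INT2E ? "INT 2E" : "unknown";
}

int main(void)
{
    stub_kind k;
    int ok = stub_slot_is_pristine(pristine_slot, sizeof pristine_slot, &k);
    printf("pristine snapshot: entry=%s, pristine=%d\n", kind_name(k), ok);
    ok = stub_slot_is_pristine(tampered_slot, sizeof tampered_slot, &k);
    printf("tampered snapshot: entry=%s, pristine=%d\n", kind_name(k), ok);
    return 0;
}
```

Because the entry point in the tampered snapshot is still the genuine SYSENTER stub, checking only the first bytes would miss the change; scanning the rest of the slot for any stub-shaped sequence is what makes the second copy visible.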