Quote:
|
Originally Posted by bilbo
on a theorethical point of view you are right. In the same way one replaces INT 3 handler with a preamble (e.g. for tracing purposes) and then jumps to the old handler, the same guy on Windows XP must replace MSR register 176 (EIP) - which points currently at KiFastCallEntry - with some preamble and then jump to KiFastCallEntry.
|
k
thx
but i have a new question:
do you think, it is possible to "instrument" all ntoskrnl exports like detours does? (detours inserts a jump at the function entry, that points to a custom trampoline, which calls the old code: http://research.microsoft.com/~galenh/Publications/HuntUsenixNt99.pdf)
or do you know an easier way to intercept ring0->ring0 calls?