SoftICE hooks these interrupts, but obviously, for a successful hook to occur, it needs the "old handler address"... that's all that is being displayed to you when you view the IDT within SoftICE. SoftICE swaps the addresses back before displaying them, because it knows what's hooked.
It is the same thing as when you do:
bpx MessageBoxA
u MessageBoxA
In reality, SoftICE changed the first byte of this function (to 0xCC), but when you do "u MessageBoxA" the function appears normally. SoftICE keeps track of this stuff internally and substitutes it before displaying.
Btw, IceExt has an internal command (!idt) that displays the real values.
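The substitution described in the post, as an added example that is not part of the original post and is not SoftICE's code: a small user-space C model in which setting a breakpoint saves the original byte and writes 0xCC, while the debugger's display routine restores the saved bytes in its own copy only. The names `bp_set`, `dbg_view` and `raw_byte` and the sample code bytes are hypothetical.

```c
/* Added illustration: user-space model of a debugger that hides its own
 * breakpoint patches. All names are hypothetical; this is not SoftICE code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define INT3    0xCC
#define MAX_BPS 8

struct bp { size_t off; uint8_t orig; int used; };
static struct bp bps[MAX_BPS];

/* Constructed stand-in for a function's code: push ebp; mov ebp,esp; ret */
static uint8_t code[] = { 0x55, 0x8B, 0xEC, 0xC3 };

/* "bpx": save the original byte, then patch in int3. */
int bp_set(size_t off)
{
    if (off >= sizeof code) return -1;
    for (int i = 0; i < MAX_BPS; i++)   /* already set: keep the saved byte */
        if (bps[i].used && bps[i].off == off) return 0;
    for (int i = 0; i < MAX_BPS; i++) {
        if (!bps[i].used) {
            bps[i] = (struct bp){ off, code[off], 1 };
            code[off] = INT3;
            return 0;
        }
    }
    return -1; /* table full */
}

/* "u": copy real memory, then put saved bytes back into the copy only. */
size_t dbg_view(size_t off, uint8_t *out, size_t len)
{
    if (off >= sizeof code) return 0;
    if (len > sizeof code - off) len = sizeof code - off;
    memcpy(out, code + off, len);
    for (int i = 0; i < MAX_BPS; i++)
        if (bps[i].used && bps[i].off >= off && bps[i].off - off < len)
            out[bps[i].off - off] = bps[i].orig;
    return len;
}

/* What a raw read of memory sees: the real, patched byte. */
uint8_t raw_byte(size_t off) { return code[off]; }
```

The duplicate check in `bp_set` matters: without it, a second breakpoint on the same address would save 0xCC as the "original" byte and the display substitution would stop working.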