Thread: Themida Attack
  #16  
01-17-2005, 22:50
jemos
 

Quote:
Originally Posted by doug
It uses it to do synchronization (ex: wait until some dword in driver = 1) - probably due to the multi-threaded nature of the protection.
I'm not sure if this is still done, but the xprot driver used to give read/write access on the IDT as well; so the user-mode application was able to dynamically change the int1/int3 descriptors.
This new "version" might use a less primitive method, an Event created by the client, named "XprotEvent".

About the access on the IDT, well, it already has read/write flags (the page, at least on my computer), so it just (at least as far as I've traced) changes the supervisor flag to the user-mode flag, for the reasons we already know.

I haven't much time to continue the study... maybe soon
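An added illustration (not part of the thread and not code from the protector or its driver): a checker that decodes the paging entries mapping a page and reports what user mode can do to it, which is how the supervisor-to-user flag change described in the post would show up in an audit. It assumes 32-bit non-PAE x86 paging; `user_access` is a hypothetical helper and all entry values are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits shared by 32-bit (non-PAE) x86 page-directory and page-table entries */
#define PG_PRESENT 0x001u
#define PG_RW      0x002u  /* 1 = writable */
#define PG_USER    0x004u  /* 1 = user-mode accessible, 0 = supervisor only */
#define PG_PS      0x080u  /* PDE only: maps a 4 MB page, no PTE level */

enum { ACC_NONE = 0, ACC_USER_READ = 1, ACC_USER_WRITE = 2 };

/* What ring 3 may do to a page, given the PDE and PTE that map it.
 * User access needs U/S=1 at every level of the walk; a user write
 * additionally needs R/W=1 at every level. */
int user_access(uint32_t pde, uint32_t pte)
{
    uint32_t eff;

    if (!(pde & PG_PRESENT))
        return ACC_NONE;
    if (pde & PG_PS) {
        eff = pde;                 /* large page: the PDE is the final entry */
    } else {
        if (!(pte & PG_PRESENT))
            return ACC_NONE;
        eff = pde & pte;           /* both levels must grant the permission */
    }
    if (!(eff & PG_USER))
        return ACC_NONE;
    return (eff & PG_RW) ? (ACC_USER_READ | ACC_USER_WRITE) : ACC_USER_READ;
}

int main(void)
{
    /* Constructed sample entries, not captured from a real system */
    uint32_t pde_user = 0x00123067u;  /* P, R/W, U/S set */
    uint32_t pde_sup  = 0x00123063u;  /* P, R/W set, supervisor only */
    uint32_t pte_sup  = 0x00456063u;  /* writable, supervisor only */
    uint32_t pte_user = 0x00456067u;  /* same page with U/S flipped to user */

    printf("supervisor PTE:            %d\n", user_access(pde_user, pte_sup));
    printf("U/S flipped in PTE:        %d\n", user_access(pde_user, pte_user));
    printf("flipped, supervisor PDE:   %d\n", user_access(pde_sup, pte_user));
    return 0;
}
```

A result of `ACC_USER_READ | ACC_USER_WRITE` for the page holding the IDT means any user-mode code in that address space can rewrite interrupt descriptors, which is the condition a kernel-integrity check should flag.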