  #7  
04-14-2007, 04:32
deroko
cr4zyserb
Well, the answer is very simple: we are using 2 rings -> when an exception is generated, one of the IDT entries is called, but at this moment we are switching to the r0 stack and all data is written there -> if there is an attached debugger, the data is passed to it and no modification is performed on the r3 stack; on the other hand, when there is no debugger, the context is saved on the r3 stack + exception code, and execution is transferred to KiUserExceptionDispatcher. The code above would be impossible to trace with a debugger if it is executed in r0 or if there were no rings (e.g. only one ring used).
__________________
http://accessroot.com