Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page SYSENTER hook
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #3  
Old 07-30-2004, 19:32
niom niom is offline
Friend
  
Join Date: Jul 2004
Posts: 21
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
niom Reputation: 0
Quote:
Originally Posted by bilbo
on a theorethical point of view you are right. In the same way one replaces INT 3 handler with a preamble (e.g. for tracing purposes) and then jumps to the old handler, the same guy on Windows XP must replace MSR register 176 (EIP) - which points currently at KiFastCallEntry - with some preamble and then jump to KiFastCallEntry.
k
thx


but i have a new question:

do you think, it is possible to "instrument" all ntoskrnl exports like detours does? (detours inserts a jump at the function entry, that points to a custom trampoline, which calls the old code: http://research.microsoft.com/~galenh/Publications/HuntUsenixNt99.pdf)

or do you know an easier way to intercept ring0->ring0 calls?
Reply With Quote
 

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Threaded Mode Threaded Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
How can I hook DllMain ? ioannis General Discussion 12 07-29-2015 01:09
SST Hook -> Bluescreen!? Cobi General Discussion 12 05-04-2005 09:37


All times are GMT +8. The time now is 04:56.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )