Hi
I set breakpoints for KeUserModeCallback, KiCallbackReturn (int 2b) and NtCallbackReturn. Then I tried to understand the behavior by debugging a simple C application which calls MessageBoxW. I got the following behavior:
Thread start
KeUserModeCallback
NtCallbackReturn
KeUserModeCallback
KiCallbackReturn
KeUserModeCallback
KiCallbackReturn
KeUserModeCallback
KiCallbackReturn
KeUserModeCallback
KiCallbackReturn
…
KeUserModeCallback
KiCallbackReturn
KiCallbackReturn
KiCallbackReturn
I don’t understand the last two KiCallbackReturn hits; there is no KeUserModeCallback. How does this work?
Cheers
Joe
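An added example, not part of Joe's post: a small Python checker that walks a breakpoint hit trace like the one above and tracks callback nesting depth, so unmatched KiCallbackReturn/NtCallbackReturn hits can be counted mechanically and, when the log carries a thread tag, attributed per thread. The `tid=` prefix format is an assumption of this script (something you would add to your own breakpoint command output), not a debugger output format, and the second trace is constructed to show how two interleaved threads inflate the apparent nesting depth when thread tags are ignored.

```python
"""Check KeUserModeCallback / callback-return pairing in a debugger hit trace."""
from collections import defaultdict

CALLBACK = "KeUserModeCallback"
RETURNS = {"KiCallbackReturn", "NtCallbackReturn"}

# The visible lines of the trace from the post (the elided "..." part is dropped).
POSTED_TRACE = """\
Thread start
KeUserModeCallback
NtCallbackReturn
KeUserModeCallback
KiCallbackReturn
KeUserModeCallback
KiCallbackReturn
KeUserModeCallback
KiCallbackReturn
KeUserModeCallback
KiCallbackReturn
KeUserModeCallback
KiCallbackReturn
KiCallbackReturn
KiCallbackReturn
"""

# Constructed sample: two threads interleaved, each individually balanced.
# The "tid=" tag is an assumed convention for this script, not debugger output.
TAGGED_TRACE = """\
tid=0x1a4 KeUserModeCallback
tid=0x2b8 KeUserModeCallback
tid=0x1a4 KiCallbackReturn
tid=0x2b8 KeUserModeCallback
tid=0x2b8 KiCallbackReturn
tid=0x2b8 KiCallbackReturn
"""


def parse_trace(text):
    """Return a list of (thread, event) tuples.

    A line may be prefixed with 'tid=<id>'; untagged lines get thread None.
    Lines that are neither a callback nor a return (e.g. 'Thread start') are kept
    and simply ignored by check_pairing().
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("tid="):
            events.append((parts[0][len("tid="):], parts[1]))
        else:
            events.append((None, line))
    return events


def merge_threads(events):
    """Drop thread tags, i.e. view the trace the way a thread-agnostic breakpoint log does."""
    return [(None, ev) for _, ev in events]


def check_pairing(events):
    """Track callback nesting depth per thread.

    Returns {thread: {"max_depth": int, "unmatched_returns": int, "open_callbacks": int}}.
    A return seen at depth 0 is counted as unmatched instead of driving depth negative.
    """
    depth = defaultdict(int)
    stats = defaultdict(lambda: {"max_depth": 0, "unmatched_returns": 0, "open_callbacks": 0})
    for thread, ev in events:
        if ev == CALLBACK:
            depth[thread] += 1
            stats[thread]["max_depth"] = max(stats[thread]["max_depth"], depth[thread])
        elif ev in RETURNS:
            if depth[thread] == 0:
                stats[thread]["unmatched_returns"] += 1
            else:
                depth[thread] -= 1
    for thread, d in depth.items():
        stats[thread]["open_callbacks"] = d  # callbacks still outstanding at end of trace
    return dict(stats)


if __name__ == "__main__":
    print("posted trace:", check_pairing(parse_trace(POSTED_TRACE)))
    tagged = parse_trace(TAGGED_TRACE)
    print("per thread:  ", check_pairing(tagged))
    print("tags dropped:", check_pairing(merge_threads(tagged)))
```

On the posted trace the checker reports two unmatched returns and a maximum nesting depth of one, which is exactly the imbalance the question points at; on the constructed tagged trace each thread balances with depth one or two, while the merged view reports depth two, so tagging each hit with its thread is the first check worth adding before reasoning about the sequence.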