No, they use SYSENTER instruction instead. Previously it was int 2e. Examine
the second small piece of code I posted (at 7FFE0300).
Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]
From: xxxxx@fmr.com[SMTP:xxxxx@fmr.com]
Reply To: xxxxx@lists.osr.com
Sent: Thursday, November 15, 2001 2:54 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: Kernel mode device driver problem -
KeServiceDesc ript orTableThe invocation of interrupt 2F used to be the second instruction of every
NTDLL export (with the first instruction loading the system service call
number into the EAX register). In XP it would appear that now the NTDLL
export mills around for a few instructions before jumping to an entirely
different location in the DLL, at which point the interrupt gets invoked.
(I
can’t really see any value in this change other than making it harder for
people to do what you’re trying to do…)> :u ZwCreateProcess
> _NtCreateProcess
> 001B:77F7E6A3 B82F000000 MOV EAX,0000002F
> 001B:77F7E6A8 BA0003FE7F MOV EDX,7FFE0300
> 001B:77F7E6AD FFD2 CALL EDX
> 001B:77F7E6AF C22000 RET 0020
>
> :u 7FFE0300
> 001B:7FFE0300 8BD4 MOV EDX,ESP
> 001B:7FFE0302 0F34 SYSENTER
> 001B:7FFE0304 C3 RET
>
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com