Re: Two-byte NOP

(A bit late) FYI, it’s even been documented:

http://msdn2.microsoft.com/library/ms173524(en-us,vs.80).aspx

M-A

“Ladislav Zezula” wrote in message news:
xxxxx@ntfsd…
>> MOV EDI,EDI is used for hot-patching. A hot-fix can
>> be applied to a function without need to reboot or to
>> restart the application. At runtime it is replaced by
>> a short jump to a long jump instruction - the hot-fix.
>> I saw it on SP2 binaries.
>
> Well, if this is true (let’s say it is), the patch must
> rebuild the binary (find a function, then add a new
> function code and replace the first instruction).
> I doubt this is safe for patching OS kernel.
>
> L.

I wrote more about this here, for what it’s worth:

http://kernelmustard.com/archive/2005/04/25/44413.aspx

-sd

On Jun 7, 2005, at 10:45 AM, Marc-Antoine Ruel wrote:

(A bit late) FYI, it’s even been documented:

http://msdn2.microsoft.com/library/ms173524(en-us,vs.80).aspx

M-A

“Ladislav Zezula” wrote in message news:
> xxxxx@ntfsd…
>
>>> MOV EDI,EDI is used for hot-patching. A hot-fix can
>>> be applied to a function without need to reboot or to
>>> restart the application. At runtime it is replaced by
>>> a short jump to a long jump instruction - the hot-fix.
>>> I saw it on SP2 binaries.
>>>
>>
>> Well, if this is true (let’s say it is), the patch must
>> rebuild the binary (find a function, then add a new
>> function code and replace the first instruction).
>> I doubt this is safe for patching OS kernel.
>>
>> L.
>>
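The entry-point rewrite discussed in this thread, as an added example that is not part of the original messages: a C check that tells whether a 32-bit x86 function entry is still hot-patch ready or has already been redirected, and where the redirect goes. It assumes the usual layout of five padding bytes (0x90 or 0xCC) directly before the entry; `hp_classify`, the sample bytes and the base address are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum hp_state { HP_NONE, HP_READY, HP_PATCHED };

/* Constructed sample: 5 NOPs of padding, then MOV EDI,EDI; PUSH EBP; MOV EBP,ESP. */
static const uint8_t sample_ready[] =
    { 0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF, 0x55, 0x8B,0xEC };
/* Constructed sample: the same entry after a patch was applied at runtime:
   JMP rel32 (+0x1000) written into the padding, JMP SHORT $-5 over MOV EDI,EDI. */
static const uint8_t sample_patched[] =
    { 0xE9,0x00,0x10,0x00,0x00, 0xEB,0xF9, 0x55, 0x8B,0xEC };

/* Classify the function entry at image[entry]; base is the address of image[0].
   On HP_PATCHED, *target receives the destination of the long jump. */
enum hp_state hp_classify(const uint8_t *image, size_t len, size_t entry,
                          uint32_t base, uint32_t *target)
{
    if (entry < 5 || len < 2 || entry > len - 2)
        return HP_NONE;                      /* no room for pad + 2-byte entry */
    const uint8_t *pad = image + entry - 5, *e = image + entry;

    if (e[0] == 0x8B && e[1] == 0xFF) {      /* MOV EDI,EDI still in place */
        for (int i = 0; i < 5; i++)
            if (pad[i] != 0x90 && pad[i] != 0xCC)
                return HP_NONE;              /* padding absent or already used */
        return HP_READY;
    }
    if (e[0] == 0xEB && e[1] == 0xF9 && pad[0] == 0xE9) {
        /* EB F9 lands on entry-5; E9 rel32 is relative to entry-5+5 = entry. */
        uint32_t rel = (uint32_t)pad[1] | (uint32_t)pad[2] << 8 |
                       (uint32_t)pad[3] << 16 | (uint32_t)pad[4] << 24;
        if (target)
            *target = base + (uint32_t)entry + rel;
        return HP_PATCHED;
    }
    return HP_NONE;
}

int main(void)
{
    uint32_t t = 0;
    enum hp_state s = hp_classify(sample_patched, sizeof sample_patched, 5, 0x00401000u, &t);
    printf("state=%d target=0x%08X\n", (int)s, (unsigned)t);
    return 0;
}
```

Comparing the reported target against the address ranges of loaded, signed modules is what turns this from a curiosity into an integrity check.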