Does anyone have any idea about the following?
I hooked int 0xe (by changing the IDT) in Windows XP.
It worked well, but when I run a 16-bit program, the program does not work well;
NTVDM just presents an error message.
So, in order to understand the problem,
I changed the code of int 0xe into jmp nt!KiTrap0E (relative jmp, such code as e9 ea 49 68 86) with the kernel debugger,
and it works well, passing through.
However, when I change the code to jmp nt!KiTrap0E (indirect jmp, such code as ff 25 a8 f0 e5),
NTVDM again presents the error message.
I can't understand the difference between an indirect jmp and a relative jmp in that circumstance.
It's very unhealthy to hook the kernel in such a brutal way. You may
encounter further problems regarding kernel context state mismatching,
not to mention future Windows updates and their implications.
However, there is missing information in your question (one unknown opcode
byte):
FF 25 A8 F0 E5 ?? jmp ds:??E5F0A8
Also, if you can give me more information regarding your stub, it will be
helpful… (Heap, stack, code?)
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Andy Jung
Sent: Thursday, September 01, 2005 11:22 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] the problem , to hook int 0xe (page fault handler)
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@raztech.co.il
To unsubscribe send a blank email to xxxxx@lists.osr.com
Hi. Your problem is that you are thinking register DS will be loaded with a valid value at entry, and that is not the case in 16-bit programs. When you are in a Win16 program, DS will be zero in your interrupt service!
So, the solution is easy: load the DS register with a suitable value prior to using any reference to your data.
Usually the following code would do the trick:
mov eax, 0x23
mov ds, ax
Now you can use the DS segment as expected.
Your indirect JMP code does not work because DS is zero.
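The point of the reply above is that the two encodings differ in whether they touch memory through DS at all: E9 rel32 adds a displacement to EIP and never reads data, while FF 25 disp32 fetches the target pointer from ds:[disp32], which faults if DS holds a null selector. The following Python model is an added illustration and is not code from this thread; it decodes both forms and emulates a data read through DS with a flat (base 0) segment. The stub address 0x80500000, the pointer slot 0x80400000, its contents 0x8053A000 and the selector values are constructed assumptions; the indirect jmp in the post is missing its sixth byte, so the displacement used here is a placeholder rather than the one from the post.

```python
"""Model of E9 rel32 (relative) versus FF 25 disp32 (absolute indirect) jmp,
showing why only the indirect form depends on DS being a usable selector.
Added example; addresses and selector values below are constructed."""
import struct

MASK32 = 0xFFFFFFFF

# Bytes quoted in the thread for the relative jmp: E9 rel32.
REL_JMP = bytes.fromhex("e9ea496886")
# Constructed indirect jmp: FF 25 disp32 -> jmp dword ptr ds:[0x80400000].
# The displacement is a placeholder, not the (incomplete) one from the post.
IND_JMP = bytes.fromhex("ff2500004080")

# Constructed memory image: the pointer slot holds the handler address.
SAMPLE_MEMORY = {0x80400000: struct.pack("<I", 0x8053A000)}


def decode_jmp(code: bytes, eip: int):
    """Return (kind, operand, next_eip) for E9 rel32 or FF 25 disp32."""
    if code[:1] == b"\xe9" and len(code) >= 5:
        (rel,) = struct.unpack("<i", code[1:5])      # signed 32-bit displacement
        return ("relative", rel, (eip + 5) & MASK32)
    if code[:2] == b"\xff\x25" and len(code) >= 6:
        (disp,) = struct.unpack("<I", code[2:6])     # absolute address of pointer
        return ("indirect", disp, (eip + 6) & MASK32)
    raise ValueError("unsupported jmp encoding")


class Cpu:
    """Minimal CPU state: a DS selector and a flat memory map."""

    def __init__(self, ds_selector: int, memory: dict):
        self.ds = ds_selector
        self.memory = memory

    def read_ds32(self, offset: int) -> int:
        # Any data reference through a null selector (0) raises #GP on x86.
        if self.ds == 0:
            raise RuntimeError("#GP: data reference through null DS selector")
        # Flat segment assumed: linear address == offset.
        return struct.unpack("<I", self.memory[offset])[0]


def jump_target(code: bytes, eip: int, cpu: Cpu) -> int:
    """Compute where the jmp lands; only the indirect form reads memory."""
    kind, operand, next_eip = decode_jmp(code, eip)
    if kind == "relative":
        return (next_eip + operand) & MASK32   # pure arithmetic, DS unused
    return cpu.read_ds32(operand)             # pointer fetch through DS


def demo() -> dict:
    """Run both encodings with a valid DS (0x23) and a null DS (0)."""
    eip = 0x80500000   # constructed address of the hooked handler stub
    out = {}
    out["rel_valid_ds"] = jump_target(REL_JMP, eip, Cpu(0x23, SAMPLE_MEMORY))
    out["rel_null_ds"] = jump_target(REL_JMP, eip, Cpu(0, SAMPLE_MEMORY))
    out["ind_valid_ds"] = jump_target(IND_JMP, eip, Cpu(0x23, SAMPLE_MEMORY))
    try:
        jump_target(IND_JMP, eip, Cpu(0, SAMPLE_MEMORY))
        out["ind_null_ds"] = "no fault"
    except RuntimeError as err:
        out["ind_null_ds"] = str(err)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if isinstance(value, int) else f"{name}: {value}")
```

Running it shows the relative jmp resolving to the same target whether DS is 0x23 or 0, while the indirect jmp resolves only with a valid DS and faults with a null one, which matches the behaviour reported in the thread (the hook works with E9 and NTVDM fails with FF 25). Loading DS with a known-good data selector before the first data reference, as suggested above, is what removes that dependency.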
Thanks for your responses…
To Elad:
I already compared the stacks and registers to find out any differences before
I call and after,
but there are no differences.
When I get int 0xe:
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00000806
After I called nt!KiTrap0E:
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00080002
To Inaki:
DS is already changed because DS was changed by the CPU when transferring to protected
mode from V86 mode, referencing the TSS.
You are wrong. DS is not changed!
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Andy Jung
Sent: Friday, September 02, 2005 2:42
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] the problem , to hook int 0xe (page fault handler)