Hi, all,
The article from Jamey Kirby in the last issue of The NT Insider
mentioned a two-byte NOP instruction “mov edi, edi” at the beginning
of an API exported by NTOSKRNL.exe. I have always wondered
why such a NOP instruction is there.
Could anyone explain to me why the compiler inserts it there?
Will it speed up something?
Or will it make something better?
Or is it just a signature of the DDK compiler?
L.
My speculation: facilitates the application of hot fixes/patches
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
Ladislav Zezula
Sent: Wednesday, April 20, 2005 9:01 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Two-byte NOP
Hi, all,
The article from Jamey Kirby in the last issue of The NT
Insider mentioned a two-byte NOP instruction “mov edi, edi”
at the beginning of an API exported by NTOSKRNL.exe. I have
always wondered why such a NOP instruction is there. Could anyone
explain to me why the compiler inserts it there? Will it
speed up something? Or will it make something better? Or is
it just a signature of the DDK compiler?
You mean something like “If the NOP is there, the patch
is/isn’t installed”? Umm, no, I don’t believe that.
The patch might be verified by checking the version
of the particular DLL, EXE or SYS.
L.
As in overlay the NOP with some other instruction sequence…just a
guess…
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
Ladislav Zezula
Sent: Wednesday, April 20, 2005 9:23 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] Two-byte NOP
You mean something like “If the NOP is there, the patch
is/isn’t installed”? Umm, no, I don’t believe that. The
patch might be verified by checking the version of the
particular DLL, EXE or SYS.
MOV EDI,EDI is used for hot-patching. A hot-fix can
be applied to a function without the need to reboot or to
restart the application. At runtime it is replaced by
a short jump to a long jump instruction - the hot-fix.
I saw it on SP2 binaries.
— Ladislav Zezula wrote:
> Hi, all,
>
> The article from Jamey Kirby in the last issue of
> The NT Insider
> mentioned a two-byte NOP instruction “mov edi, edi”
> at the beginning
> of an API exported by NTOSKRNL.exe. I have always
> wondered
> why such a NOP instruction is there.
> Could anyone explain to me why the compiler inserts it
> there?
> Will it speed up something?
> Or will it make something better?
> Or is it just a signature of the DDK compiler?
>
> L.
>
>
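The mechanism described in the message above (the two-byte mov edi,edi at the entry point being replaced at runtime by a short jump back to a long jump) can be recognised from the raw bytes. The following C routine is an added example written for this thread, not code from the list or from Microsoft; it assumes the common hot-patch layout in which five bytes of padding sit immediately before the function entry (that padding length is an assumption here, not something the thread states) and uses the standard x86 encodings 8B FF for mov edi,edi, EB F9 for a short jump back seven bytes, and E9 rel32 for a near jump. The sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout: buf[0..4] is the padding that precedes the function,
 * buf[5] is the function entry point. PAD_LEN is an assumption for this
 * example, not a value taken from the thread. */
#define PAD_LEN 5

typedef enum {
    PROLOGUE_UNKNOWN = 0,      /* entry starts with neither mov edi,edi nor the short jmp */
    PROLOGUE_HOTPATCHABLE = 1, /* 8B FF present: hot-patch slot unused */
    PROLOGUE_HOTPATCHED = 2    /* EB F9 at entry and E9 rel32 in the padding */
} prologue_state;

/* Classify the bytes around a function entry. base is the address of buf[0]
 * in the image; on PROLOGUE_HOTPATCHED, *target receives the absolute
 * address the long jump lands on (rel32 is relative to the end of the jmp). */
prologue_state classify_prologue(const uint8_t *buf, size_t len,
                                 uint32_t base, uint32_t *target)
{
    if (len < PAD_LEN + 2)
        return PROLOGUE_UNKNOWN;
    const uint8_t *entry = buf + PAD_LEN;

    /* 8B FF = mov edi,edi, the two-byte NOP the thread is about. */
    if (entry[0] == 0x8B && entry[1] == 0xFF)
        return PROLOGUE_HOTPATCHABLE;

    /* EB F9 = jmp short -7: from entry+2 back seven bytes is buf[0]. */
    if (entry[0] == 0xEB && entry[1] == 0xF9) {
        if (buf[0] != 0xE9)            /* padding must now hold a near jmp */
            return PROLOGUE_UNKNOWN;
        /* Assemble rel32 explicitly as little-endian, independent of host. */
        uint32_t rel = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                       ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
        if (target)
            *target = base + PAD_LEN + rel;   /* wraps correctly for negative rel32 */
        return PROLOGUE_HOTPATCHED;
    }
    return PROLOGUE_UNKNOWN;
}

/* Convenience wrapper: the long-jump target, or 0 when the slot is not patched. */
uint32_t patched_target(const uint8_t *buf, size_t len, uint32_t base)
{
    uint32_t t = 0;
    return classify_prologue(buf, len, base, &t) == PROLOGUE_HOTPATCHED ? t : 0;
}

/* Constructed samples: int3 padding, mov edi,edi, then push ebp / mov ebp,esp. */
static const uint8_t SAMPLE_UNPATCHED[] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* Same function after a hot-fix at image base 0x00401000: padding now holds
 * jmp near to 0x00500000 (rel32 = 0x00500000 - 0x00401005 = 0x000FEFFB). */
static const uint8_t SAMPLE_PATCHED[] = {
    0xE9, 0xFB, 0xEF, 0x0F, 0x00, 0xEB, 0xF9, 0x55, 0x8B, 0xEC };
/* A function built without the hot-patch prologue at all. */
static const uint8_t SAMPLE_PLAIN[] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x55, 0x8B, 0xEC, 0x83, 0xEC };

int main(void)
{
    static const char *names[] = { "unknown", "hot-patchable, unpatched", "hot-patched" };
    uint32_t t = 0;
    printf("unpatched: %s\n", names[classify_prologue(SAMPLE_UNPATCHED, sizeof SAMPLE_UNPATCHED, 0x00401000u, &t)]);
    printf("patched:   %s -> 0x%08X\n", names[classify_prologue(SAMPLE_PATCHED, sizeof SAMPLE_PATCHED, 0x00401000u, &t)], t);
    printf("plain:     %s\n", names[classify_prologue(SAMPLE_PLAIN, sizeof SAMPLE_PLAIN, 0x00401000u, &t)]);
    return 0;
}
```

The check is useful from the defensive side: walking the exports of a loaded module with this logic shows which hot-patch slots have been taken and where the long jump goes, which is what an integrity check or a forensic comparison against the on-disk image needs.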
> MOV EDI,EDI is used for hot-patching. A hot-fix can
> be applied to a function without the need to reboot or to
> restart the application. At runtime it is replaced by
> a short jump to a long jump instruction - the hot-fix.
> I saw it on SP2 binaries.
Well, if this is true (let’s say it is), the patch must
rebuild the binary (find a function, then add the new
function code and replace the first instruction).
I doubt this is safe for patching the OS kernel.
L.