tsehp
April 6th, 2002, 12:11
hi,
to continue a past thread.
I'm actually finishing making the rv tracer work on Windows XP. This tracer is ring0 and doesn't rely on the usual Windows 2000/XP exception handling, so we have to deal here with Windows XP kernel code.
We have the same problem here with SoftICE. For you to see this:
start notepad on Windows XP and break at the OEP, then bpx [GetSystemMetrics], step into this function and F10 on the first call:
notepad runs and SoftICE doesn't break after the call.
What happened? By stepping on this first call, a dedicated instruction that appeared on the Pentium 2 and the latest AMDs, "SYSENTER", replaced the win2k int2e. Look at EliCZ's site, which has some interesting docs about the two ways to switch from ring3 to ring0.
It appeared that the Windows XP sysenter handler crushes the eflags trap flag, that surely allows SoftICE to break after this call and also allows my tracer to work.
This flag is crushed inside this handler, without any apparent chance of being restored.
While waiting for a future SoftICE version after 2.6, I'm actually trying to find the best solutions to fix this problem, without touching the handler.
regards,
tsehp