Hi guys, i was wondering if there's any clever people out there that can help me with a little problem?

I'm setting up a vectored exception handler in a certain target process and applying a DR Context breakpoint at the location which writes to the FPU.

Upon recieving the exception in my handler i simply 'FLD <reg>' so my own float gets loaded into the FPU register, then overwrite 'EIP' to the next instruction.

I was wondering if theres anyway to modify the register directly, or how to avoid the software detecting my Context modifications. I cant memory-hook the GetThreadContext api at the application level because it detects it.

I was wondering if a DR breakpoint on GetThreadContext would mess things up?

or, is the only way to do this by writing a ring0 driver to fake the low level ntXXX api response to GetThreadContext?

Many Thanks.

Edited October 12, 200816 yr by stackwalker

If you want to intercept the FPU access without using the breakpoint, you can use a driver to set bit 2 of CR0 and intercept interrupt 2. Then you can transparently insert any value that you like.

Of course, you'll also get hit by every other use of the FPU, along with MMX and SSE instructions, but you can filter those easily enough.

Would that work for you?

Yea that sounds awesome, ill work on it.

Thanks peter, i appreciate it.