stackwalker Posted October 12, 2008 Posted October 12, 2008 (edited) Hi guys, i was wondering if there's any clever people out there that can help me with a little problem?I'm setting up a vectored exception handler in a certain target process and applying a DR Context breakpoint at the location which writes to the FPU. Upon recieving the exception in my handler i simply 'FLD <reg>' so my own float gets loaded into the FPU register, then overwrite 'EIP' to the next instruction.I was wondering if theres anyway to modify the register directly, or how to avoid the software detecting my Context modifications. I cant memory-hook the GetThreadContext api at the application level because it detects it.I was wondering if a DR breakpoint on GetThreadContext would mess things up?or, is the only way to do this by writing a ring0 driver to fake the low level ntXXX api response to GetThreadContext?Many Thanks. Edited October 12, 2008 by stackwalker
Peter Ferrie Posted October 14, 2008 Posted October 14, 2008 If you want to intercept the FPU access without using the breakpoint, you can use a driver to set bit 2 of CR0 and intercept interrupt 2. Then you can transparently insert any value that you like.Of course, you'll also get hit by every other use of the FPU, along with MMX and SSE instructions, but you can filter those easily enough.Would that work for you?
stackwalker Posted October 16, 2008 Author Posted October 16, 2008 Yea that sounds awesome, ill work on it. Thanks peter, i appreciate it.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now