hm
Radim Picha (EliCZ) <apihookscomseznamcz> Wednesday, July 25 2007 10:22.21 CDT


They told me their code crashed later, when it executed:
"
mov ax, gs                  ; read the current GS selector
mov gs, ax                  ; write the same selector back. Not a no-op in 64-bit mode: MOV to GS
                            ; reloads the hidden GS base from the GDT descriptor (flat => 0), discarding
                            ; the base the kernel installed via the IA32_GS_BASE MSR / SWAPGS, i.e. its
                            ; per-processor data pointer. Every following gs:[...] access in the kernel
                            ; then hits the wrong address -- hence the crash. Kernel code that must
                            ; touch GS has to rewrite the base (WRMSR) afterwards, or not reload GS at all.
"
on x64 in kernel mode.
This is expected: in 64-bit mode a MOV to GS reloads the hidden GS base from the GDT descriptor, throwing away the base the kernel had set through the IA32_GS_BASE MSR / SWAPGS, so its per-processor data pointer is lost.

I tried to examine the same thing from user mode:
"
.CODE
;-----------------------------------------------------------------------
; int wmain(void)  -- MASM x64, Microsoft x64 ABI, user mode
;
; Experiment: what does GS-relative addressing do after user mode
; reloads the GS selector with MOV GS?  Architecturally (SDM, 64-bit
; mode) MOV to GS takes the hidden GS base from the GDT descriptor
; (flat descriptor => base 0) and replaces whatever base the OS had put
; in IA32_GS_BASE; on Windows x64 user mode that base is the TEB.  So
; after a MOV GS, gs:[x] is plain linear address x -- until the OS
; writes the TEB base back.  NOTE(review): a plain SWAPGS round-trip
; only exchanges GS.base with KERNEL_GS_BASE and hands the *same* user
; base back, so the restore presumably happens when the scheduler
; rewrites the GS base MSRs for the thread (a context switch), not on
; every interrupt -- confirm before relying on it.
;
; The ';yes' / ';no' marks are the author's observations (yes = the
; access worked, no = it faulted).  They were not reproduced here.
; Several of them cannot all hold under one stable GS base in a single
; run (see notes below); they are most plausibly from separate runs or
; from single-stepping, where every step is a kernel round-trip and the
; debugger's context writes may reinstall the TEB base -- unconfirmed.
;
; Leaf procedure: no frame, no calls, only volatile registers written
; (rax, rcx, rdx, r8, r9, GS).  The return value (eax) is not meaningful.
; The final loop normally never returns (see below).
;-----------------------------------------------------------------------
wmain PROC
; Pinning the thread to one CPU was considered but left disabled
; (rcx = -2 is the current-thread pseudo-handle, rdx = 1 the CPU mask).
; If re-enabled: the Win64 ABI needs 32 bytes of shadow space and a
; 16-aligned rsp at the call (sub rsp, 40 / add rsp, 40 around it), and
; __imp_* is the IAT slot, so the call must go *through* it
; (call qword ptr [__imp_SetThreadAffinityMask]) -- TODO confirm the
; EXTERN declaration, which is not in this listing.
;mov rdx, 1
;mov rcx, -2
;call __imp_SetThreadAffinityMask

; Baseline with the OS-provided GS base (TEB): gs:[33] is a small
; offset inside the TEB (works); gs:[wmain] adds the code address to
; the TEB base and lands in unmapped memory (faults).  cs:[33] faults
; because CS/DS/ES/SS bases are treated as 0 in 64-bit mode, so it is
; linear address 33.
;mov al, byte ptr gs:[wmain] ;no
;mov ah, gs:[33] ;yes
;mov ah, cs:[33] ;no

mov r8d, gs                 ; save the original GS selector for the restore below
mov r9d, cs                 ; the CS selector, used below as a readable "neutral" selector for GS

; Load GS with the CS selector.  The selector itself is harmless (a
; readable code segment may be loaded into GS); the point is the side
; effect: GS base is now the descriptor base (0), so gs:[x] == [x].
mov gs, r9d
;mov ah, gs:[33] ;no        -- consistent with base 0: address 33 is unmapped
mov al, byte ptr gs:[wmain] ;yes  -- consistent with base 0: reads the first byte of wmain
;mov cl, byte ptr gs:[wmain] ;yes
mov ah, gs:[33] ;yes ?! what is this?
; NOTE(review): with base 0 this should fault exactly like the line two
; above it.  "yes" here only fits if the TEB base was already back
; (scheduler / debugger context write between the instructions) -- not
; explained by the listing itself; treat the result as timing-dependent.
;mov ch, byte ptr gs:[wmain] ;no

; Put the original selector back.  This does NOT bring the TEB base
; back: MOV GS always loads the descriptor base (0) regardless of which
; selector it is.  The three "yes" results below therefore cannot all
; come from one run with a stable base (gs:[wmain] needs base 0,
; gs:[33] needs the TEB base).
mov gs, r8d
mov dl, byte ptr gs:[wmain] ;yes  -- fits base 0
mov cl, byte ptr gs:[wmain] ;yes  -- fits base 0
mov dh, gs:[33]; yes              -- fits base == TEB only
;mov ch, byte ptr gs:[wmain] ;no  -- same access as the dl/cl lines; unexplained

; Demonstration loop: reload GS (base 0) and read gs:[wmain] until the
; OS reinstalls the TEB base, at which point the read becomes
; TEB + wmain and faults.  ecx is zeroed on purpose: LOOP decrements
; rcx (64-bit address size) and it wraps to 2^64-1, so the loop is
; effectively unbounded and the procedure normally never reaches ret.
; LOOP is a legacy, microcoded instruction -- fine here, where the
; iteration count is irrelevant.
;just for info - loop until swapgs
mov gs, r9d
xor  ecx, ecx
@@:
mov al, byte ptr gs:[wmain]
loop @b

ret                         ; only reached if the loop ever finishes; GS is left holding the CS selector
wmain ENDP
"

