[vbox-dev] How VBox handle system calls ('sysenter' or 'int 0x2e' instructions) on WinXP

QiangHuang qianghuang87 at gmail.com
Thu Jan 10 13:29:01 GMT 2013


Hi All:

I am doing some research on how VBox handles system calls for Windows XP.

I found a function "PATMPatchSysenterXP" in PATMGuest.cpp. It transforms the
'sysenter' into the old "int 0x2e".

And I intercepted all 'int 0x2e' in TRPM. But I found that the system call
number, supposedly stored in EAX, was not correct. The numbers were
usually greater than 0xFF. I also disassembled the opcode around the 'int
0x2e'. It is not the way 'int 0x2e' system calls are usually invoked, which
made me confused.

lea esp, [esp+0]
lea edx, [esp+8]
int 0x2e
ret

Could someone give me some clues to move on?

Thanks in advance.

Qiang Huang
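The following is an added example, not code from the post above or from the VirtualBox sources. It shows the two pieces a hypervisor-side system call monitor for 32-bit Windows XP needs once it has trapped an 'int 0x2e': how the XP kernel dispatcher (KiSystemService / KiFastCallEntry) splits EAX into a service-table selector and an index (shr 8; and 0x30 picks the table, and 0xFFF picks the entry, which is why values above 0xFF are normal: win32k services are dispatched through table 1 and carry 0x1000 in EAX), and a byte scanner that locates 'int 0x2e' (CD 2E) and 'sysenter' (0F 34) in a code buffer and checks whether the preceding bytes match the ntdll KiIntSystemCall prologue ('lea edx,[esp+8]') or the KiFastSystemCall prologue ('mov edx,esp'). The sample buffer is constructed from the disassembly quoted in the post plus an unpatched sysenter stub; the function names and struct layouts are this example's own.

```c
/* Added example (not from the vbox-dev post or VirtualBox sources). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned table;  /* 0 = ntoskrnl KiServiceTable, 1 = win32k W32pServiceTable */
    unsigned index;  /* entry number within that table */
} xp_syscall_t;

/* Mirror the XP dispatcher's use of EAX: bits 12-13 select the service
 * descriptor table (shr 8 / and 0x30 yields a 16-byte SDT offset), bits 0-11
 * select the entry. EAX = 0x1234 therefore means table 1, entry 0x234. */
xp_syscall_t decode_xp_syscall(uint32_t eax)
{
    xp_syscall_t r;
    r.table = ((eax >> 8) & 0x30) >> 4;
    r.index = eax & 0xFFF;
    return r;
}

typedef enum { STUB_INT2E, STUB_SYSENTER } stub_kind_t;

typedef struct {
    size_t      off;             /* offset of the trapping instruction */
    stub_kind_t kind;
    int         known_prologue;  /* 1 if preceded by a known ntdll stub prologue */
} stub_hit_t;

/* Linear scan for CD 2E (int 0x2e) and 0F 34 (sysenter). Being a raw byte
 * scan it can also match operand bytes of other instructions; the prologue
 * check is what makes a hit credible as a system call stub. */
size_t scan_syscall_stubs(const uint8_t *buf, size_t len, stub_hit_t *out, size_t max)
{
    static const uint8_t lea_edx_esp8[] = {0x8D, 0x54, 0x24, 0x08}; /* lea edx,[esp+8] */
    static const uint8_t mov_edx_esp[]  = {0x8B, 0xD4};             /* mov edx,esp     */
    size_t n = 0;

    for (size_t i = 0; i + 1 < len && n < max; i++) {
        stub_kind_t k;
        if (buf[i] == 0xCD && buf[i + 1] == 0x2E)      k = STUB_INT2E;
        else if (buf[i] == 0x0F && buf[i + 1] == 0x34) k = STUB_SYSENTER;
        else continue;

        int known = 0;
        if (i >= 4 && memcmp(buf + i - 4, lea_edx_esp8, 4) == 0) known = 1;
        else if (i >= 2 && memcmp(buf + i - 2, mov_edx_esp, 2) == 0) known = 1;

        out[n].off = i;
        out[n].kind = k;
        out[n].known_prologue = known;
        n++;
        i++;  /* skip the second opcode byte */
    }
    return n;
}

/* Constructed sample: the patched stub quoted in the post
 * (lea esp,[esp+0]; lea edx,[esp+8]; int 0x2e; ret) followed by an
 * unpatched KiFastSystemCall (mov edx,esp; sysenter; ret). */
const uint8_t sample_code[] = {
    0x8D, 0x64, 0x24, 0x00,   /* lea esp,[esp+0]  */
    0x8D, 0x54, 0x24, 0x08,   /* lea edx,[esp+8]  */
    0xCD, 0x2E,               /* int 0x2e         */
    0xC3,                     /* ret              */
    0x8B, 0xD4,               /* mov edx,esp      */
    0x0F, 0x34,               /* sysenter         */
    0xC3                      /* ret              */
};
const size_t sample_code_len = sizeof(sample_code);

int main(void)
{
    stub_hit_t hits[8];
    size_t n = scan_syscall_stubs(sample_code, sample_code_len, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %s, known prologue: %s\n", hits[i].off,
               hits[i].kind == STUB_INT2E ? "int 0x2e" : "sysenter",
               hits[i].known_prologue ? "yes" : "no");

    xp_syscall_t s = decode_xp_syscall(0x1234);  /* a win32k service number */
    printf("EAX=0x1234 -> table %u, index 0x%X\n", s.table, s.index);
    return 0;
}
```

In a TRPM-style trap handler the value to decode is the guest's EAX at the time of the trap, and EDX is the pointer to the caller's argument block, which is what the 'lea edx,[esp+8]' in the quoted stub sets up.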