Phantom of XP Ring0 Tracer

evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

yah, i want remember our old days. fighting for finding OEP, praying on magic tracing tools, Ring0 tracer.. i am lazy, but hope, i will force meself to write memos about it.. here i will try start draft :) video in attachment
Attachments
XPsp0R0TRACER.zip
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

forming memo topics:
1. helping tsehp with RVtracer, installing this xp system..
2. fight with SYSENTER magic. but we can back to INT2E instead..
3. tsehp leaves scene.. 'amd jumps -20h'
4. discovering m$ SYSENTER trick
5. thus, INTEL not documented capability of DF?
6. writing tracer code inside BEEP.SYS with HIEW about half year. how work with tracer without program?! myKernel32 :)
7. cmon, lets start learn some masm using
8. tracer traces all, SYSENTER friendly smiles, as it should. why m$ did that?
9. after death breath from terminated process..
10. unexpected exception from debug registers..
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

That raises questions. You were single step tracing in kernel mode? Why in beep.sys? How did you accomplish that? Logging trace?

Memo topics.
Softice Backtrace Buffer was good for tracing, buffer dumper better.
Remember beta-testing Revirgin Win95/98, 2001...led to deluge of asprotect dumping threads past the point of ad nauseam.
Kernel mode programming with Masm32, disappearing down a rabbit hole.
Bowing to Windbg.