I disagree here. One anti debug / hiding technique is:
1) set regs
1a) push 3) location on the stack.
2) jump to 80h
then the "iret" instruction in int 80h will jump to 3)

> malicious non trusted dll:
> 1) setup malicious regs (like erase file...)
> 2) jump at the address of the int 80h above
> 3)
> (of course you won't be able to go back to 3), but this would still
> allow you to make a valid syscall
> looking at all trusted dlls you might even find some code where you get
> something like (in trusted dll)
> a) setup regs for syscall
> b) int 80h
> c) ret
> and in that case, jsr address of b from untrusted code would circumvent
> your scheme
>
> once again, since:
> - wine is just seen from the linux kernel as a standard process
> - wine core DLLs and the loaded code live in the same address space
> it would be extremely difficult to implement this type of protection on
> wine (as it is today)
> it might be possible using some kind of code control tools. the new skins
> on valgrind would help here, but that would be done in a completely
> different manner
>
> A+

_______________________________________________
wine-users mailing list
wine-users@winehq.com
http://www.winehq.com/mailman/listinfo/wine-users
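Added example, not part of the original thread: a toy Python model of the quoted scenario, showing why a check on the address of the `int 80h` instruction cannot tell a legitimate wrapper call from untrusted code that sets its own registers and enters the wrapper at step b). The addresses, the mini instruction set and the stricter entry-point policy are assumptions made for illustration.

```python
# Toy model (constructed): one flat address space shared by a trusted DLL
# and an untrusted DLL, as in the thread. Addresses and opcodes are made up.
TRUSTED = range(0x1000, 0x2000)   # hypothetical trusted DLL mapping
ENTRY_POINTS = {0x1000}           # hypothetical exported entry of the wrapper

MEM = {
    # trusted wrapper: a) setup regs  b) int 80h  c) ret
    0x1000: ("set", "eax", "getpid"),
    0x1001: ("int80",),
    0x1002: ("ret",),
    # untrusted code using the wrapper as intended
    0x5000: ("call", 0x1000),
    0x5001: ("halt",),
    # untrusted code from the thread: own regs, then jsr to b)
    0x6000: ("set", "eax", "unlink"),
    0x6001: ("call", 0x1001),
    0x6002: ("halt",),
}

def run(start, check):
    """Execute from `start`; return one (syscall, allowed) pair per int 80h."""
    pc, regs, stack, last_xfer, log = start, {}, [], None, []
    while True:
        op = MEM[pc]
        if op[0] == "set":
            regs[op[1]] = op[2]; pc += 1
        elif op[0] == "call":
            stack.append(pc + 1); last_xfer = (pc, op[1]); pc = op[1]
        elif op[0] == "int80":
            log.append((regs.get("eax"), check(pc, last_xfer))); pc += 1
        elif op[0] == "ret":
            pc = stack.pop()
        else:  # halt
            return log

def check_trap_address(pc, last_xfer):
    # Scheme under discussion: allow the syscall if int 80h sits in a trusted DLL.
    return pc in TRUSTED

def check_entry_point(pc, last_xfer):
    # Assumed stricter policy: untrusted code may enter trusted code only at an
    # export. It needs control-flow tracking, which the trap address alone lacks.
    if last_xfer is None:
        return pc in TRUSTED
    src, dst = last_xfer
    crossed = src not in TRUSTED and dst in TRUSTED
    return pc in TRUSTED and (not crossed or dst in ENTRY_POINTS)
```

Both callers trap at the same trusted address, so `check_trap_address` allows both; only a policy that observes how control reached the trap, the kind of instrumentation the quoted message attributes to code control tools, separates them.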