On Sat, 26 Oct 2002, Sylvain Petreolle wrote:

> I disagree here.
> one anti debug / hiding technique is :
> 1)set regs
> 1a) push 3) location on the stack.
> 2) jump to 80h
> then the "iret" instruction in int 80h will jump to 3)

Well, while I agree with the general sentiment, this is technically not quite right. In i386 protected mode, you cannot jump directly to code with a different privilege level (it'd cause a GPF/SIGSEGV to try), it must be done through a "gate" (typically an interrupt). Passing through such a privilege-transition gate also implies switching to a similarly-privileged stack (before the return address is pushed), so you cannot push your own return address onto the kernel's privileged stack. And you probably can't even get the address of the kernel interrupt handler (the IDT can be protected from being read).

This doesn't make Wine any more secure though, of course...

_______________________________________________
wine-users mailing list
wine-users@winehq.com
http://www.winehq.com/mailman/listinfo/wine-users
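
The gate and stack-switch behaviour discussed in the reply above, as a simplified C model; this is an added example, not part of the original post and not Wine or kernel code. The struct layouts, function names and the handler address 0xC0100000 are assumptions for illustration, and the real CPU frame also holds SS, ESP, EFLAGS and CS.

```c
#include <stdint.h>

/* Simplified model of i386 protected-mode control transfers (constructed values only). */
enum { OK = 0, FAULT_GP = 13 };
typedef struct { uint32_t mem[16]; int sp; } Stack;   /* sp = number of words in use */
typedef struct { int cpl; uint32_t eip; Stack *stk; } Cpu;
typedef struct { int gate_dpl; int target_dpl; uint32_t handler; } Gate;

static void push(Stack *s, uint32_t v) { s->mem[s->sp++] = v; }
static uint32_t pop(Stack *s) { return s->mem[--s->sp]; }

/* Direct far jump to a non-conforming code segment: CPL must equal the target DPL. */
int far_jump(Cpu *c, int target_dpl, uint32_t target) {
    if (target_dpl != c->cpl) return FAULT_GP;
    c->eip = target;
    return OK;
}

/* Software interrupt through a gate: the caller must satisfy the gate DPL. */
int soft_int(Cpu *c, const Gate *g, Stack *tss_stack0, Stack **saved_user) {
    if (c->cpl > g->gate_dpl) return FAULT_GP;
    *saved_user = c->stk;
    if (g->target_dpl < c->cpl) c->stk = tss_stack0;  /* stack switch happens first */
    push(c->stk, c->eip);                             /* return address chosen by the CPU */
    push(c->stk, (uint32_t)c->cpl);                   /* stands in for the saved CS */
    c->cpl = g->target_dpl;
    c->eip = g->handler;
    return OK;
}

/* iret pops the frame from the current (kernel) stack, never from the user stack. */
void iret(Cpu *c, Stack *saved_user) {
    c->cpl = (int)pop(c->stk);
    c->eip = pop(c->stk);
    c->stk = saved_user;
}

/* Scenario from the thread: push an address on the user stack, then int 0x80. */
uint32_t run_scenario(uint32_t pushed_by_user, uint32_t next_insn) {
    Stack user = {{0}, 0}, kernel = {{0}, 0}, *saved = 0;
    Cpu c = { 3, next_insn, &user };
    Gate int80 = { 3, 0, 0xC0100000u };               /* constructed handler address */
    push(&user, pushed_by_user);
    if (soft_int(&c, &int80, &kernel, &saved) != OK) return 0;
    iret(&c, saved);
    return c.eip;                                     /* EIP after the handler returns */
}
```

In this model the value pushed from ring 3 stays on the user stack, so `iret` returns to the instruction after the `int`, and both a direct far jump to ring 0 and an `int` through a DPL 0 gate fault with #GP.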