Uninformed: Informative Information for the Uninformed

Vol 3 » 2006.Jan


... architecture [2.1]
While some sources use x64 to mean both AMD64 and IA64, this document generally uses x64 as an alias for AMD64 only, though many of the comments may also apply to IA64.
... below [3.1]
For those curious as to how the authors were able to debug the PatchGuard initialization vector, which is intended to be disabled when a debugger is attached, one method is to break on the div instruction in nt!KiDivide6432 and change r8d to zero. This generates the divide error fault and leads to the PatchGuard initialization routines being called. To allow the machine to boot normally, a breakpoint must be set on nt!KiDivide6432 afterwards to automatically restore r8d to 0xcb5fa3.
... image [3.2]
This could presumably be related to detecting whether or not hot patches have been applied, but this has not been confirmed.