
The instruction-size limit is 15 bytes. Actual size?

isnsdlk

In stack:

[esp+30h] //EIP

[esp+34] //CS

[esp+38] //EFLAG

[esp+3C] //ESP

[esp+40] //SS

Length of instruction at address EIP=[ESP+34]?

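// cbuf, cbuf2 and OIrql are globals declared elsewhere in the driver.
__declspec(naked) void NewDebugHandler1()
{
    __asm {
        // Save registers: 12 pushes = 30h bytes, so the trap frame is at
        // [esp+30h] EIP, [esp+34h] CS, [esp+38h] EFLAGS.
        push ebp
        push ebx
        push esi
        push edi
        push fs
        push ebx
        push eax
        push ecx
        push edx
        push ds
        push es
        push gs

        // Count traps; after 0F4240h (1,000,000) stop single-stepping.
        inc cbuf2
        cmp cbuf2, 0f4240h
        jg pf_skip3

        // FS = 30h (kernel-mode PCR selector on 32-bit Windows)
        mov bx, 0x30
        mov fs, bx
    }
    OIrql = KeGetCurrentIrql();
    cbuf = OIrql;

    __asm {
        // Continue only if IRQL <= DISPATCH_LEVEL (2)
        cmp cbuf, 2
        ja pf_skip

        // Set TF (bit 8) in the saved EFLAGS to trap after the next instruction
        mov eax, [esp+38h]
        or eax, 100h
        mov [esp+38h], eax
        // Without this jump, execution falls into pf_skip3 and clears TF again
        jmp pf_skip
    }

    __asm {
    pf_skip3:
        // Clear TF in the saved EFLAGS
        mov eax, [esp+38h]
        and eax, 0fffffeffh
        mov [esp+38h], eax
    pf_skip:
        // Restore registers in reverse order and return from the trap
        pop gs
        pop es
        pop ds
        pop edx
        pop ecx
        pop eax
        pop ebx
        pop fs
        pop edi
        pop esi
        pop ebx
        pop ebp
        iretd
    }
}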

Intel_Software_Netw1

As our engineers understand your question, it sounds like you are writing an int service routine and want to mock with the instruction which is next to be executed after the int returns; to do it, you need to decode the actual instruction size.

It was suggested in a response to your previous post that you look at gnu objdump; members of our engineering team have suggested that this is also a good idea in reference to your new question above. If we have misunderstood what you are looking for, please provide some additional details and we will do our best to assist.

==

Lexi S.

Intel Software Network Support

http://www.intel.com/software
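
The question above comes down to decoding prefixes, opcode, ModRM/SIB, displacement and immediate to get the byte count at the saved EIP. The following is an added example, not code from the thread, from Intel or from objdump: a C length decoder for 32-bit code limited to the one-byte opcode map. The names `insn_len32`, `op_flags` and the flag constants are hypothetical; 0F-escaped, VEX/EVEX and XOP encodings are reported as 0 (not covered).

```c
#include <stddef.h>
#include <stdint.h>
/* Added example (hypothetical names): length decoder for the one-byte opcode map only. */
enum { M = 1, I8 = 2, IV = 4, I16 = 8, AV = 16 }; /* ModRM, imm8, imm16/32, imm16, moffs */
/* Operand flags for a one-byte opcode in 32-bit mode; -1 for the 0F escape (not covered). */
static int op_flags(uint8_t op) {
    static const int alu[8] = { M, M, M, M, I8, IV, 0, 0 };
    if (op < 0x40) return op == 0x0F ? -1 : alu[op & 7];
    if (op < 0x62 || (op >= 0x90 && op <= 0x9F && op != 0x9A)) return 0;
    if ((op & 0xF0) == 0x70 || (op & 0xF8) == 0xB0 || (op >= 0xE0 && op <= 0xE7)) return I8;
    if ((op >= 0x84 && op <= 0x8F) || (op & 0xF8) == 0xD8 || (op & 0xFC) == 0xD0) return M;
    if ((op & 0xF8) == 0xB8) return IV;
    if ((op & 0xFC) == 0xA0) return AV;
    switch (op) {
    case 0x68: case 0xA9: case 0xE8: case 0xE9: return IV;
    case 0x6A: case 0xA8: case 0xCD: case 0xD4: case 0xD5: case 0xEB: return I8;
    case 0x69: case 0x81: case 0xC7: return M | IV;
    case 0x6B: case 0x80: case 0x82: case 0x83: case 0xC0: case 0xC1: case 0xC6: return M | I8;
    case 0x62: case 0x63: case 0xC4: case 0xC5: case 0xF6: case 0xF7: case 0xFE: case 0xFF: return M;
    case 0xC2: case 0xCA: return I16;
    case 0xC8: return I16 | I8;
    case 0x9A: case 0xEA: return IV | I16;
    default: return 0;                 /* remaining one-byte opcodes take no operands */
    }
}

/* Length of the instruction at p given n readable bytes; 0 if truncated, >15 bytes or not covered. */
size_t insn_len32(const uint8_t *p, size_t n) {
    size_t i = 0, opsz = 4, adsz = 4;
    if (n > 15) n = 15;                /* architectural instruction-size limit */
    for (; i < n; i++) {               /* legacy prefixes: 66, 67, lock/rep, segment overrides */
        uint8_t b = p[i];
        if (b == 0x66) opsz = 2; else if (b == 0x67) adsz = 2;
        else if (b != 0xF0 && b != 0xF2 && b != 0xF3 && (b & 0xFE) != 0x64 && (b & 0xE7) != 0x26) break;
    }
    if (i >= n) return 0;
    uint8_t op = p[i++];
    int f = op_flags(op);
    if (f < 0) return 0;
    if (f & M) {
        if (i >= n) return 0;
        uint8_t m = p[i++], mod = m >> 6, rm = m & 7, reg = (m >> 3) & 7;
        if ((mod == 3 && (op == 0x62 || (op & 0xFE) == 0xC4)) || (op == 0x8F && reg)) return 0; /* EVEX/VEX/XOP */
        if ((op & 0xFE) == 0xF6 && reg < 2) f |= (op & 1) ? IV : I8;   /* TEST r/m, imm */
        if (adsz == 4 && mod != 3 && rm == 4)        /* SIB byte; base=101 with mod=0 adds disp32 */
            i += (i < n && mod == 0 && (p[i] & 7) == 5) ? 5 : 1;
        i += mod == 1 ? 1 : (mod == 2 || (mod == 0 && rm == (adsz == 4 ? 5 : 6))) ? adsz : 0;
    }
    i += (f & I8 ? 1 : 0) + (f & IV ? opsz : 0) + (f & I16 ? 2 : 0) + (f & AV ? adsz : 0);
    return i <= n ? i : 0;
}
```

Pass as `n` only the number of bytes at EIP that are known to be readable, since an instruction near the end of a page may be followed by an unmapped page.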
