A forum for reverse engineering, OS internals and malware analysis 

 #27286  by Microwave89
 Sun Nov 22, 2015 8:52 pm
Hi Kernelmode.info!

Upon attempting something (can't remember what exactly it was) that relied on the x64 ntdll.dll system call layout being unchanged I stumbled across the new system call layout.
Instead of simply loading eax with the system call number and then issuing the 0F 05 instruction as before, it now checks the field "SystemCall" located at KUSER_SHARED_DATA+0x308.
If the field is 0 a standard syscall instruction is issued.
If, however, the field isn't zero the int 2e instruction is invoked which afaik stems from early NT days!
Note that I'm not talking about the Wow64 system calls.

The sudden change allegedly affected the Chrome Sandbox amongst other software.

Of course I would now pretty much like to learn why M$ made this change.
Whereas someone suggested it might have happened for compatibility reasons regarding older CPUs which don't incorporate the syscall instruction yet, Alex Ionescu stated something regarding control flow guard for system call stubs.
If it was for compat reasons, are there really CPUs which are 64-bit capable yet don't support the syscall instruction?

Any hint is much appreciated, Google didn't help that much.


Best regards,

Microwave89
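The stub change described in the post above is the kind of thing that breaks tools which parse ntdll by assuming a fixed byte layout. The following Python decoder is an added example (not code from the post or from Microsoft): it recognises both the old `mov r10,rcx / mov eax,imm32 / syscall / ret` layout and the newer one that first tests the SystemCall byte at 0x7FFE0308 (KUSER_SHARED_DATA+0x308 in user mode) and falls back to `int 2Eh`, and it models which instruction each layout ends up executing for a given field value. The sample stubs and the system call number 0x0D in them are constructed for the example and do not correspond to any real NtXxx routine.

```python
import struct

# Instruction encodings for the two x64 ntdll stub layouts.
OLD_PROLOGUE = bytes.fromhex("4C8BD1B8")              # mov r10, rcx ; mov eax, imm32
SYSCALL_RET = bytes.fromhex("0F05C3")                  # syscall ; ret
# test byte ptr [7FFE0308h], 1 ; jne +3  (jumps over "syscall ; ret" to "int 2Eh")
SYSTEMCALL_TEST = bytes.fromhex("F604250803FE7F017503")
INT2E_RET = bytes.fromhex("CD2EC3")                    # int 2Eh ; ret

KUSER_SHARED_DATA = 0x7FFE0000       # user-mode address of the shared page
SYSTEMCALL_OFFSET = 0x308            # offset of the SystemCall field

# Constructed sample stubs (system call number 0x0D is made up for the example).
SAMPLE_OLD = OLD_PROLOGUE + struct.pack("<I", 0x0D) + SYSCALL_RET
SAMPLE_NEW = (OLD_PROLOGUE + struct.pack("<I", 0x0D)
              + SYSTEMCALL_TEST + SYSCALL_RET + INT2E_RET)


def decode_stub(stub: bytes) -> dict:
    """Decode one stub into its system call number and layout.

    Raises ValueError for bytes that match neither known layout, which is the
    behaviour a robust parser should have instead of guessing.
    """
    if not stub.startswith(OLD_PROLOGUE):
        raise ValueError("missing 'mov r10, rcx ; mov eax, imm32' prologue")
    number = struct.unpack_from("<I", stub, len(OLD_PROLOGUE))[0]
    body = stub[len(OLD_PROLOGUE) + 4:]
    if body.startswith(SYSCALL_RET):
        return {"number": number, "layout": "legacy", "checks_field": False}
    if body.startswith(SYSTEMCALL_TEST + SYSCALL_RET + INT2E_RET):
        return {"number": number, "layout": "systemcall-field", "checks_field": True}
    raise ValueError("unrecognised stub layout")


def legacy_only_parser(stub: bytes):
    """A parser written against the old layout only.

    It returns the system call number when the bytes after the prologue are
    'syscall ; ret' and None otherwise, so it silently fails on the new stubs.
    """
    if stub.startswith(OLD_PROLOGUE) and stub[8:11] == SYSCALL_RET:
        return struct.unpack_from("<I", stub, 4)[0]
    return None


def select_instruction(info: dict, systemcall_field: int) -> str:
    """Model which instruction the decoded stub executes.

    The new layout uses 'test byte ptr [...], 1', so only bit 0 of the
    SystemCall byte decides between the two paths.
    """
    if info["checks_field"] and (systemcall_field & 1):
        return "int 2e"
    return "syscall"


if __name__ == "__main__":
    for name, stub in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        info = decode_stub(stub)
        print(name, info, "legacy parser ->", legacy_only_parser(stub),
              "field=0 ->", select_instruction(info, 0),
              "field=1 ->", select_instruction(info, 1))
```

The point of `legacy_only_parser` is the failure mode the post describes: the prologue still matches, so a parser that does not check the bytes after it either misreads the stub or, as here, returns nothing for every system call on the new ntdll. Checking the full tail, as `decode_stub` does, makes the parser fail loudly on any further layout change instead of misbehaving quietly.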