On 12/1/21 19:29, Paul Gofman wrote:
"testl $0x3,%edx\n\t" /* CONTEXT_CONTROL | CONTEXT_INTEGER */ "jnz 1f\n\t" "movq 0x88(%rcx),%rsp\n\t" - "jmpq *0x70(%rcx)\n" /* frame->rip */ + "movq 0x70(%rcx),%rcx\n\t" /* frame->rip */ + "jmpq *%rcx\n\t" "1:\tleaq 0x70(%rcx),%rsp\n\t" "testl $0x2,%edx\n\t" /* CONTEXT_INTEGER */ - "jz 1f\n\t" - "movq 0x00(%rcx),%rax\n\t" + "jnz 1f\n\t" + "movq (%rsp),%rcx\n\t" /* frame->rip */ CONTEXT_CONTROL means we should restore the CS segment register as well. Since SYSRET cannot restore CS, Windows would have to use plain IRETQ instead of SYSRET. In this case I suspect there should be no reason to clobber RCX at all.
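Review bot: the two new `%rcx` loads (`movq 0x70(%rcx),%rcx` followed by `jmpq *%rcx` in the no-flags path, and `movq (%rsp),%rcx` in the path taken when CONTEXT_INTEGER is clear) deliberately leave frame->rip in rcx at the moment of the jump, but the only annotation is `/* frame->rip */`, which says what is loaded and not why rcx rather than a scratch register is chosen; a one-line comment stating that rcx is meant to carry the return rip, as it does after a SYSRET, would make the intent reviewable. Since the second path is reached whenever CONTEXT_INTEGER is clear, including when CONTEXT_CONTROL is set, that comment should also say whether the CONTEXT_CONTROL case is intended to clobber rcx the same way, which is the point this thread is debating.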
Note that this claim is unconfirmed; I might need some testing.
Does my patch change anything in this regard? I hope it doesn't; if it does, that is an oversight. If there is something wrong with how it works now, fixing that should not go in the same patch. But I think we currently restore CS (both before and after my patch) by using iretq in case of CONTEXT_CONTROL, isn't that the case?
If you mean that rcx should not be set this way in case of CONTEXT_CONTROL, I think my test with NtSetContextThread plainly shows that it should?