I disagree here. One anti-debug / hiding technique is:

1) set regs
1a) push the location of 3) on the stack
2) jump to int 80h; the "iret" instruction in int 80h will then jump to 3)

Malicious, non-trusted DLL:
- set up malicious regs (like erase file...)
- jump to the address of the int 80h above

(Of course you won't be able to go back to 3), but this would still allow you to make a valid syscall.) Looking at all the trusted DLLs, you might even find some code where you get something like (in a trusted DLL):

a) set up regs for syscall
b) int 80h
c) ret

and in that case, a jsr to the address of b) from untrusted code would circumvent your scheme.

Once again, since:
- Wine is just seen by the Linux kernel as a standard process
- Wine core DLLs and the loaded code live in the same address space

it would be extremely difficult to implement this type of protection on Wine (as it is today). It might be possible using some kind of code control tools; the new skins on Valgrind would help here, but that would be done in a completely different manner.
A+