On 07.06.20 at 11:47, Stefan Dösinger wrote:
> Check the nop opcode in Windows DLLs. If Microsoft's kernel32.dll switched to 66 90 we're safe to switch too. If they still use 8b ff we probably should stick to that.
I just checked my Win10 19.09, it still uses 8b ff. So either Microsoft compiles Windows with an old Visual Studio or they kept the old-style nops for Windows itself.
Also worth noting is that I have not seen any application that uses the 2-byte instruction the way Microsoft itself uses it for on-the-fly updates: put an absolute jump in the 5 bytes (0xcc or 0x90) before the function and then replace the two-byte instruction with a relative -5 jump. The applications I dealt with all replace the first 5 bytes with an absolute jump, with varying degrees of care. The idea of the 2-byte nop is that it can be replaced without caring about races, whereas replacing the 5 bytes will crash and burn if a thread is in the middle of executing them. Steam hotpatches on process creation or DLL load, so it is fine. Others I am not so sure about...
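To make the two patching strategies described above concrete, here is an added example that simulates both on a byte image. It is not code from this thread, from Wine or from Microsoft; the image base, the hook address and the prologue bytes (the classic mov edi,edi / push ebp / mov ebp,esp preceded by five int3 bytes) are constructed for illustration, and the instruction-length table covers only the handful of opcodes the example uses. The Microsoft-style path checks for the 5-byte padding and for either 2-byte nop variant (8b ff or 66 90), writes the jmp rel32 into the padding, and then replaces the nop with a 2-byte short jump whose rel8 is -7, which lands 5 bytes before the entry. The comparison function shows why the naive 5-byte overwrite races: the instruction boundaries inside the first five bytes (after mov edi,edi and after push ebp) no longer hold the original bytes, so a thread preempted there resumes into the middle of the rel32 immediate.

```python
"""Simulate two ways of hooking a hotpatchable x86 function on a byte image.

Constructed example; addresses and the prologue bytes are made up for illustration.
"""
import struct

PAD = 5  # bytes of padding (int3 or nop) placed before a hotpatchable function


def jmp_rel32(at, target):
    """5-byte 'e9 rel32'; rel32 is relative to the end of the instruction."""
    return b"\xE9" + struct.pack("<i", target - (at + 5))


def jmp_rel8(at, target):
    """2-byte 'eb rel8'; rel8 is relative to the end of the instruction."""
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range")
    return b"\xEB" + struct.pack("<b", rel)


def insn_len(code, off):
    """Length of the few instructions this example uses (not a general x86 decoder)."""
    b0 = code[off]
    if b0 in (0xCC, 0x90, 0x55, 0xC3):                 # int3 / nop / push ebp / ret
        return 1
    if b0 == 0xEB:                                      # jmp short rel8
        return 2
    if b0 == 0xE9:                                      # jmp rel32
        return 5
    if b0 == 0x8B and code[off + 1] in (0xFF, 0xEC):    # mov edi,edi / mov ebp,esp
        return 2
    if b0 == 0x66 and code[off + 1] == 0x90:            # 2-byte nop
        return 2
    raise ValueError(f"unknown opcode {b0:#04x} at offset {off}")


def boundaries(code, start, end):
    """Instruction start offsets in [start, end) when decoding straight-line from start."""
    offs, off = [], start
    while off < end:
        offs.append(off)
        off += insn_len(code, off)
    return offs


def hotpatch_ms(image, base, func, hook):
    """Microsoft style: jmp rel32 into the padding, then a single 2-byte write at entry."""
    img = bytearray(image)
    pad = func - PAD
    if img[pad:func] not in (b"\xCC" * PAD, b"\x90" * PAD):
        raise ValueError("no 5-byte padding before the function")
    if img[func:func + 2] not in (b"\x8B\xFF", b"\x66\x90"):
        raise ValueError("function does not start with a 2-byte nop")
    # Step 1: the padding is never executed, so writing it cannot race with anything.
    img[pad:func] = jmp_rel32(base + pad, hook)
    # Step 2: one 2-byte store turns the nop into 'jmp short -5' (eb f9) to the padding.
    img[func:func + 2] = jmp_rel8(base + func, base + pad)
    return bytes(img)


def hotpatch_naive(image, base, func, hook):
    """What most third-party hooks do: overwrite the first 5 bytes with jmp rel32."""
    img = bytearray(image)
    img[func:func + 5] = jmp_rel32(base + func, hook)
    return bytes(img)


def safe_resume_offsets(original, patched, func):
    """Instruction boundaries inside the first 5 bytes (other than the entry itself)
    whose bytes survive the patch: a thread preempted there resumes on valid code."""
    ok = []
    for off in boundaries(original, func, func + 5):
        if off != func and patched[off:func + 5] == original[off:func + 5]:
            ok.append(off)
    return ok


# Constructed image: 5 bytes of int3 padding, then the classic prologue
# mov edi,edi / push ebp / mov ebp,esp / nop / ret.
BASE = 0x10001000
HOOK = 0x20000000
FUNC = PAD
IMAGE = bytes.fromhex("cccccccccc" "8bff" "55" "8bec" "90" "c3")


if __name__ == "__main__":
    for name, fn in (("ms", hotpatch_ms), ("naive", hotpatch_naive)):
        patched = fn(IMAGE, BASE, FUNC, HOOK)
        print(name, patched.hex(" "), "safe resume offsets:",
              safe_resume_offsets(IMAGE, patched, FUNC))
```

Running it shows the Microsoft-style image as e9 .. .. .. .. eb f9 55 8b ec 90 c3 with offsets 7 and 8 still safe to resume at, while the naive image has no safe offset inside the patched range. The example models byte layout only; on real hardware the second step additionally relies on the 2-byte write at the entry being a single store that a running thread sees either entirely before or entirely after.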