Re: [PATCH] ntdll: Set rcx and r11 on exit from syscall dispatcher on x64.

1 Dec 2021


      On 12/1/21 14:34, Jinoh Kang wrote:
...
My speculation is that there's a flag that determines whether it's OK to clobber
RCX/R11 on syscall exit.  If it's enabled, KiFastSystemCall will use SYSRET
instead of IRETQ.  Issuing NtSetContextThread with CONTEXT_INTEGER on supposedly
turns this flag off, disabling the use of SYSRET.  From the observations so far,
this flag more or less corresponds to CONTEXT_CONTROL in
CONTEXT_INTEGER*.  My apologies.
...
syscall_frame::restore_flags, but more testing is required...
-- 
Sincerely,
Jinoh Kang

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

Re: [PATCH] ntdll: Set rcx and r11 on exit from syscall dispatcher on x64.