On Wed Nov 29 01:27:26 2023 +0000, Dāvis Mosāns (davispuh) wrote:
Oops, I actually wanted to say it does patch `KiUserExceptionDispatcher` but got myself confused :D It patches 18 methods in ntdll.dll. The patch for `KiUserExceptionDispatcher` looks like this (with this MR applied):
```diff
- 59750: 90                      nop
- 59751: 48 8b 05 38 03 04 00    mov rax,QWORD PTR [rip+0x40338]        # 0x99a90
+ 59750: 40 e9 95 eb cf f8       rex jmp 0xf8d582eb
+ 59756: 04 00                   add al,0x0
  59758: 48 8b 8c 24 98 00 00    mov rcx,QWORD PTR [rsp+0x98]
  5975f: 00
  59760: 48 8b 94 24 f8 00 00    mov rdx,QWORD PTR [rsp+0xf8]
  59767: 00
  59768: 48 89 51 f8             mov QWORD PTR [rcx-0x8],rdx
  5976c: 48 89 69 f0             mov QWORD PTR [rcx-0x10],rbp
  59770: 48 89 79 e8             mov QWORD PTR [rcx-0x18],rdi
  59774: 48 89 71 e0             mov QWORD PTR [rcx-0x20],rsi
  59778: 48 8d 69 e0             lea rbp,[rcx-0x20]
  5977c: 48 85 c0                test rax,rax
  5977f: 74 0d                   je 0x5978e
```
Also, I spoke too soon: the stack overflow is not fixed, it just seems to have become way rarer.
Now checked without this MR, it patches it like this:
```diff
- 55aac: 48 8b 8c 24 98 00 00    mov rcx,QWORD PTR [rsp+0x98]
- 55ab3: 00
+ 55aac: 40 e9 39 ea c6 f6       rex jmp 0xf6cc44eb
+ 55ab2: 00 00                   add BYTE PTR [rax],al
  55ab4: 66 8c c8                mov ax,cs
  55ab7: 66 39 44 24 38          cmp WORD PTR [rsp+0x38],ax
  55abc: 74 14                   je 0x55ad2
  55abe: 48 89 e2                mov rdx,rsp
  55ac1: 48 8d 8c 24 f0 04 00    lea rcx,[rsp+0x4f0]
  55ac8: 00
  55ac9: 4c 89 f4                mov rsp,r14
  55acc: e8 bf 27 00 00          call 0x58290
  55ad1: cc                      int3
```
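As an added detection-side example (not code from this MR or the project), the script below decodes the `40 e9 rel32` entry patch shown in both diffs the way the CPU would and flags a function entry whose jump leaves the module image. The RVAs and byte strings are taken from the disassembly above; the image size is an assumed placeholder, not a real ntdll.dll value.

```python
import struct

# Constructed from the two disassembly snippets in the comment above: the first
# 8 bytes at each patched function entry, plus the unpatched bytes for comparison.
MODULE_SIZE = 0x1F0000  # assumed image size for the example, not a real ntdll.dll value
ENTRIES = [
    ("KiUserExceptionDispatcher (patched)", 0x59750, bytes.fromhex("40e995ebcff80400")),
    ("KiUserExceptionDispatcher (clean)",   0x59750, bytes.fromhex("90488b0538030400")),
    ("second patched entry",                0x55aac, bytes.fromhex("40e939eac6f60000")),
]


def decode_rel_jmp(rva, code):
    """Return the target RVA of a rel32 jmp at the start of `code`, else None.

    Handles plain E9 and the 0x40-prefixed "rex jmp" form seen in the patches
    above (the REX prefix does nothing for jmp; it pads the patch to 6 bytes).
    rel32 is sign-extended and added to the next instruction's address, exactly
    as the CPU computes it, so a backwards jump yields a negative RVA here.
    """
    prefix = 1 if code[:1] == b"\x40" else 0
    if code[prefix:prefix + 1] != b"\xe9" or len(code) < prefix + 5:
        return None
    rel32 = struct.unpack_from("<i", code, prefix + 1)[0]
    return rva + prefix + 5 + rel32


def classify_entry(rva, code, module_size=MODULE_SIZE):
    """Classify a function entry by its first instruction.

    'no jmp'           : entry does not start with a rel32 jmp
    'intra-module jmp' : jmp stays inside [0, module_size), e.g. a normal thunk
    'inline hook'      : jmp leaves the image, i.e. control goes to foreign code
    """
    target = decode_rel_jmp(rva, code)
    if target is None:
        return "no jmp", None
    if 0 <= target < module_size:
        return "intra-module jmp", target
    return "inline hook", target


def scan(entries=ENTRIES, module_size=MODULE_SIZE):
    """Return {name: (verdict, target)} for every entry; the hooks are what matter."""
    return {name: classify_entry(rva, code, module_size) for name, rva, code in entries}


if __name__ == "__main__":
    for name, (verdict, target) in scan().items():
        shown = "" if target is None else f" -> {target & 0xFFFFFFFF:#x} (32-bit view)"
        print(f"{name}: {verdict}{shown}")
```

objdump printed the targets truncated to 32 bits (`0xf8d582eb`, `0xf6cc44eb`); the script's 32-bit view reproduces them, while the sign-extended value shows that both jumps land well below the module base.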