Interrupt Debug Service (0×2D), Boot loader, Vista 64bits (On the fly)

Posted by Matthieu Suiche on Saturday, March 10, 2007 · Leave a Comment 

 DebugPrint      proc near
                 mov     r9d, r8d
                 mov     r8d, edx
                 mov     dx, [rcx]
                 mov     rcx, [rcx+8]
                 mov     eax, 1
                 int     2Dh             ; Internal routine for MSDOS (IRET)
                 int     3               ; Trap to Debugger
                 retn
 DebugPrint      endp

 DebugPrompt     proc near
                 mov     r9w, [rdx+2]
                 mov     r8, [rdx+8]
                 mov     dx, [rcx]
                 mov     rcx, [rcx+8]
                 mov     eax, 2
                 int     2Dh             ; Internal routine for MSDOS (IRET)
                 int     3               ; Trap to Debugger
                 retn
 DebugPrompt     endp

 DebugService2   proc near
                 mov     eax, r8d
                 int     2Dh             ; Internal routine for MSDOS (IRET)
                 int     3               ; Trap to Debugger
                 retn
 DebugService2   endp

 BlBdStart+11C:
                 lea     rdx, [rsp+78h+var_28]
                 lea     rcx, [rsp+78h+var_58]
                 mov     r8d, 3
                 call    DebugService2

BlBdStop        proc near
                 lea     rdx, [rax-28h]
                 mov     r8d, 4
                 xor     ecx, ecx
		[...]
                 call    DebugService2

typedef enum _STATUS_DEBUG_SERVICE {
STATUS_PRINT = 1,
STATUS_PROMPT = 2,
STATUS_START = 3,
STATUS_STOP = 4
} STATUS_DEBUG_SERVICE;

Filed under On the fly, Reverse Engineering, Windows · Tagged with

About Matthieu Suiche

Comments are closed.