Does the Windows loading routine alter the state of the debug registers (particularly DR0, DR1, and DR2)?
The debug registers' default values just after reset/power-up are summarised in Intel's manual. Thus, if Windows doesn't alter them, the values would be identical to the reset/power-up default values. I want to make sure of this ;)
I would like to know the contents of these registers in Windows 98/98SE and Windows 2000 just after boot completes, prior to any application being activated. Currently, I don't have systems with both of these OS installed ;).
Google and MSDN don't help much :sad:
Anyone have clues?
TIA,
Pinczakko
If Windows (i.e. Microsoft code) doesn't alter them, some other driver might. That, and the DRx registers (and all others) are non-global and can be set to different settings by other software. Some protection program out there even uses the DRx registers to store decrypt keys (which makes bpx fail) and so on... What's your idea? :)
Also (I'm too lazy to look up Intel and AMD manuals right now :)), are there reserved bits in some of the DRx registers? If so, you shouldn't depend on register values, at least not without masking them first. And depending on those values seems like a pretty bad idea anyway.
well, I'm not coding a protection code so far ;). I'm analyzing a code that makes an assumption about the values of the debug register ;). Thanks anyway :D
Code that makes an assumption, eh?
Well, I know a certain prot that does DRx checks: if dr7 == 0x400 then SoftICE is present. Is that the sort of thing you're looking at?
nope, I'm reversing a malware ;)
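An added example, not code from any poster in this thread, for reading a DR7 value met during analysis: it decodes the per-slot fields and counts armed breakpoints from the enable bits only, so reserved and control bits do not affect the result the way a raw compare against 0x400 does. The function names and sample values are constructed for illustration; the bit layout and the 0x400 reset value are from the Intel SDM.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout per the Intel SDM: bits 0-7 are L0,G0 .. L3,G3 enables,
   bit 10 is reserved and reads as 1, R/Wn and LENn fields start at bit 16. */
#define DR7_RESET_VALUE 0x00000400u   /* architectural value after reset */

struct bp_slot {
    int local, global;   /* Ln / Gn enable bits */
    unsigned rw;         /* 0=execute 1=write 2=I/O 3=read/write */
    unsigned len;        /* encoded LENn: 0=1 byte, 1=2, 3=4, 2=8 */
};

/* Decode one of the four breakpoint slots (n = 0..3) from a DR7 value. */
struct bp_slot dr7_slot(uint32_t dr7, unsigned n)
{
    struct bp_slot s;
    s.local  = (dr7 >> (2 * n)) & 1;
    s.global = (dr7 >> (2 * n + 1)) & 1;
    s.rw     = (dr7 >> (16 + 4 * n)) & 3;
    s.len    = (dr7 >> (18 + 4 * n)) & 3;
    return s;
}

/* Count armed slots, ignoring reserved bits and the LE/GE/GD control bits. */
unsigned dr7_armed_slots(uint32_t dr7)
{
    unsigned n, count = 0;
    for (n = 0; n < 4; n++) {
        struct bp_slot s = dr7_slot(dr7, n);
        if (s.local || s.global)
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample values, not captured from a real system:
       reset value, LE+GE set with nothing armed, slot 0 armed (4-byte write). */
    uint32_t samples[] = { 0x00000400u, 0x00000700u, 0x000D0401u };
    for (unsigned i = 0; i < 3; i++)
        printf("DR7=%08X raw==0x400:%d armed:%u\n", (unsigned)samples[i],
               samples[i] == DR7_RESET_VALUE, dr7_armed_slots(samples[i]));
    return 0;
}
```

The second sample differs from 0x400 yet has no breakpoint armed, which is the case where a raw equality check and a masked check disagree.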