Hi everybody,

I've stumbled across some code which reads a dword at memory location
0x7ffe000, which causes the program to crash and the wine debugger to start.

After some investigation, it seems that reading the memory location
0x7ffe0000 should return KeTickCount.LowPart to the user process. Has anyone
ever heard about that? I was wondering if it was a native Windows NT
behaviour, or if it was done by a special kernel-space exception handler
installed by the program.

The assembly code which does the trick is

pusha
mov     $0x7ffe0000,%edx
mov     (%edx),%eax
mov     %eax,0xfffffffc(%ebp)
popa
mov     0xfffffffc(%ebp),%eax

Any idea, anyone?

Thanks for your help.

Laurent Pinchart


