http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspxWell, how frustrating is this... as far as I can tell, .Text completely ate my last post, except for a couple of sentences at the top. I've switched to writing these posts off-line (like a real blogger!), so hopefully that's the last time this will happenenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx#962457Thu, 14 Jun 2007 14:02:34 GMTd67277c4-116b-43f1-b688-e9ef184ea916:962457» Hot Patching<p>Pingback from &nbsp;&amp;raquo; Hot Patching</p> <img src="http://msmvps.com/aggbug.aspx?PostID=962457" width="1" height="1">http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx#962456Thu, 14 Jun 2007 14:02:33 GMTd67277c4-116b-43f1-b688-e9ef184ea916:962456» Hot Patching<p>Pingback from &nbsp;&amp;raquo; Hot Patching</p> <img src="http://msmvps.com/aggbug.aspx?PostID=962456" width="1" height="1">http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx#961956Thu, 14 Jun 2007 05:46:55 GMTd67277c4-116b-43f1-b688-e9ef184ea916:961956Kernel Mustard » Blog Archive » Whence came function hooking?<p>Pingback from &nbsp;Kernel Mustard &nbsp;&amp;raquo; Blog Archive &nbsp; &amp;raquo; Whence came function hooking?</p> <img src="http://msmvps.com/aggbug.aspx?PostID=961956" width="1" height="1">http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx#106617Thu, 03 Aug 2006 14:55:03 GMTd67277c4-116b-43f1-b688-e9ef184ea916:106617Usermode Troubleshooooo..ting paper反馈收集和回复===请您在这里通过添加评论留下您对这篇文章的反馈信息，我会及时整理并且回复。如果您的反馈不想让别人看到，可以点击右边的Email链接给我发邮件： <br><a rel="nofollow" target="_new" href="http://blogs.msdn.com/lixiong/contact.aspx">http://blogs.msdn.com/lixiong/contact.aspx</a>...<img src="http://msmvps.com/aggbug.aspx?PostID=106617" width="1" height="1">http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx#84238Mon, 20 Feb 2006 04:31:12 GMTd67277c4-116b-43f1-b688-e9ef184ea916:84238Khurram AzizOver the last few years; rebooting Windows frequency is decreased. People have started making good installers....<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=84238" width="1" height="1">http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx#46701Thu, 12 May 2005 11:53:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:46701Steve Dispensa&gt;&gt;The reason is easy - the MOV is called every time the <br>&gt;&gt;function is called, whether it is hooked or not (or, <br>&gt;&gt;more precisely, when it its not hooked). <br> <br>Actually it's about applying patches safely - if there were two NOPs the EIP in some thread at the moment when patch is being applied could point to second NOP which would result in execution of second byte of jmps as an instruction. But when there's a 2-byte instruction, you can always replace it with another 2-byte instruction, cause EIP points either at it or at next instruction (it's also SMP-safe, cause CPU will re-read instruction when it detects a write to any of the instruction bytes while)<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=46701" width="1" height="1">http://msmvps.com/blogs/kernelmustard/archive/2005/04/25/44413.aspx#44780Wed, 27 Apr 2005 12:29:00 GMTd67277c4-116b-43f1-b688-e9ef184ea916:44780Steve DispensaTo try out this functionality yourself, simply call NtSetSystemInformation with the Information Class 69 (SystemApplyHotPatch). <br>You'll need a large undocumented structure, and a handle to a file contaninga a special hot patch PE section with special hot patch data. Once you have that, not only can you patch the data, but you can also install Rtl Debug Hooks which will hook everything you need and notify you. <br> <br>Best regards, <br>Alex Ionescu<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=44780" width="1" height="1">