Subject: Re: wmf temporary fix
Date: Sat, 31 Dec 2005 17:10:28 -0800
From: Steve Gibson <news2005@grc.com>

[for the unabridged version, see "maloney" <this is not my real
email 633@gmail.com>'s post above]

> I have Windows Vista Beta 2 and the patch appears to be compatible.

Cool.

The way the patch works is that IF it sees that a system is at
least Windows 2000 or later, it looks at the function entrypoint
for GDI32's ESCAPE function. If it finds a sequence of bytes
that it can confidently understand (this is what Ilfak and I
expanded upon just a bit by teaching it about Windows 2000), it
then dynamically patches the front of GDI32's ESCAPE function
with a jump to its own replacement "stub" which simply checks to
see whether the ESCAPE function being called is "SetAbort" (sub
function number 9) and, if so, returns to the original caller.
For all other functions it emulates the replaced code then
returns to the ESCAPE function processing.

The point of what became an overly long explanation is that the
dynamic patcher will likely be able to run and fix any version
of GDI with recognizable GDI entrypoints. It knows about two
types right now, and it's moderately unlikely that the code will
be changing a lot among sub-versions.

> However if someone could post the link to the infected site
> I could verify that it is working on Vista. Make sure that you
> put danger beside the link or something. By the way excellent
> job on the fast response.

Time is everything on this. :)

--
________________________________________________________________
Steve.
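
The mechanism described in the message above, modeled as an added example; this is not the patch's code and not part of the original post. The prologue byte patterns, the addresses, the stub's return value of 0, and the simplified Escape signature (no HDC) are assumptions, and the "patch" is only planned into a buffer, never written to memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SETABORTPROC 9 /* Escape sub-function the post says the stub refuses */
#define JMP_LEN 5      /* x86 near jump: E9 + rel32 */

/* Assumed 32-bit x86 prologues for illustration; not the patch's own list. */
static const uint8_t KNOWN[2][JMP_LEN] = {
    {0x8B, 0xFF, 0x55, 0x8B, 0xEC}, /* mov edi,edi; push ebp; mov ebp,esp */
    {0x55, 0x8B, 0xEC, 0x51, 0x51}, /* push ebp; mov ebp,esp; push ecx; push ecx */
};

/* Plan the entry patch. Returns 0 and fills saved[]/jmp[] only when the entry
   bytes match a known prologue; returns -1 and writes nothing otherwise. */
int plan_patch(const uint8_t *entry, size_t len, uint32_t entry_va,
               uint32_t stub_va, uint8_t saved[JMP_LEN], uint8_t jmp[JMP_LEN])
{
    size_t i;
    if (len < JMP_LEN) return -1;
    for (i = 0; i < 2; i++)
        if (memcmp(entry, KNOWN[i], JMP_LEN) == 0) break;
    if (i == 2) return -1;                  /* unrecognized: leave it alone */
    memcpy(saved, entry, JMP_LEN);          /* code the stub must emulate */
    uint32_t rel = stub_va - (entry_va + JMP_LEN); /* from the next instruction */
    jmp[0] = 0xE9;
    for (i = 0; i < 4; i++) jmp[1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian */
    return 0;
}

typedef int (*escape_fn)(int nEscape, int cbIn, const char *in, void *out);
static int forwarded;                       /* counts calls that reach "GDI" */
static int fake_gdi_escape(int n, int cb, const char *in, void *out)
{ (void)cb; (void)in; (void)out; forwarded++; return n + 100; }
static escape_fn resume_escape = fake_gdi_escape; /* stands in for the real code */

/* Model of the stub: refuse SETABORTPROC, pass everything else through. */
int stub_escape(int nEscape, int cbIn, const char *in, void *out)
{
    if (nEscape == SETABORTPROC) return 0;  /* assumed return value */
    return resume_escape(nEscape, cbIn, in, out);
}

int main(void)
{
    uint8_t saved[JMP_LEN], jmp[JMP_LEN];   /* addresses below are constructed */
    int rc = plan_patch(KNOWN[0], JMP_LEN, 0x77F10000u, 0x10001000u, saved, jmp);
    printf("plan=%d opcode=%02X blocked=%d passed=%d\n", rc, jmp[0],
           stub_escape(SETABORTPROC, 0, NULL, NULL), stub_escape(1, 0, NULL, NULL));
    return 0;
}
```
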