On 2013-02-07 17:00, Alessandro Pignotti wrote:
+    opcode=(unsigned char*)context->Eip;
+    if (*opcode==0x65 && /* GS segment instruction prefix */
+        context->SegGs!=ntdll_get_thread_data()->gs)
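Review bot: the test `if (*opcode==0x65 && ...` inspects only the single byte at `context->Eip`, so an instruction whose GS override is preceded by another legacy prefix (0x66 operand-size, 0x67 address-size, 0xF2/0xF3 repeat, 0xF0 lock) is not recognised; skip any leading prefix bytes, bounded by the 15-byte maximum instruction length, before comparing against 0x65. The dereference `*opcode` also reads `context->Eip` with no check that the address is readable, which matters when the fault being handled is itself a bad Eip.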

A segment-override prefix may be preceded by repeat or operand-size override prefixes. So an instruction that refers to the GS segment doesn't always start with 0x65.

--
Sergey
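To make the prefix-ordering point concrete, here is an added example (mine, not code from the Wine patch or from this thread) that contrasts a first-byte-only test with a check that walks the legacy prefix bytes before the opcode. The function names and the 14-byte prefix bound are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* x86 allows at most 15 bytes per instruction, so at most 14 prefix bytes
 * can precede the opcode; this bounds the scan (assumption of this example). */
#define MAX_PREFIX_BYTES 14

/* Legacy (one-byte) prefixes that may appear in any order before the opcode. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0xF0:                  /* LOCK */
    case 0xF2: case 0xF3:       /* REPNE / REP */
    case 0x66:                  /* operand-size override */
    case 0x67:                  /* address-size override */
    case 0x26: case 0x2E:       /* ES, CS segment overrides */
    case 0x36: case 0x3E:       /* SS, DS segment overrides */
    case 0x64: case 0x65:       /* FS, GS segment overrides */
        return 1;
    default:
        return 0;
    }
}

/* The check as written in the patch: only the first byte is examined. */
int first_byte_is_gs(const uint8_t *code, size_t len)
{
    return len > 0 && code[0] == 0x65;
}

/* Skip every legacy prefix and report whether 0x65 was among them.
 * `len` bounds the bytes that may be read; the caller must ensure they are
 * mapped, since the faulting Eip itself may be unreadable. */
int uses_gs_override(const uint8_t *code, size_t len)
{
    size_t i;
    for (i = 0; i < len && i < MAX_PREFIX_BYTES; i++) {
        if (!is_legacy_prefix(code[i]))
            return 0;           /* reached the opcode without seeing 0x65 */
        if (code[i] == 0x65)
            return 1;
    }
    return 0;
}
```

Constructed inputs such as `66 65 8B 00` (mov ax, gs:[eax]) and `F3 65 A5` (rep movsd from gs:) are the cases where the two checks disagree.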