Prev: WTSGetActiveConsoleSessionId() on W2K
Next: ntoskrnl.exe!ExpInterlockedFlushSList stuck on VistaX64SP1
From: Coca on 18 Jul 2008 23:56 Hey all I've been digging into Windows internals a bit more lately and I've come across the following section of code a few times. push 0Ch push offset nt!ObWatchHandles+0x684 call nt!_SEH_prolog The first value pushed changes sometimes and seems to define the amount of stackspace reserved by _SEH_prolog. ObWatchHandles seems to be a table of some sort, but I'm not sure what of. The offset into the table changes depending on the function calling _SEH_prolog. Does anyone have any idea on this? Thanks in advance Coca |