Created: Wednesday, March 6 2013 10:48.32 CST  
Branch tracing and LBR access from user-mode in Windows
Author: everdox # Views: 11199

This article is an in-depth explanation of leveraging access to the debug_ctl MSRs from user-mode and of how Windows provides access to LBRs in its ExceptionInformation[] structure.

The article goes on to explain a quick trick I discovered where the last branch can be located when a caller nukes its call stack prior to a branch.

The article also explains how the features can be used to detect whether or not the program runs under the control of certain hypervisors.

The in-depth article can be found here: http://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing

An older article, not by me, discussing these features can also be found here: http://www.openrce.org/blog/view/535/Branch_Tracing_with_Intel_MSR_Registers
