Branch tracing and LBR access from user-mode in Windows.
Nick (everdox) <everdoxgmailcom> Wednesday, March 6 2013 10:48.32 CST


This article is an in-depth explanation of leveraging access to the DEBUG_CTL MSRs from user-mode and how Windows provides access to LBRs in its ExceptionInformation[] structure.

The article goes on to explain a quick trick I discovered where the last branch can be located when a caller nukes its call stack prior to a branch.

The article also explains how the features can be used to detect whether or not the program runs under the control of certain hypervisors.

The in-depth article can be found here: http://www.codeproject.com/Articles/517466/Last-branch-records-and-branch-tracing

An older article not by me discussing these features can also be found here: http://www.openrce.org/blog/view/535/Branch_Tracing_with_Intel_MSR_Registers
