Tuesday, February 19, 2013

Branch tracing and LBRs

A few months ago I wrote an article on how Windows lets user-mode code enable the branch tracing and last branch record (LBR) features of the IA32_DEBUGCTL MSR. The article also explains how this can be used to catch the last branch into a function when the caller has wiped the call stack in an attempt to hide where the call originated.

The article then goes on to explain how the same method can be used for VM detection, because most hypervisors do not virtualize the LBR MSRs, so a guest that enables LBR does not see the records it would see on bare metal.

You can find the article here.

3 comments:

  1. Hi,

    I've read your article and I find it very interesting. I tried myself to write a small launcher to run a process and set bits 8 and 9 in DR7, but it does not seem to work. From your article it looks like you are testing on WinXP 32-bit, while my tests are on Windows 7 64-bit. Do you know if this feature does not work on 64-bit?
    Specifically, I create a process in debug mode + suspended, I get the context of the main thread, enable bits 8 and 9 in Dr7, enable EFlags.TF, set the thread context and then resume the thread. I have a debug loop that waits for debug events and traps all the single-step ones. Unfortunately, the single step works as normally expected, and EXCEPTION_RECORD->ExceptionInformation[0] in the single-step debug event always contains 0.

    As a further test, I tried doing:
    - Start process in debug + suspended
    - get thread context
    - enable bits 8 and 9 in Dr7
    - set thread context
    - get thread context again
    and now, after this second get, I see that only bit 8 was set (not 9).

    Do you know what could be the problem? Have you seen anything like this in your tests?

    Thank you! And well done for your blog, it's very interesting!

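The launcher the first comment describes, written out here as an added example (it is neither the article's code nor the commenter's): create the target suspended under the debugger, set DR7 bits 8 and 9 and EFlags.TF, read the context back to see which bits the kernel kept, resume, and print ExceptionInformation[0] on every single-step event. The helper names are this example's own. The example takes no position on whether a given Windows build honours the bits; running it is what shows that (the comment reports bit 9 dropped and a zero ExceptionInformation[0] on Windows 7 x64). The Win32 part is guarded by _WIN32 so the bit-level helpers compile anywhere.

```c
/* Added example, not the article's code: a launcher that applies DR7 bits 8/9
 * and TF to the target's main thread and dumps ExceptionInformation[0] on
 * each single-step event. Helper names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Intel SDM bit positions: DR7 bit 8 = LE, bit 9 = GE; EFLAGS bit 8 = TF. */
#define DR7_LE    ((uint64_t)1 << 8)
#define DR7_GE    ((uint64_t)1 << 9)
#define DR7_LE_GE (DR7_LE | DR7_GE)
#define EFLAGS_TF ((uint64_t)1 << 8)

/* DR7 with bits 8 and 9 set; every other field is left as the kernel had it. */
uint64_t dr7_request_branch_trace(uint64_t dr7) { return dr7 | DR7_LE_GE; }

/* EFLAGS with TF set, so the very next instruction raises #DB. */
uint64_t eflags_enable_tf(uint64_t eflags) { return eflags | EFLAGS_TF; }

/* The comment's second test: after SetThreadContext, read the context back
 * and report which of the requested bits the kernel dropped (0 = all kept). */
uint64_t dr7_dropped_bits(uint64_t requested, uint64_t readback) {
    return requested & ~readback & DR7_LE_GE;
}

/* A single-step event carries a usable branch record only if both bits
 * survived in DR7 and ExceptionInformation[0] is non-zero. */
int single_step_has_branch_record(uint64_t dr7_readback, uint64_t info0) {
    return (dr7_readback & DR7_LE_GE) == DR7_LE_GE && info0 != 0;
}

#ifdef _WIN32
#include <windows.h>

/* Apply DR7 bits 8/9 and TF to a thread; return the DR7 value read back. */
static uint64_t arm_thread(HANDLE thread) {
    CONTEXT ctx;                        /* winnt.h aligns CONTEXT to 16 on x64 */
    ZeroMemory(&ctx, sizeof ctx);
    ctx.ContextFlags = CONTEXT_CONTROL | CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return 0;
    ctx.Dr7    = dr7_request_branch_trace(ctx.Dr7);
    ctx.EFlags = (DWORD)eflags_enable_tf(ctx.EFlags);
    if (!SetThreadContext(thread, &ctx)) return 0;
    ctx.ContextFlags = CONTEXT_CONTROL | CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return 0;
    return ctx.Dr7;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <target.exe> [max_steps]\n", argv[0]); return 1; }
    int max_steps = argc > 2 ? atoi(argv[2]) : 20;

    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    if (!CreateProcessA(argv[1], NULL, NULL, NULL, FALSE,
                        DEBUG_ONLY_THIS_PROCESS | CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcess failed: %lu\n", GetLastError());
        return 1;
    }
    uint64_t dr7 = arm_thread(pi.hThread);
    printf("DR7 read back: 0x%llx, dropped bits: 0x%llx\n",
           (unsigned long long)dr7, (unsigned long long)dr7_dropped_bits(DR7_LE_GE, dr7));
    ResumeThread(pi.hThread);

    DEBUG_EVENT ev;
    int steps = 0;
    while (steps < max_steps && WaitForDebugEvent(&ev, INFINITE)) {
        DWORD status = DBG_CONTINUE;
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT) {
            const EXCEPTION_RECORD *er = &ev.u.Exception.ExceptionRecord;
            if (er->ExceptionCode == EXCEPTION_SINGLE_STEP) {
                uint64_t info0 = (uint64_t)er->ExceptionInformation[0];
                printf("step %d at %p  ExceptionInformation[0]=0x%llx  branch record: %s\n",
                       ++steps, er->ExceptionAddress, (unsigned long long)info0,
                       single_step_has_branch_record(dr7, info0) ? "yes" : "no");
                /* The CPU clears TF when #DB is delivered: re-arm for the next step. */
                if (ev.dwThreadId == pi.dwThreadId) dr7 = arm_thread(pi.hThread);
            } else if (er->ExceptionCode != EXCEPTION_BREAKPOINT) {
                status = DBG_EXCEPTION_NOT_HANDLED;   /* the target's own exceptions */
            }
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
    }
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#else
int main(void) {
    puts("The launcher needs Win32 (CreateProcess/WaitForDebugEvent); the helpers above are portable.");
    return 0;
}
#endif
```

Build it with the same bitness as the target (a 32-bit launcher for a 32-bit target, a 64-bit one for a 64-bit target) and run it as, for instance, `lbrtest.exe C:\Windows\System32\notepad.exe 20` (a constructed invocation). A non-zero "dropped bits" value, or "branch record: no" on every step, reproduces what the commenter saw; all bits kept and a non-zero ExceptionInformation[0] is the behaviour the article describes.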
  2. Hey Giulia,

    I'm trying to write a kind of debugger and I'm using the debug registers in order to do that.
    I have a problem with turning on the 8th bit in DR7 (from user mode) and I think that you had the same problem as me.
    I'm using a 64-bit computer too and I wondered if you've managed to solve it.

    Hope you can help,
    thanks in advance!

  3. This comment has been removed by the author.
