search
DownloadResearchTutorialhwdbg
githubEdit

wrmsr (write model-specific register)

Description of the 'wrmsr' command in HyperDbg.

hashtag
Command

wrmsr

hashtag
Syntax

wrmsr [Msr (hex)] [Value (hex)] [core CoreNumber (hex)]

hashtag
Description

Write on the model-specific register using 'wrmsr' instruction.

hashtag
Parameters

[Msr (hex)]

The index of MSR (ECX Register for 'wrmsr' instruction).

[Value (hex)]

The value to write on MSR (EDX:EAX for 'wrmsr' instruction).

[core CoreNumber (hex)] (optional)

The core that we want to write the MSR on it.

circle-check

If you don't specify the 'core' by default, it will be applied to all the cores.

hashtag
Examples

The following command shows how we can change the MSR register c0000082 to fffff807`73553180 using wrmsr command.

The following command shows how we can change the MSR register c0000082 to the result of evaluating nt!ExAllocatePoolWithTag+10 using wrmsr command.

The following command shows how we can change the MSR register c0000082 to fffff807`73553180 using wrmsr command for core 2.

hashtag
IOCTL

This function works by calling DeviceIoControl with IOCTL = IOCTL_DEBUGGER_READ_OR_WRITE_MSR, you have to send it in the following structure.

Where Msr is ecx value for 'rdmsr' or 'wrmsr' instruction, CoreNumber is the target core that you want to read or write on it and ActionType shows whether it's an 'rdmsr' or 'wrmsr'.

circle-info

If you want to execute 'wrmsr' or 'rdmsr', you should set CoreNumber to DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES.

hashtag
Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

hashtag
Requirements

None

hashtag
Related

rdmsr (read model-specific register)arrow-up-right

Previousrdmsr (read model-specific register)Nextflush (remove pending kernel buffers and messages)

Last updated