HyperDbg Documentation
HyperDbgResearchDownloadSource code
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
Meta Commands
Extension Commands
!pte (display page-level address and entries)
!db, !dc, !dd, !dq (read physical memory)
!eb, !ed, !eq (edit physical memory)
!sb, !sd, !sq (search physical memory)
!u, !u2 (disassemble physical address)
!dt (display and map physical memory to structures)
!epthook (hidden hook with EPT - stealth breakpoints)
!epthook2 (hidden hook with EPT - detours)
!monitor (monitor read/write to a page)
!syscall, !syscall2 (hook system-calls)
!sysret, !sysret2 (hook SYSRET instruction execution)
!cpuid (hook CPUID instruction execution)
!msrread (hook RDMSR instruction execution)
!msrwrite (hook WRMSR instruction execution)
!tsc (hook RDTSC/RDTSCP instruction execution)
!pmc (hook RDPMC instruction execution)
!vmcall (hook hypercalls)
!exception (hook first 32 entries of IDT)
!interrupt (hook external device interrupts)
!dr (hook access to debug registers)
!ioin (hook IN instruction execution)
!ioout (hook OUT instruction execution)
!hide (enable transparent-mode)
!unhide (disable transparent-mode)
!measure (measuring and providing details for transparent-mode)
!va2pa (convert a virtual address to physical address)
!pa2va (convert physical address to virtual address)
Scripting Language
Commands Map
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
!msrread (hook RDMSR instruction execution)
Description of the '!msrread' command in HyperDbg.

Command

!msrread

Syntax

!msrread [Msr (hex)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [condition { Condition (hex) }] [code { Code (hex) }]

Description

Triggers when the debugging machine executes an RDMSR instruction or, in other words, when Windows or a driver tries to read a Model-Specific Register (MSR).

Parameters

[Msr (hex)]
Trigger in the case of a special Model-Specific Register (MSR). If you don't specify this parameter, then it will be triggered for all RDMSR executions.
Generally, it's not a good practice to intercept all the MSR Reads (RDMSR) or MSR Writes (WRMSRs) because it makes your system substantially slower and undefined behavior in some cases. By the way, HyperDbg supports intercepting all the MSRs. If you don't specify any parameters to intercept all the MSRs, HyperDbg automatically IA32_KERNEL_GSBASE (0xC0000102), IA32_MPERF (0x000000e7) and IA32_APERF (0x000000e8).
If you explicitly specify these MSRs, you'll get the events for these MSRs like other regular MSRs but only use the '!msrread' on these MSRs when you know what you want to do.
[pid ProcessId (hex)] (optional)
Optional value to trigger the event in just a specific process. Add pid xx to your command; thus, the command will be executed if the process id is equal to xx. If you don't specify this option, then by default, you receive events on all processes.
Still, in the case of user-mode debugging, HyperDbg will apply it only to the current active debugging process (not all the processes). In that case, you can specify pid all to intercept events from the entire system.
[core CoreId (hex)] (optional)
Optional value to trigger the event in just a specific core. Add core xx to your command thus command will be executed if core id is equal to xx. If you don't specify this option, then by default, you receive events on all cores.
[imm IsImmediate (yesno)] (optional)
Optional value in which yes means the results (printed texts in scripts) should be delivered immediately to the debugger. no means that the results can be accumulated and delivered as a couple of messages when the buffer is full; thus, it's substantially faster, but it's not real-time. By default, this value is set to yes.
[buffer PreAllocatedBuffer (hex)] (optional)
Optional value which reserves a safe pre-allocated buffer to be accessed within the event codes.
[script { Script (string) }] (optional)
A HyperDbg script will be executed each time the event is triggered.
[condition { Condition (hex) }] (optional)
Optional hex assembly codes which check for conditions in assembly.
[code { Code (hex) }] (optional)
Optional hex assembly codes will be executed each time the event is triggered.

Context

As the Context ($context pseudo-register in the event's script, r8 in custom code, and rdx in condition code register) to the event trigger, HyperDbg sends the rcxregister of when RDMSR is executed.

Debugger

This event supports three debugging mechanisms.
  • Break
  • Script
  • Custom Code
Please read "How to create a condition?" if you need a conditional event, a conditional event can be used in all "Break", "Script", and "Custom Code".

Break

Imagine we want to break on all RDMSRs.
HyperDbg> !msrread
If we want to break on MSR 0xc0000082.
HyperDbg> !msrread 0xc0000082

Script

Using the following command, you can use HyperDbg's Script Engine. You should replace the string between braces (HyperDbg Script Here) with your script. You can find script examples here.
HyperDbg> !msrread 0xc0000082 script { HyperDbg Script Here }
The above command when messages don't need to be delivered immediately.
HyperDbg> !msrread 0xc0000082 script { HyperDbg Script Here } imm no
Script (From File)
If you saved your script into a file, then you can add file: instead of a script and append the file path to it. For example, the following examples show how you can run a script from file:c:\users\sina\desktop\script.txt.
HyperDbg> !msrread 0xc0000082 script {file:c:\users\sina\desktop\script.txt}
You can use event forwarding to forward the event monitoring results from this event and other events to an external source, e.g., File, NamedPipe, or TCP Socket. This way, you can use HyperDbg as a monitoring tool and gather your target system's behavior and use it later or analyze it on other systems.

Custom Code

Please read "How to create an action?" to get an idea about how to run the custom buffer code in HyperDbg.
Your custom code will be executed in vmx-root mode. Take a look at this topic for more information. Running code in vmx-root is considered "unsafe".
Run Custom Code (Unconditional)
Monitoring execution of RDMSR for MSR 0xc0000082 and run 3 nops whenever the event is triggered. Take a look at Run Custom Code for more information.
HyperDbg> !msrread 0xc0000082 code {90 90 90}
Run Custom Code (Conditional)
Monitoring execution of RDMSR for MSR 0xc0000082 and run 3 nops whenever the event condition is triggered and run 3 nops whenever the event is triggered. Take a look at Run Custom Code and how to create a condition for more information.
HyperDbg> !msrread 0xc0000082 code {90 90 90} condition {90 90 90}
Keep in mind that a conditional event can be used in Breaking to Debugger and Running Script too.

IOCTL

This command uses the same method to send IOCTL for regular events.
As EventType use RDMSR_INSTRUCTION_EXECUTION and send the special MSR rcx (if any) if you want to monitor just a special MSR in OptionalParam1 in DEBUGGER_GENERAL_EVENT_DETAIL.

Design

Both !msrread and !msrwrite use the vm-exits caused by setting bits in the MSR Bitmap field of the hypervisor VMCS.
For !msrread vm-exit with (EXIT_REASON_MSR_READ) or exit-reason 31 is used.
For !msrwrite vm-exit with (EXIT_REASON_MSR_WRITE) or exit-reason 32 is used.

Remarks

When you enable this event, only your specific MSR will be hooked, so this command won't trigger on all MSRs thus won't make your computer slow.
This is an event command, but in the current version of HyperDbg (in Debugger Mode), this command will continue the debuggee for some time; however, you can use this trick to make sure you won't lose any event.

Requirements

None
Previous
!cpuid (hook CPUID instruction execution)
Next
!msrwrite (hook WRMSR instruction execution)
Last modified 5mo ago
Copy link
Edit on GitHub
On this page
Command
Syntax
Description
Parameters
Context
Debugger
Custom Code
IOCTL
Design
Remarks
Requirements
Related