Identifying System Behavior
Intercepting Exceptions, Interrupts, and MSRs
To identify system behavior in this example, we use three kinds of events. The first is intercepting the first 32 entries of the IDT (Interrupt Descriptor Table), which are the CPU exceptions; the !exception command is used for this purpose.
For instance, to break on division-by-zero (IDT entry 0x0) in the process with id 0x490 (HyperDbg interprets numbers as hexadecimal, so pid 490 means 0x490):
HyperDbg> !exception 0x0 pid 490
The second is intercepting other IDT entries with the !interrupt command. For example, to break on entry 0x25 of the IDT:
HyperDbg> !interrupt 0x25
The third is intercepting MSR (Model-Specific Register) accesses. For example, MSR 0xc0000082 (LSTAR), which holds the kernel entry address used by the SYSCALL instruction in 64-bit mode, is one of the MSRs commonly targeted by malware and rootkits.
To break on RDMSR of MSR 0xc0000082:
HyperDbg> !msrread 0xc0000082
To break on WRMSR to MSR 0xc0000082:
HyperDbg> !msrwrite 0xc0000082
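As an added example (not part of the original page), the same !msrwrite event can carry a script that logs who changes LSTAR instead of just breaking, which is how a defender would watch for SYSCALL-entry hooking. It assumes HyperDbg's script engine syntax: the script { } block, printf, and the @rip, @rax and @rdx register symbols; WRMSR takes its 64-bit value from EDX:EAX, so the new value is reassembled from those two registers.

```text
HyperDbg> !msrwrite 0xc0000082 script { printf("WRMSR LSTAR at rip=%llx, new value=%llx\n", @rip, (@rdx << 32) | @rax); }
HyperDbg> !msrread 0xc0000082 script { printf("RDMSR LSTAR at rip=%llx\n", @rip); }
```

A logged rip that falls outside the kernel image's own code, or a new value that differs from the original SYSCALL handler address recorded at boot, is the signal worth investigating.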