Identifying System Behavior
Intercepting Exceptions, Interrupts, and MSRs
To identify system behavior, this example relies on three factors. The first is intercepting the first 32 entries of the IDT (Interrupt Descriptor Table), which is done with the !exception command.
For instance, we might want to break on a division-by-zero exception in the process with id 0x490.
To monitor external interrupts (IDT entries 0x21 through 0xff), we use the !interrupt command.
Imagine we want to break on IDT entry 0x25.
The last factor is system-wide monitoring of RDMSR and WRMSR execution, using the !msrread and !msrwrite commands.
For example, MSR 0xc0000082 (LSTAR) is one of the MSRs commonly abused by malware and rootkits, since it holds the kernel's SYSCALL entry point.
We might want to break on every RDMSR of MSR 0xc0000082, or on every WRMSR to it.
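The three factors above, typed into the HyperDbg command line, as an added example that is not part of the original page. It assumes HyperDbg's documented syntax for these commands (an IDT index as the first argument, a pid filter for !exception, and an MSR number for !msrread and !msrwrite) and that numbers are interpreted as hexadecimal, so the 0x prefix is optional; the pid 0x490 and the entry 0x25 are the values from the text, not real measurements.

```text
!exception 0 pid 0x490
!interrupt 0x25
!msrread 0xc0000082
!msrwrite 0xc0000082
```

The first line breaks whenever IDT entry 0 (#DE, division by zero) fires in process 0x490; the second breaks on every delivery of external interrupt vector 0x25 on any core; the last two break on any read of or write to LSTAR system-wide. For detection work the WRMSR hook is the interesting one: a legitimate kernel writes LSTAR once at boot, so a write to 0xc0000082 after the system is up is worth inspecting, since it is the point at which a rootkit would redirect the SYSCALL path.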