Triggering Special Instructions
A description about hooking RDTSC, RDTSCP, I/O IN & OUT, RDPMC, etc.
Last updated
A description about hooking RDTSC, RDTSCP, I/O IN & OUT, RDPMC, etc.
Last updated
There are special instructions in x86 and AMD64 processors that might be configured to cause vm-exits when executed; thus, we can intercept them.
For example, we might be interested in the execution of I/O instructions (IN & OUT). We can monitor memory-mapped I/O using the command, but for I/O mapped devices, we can use and commands.
Do not try to monitor all I/O ports or the I/O port for the serial device connected to the debugger if you are operating on Debugger Mode.
Using these commands, we can monitor I/O ports. For examples, let say we want to monitor the I/O port 0x3f8 for INinstruction.
If we want to monitor port 0x3f8 for OUT instruction, we use the following command.
Let's intercept another instruction.
We know that CPUID is an important instruction that tries to get processor features to see if a processor supports a special feature or not.
For example, we want to intercept all the CPUIDs that a process with process ID 0x490 tries to execute.
You can also break on the execution of other instructions like:
RDTSC and RDTSCP using command
RDPMC using command
VMCALLs using command