HyperDbg Debugger
Last Branch Record (LBR) tracing implementation for HyperTrace module. More...
#include "pch.h"

Functions

BOOLEAN LbrCheckAndReadArchitecturalLbrDetails ()
    Check if the current CPU supports architectural LBR.
BOOLEAN LbrCheckAndReadLegacyLbrDetails ()
    Check if the current CPU supports LBR by examining the CPU family and model and looking up the corresponding LBR capacity.
VOID LbrAdjustArchBasedFilteringCompatibility (IA32_LBR_CTL_REGISTER *Ia32LbrCtl)
    Check and adjust compatibility of LBR filterings for ARCH based LBR.
VOID LbrBuildArchBasedFilterOptions (UINT64 FilterOptions, IA32_LBR_CTL_REGISTER *Ia32LbrCtl)
    Convert a filter options bitmask into IA32_LBR_CTL format for architectural LBR.
VOID LbrSetLbrSelectFilter (UINT64 FilterOptions)
    Set the LBR select filter MSR (MSR_LEGACY_LBR_SELECT) for legacy LBR, dispatching via VMCALL when in VMX non-root mode.
VOID LbrClearHardwareState ()
    Zero out the LBR hardware state (TOS and all from/to MSR pairs).
VOID LbrEnableArchBased (IA32_LBR_CTL_REGISTER *Ia32LbrCtl)
    Enable LBR collection on architectural (ARCH) based LBR.
VOID LbrEnableLegacyBased (ULONGLONG *DbgCtlMsr)
    Enable LBR collection on legacy based LBR.
VOID LbrStartOnNativeMode (IA32_LBR_CTL_REGISTER Ia32LbrCtl)
    Start LBR collection when running natively (outside any hypervisor environment).
VOID LbrGetValuesOnVmxRootMode (ULONGLONG *DbgCtlMsr, IA32_LBR_CTL_REGISTER *Ia32LbrCtl)
    Read current LBR control register values while in VMX root-mode.
VOID LbrGetValuesOnVmxNonRootMode (ULONGLONG *DbgCtlMsr, IA32_LBR_CTL_REGISTER *Ia32LbrCtl)
    Read current LBR control register values while in VMX non-root mode (via VMCALL).
VOID LbrDisableArchBased (IA32_LBR_CTL_REGISTER *Ia32LbrCtl)
    Disable LBR collection on architectural (ARCH) based LBR.
VOID LbrDisableLegacyBased (ULONGLONG *DbgCtlMsr)
    Disable LBR collection on legacy based LBR.
VOID LbrSetValuesOnVmxRootMode (ULONGLONG DbgCtlMsr, IA32_LBR_CTL_REGISTER Ia32LbrCtl)
    Write back modified LBR control register values while in VMX root-mode.
VOID LbrSetValuesOnVmxNonRootMode (ULONGLONG DbgCtlMsr, IA32_LBR_CTL_REGISTER Ia32LbrCtl)
    Write back modified LBR control register values while in VMX non-root mode (via VMCALL).
VOID LbrStopOnNativeMode ()
    Stop LBR collection when running natively (outside any hypervisor environment).
VOID LbrResetArchControlOnVmxRootMode ()
    Zero the ARCH LBR control register while in VMX root-mode.
VOID LbrResetArchControlOnVmxNonRootMode ()
    Zero the ARCH LBR control register while in VMX non-root mode (via VMCALL).
VOID LbrResetControlRegisters ()
    Reset the LBR control registers to zero, covering both ARCH and legacy LBR across all execution environments (native, VMX root-mode, VMX non-root mode).
VOID LbrAdjustFilterOptionsForCallStack (UINT64 *FilterOptions)
    Adjust filter options for call stack.
VOID LbrAdjustFilterOptions (UINT64 FilterOptions, IA32_LBR_CTL_REGISTER *Ia32LbrCtl)
    Adjust filter options.
BOOLEAN LbrCheckArchBased (IA32_LBR_CTL_REGISTER Ia32LbrCtl)
    Check if architectural LBR is enabled based on the IA32_LBR_CTL register value.
BOOLEAN LbrCheckLegacyBased (ULONGLONG DbgCtlMsr)
    Check if legacy LBR is enabled based on the IA32_DEBUGCTL MSR value.
BOOLEAN LbrCheckOnVmxRootMode ()
    Check if LBR is enabled while in VMX root-mode.
BOOLEAN LbrCheckOnNativeOrVmxNonRootMode ()
    Check if LBR is enabled while in native mode or VMX non-root mode.
BOOLEAN LbrCheck ()
    Check if LBR is enabled or not.
BOOLEAN LbrStart (UINT64 FilterOptions)
    Start collecting LBR branches.
VOID LbrStop ()
    Stop collecting LBR branches.
VOID LbrFlush ()
    Flush LBR MSRs by disabling LBR and clearing all LBR entries.
VOID LbrFilter (UINT64 FilterOptions)
    Filter LBR branches based on the provided options.
VOID LbrSave ()
    Save LBR branches.
VOID LbrGetArchBranchType (UINT32 BrType, CHAR *BrTypeName)
    Get the branch type name based on the LBR branch type value (only applicable for architectural LBR).
VOID LbrPrint ()
    Print collected LBR branches.

Variables

CPU_LBR_MAP CPU_LBR_MAPS []
    The global variable to hold the mapping of CPU model to its LBR capacity.
Last Branch Record (LBR) tracing implementation for HyperTrace module.
Modified from the LIBIHT project (Thomason Zhao et al.) with Windows-style updates.
| VOID LbrAdjustArchBasedFilteringCompatibility | ( | IA32_LBR_CTL_REGISTER * | Ia32LbrCtl | ) |
Check and adjust compatibility of LBR filterings for ARCH based LBR.
| VOID LbrAdjustFilterOptions | ( | UINT64 | FilterOptions, |
| IA32_LBR_CTL_REGISTER * | Ia32LbrCtl ) |
Adjust the filter options to the current CPU's capabilities and populate Ia32LbrCtl accordingly.
| FilterOptions | A bitmask of filter options |
| Ia32LbrCtl | Pointer to the IA32_LBR_CTL_REGISTER to adjust based on the filter options and CPU capabilities |
| VOID LbrAdjustFilterOptionsForCallStack | ( | UINT64 * | FilterOptions | ) |
Adjust the filter options for call-stack mode (the FilterOptions bitmask is updated in place).
| FilterOptions | A bitmask of filter options |
| VOID LbrBuildArchBasedFilterOptions | ( | UINT64 | FilterOptions, |
| IA32_LBR_CTL_REGISTER * | Ia32LbrCtl ) |
Convert a filter options bitmask into IA32_LBR_CTL format for architectural LBR.
| FilterOptions | A bitmask of filter options (e.g., LBR_KERNEL, LBR_USER, LBR_JCC, etc.) |
| Ia32LbrCtl | Pointer to the IA32_LBR_CTL_REGISTER to populate with the converted filter bits |
| BOOLEAN LbrCheck | ( | ) |
Check if LBR is enabled or not.
| BOOLEAN LbrCheckAndReadArchitecturalLbrDetails | ( | ) |
Check if the current CPU supports architectural LBR.
| BOOLEAN LbrCheckAndReadLegacyLbrDetails | ( | ) |
Check if the current CPU supports LBR by examining the CPU family and model and looking up the corresponding LBR capacity.
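As an added illustration (example code, not HyperDbg's or LIBIHT's), here is the CPUID side of what LbrCheckAndReadArchitecturalLbrDetails has to establish before touching any LBR MSR: the feature bit in CPUID.(EAX=07H,ECX=0):EDX[19], and the depth, filtering and INFO-field capabilities in CPUID leaf 1CH. The bit positions follow the Intel SDM; the struct, the function names and the constructed register values used for testing are this example's own, and the legacy family/model table (CPU_LBR_MAPS) is not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bits advertised for architectural LBR. Layouts are the Intel
 * SDM's (CPUID.(EAX=07H,ECX=0):EDX[19] and CPUID leaf 1CH); the struct and
 * the function names are this example's own, not HyperDbg's. */
typedef struct {
    bool    supported;     /* 07H:EDX[19]: architectural LBR present             */
    uint8_t depth_mask;    /* 1CH:EAX[7:0]: bit n set => depth 8*(n+1) is valid   */
    bool    deep_c_reset;  /* 1CH:EAX[30]: LBRs may be cleared by deep C-states   */
    bool    ip_is_lip;     /* 1CH:EAX[31]: FROM/TO hold linear, not effective, IPs */
    bool    cpl_filter;    /* 1CH:EBX[0]: OS/USR bits of IA32_LBR_CTL honoured     */
    bool    branch_filter; /* 1CH:EBX[1]: branch-type bits of IA32_LBR_CTL honoured */
    bool    call_stack;    /* 1CH:EBX[2]: call-stack mode available               */
    bool    mispred;       /* 1CH:ECX[0]: MISPRED bit of IA32_LBR_x_INFO valid     */
    bool    timed_lbr;     /* 1CH:ECX[1]: CYC_CNT field of IA32_LBR_x_INFO valid   */
    bool    br_type;       /* 1CH:ECX[2]: BR_TYPE field of IA32_LBR_x_INFO valid   */
} arch_lbr_caps;

/* Decodes raw register values so the logic runs anywhere; on real hardware
 * the four arguments come from executing CPUID (see main below). */
arch_lbr_caps arch_lbr_decode(uint32_t leaf7_edx, uint32_t l1c_eax,
                              uint32_t l1c_ebx, uint32_t l1c_ecx)
{
    arch_lbr_caps c = {0};
    c.supported = (leaf7_edx >> 19) & 1u;
    if (!c.supported)            /* leaf 1CH is meaningless without the feature bit */
        return c;
    c.depth_mask    = (uint8_t)(l1c_eax & 0xffu);
    c.deep_c_reset  = (l1c_eax >> 30) & 1u;
    c.ip_is_lip     = (l1c_eax >> 31) & 1u;
    c.cpl_filter    =  l1c_ebx        & 1u;
    c.branch_filter = (l1c_ebx >> 1)  & 1u;
    c.call_stack    = (l1c_ebx >> 2)  & 1u;
    c.mispred       =  l1c_ecx        & 1u;
    c.timed_lbr     = (l1c_ecx >> 1)  & 1u;
    c.br_type       = (l1c_ecx >> 2)  & 1u;
    return c;
}

/* Largest depth the CPU will accept in IA32_LBR_DEPTH (0 if unsupported). */
unsigned arch_lbr_max_depth(arch_lbr_caps c)
{
    unsigned depth = 0;
    for (unsigned n = 0; n < 8; n++)
        if (c.depth_mask & (1u << n))
            depth = 8u * (n + 1);
    return depth;
}

/* True only for depths the CPU lists; writing any other value to
 * IA32_LBR_DEPTH is rejected with #GP, so check before the WRMSR. */
bool arch_lbr_depth_ok(arch_lbr_caps c, unsigned depth)
{
    if (!c.supported || depth == 0 || depth % 8 != 0 || depth > 64)
        return false;
    return (c.depth_mask >> (depth / 8 - 1)) & 1u;
}

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
/* Live query on an x86 build: leaf 7 subleaf 0, then leaf 1CH subleaf 0. */
int main(void)
{
    unsigned a = 0, b = 0, cx = 0, d = 0;
    __get_cpuid_count(7, 0, &a, &b, &cx, &d);
    unsigned leaf7_edx = d;
    a = b = cx = d = 0;
    __get_cpuid_count(0x1c, 0, &a, &b, &cx, &d);
    arch_lbr_caps c = arch_lbr_decode(leaf7_edx, a, b, cx);
    printf("arch LBR: %s, max depth %u, call-stack %d, br_type %d\n",
           c.supported ? "yes" : "no", arch_lbr_max_depth(c), c.call_stack, c.br_type);
    return 0;
}
#endif
```

Decoding from raw register values keeps the check testable away from the target machine; the optional main reads live CPUID through the compiler's cpuid.h on x86 builds. Two caveats a practitioner wants before the WRMSR: only depths listed in EAX[7:0] are accepted by IA32_LBR_DEPTH, and if a hypervisor filters the guest's CPUID the feature bit reads 0 even on capable silicon, so the check has to run in the same environment that will program the MSRs.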
| BOOLEAN LbrCheckArchBased | ( | IA32_LBR_CTL_REGISTER | Ia32LbrCtl | ) |
Check if architectural LBR is enabled based on the IA32_LBR_CTL register value (the LBREn bit).
| BOOLEAN LbrCheckLegacyBased | ( | ULONGLONG | DbgCtlMsr | ) |
Check if legacy LBR is enabled based on the IA32_DEBUGCTL MSR value (the LBR flag).
| BOOLEAN LbrCheckOnNativeOrVmxNonRootMode | ( | ) |
Check if LBR is enabled while in native mode or VMX non-root mode.
| BOOLEAN LbrCheckOnVmxRootMode | ( | ) |
Check if LBR is enabled while in VMX root-mode.
| VOID LbrClearHardwareState | ( | ) |
Zero out the LBR hardware state (TOS and all from/to MSR pairs).
For architectural LBR the TOS index is not maintained by software and the CPU shifts entries automatically, so MSR_LBR_TOS is skipped in that case.
| VOID LbrDisableArchBased | ( | IA32_LBR_CTL_REGISTER * | Ia32LbrCtl | ) |
Disable LBR collection on architectural (ARCH) based LBR.
| Ia32LbrCtl | Pointer to the IA32_LBR_CTL_REGISTER whose LBREn bit will be cleared |
| VOID LbrDisableLegacyBased | ( | ULONGLONG * | DbgCtlMsr | ) |
Disable LBR collection on legacy based LBR.
| DbgCtlMsr | Pointer to the IA32_DEBUGCTL MSR value whose LBR flag will be cleared |
| VOID LbrEnableArchBased | ( | IA32_LBR_CTL_REGISTER * | Ia32LbrCtl | ) |
Enable LBR collection on architectural (ARCH) based LBR.
| Ia32LbrCtl | Pointer to the IA32_LBR_CTL_REGISTER whose LBREn bit will be set |
| VOID LbrEnableLegacyBased | ( | ULONGLONG * | DbgCtlMsr | ) |
Enable LBR collection on legacy based LBR.
| DbgCtlMsr | Pointer to the IA32_DEBUGCTL MSR value to be modified |
| VOID LbrFilter | ( | UINT64 | FilterOptions | ) |
Filter LBR branches based on the provided options.
| FilterOptions | A bitmask of filter options to apply to the LBR branches |
| VOID LbrFlush | ( | ) |
Flush LBR MSRs by disabling LBR and clearing all LBR entries.
| VOID LbrGetArchBranchType | ( | UINT32 | BrType, |
| CHAR * | BrTypeName ) |
Get the branch type name based on the LBR branch type value (only applicable for architectural LBR).
Note: this function is also implemented in user mode.
| BrType | The raw branch type value from the LBR info MSR |
| BrTypeName | A character buffer to receive the branch type name string |
| VOID LbrGetValuesOnVmxNonRootMode | ( | ULONGLONG * | DbgCtlMsr, |
| IA32_LBR_CTL_REGISTER * | Ia32LbrCtl ) |
Read current LBR control register values while in VMX non-root mode (via VMCALL).
| DbgCtlMsr | Pointer to receive the IA32_DEBUGCTL MSR value (legacy LBR) |
| Ia32LbrCtl | Pointer to receive the IA32_LBR_CTL register value (arch LBR) |
| VOID LbrGetValuesOnVmxRootMode | ( | ULONGLONG * | DbgCtlMsr, |
| IA32_LBR_CTL_REGISTER * | Ia32LbrCtl ) |
Read current LBR control register values while in VMX root-mode.
| DbgCtlMsr | Pointer to receive the IA32_DEBUGCTL MSR value (legacy LBR) |
| Ia32LbrCtl | Pointer to receive the IA32_LBR_CTL register value (arch LBR) |
| VOID LbrPrint | ( | ) |
Print collected LBR branches.
| VOID LbrResetArchControlOnVmxNonRootMode | ( | ) |
Zero the ARCH LBR control register while in VMX non-root mode (via VMCALL).
Setting IA32_LBR_CTL to 0 simultaneously clears all filter bits and disables collection (LBREn = 0), which is the correct flush state.
| VOID LbrResetArchControlOnVmxRootMode | ( | ) |
Zero the ARCH LBR control register while in VMX root-mode.
Setting IA32_LBR_CTL to 0 simultaneously clears all filter bits and disables collection (LBREn = 0), which is the correct flush state.
| VOID LbrResetControlRegisters | ( | ) |
Reset the LBR control registers to zero, covering both ARCH and legacy LBR across all execution environments (native, VMX root-mode, VMX non-root mode).
For architectural LBR, IA32_LBR_CTL is zeroed entirely (clearing filter bits and disabling collection in one write). For legacy LBR, MSR_LEGACY_LBR_SELECT is zeroed to reset the branch filter to its default capture-all state. Note: Even though MSR_LEGACY_LBR_SELECT is a plain MSR (not a VMCS field), it must be written from VMX-root mode for the change to take effect.
| VOID LbrSave | ( | ) |
Save LBR branches.
| VOID LbrSetLbrSelectFilter | ( | UINT64 | FilterOptions | ) |
Set the LBR select filter MSR (MSR_LEGACY_LBR_SELECT) for legacy LBR, dispatching via VMCALL when in VMX non-root mode.
This function is only relevant for legacy LBR. Architectural LBR encodes filter options directly in IA32_LBR_CTL and does not use MSR_LEGACY_LBR_SELECT. Note: Even though MSR_LEGACY_LBR_SELECT is a plain MSR (not a VMCS field), it must be set from VMX-root mode for the LBR MSRs to work correctly.
| FilterOptions | The raw filter options bitmask to write into MSR_LEGACY_LBR_SELECT |
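The following added example (not HyperDbg's code) shows the two encodings that LbrBuildArchBasedFilterOptions and LbrSetLbrSelectFilter produce from one filter bitmask, and the BR_TYPE decode that LbrGetArchBranchType performs on an IA32_LBR_x_INFO value. The MSR bit layouts are the Intel SDM's; the LBR_* flag names and values and the function names are this example's own assumptions, since the page does not give HyperDbg's values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical hypervisor-neutral filter flags: this example's own names and
 * values (the page's LBR_KERNEL/LBR_USER/LBR_JCC values are not given). */
#define LBR_KERNEL     (1u << 0)  /* branches taken at CPL 0 */
#define LBR_USER       (1u << 1)  /* branches taken at CPL > 0 */
#define LBR_JCC        (1u << 2)  /* conditional branches */
#define LBR_REL_JMP    (1u << 3)
#define LBR_IND_JMP    (1u << 4)
#define LBR_REL_CALL   (1u << 5)
#define LBR_IND_CALL   (1u << 6)
#define LBR_RET        (1u << 7)
#define LBR_FAR        (1u << 8)  /* far branches: OTHER_BRANCH on arch LBR */
#define LBR_CALL_STACK (1u << 9)

/* IA32_LBR_CTL (MSR 14CEH): every bit means "record this" (Intel SDM). */
#define ARCH_LBR_CTL_LBREN        (1ull << 0)
#define ARCH_LBR_CTL_OS           (1ull << 1)
#define ARCH_LBR_CTL_USR          (1ull << 2)
#define ARCH_LBR_CTL_CALL_STACK   (1ull << 3)
#define ARCH_LBR_CTL_FILTER_SHIFT 16 /* bits 16..22: COND, REL_JMP, IND_JMP, REL_CALL, IND_CALL, RET, OTHER */

/* MSR_LBR_SELECT (1C8H), legacy LBR. Bits 0..8 are SUPPRESS bits: a set bit
 * stops that class from being recorded, the opposite polarity of
 * IA32_LBR_CTL. Bit 9 (EN_CALLSTACK) is positive. */
#define LBR_SEL_CPL_EQ_0      (1ull << 0)
#define LBR_SEL_CPL_NEQ_0     (1ull << 1)
#define LBR_SEL_JCC           (1ull << 2)
#define LBR_SEL_NEAR_REL_CALL (1ull << 3)
#define LBR_SEL_NEAR_IND_CALL (1ull << 4)
#define LBR_SEL_NEAR_RET      (1ull << 5)
#define LBR_SEL_NEAR_IND_JMP  (1ull << 6)
#define LBR_SEL_NEAR_REL_JMP  (1ull << 7)
#define LBR_SEL_FAR_BRANCH    (1ull << 8)
#define LBR_SEL_EN_CALLSTACK  (1ull << 9)
#define LBR_SEL_SUPPRESS_ALL  0x1ffull

/* Arch LBR: filter flags -> IA32_LBR_CTL value; enable also sets LBREn. */
uint64_t build_arch_lbr_ctl(uint32_t f, bool enable)
{
    uint64_t ctl = 0;
    if (enable)             ctl |= ARCH_LBR_CTL_LBREN;
    if (f & LBR_KERNEL)     ctl |= ARCH_LBR_CTL_OS;
    if (f & LBR_USER)       ctl |= ARCH_LBR_CTL_USR;
    if (f & LBR_CALL_STACK) ctl |= ARCH_LBR_CTL_CALL_STACK;
    if (f & LBR_JCC)        ctl |= 1ull << (ARCH_LBR_CTL_FILTER_SHIFT + 0);
    if (f & LBR_REL_JMP)    ctl |= 1ull << (ARCH_LBR_CTL_FILTER_SHIFT + 1);
    if (f & LBR_IND_JMP)    ctl |= 1ull << (ARCH_LBR_CTL_FILTER_SHIFT + 2);
    if (f & LBR_REL_CALL)   ctl |= 1ull << (ARCH_LBR_CTL_FILTER_SHIFT + 3);
    if (f & LBR_IND_CALL)   ctl |= 1ull << (ARCH_LBR_CTL_FILTER_SHIFT + 4);
    if (f & LBR_RET)        ctl |= 1ull << (ARCH_LBR_CTL_FILTER_SHIFT + 5);
    if (f & LBR_FAR)        ctl |= 1ull << (ARCH_LBR_CTL_FILTER_SHIFT + 6);
    return ctl;
}

/* Legacy LBR: the same flags -> MSR_LBR_SELECT. Start from "suppress every
 * class" and clear the suppress bit of each class the caller asked for. */
uint64_t build_legacy_lbr_select(uint32_t f)
{
    uint64_t sel = LBR_SEL_SUPPRESS_ALL;
    if (f & LBR_KERNEL)     sel &= ~LBR_SEL_CPL_EQ_0;
    if (f & LBR_USER)       sel &= ~LBR_SEL_CPL_NEQ_0;
    if (f & LBR_JCC)        sel &= ~LBR_SEL_JCC;
    if (f & LBR_REL_CALL)   sel &= ~LBR_SEL_NEAR_REL_CALL;
    if (f & LBR_IND_CALL)   sel &= ~LBR_SEL_NEAR_IND_CALL;
    if (f & LBR_RET)        sel &= ~LBR_SEL_NEAR_RET;
    if (f & LBR_IND_JMP)    sel &= ~LBR_SEL_NEAR_IND_JMP;
    if (f & LBR_REL_JMP)    sel &= ~LBR_SEL_NEAR_REL_JMP;
    if (f & LBR_FAR)        sel &= ~LBR_SEL_FAR_BRANCH;
    if (f & LBR_CALL_STACK) sel |= LBR_SEL_EN_CALLSTACK;
    return sel;
}

/* IA32_LBR_x_INFO (arch LBR): BR_TYPE is bits 59:56, MISPRED is bit 63.
 * Note the BR_TYPE numbering is NOT the order of the IA32_LBR_CTL filter bits. */
const char *arch_lbr_branch_type_name(uint64_t info)
{
    static const char *const names[] = {
        "COND", "NEAR_IND_JMP", "NEAR_REL_JMP", "NEAR_IND_CALL",
        "NEAR_REL_CALL", "NEAR_RET", "OTHER_BRANCH",
    };
    unsigned t = (unsigned)((info >> 56) & 0xfu);
    return t < sizeof names / sizeof names[0] ? names[t] : "RESERVED";
}

bool arch_lbr_mispredicted(uint64_t info) { return (info >> 63) & 1u; }
```

The point worth checking here is the polarity: MSR_LBR_SELECT bits 0..8 are suppress bits (set = do not record), the opposite of IA32_LBR_CTL, which is why the legacy builder starts from 0x1FF and clears, and why zeroing MSR_LBR_SELECT, as LbrResetControlRegisters does, means capture-all rather than capture-nothing. The BR_TYPE field of IA32_LBR_x_INFO also numbers the branch classes differently from the IA32_LBR_CTL filter bits, so a decoder cannot reuse the filter-bit index.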
| VOID LbrSetValuesOnVmxNonRootMode | ( | ULONGLONG | DbgCtlMsr, |
| IA32_LBR_CTL_REGISTER | Ia32LbrCtl ) |
Write back modified LBR control register values while in VMX non-root mode (via VMCALL).
| DbgCtlMsr | The updated IA32_DEBUGCTL MSR value to apply (legacy LBR) |
| Ia32LbrCtl | The updated IA32_LBR_CTL register value to apply (arch LBR) |
| VOID LbrSetValuesOnVmxRootMode | ( | ULONGLONG | DbgCtlMsr, |
| IA32_LBR_CTL_REGISTER | Ia32LbrCtl ) |
Write back modified LBR control register values while in VMX root-mode.
| DbgCtlMsr | The updated IA32_DEBUGCTL MSR value to apply (legacy LBR) |
| Ia32LbrCtl | The updated IA32_LBR_CTL register value to apply (arch LBR) |
| BOOLEAN LbrStart | ( | UINT64 | FilterOptions | ) |
Start collecting LBR branches.
| FilterOptions | A bitmask of filter options to apply to the LBR branches (e.g., filtering by branch type, privilege level, etc.) |
| VOID LbrStartOnNativeMode | ( | IA32_LBR_CTL_REGISTER | Ia32LbrCtl | ) |
Start LBR collection when running natively (outside any hypervisor environment).
| Ia32LbrCtl | The pre-built IA32_LBR_CTL_REGISTER value carrying the filter bits (arch LBR) |
| VOID LbrStop | ( | ) |
Stop collecting LBR branches.
| VOID LbrStopOnNativeMode | ( | ) |
Stop LBR collection when running natively (outside any hypervisor environment).
| CPU_LBR_MAP CPU_LBR_MAPS[] |
The global variable to hold the mapping of CPU model to its LBR capacity.