HyperDbg Debugger
Loading...
Searching...
No Matches
LbrDefinitions.h File Reference

Last Branch Record (LBR) related data structures. More...

Go to the source code of this file.

Classes

union  MSR_LBR_INFO
struct  _LBR_BRANCH_ENTRY
 The structure to hold a single LBR entry (from and to addresses). More...
struct  _LBR_STACK_ENTRY
 The structure to hold the LBR stack for a single processor core, including the branch entries and the TOS index. More...

Macros

#define MSR_LEGACY_LBR_SELECT   0x000001C8
 MSR address of LBR_SELECT, which is used to configure the LBR filtering options.
#define MAXIMUM_LBR_CAPACITY   0x20
 Maximum LBR capacity that is supported by processors.
#define LBR_KERNEL_BIT   0 /* do not capture at ring0 */
#define LBR_USER_BIT   1 /* do not capture at ring > 0 */
#define LBR_JCC_BIT   2 /* do not capture conditional branches */
#define LBR_REL_CALL_BIT   3 /* do not capture relative calls */
#define LBR_IND_CALL_BIT   4 /* do not capture indirect calls */
#define LBR_RETURN_BIT   5 /* do not capture near returns */
#define LBR_IND_JMP_BIT   6 /* do not capture indirect jumps */
#define LBR_REL_JMP_BIT   7 /* do not capture relative jumps */
#define LBR_FAR_BIT   8 /* do not capture far branches */
#define LBR_CALL_STACK_BIT   9 /* enable call stack: not available on all CPUs */
#define LBR_KERNEL   (1 << LBR_KERNEL_BIT)
#define LBR_USER   (1 << LBR_USER_BIT)
#define LBR_JCC   (1 << LBR_JCC_BIT)
#define LBR_REL_CALL   (1 << LBR_REL_CALL_BIT)
#define LBR_IND_CALL   (1 << LBR_IND_CALL_BIT)
#define LBR_RETURN   (1 << LBR_RETURN_BIT)
#define LBR_IND_JMP   (1 << LBR_IND_JMP_BIT)
#define LBR_REL_JMP   (1 << LBR_REL_JMP_BIT)
#define LBR_FAR_OTHER_BRANCHES   (1 << LBR_FAR_BIT)
#define LBR_CALL_STACK   (1 << LBR_CALL_STACK_BIT)
#define LBR_CALL_STACK_BASE_FLAGS   (LBR_CALL_STACK | (LBR_JCC | LBR_IND_JMP | LBR_REL_JMP | LBR_FAR_OTHER_BRANCHES))
 For call-stack mode, only CALLs and RETs should be captured Capturing other branch types may lead to undefined behavior.
#define LBR_BR_TYPE_COND   0x0
 Branch Type Encodings (Only on Architectural LBR, not available in Legacy LBR).
#define LBR_BR_TYPE_JMP_INDIRECT   0x1
#define LBR_BR_TYPE_JMP_DIRECT   0x2
#define LBR_BR_TYPE_CALL_INDIRECT   0x3
#define LBR_BR_TYPE_CALL_DIRECT   0x4
#define LBR_BR_TYPE_RET   0x5
#define LBR_BR_TYPE_RESERVED_MIN   0x6 /* 011xb */
#define LBR_BR_TYPE_RESERVED_MAX   0x7 /* 011xb */
#define LBR_BR_TYPE_OTHER_MIN   0x8 /* 1xxxb */
#define LBR_BR_TYPE_OTHER_MAX   0xF /* 1xxxb */
#define LBR_BR_TYPE_NAME_MAX_LEN   16 /* longest string is "CALL Indirect\0" = 14 chars, rounded up */

Typedefs

typedef union MSR_LBR_INFOPMSR_LBR_INFO
typedef struct _LBR_BRANCH_ENTRY LBR_BRANCH_ENTRY
 The structure to hold a single LBR entry (from and to addresses).
typedef struct _LBR_BRANCH_ENTRY PLBR_BRANCH_ENTRY
typedef struct _LBR_STACK_ENTRY LBR_STACK_ENTRY
 The structure to hold the LBR stack for a single processor core, including the branch entries and the TOS index.
typedef struct _LBR_STACK_ENTRY PLBR_STACK_ENTRY

Detailed Description

Last Branch Record (LBR) related data structures.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.19
Date
2026-04-27

Macro Definition Documentation

◆ LBR_BR_TYPE_CALL_DIRECT

#define LBR_BR_TYPE_CALL_DIRECT   0x4

◆ LBR_BR_TYPE_CALL_INDIRECT

#define LBR_BR_TYPE_CALL_INDIRECT   0x3

◆ LBR_BR_TYPE_COND

#define LBR_BR_TYPE_COND   0x0

Branch Type Encodings (Only on Architectural LBR, not available in Legacy LBR).

◆ LBR_BR_TYPE_JMP_DIRECT

#define LBR_BR_TYPE_JMP_DIRECT   0x2

◆ LBR_BR_TYPE_JMP_INDIRECT

#define LBR_BR_TYPE_JMP_INDIRECT   0x1

◆ LBR_BR_TYPE_NAME_MAX_LEN

#define LBR_BR_TYPE_NAME_MAX_LEN   16 /* longest string is "CALL Indirect\0" = 14 chars, rounded up */

◆ LBR_BR_TYPE_OTHER_MAX

#define LBR_BR_TYPE_OTHER_MAX   0xF /* 1xxxb */

◆ LBR_BR_TYPE_OTHER_MIN

#define LBR_BR_TYPE_OTHER_MIN   0x8 /* 1xxxb */

◆ LBR_BR_TYPE_RESERVED_MAX

#define LBR_BR_TYPE_RESERVED_MAX   0x7 /* 011xb */

◆ LBR_BR_TYPE_RESERVED_MIN

#define LBR_BR_TYPE_RESERVED_MIN   0x6 /* 011xb */

◆ LBR_BR_TYPE_RET

#define LBR_BR_TYPE_RET   0x5

◆ LBR_CALL_STACK

#define LBR_CALL_STACK   (1 << LBR_CALL_STACK_BIT)

◆ LBR_CALL_STACK_BASE_FLAGS

#define LBR_CALL_STACK_BASE_FLAGS   (LBR_CALL_STACK | (LBR_JCC | LBR_IND_JMP | LBR_REL_JMP | LBR_FAR_OTHER_BRANCHES))

For call-stack mode, only CALLs and RETs should be captured Capturing other branch types may lead to undefined behavior.

◆ LBR_CALL_STACK_BIT

#define LBR_CALL_STACK_BIT   9 /* enable call stack: not available on all CPUs */

◆ LBR_FAR_BIT

#define LBR_FAR_BIT   8 /* do not capture far branches */

◆ LBR_FAR_OTHER_BRANCHES

#define LBR_FAR_OTHER_BRANCHES   (1 << LBR_FAR_BIT)

◆ LBR_IND_CALL

#define LBR_IND_CALL   (1 << LBR_IND_CALL_BIT)

◆ LBR_IND_CALL_BIT

#define LBR_IND_CALL_BIT   4 /* do not capture indirect calls */

◆ LBR_IND_JMP

#define LBR_IND_JMP   (1 << LBR_IND_JMP_BIT)

◆ LBR_IND_JMP_BIT

#define LBR_IND_JMP_BIT   6 /* do not capture indirect jumps */

◆ LBR_JCC

#define LBR_JCC   (1 << LBR_JCC_BIT)

◆ LBR_JCC_BIT

#define LBR_JCC_BIT   2 /* do not capture conditional branches */

◆ LBR_KERNEL

#define LBR_KERNEL   (1 << LBR_KERNEL_BIT)

◆ LBR_KERNEL_BIT

#define LBR_KERNEL_BIT   0 /* do not capture at ring0 */

◆ LBR_REL_CALL

#define LBR_REL_CALL   (1 << LBR_REL_CALL_BIT)

◆ LBR_REL_CALL_BIT

#define LBR_REL_CALL_BIT   3 /* do not capture relative calls */

◆ LBR_REL_JMP

#define LBR_REL_JMP   (1 << LBR_REL_JMP_BIT)

◆ LBR_REL_JMP_BIT

#define LBR_REL_JMP_BIT   7 /* do not capture relative jumps */

◆ LBR_RETURN

#define LBR_RETURN   (1 << LBR_RETURN_BIT)

◆ LBR_RETURN_BIT

#define LBR_RETURN_BIT   5 /* do not capture near returns */

◆ LBR_USER

#define LBR_USER   (1 << LBR_USER_BIT)

◆ LBR_USER_BIT

#define LBR_USER_BIT   1 /* do not capture at ring > 0 */

◆ MAXIMUM_LBR_CAPACITY

#define MAXIMUM_LBR_CAPACITY   0x20

Maximum LBR capacity that is supported by processors.

◆ MSR_LEGACY_LBR_SELECT

#define MSR_LEGACY_LBR_SELECT   0x000001C8

MSR address of LBR_SELECT, which is used to configure the LBR filtering options.

Typedef Documentation

◆ LBR_BRANCH_ENTRY

The structure to hold a single LBR entry (from and to addresses).

◆ LBR_STACK_ENTRY

The structure to hold the LBR stack for a single processor core, including the branch entries and the TOS index.

◆ PLBR_BRANCH_ENTRY

◆ PLBR_STACK_ENTRY

◆ PMSR_LBR_INFO

typedef union MSR_LBR_INFO * PMSR_LBR_INFO