Alex_L_2

Wrong LBR addresses

Hi.

I have a driver which collects LBR tuples of indirect branches for a specific process.

I also registered a PMI handler using the HalSetSystemInformation so that every time there is an indirect branch (that's recorded in the LBR MSRs), my handler will be called and collect the whole LBR stack. I make sure that I'm collecting the LBRs from the correct process using PsGetCurrentProcessId().

My problem is that I get tuples (from a specific process that I'm debugging) that don't make sense. Their addresses match the .text section of the process, but they are completely wrong and unaligned with the assembly (I compared with IDA). It seems that they are very few each time.

I'm debugging a 32-bit process on a 64-bit machine.

I don't understand why this is happening. I read in some specifications such as http://www.nts.nl/site/html/modules/pdf/CPU/Intel%20Xeon%205100.pdf that it can happen: "LBR, BTS, BTM May Report a Wrong Address when an Exception/ Interrupt Occurs in 64-bit Mode". This specific error doesn't explain the wrong LBRs anyway, since I'm debugging a 32-bit process. For my processor (i7-6700HQ) I couldn't find a similar error in the specifications.

Does anyone have any idea why it should happen?

I would really appreciate any help.

Thanks!
