Hi.
I have a driver which collects LBR tuples of indirect branches for a specific process.
I also registered a PMI handler using HalSetSystemInformation so that every time there is an indirect branch (that's recorded in the LBR MSRs), my handler will be called and collect the whole LBR stack. I make sure that I'm collecting the LBRs from the correct process using PsGetCurrentProcessId().
My problem is that I get tuples (from a specific process that I'm debugging) that don't make sense. Their addresses match the .text section of the process, but they are completely wrong and unaligned with the assembly (I compared with IDA). It seems that they are very few each time.
I'm debugging a 32-bit process on a 64-bit machine.
I don't understand why this is happening. I read in some specifications such as http://www.nts.nl/site/html/modules/pdf/CPU/Intel%20Xeon%205100.pdf that it can happen: "LBR, BTS, BTM May Report a Wrong Address when an Exception/ Interrupt Occurs in 64-bit Mode". This specific error doesn't explain the wrong LBRs anyway, since I'm debugging a 32-bit process. For my processor (i7-6700HQ) I couldn't find a similar error in the specifications.
Does anyone have any idea why it should happen?
I would really appreciate any help.
Thanks!