# Arm the trap flag (TF) in the target thread's EFLAGS so the thread raises a
# single-step debug exception on its next instruction -- or, if BTF has been
# set in IA32_DEBUGCTL, on its next taken branch.  Read-modify-write so the
# other EFLAGS bits are preserved.
context = self.get_thread_context(thread_handle)
context.EFlags |= EFLAGS_TRAP  # presumably TF = bit 8 (0x100); confirm the constant's value
self.set_thread_context(context, thread_handle=thread_handle)
The MSR_DEBUGCTLA MSR enables and disables the various last branch recording mechanisms described in the previous section. This register can be written to using the WRMSR instruction, when operating at privilege level 0 or when in real-address mode. A protected-mode operating system procedure is required to provide user access to this register. Figure 15-4 shows the flags in the MSR_DEBUGCTLA MSR. The functions of these flags are as follows: ... BTF (single-step on branches) flag (bit 1) When set, the processor treats the TF flag in the EFLAGS register as a "single-step on branches" flag rather than a "single-step on instructions" flag. This mechanism allows single-stepping the processor on taken branches, interrupts, and exceptions. See Section 15.5.4, "Single-Stepping on Branches, Exceptions, and Interrupts" for more information about the BTF flag.
SysDbgReadMsr = 16 SysDbgWriteMsr = 17 ULONG = c_ulong ULONGLONG = c_ulonglong class SYSDBG_MSR(Structure): _fields_ = [ ("Address", ULONG), ("Data", ULONGLONG), ] def write_msr(): msr = SYSDBG_MSR() msr.Address = 0x1D9 msr.Data = 2 status = windll.ntdll.NtSystemDebugControl(SysDbgWriteMsr, byref(msr), sizeof(SYSDBG_MSR), 0, 0, 0);
# re-raise the single step flag on every block. def handler_single_step (dbg): ... dbg.single_step(True) write_msr() return DBG_CONTINUE # ensure every new thread starts in single step mode. def handler_new_thread (dbg): dbg.single_step(True) write_msr() return DBG_CONTINUE
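/* In/out buffer for NtSystemDebugControl(SysDbgReadMsr / SysDbgWriteMsr).
 * Layout must match the kernel's SYSDBG_MSR: a 32-bit MSR address followed
 * by the 64-bit MSR *value* stored inline.  Data is NOT a pointer: the kernel
 * copies sizeof(SysDbgMsr) bytes and uses Data as the value to write, so a
 * pointer member would (on x64) write a stack address into the MSR and (on
 * x86) produce a wrong buffer length. */
typedef struct _SysDbgMsr {
    ULONG Address;
    ULONGLONG Data;
} SysDbgMsr, *PSysDbgMsr;

/* Write IA32_DEBUGCTL (MSR 0x1D9) := 2, i.e. set only the BTF bit so that TF
 * single-steps on taken branches instead of on every instruction.
 *
 * Caveats:
 *  - Absolute write, not read-modify-write: every other DEBUGCTL bit
 *    (LBR etc.) is cleared.
 *  - NtSystemDebugControl needs SeDebugPrivilege, and on Windows Vista and
 *    later the MSR classes are refused unless kernel debugging is enabled.
 *    Check the printed NTSTATUS (negative == failure) rather than assuming
 *    the MSR changed.
 */
void SetMsr(void)
{
    SysDbgMsr msr;          /* stack buffer: no LocalAlloc, nothing to leak */
    NTSTATUS status;

    msr.Address = 0x01D9;
    msr.Data = 2;

    NtSystemDebugControl = (PNtSystemDebugControl)getfunc("ntdll", "NtSystemDebugControl");
    if (!NtSystemDebugControl)
        error("failed retrieving the systemdebugcontrol pointer");

    /* Input buffer only; no output buffer or returned length requested. */
    status = NtSystemDebugControl(SysDbgWriteMsr, (PVOID)&msr, sizeof(msr), 0, 0, 0);
    printf("Return status: 0x%08x\n", (unsigned int)status);
    if (status < 0)
        printf("MSR write rejected; BTF is NOT set\n");
}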