Identifying System Behavior

Intercepting Exceptions, Interrupts, and MSRs

To detect system behavior, this example relies on three mechanisms. The first is intercepting the first 32 entries of the IDT (Interrupt Descriptor Table), vectors 0x0 to 0x1f, which are the processor exceptions (#DE, #DB, #BP, #PF, and so on). We use the !exception command for this purpose.

For instance, if we want to break on division-by-zero (#DE, vector 0x0) in the process with id 0x490 (HyperDbg interprets numbers as hexadecimal by default, so 490 below means 0x490):

HyperDbg> !exception 0x0 pid 490

If we want to monitor external interrupts (IDT index from 0x21 to 0xff), we use the !interrupt command. Unlike !exception, this intercepts hardware interrupts delivered to the processor rather than faults raised by an instruction.

Imagine we want to break when entry 0x25 of the IDT is delivered.

HyperDbg> !interrupt 0x25

The last mechanism is system-wide monitoring of RDMSR and WRMSR execution. We use the !msrread and !msrwrite commands. These are not limited to a single process: every read or write of the given MSR on any core is intercepted.

For example, MSR 0xc0000082 (IA32_LSTAR) holds the 64-bit SYSCALL entry point, so it is one of the MSRs targeted by malware and rootkits: overwriting it redirects every system call through attacker-controlled code. The kernel writes LSTAR while initializing each core, so a write observed after the system is up and running deserves a close look at the writer's RIP.

If we want to break on RDMSR of MSR 0xc0000082.

HyperDbg> !msrread 0xc0000082

If we want to break on WRMSR to MSR 0xc0000082.

HyperDbg> !msrwrite 0xc0000082
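The three kinds of interception above (exceptions, external interrupts, and MSR access) can be combined with HyperDbg's script engine so that each event is logged with its context instead of only breaking. The following is an added example, not code from the original page or from the HyperDbg project; it assumes the `script { ... }` event option, the `printf` and `pause()` script functions, the `@rax`/`@rdx`/`@rip` registers and the `$pid`/`$tid`/`$core` pseudo-registers behave as described in HyperDbg's script-engine documentation, and that the process id 0x490 from the text is the process of interest. Lines beginning with `//` are annotations, not input to the prompt.

```hyperdbg
// Added example (not from the page or the HyperDbg project). Numbers are hex by
// default. Each event gets a script { ... } block instead of a plain break.

// 1) Exception: #DE (IDT vector 0x0) in process 0x490. The event fires before the
//    exception is delivered, so @rip is the faulting instruction.
HyperDbg> !exception 0x0 pid 490 script { printf("#DE in pid %x tid %x at rip %llx\n", $pid, $tid, @rip); }

// 2) External interrupt: observe IDT vector 0x25 on every core without pausing.
HyperDbg> !interrupt 0x25 script { printf("vector 0x25 delivered on core %x\n", $core); }

// 3) MSRs: who reads IA32_LSTAR (0xc0000082)? Log the reader's rip and process.
HyperDbg> !msrread 0xc0000082 script { printf("RDMSR LSTAR from rip %llx (pid %x)\n", @rip, $pid); }

// WRMSR stores the new value in edx:eax (the MSR index is in ecx). After boot a
// write to LSTAR is a hooking sign, so print the value and pause for inspection.
HyperDbg> !msrwrite 0xc0000082 script { printf("WRMSR LSTAR <- %llx from rip %llx (pid %x)\n", (@rdx << 32) | (@rax & 0xffffffff), @rip, $pid); pause(); }
```

The MSR events are system-wide, so the !msrread line will also report legitimate readers (for example the kernel or a hypervisor); the `@rip` value is what lets you tell a kernel-image address from a write originating in an unsigned or hidden driver. Confirm the exact script-engine syntax against the HyperDbg version you are running before relying on it.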