Triggering Special Instructions

A description of hooking RDTSC, RDTSCP, I/O IN & OUT, RDPMC, and similar instructions.

There are special instructions in x86 and AMD64 processors that can be configured to cause vm-exits when executed, which lets us intercept them.

For example, we might be interested in the execution of I/O instructions (IN & OUT). We can monitor memory-mapped I/O using the !monitor command, but for port-mapped I/O devices (those accessed with IN and OUT), we use the !ioin and !ioout commands.

Do not try to monitor all I/O ports, or the I/O port of the serial device connected to the debugger, if you are operating in Debugger Mode.

Using these commands, we can monitor I/O ports. For example, let's say we want to monitor I/O port 0x3f8 for the IN instruction.

HyperDbg> !ioin 0x3f8

If we want to monitor port 0x3f8 for the OUT instruction, we use the following command.

HyperDbg> !ioout 0x3f8
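The two commands above select a single port to trap. The hardware mechanism that makes such per-port selection possible is the pair of VMX I/O bitmaps (one bit per port, consulted by the processor before every IN/OUT in the guest). The following is an added illustration of that mechanism, not HyperDbg's own implementation; it assumes the layout documented in the Intel SDM (bitmap A for ports 0x0000-0x7FFF, bitmap B for 0x8000-0xFFFF) and uses the serial port 0x3f8 from the text.

```c
/* Added illustration (not HyperDbg's code) of the VMX I/O-bitmap mechanism a
 * hypervisor uses to pick which IN/OUT ports cause vm-exits (Intel SDM).
 * Bitmap A covers ports 0x0000-0x7FFF, bitmap B 0x8000-0xFFFF; one bit per port. */
#include <stdint.h>
#include <stdio.h>

#define IO_BITMAP_BYTES 4096 /* each bitmap is one 4 KiB page */
typedef struct {
    uint8_t a[IO_BITMAP_BYTES]; /* ports 0x0000-0x7FFF */
    uint8_t b[IO_BITMAP_BYTES]; /* ports 0x8000-0xFFFF */
} io_bitmaps_t;

static uint8_t *port_byte(io_bitmaps_t *bm, uint16_t port) { /* byte holding port's bit */
    uint8_t *page = (port < 0x8000) ? bm->a : bm->b;
    return &page[(port & 0x7FFF) / 8];
}

/* Request a vm-exit on any IN/OUT touching `port` (the state a command
 * such as "!ioin 0x3f8" has to establish in the guest's I/O bitmaps). */
void io_intercept_port(io_bitmaps_t *bm, uint16_t port) {
    *port_byte(bm, port) |= (uint8_t)(1u << (port % 8));
}

/* Does an I/O access of `width` bytes (1, 2 or 4) at `port` exit? The exit
 * happens if the bit for ANY port the access covers is set, so a 2-byte access
 * at 0x3f7 also trips an intercept on 0x3f8. (Wrap past 0xFFFF not modeled.) */
int io_access_exits(io_bitmaps_t *bm, uint16_t port, unsigned width) {
    for (unsigned i = 0; i < width; i++) {
        uint16_t p = (uint16_t)(port + i);
        if (*port_byte(bm, p) & (1u << (p % 8)))
            return 1;
    }
    return 0;
}

/* Intercept the serial port from the text and probe three accesses. Returns
 * bit0: IN 0x3f8 exits, bit1: IN 0x3f9 exits, bit2: 2-byte IN at 0x3f7 exits. */
int demo_serial_port(void) {
    io_bitmaps_t bm = {{0}};          /* start with no ports intercepted */
    io_intercept_port(&bm, 0x3f8);    /* equivalent of "!ioin 0x3f8" */
    return io_access_exits(&bm, 0x3f8, 1)
         | io_access_exits(&bm, 0x3f9, 1) << 1
         | io_access_exits(&bm, 0x3f7, 2) << 2;
}

int main(void) {
    printf("demo bits = %d\n", demo_serial_port());
    return 0;
}
```

The neighbouring port 0x3f9 stays silent while a wider access that merely overlaps 0x3f8 still exits, which is why trapping a single port can surface more traffic than expected.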

Let's intercept another instruction.

CPUID is an important instruction: software uses it to query processor features and check whether the processor supports a particular capability.

For example, to intercept all the CPUIDs that the process with process ID 490 tries to execute:

HyperDbg> !cpuid pid 490

You can also break on the execution of other instructions, such as:

  • RDTSC and RDTSCP, using the !tsc command

  • RDPMC, using the !pmc command

  • VMCALLs, using the !vmcall command