---
description: Description of the 'wrmsr' command in HyperDbg.
---

wrmsr (write model-specific register)

Command

wrmsr

Syntax

```
wrmsr [Msr (hex)] [Value (hex)] [core CoreNumber (hex)]
```

Description

Writes to a model-specific register using the 'wrmsr' instruction.

Parameters

[Msr (hex)]

The index of the MSR (the ECX register for the 'wrmsr' instruction).

[Value (hex)]

The value to write to the MSR (EDX:EAX for the 'wrmsr' instruction).

[core CoreNumber (hex)] (optional)

The core on which the MSR is written.

{% hint style="success" %} If you don't specify 'core', the write is applied to all cores by default. {% endhint %}

Examples

The following command changes the MSR c0000082 to fffff807`73553180 using the wrmsr command.

```
HyperDbg> wrmsr c0000082 fffff807`73553180
```

The following command changes the MSR c0000082 to the result of evaluating nt!ExAllocatePoolWithTag+10 using the wrmsr command.

```
HyperDbg> wrmsr c0000082 nt!ExAllocatePoolWithTag+10
```

The following command changes the MSR c0000082 to fffff807`73553180 using the wrmsr command, on core 2 only.

```
HyperDbg> wrmsr c0000082 fffff807`73553180 core 2
```

IOCTL

This function works by calling DeviceIoControl with IOCTL = IOCTL_DEBUGGER_READ_OR_WRITE_MSR; you have to send it the following structure.

```c
typedef struct _DEBUGGER_READ_AND_WRITE_ON_MSR {

  UINT64 Msr;        // Actually a 32-bit value (ECX), kept in a 64-bit field
  UINT32 CoreNumber; // The core on which to execute wrmsr or read the MSR
                     // (DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES means all cores)
  DEBUGGER_MSR_ACTION_TYPE
  ActionType;        // Whether the user wants wrmsr or rdmsr
  UINT64 Value;      // Value to write (wrmsr) or the value read back (rdmsr)

} DEBUGGER_READ_AND_WRITE_ON_MSR, *PDEBUGGER_READ_AND_WRITE_ON_MSR;
```

Where Msr is the ECX value for the 'rdmsr' or 'wrmsr' instruction, CoreNumber is the target core to read from or write to, and ActionType indicates whether the action is 'rdmsr' or 'wrmsr'.

```c
typedef enum _DEBUGGER_MSR_ACTION_TYPE { DEBUGGER_MSR_READ, DEBUGGER_MSR_WRITE } DEBUGGER_MSR_ACTION_TYPE;
```

{% hint style="info" %} If you want to execute 'wrmsr' or 'rdmsr' on all cores, set CoreNumber to DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES. {% endhint %}

```c
#define DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES 0xffffffff
```
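The following is an added example, not HyperDbg's own code, that ties the command syntax and examples above to the IOCTL structure: it parses a 'wrmsr' command line (including the backtick-separated 64-bit literal and the optional 'core' argument) into a DEBUGGER_READ_AND_WRITE_ON_MSR request, applies the all-cores default, and shows how Value is split into EDX:EAX. The typedefs mirror the structure shown on this page rather than including the SDK header; the device handle and the IOCTL code passed to the Windows-only send_msr_request are assumed to be obtained by the caller from the SDK, and symbolic operands such as nt!ExAllocatePoolWithTag+10 are rejected because resolving them needs the debugger's symbol evaluator.

```c
/* Added example (not HyperDbg's code): build the IOCTL_DEBUGGER_READ_OR_WRITE_MSR
 * request for a 'wrmsr' command line. Types mirror the structure on this page. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#ifdef _WIN32
#include <windows.h>          /* UINT32/UINT64 and DeviceIoControl */
#else
typedef uint32_t UINT32;      /* non-Windows build: only the request builder is usable */
typedef uint64_t UINT64;
#endif

#define DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES 0xffffffff

typedef enum _DEBUGGER_MSR_ACTION_TYPE { DEBUGGER_MSR_READ, DEBUGGER_MSR_WRITE } DEBUGGER_MSR_ACTION_TYPE;

typedef struct _DEBUGGER_READ_AND_WRITE_ON_MSR {
  UINT64 Msr;                          /* ECX for rdmsr/wrmsr (32-bit value in a 64-bit field) */
  UINT32 CoreNumber;                   /* target core, or APPLY_ALL_CORES */
  DEBUGGER_MSR_ACTION_TYPE ActionType; /* DEBUGGER_MSR_READ or DEBUGGER_MSR_WRITE */
  UINT64 Value;                        /* EDX:EAX for wrmsr */
} DEBUGGER_READ_AND_WRITE_ON_MSR, *PDEBUGGER_READ_AND_WRITE_ON_MSR;

/* Parse a debugger-style hex literal such as fffff807`73553180; the backtick is
 * WinDbg's 64-bit separator and carries no value. Anything that is not a hex
 * digit (e.g. a symbol like nt!Foo+10) is rejected. Returns 0 on success. */
static int parse_hex64(const char *s, UINT64 *out) {
  UINT64 v = 0;
  int digits = 0;
  if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2;
  for (; *s; s++) {
    int c = tolower((unsigned char)*s), d;
    if (c == '`') continue;
    if (c >= '0' && c <= '9') d = c - '0';
    else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
    else return -1;
    if (++digits > 16) return -1;      /* more than 64 bits */
    v = (v << 4) | (UINT64)d;
  }
  if (digits == 0) return -1;
  *out = v;
  return 0;
}

/* Build the request for "wrmsr [Msr (hex)] [Value (hex)] [core CoreNumber (hex)]".
 * Without 'core' the request targets all cores, as the hint above states. */
int build_wrmsr_request(const char *line, DEBUGGER_READ_AND_WRITE_ON_MSR *req) {
  char buf[256], *tok[8];
  int n = 0;
  UINT64 msr, value, core;
  if (strlen(line) >= sizeof buf) return -1;
  strcpy(buf, line);
  for (char *t = strtok(buf, " \t"); t && n < 8; t = strtok(NULL, " \t")) tok[n++] = t;
  if ((n != 3 && n != 5) || strcmp(tok[0], "wrmsr") != 0) return -1;
  if (parse_hex64(tok[1], &msr) != 0 || msr > 0xffffffffULL) return -1;   /* ECX is 32-bit */
  if (parse_hex64(tok[2], &value) != 0) return -1;
  memset(req, 0, sizeof *req);
  req->Msr = msr;
  req->Value = value;
  req->ActionType = DEBUGGER_MSR_WRITE;
  req->CoreNumber = DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES;
  if (n == 5) {
    if (strcmp(tok[3], "core") != 0) return -1;
    if (parse_hex64(tok[4], &core) != 0 || core >= DEBUGGER_READ_AND_WRITE_ON_MSR_APPLY_ALL_CORES) return -1;
    req->CoreNumber = (UINT32)core;
  }
  return 0;
}

/* How Value is split into the two registers the wrmsr instruction consumes. */
UINT32 wrmsr_eax(const DEBUGGER_READ_AND_WRITE_ON_MSR *req) { return (UINT32)(req->Value & 0xffffffffULL); }
UINT32 wrmsr_edx(const DEBUGGER_READ_AND_WRITE_ON_MSR *req) { return (UINT32)(req->Value >> 32); }

#ifdef _WIN32
/* Hand the request to the driver. 'device' is an open handle to the HyperDbg
 * device and 'ioctl_code' is IOCTL_DEBUGGER_READ_OR_WRITE_MSR from the SDK
 * header; both are assumed to be obtained by the caller. Passing the request
 * as both input and output buffer is this example's choice, so a read action
 * can return Value in place. */
int send_msr_request(HANDLE device, DWORD ioctl_code, DEBUGGER_READ_AND_WRITE_ON_MSR *req) {
  DWORD returned = 0;
  return DeviceIoControl(device, ioctl_code, req, sizeof *req, req, sizeof *req, &returned, NULL) ? 0 : -1;
}
#endif

int main(void) {
  /* Constructed input, taken from the page's third example. */
  DEBUGGER_READ_AND_WRITE_ON_MSR req;
  if (build_wrmsr_request("wrmsr c0000082 fffff807`73553180 core 2", &req) != 0) {
    puts("bad arguments");
    return 1;
  }
  printf("Msr=%llx CoreNumber=%x Value=%llx (edx=%08x eax=%08x)\n",
         (unsigned long long)req.Msr, req.CoreNumber, (unsigned long long)req.Value,
         wrmsr_edx(&req), wrmsr_eax(&req));
  return 0;
}
```

The builder rejects an MSR index wider than 32 bits and a core number equal to or above the all-cores sentinel, so a malformed command cannot silently become an all-cores write; the only validation it cannot do is whether the MSR index is implemented on the target CPU, which is left to the driver.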

Remarks

This command continues the debuggee for some time (in Debugger Mode), so you lose the current context (registers and memory) after executing it.

Requirements

None

Related

rdmsr (read model-specific register)