Turns out you can also find undocumented MSRs behind NDA with Haruspex; looks like either rdmsr/wrmsr dispatches μOps dynamically or the decoder waits for the ecx value to be set, pretty interesting. 🤭
You also get to see how certain MSRs such as the LSTAR and KERNEL_GS_BASE are optimized compared to normal CRBUS MSRs, likely due to the fact that they're kept in the register file instead.

Quick read through the following article even confirms it: software.intel.com/content/www/us…
Bit more research reveals that it's not the decoder but the uOps of the rdmsr that schedule the rest of the ops, since MSRs for the SMM state seem to look like other #GPs; however, it seems like they forgot a speculative barrier there, so DIV cycles give those away 🥰
x86 do be fun.

More from @_can1357

17 Aug
Broadwell seems to have a fun undocumented MSR 😛
0x3F0, doesn't work on Skylake so not architectural, write-protected, seems to be 1 only on the CPU #0. Only mention seems to be in XEN, doesn't seem to be accurate.
Thing is, as trivial and innocent as it is, stuff like this opens up detection vectors for virtualization based sandboxes. Running on a Broadwell? Switch to first core, read 3F0 in a loop for a few seconds, if it ever returns 0 or faults, you're in a VM, congrats. ¯\_(ツ)_/¯