Security research | Reverse engineering | Static analysis | Deobfuscation | Windows kernel. Main author of VTIL, working on @verilave.
Aug 17, 2021 • 4 tweets • 1 min read
Broadwell seems to have a fun undocumented MSR 😛
0x3F0, doesn't work on Skylake so it's not architectural, write-protected, seems to be 1 only on CPU #0. The only mention seems to be in XEN, and it doesn't seem to be accurate.
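The kind of probe the thread above describes (read an MSR on every logical CPU, see where it faults, see whether the value differs per core, then check whether it's write-protected), as an added example that is not the author's tool or code. It assumes Linux with the `msr` driver loaded (`/dev/cpu/N/msr`, root or CAP_SYS_RAWIO) and the kernel's convention that a #GP on rdmsr/wrmsr surfaces as EIO; the default MSR index 0x3F0 is only there because the tweet names it. The classification function is pure so it can be exercised on constructed results; poking undocumented MSRs on real hardware can hang or reboot the box, so do it on a machine you can afford to lose.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Result of one rdmsr attempt on one logical CPU. */
typedef struct {
    int cpu;
    int err;        /* 0 on success, otherwise a positive errno (EIO == #GP in the driver) */
    uint64_t value; /* valid only when err == 0 */
} msr_probe_t;

/* How an MSR behaves across the CPUs that were probed. */
typedef enum {
    MSR_ABSENT,   /* every read faulted: not implemented on this part (e.g. 0x3F0 on Skylake) */
    MSR_PARTIAL,  /* readable on some CPUs but not others */
    MSR_UNIFORM,  /* readable everywhere with the same value */
    MSR_PER_CPU   /* readable everywhere, value differs between CPUs (e.g. 1 on cpu0 only) */
} msr_class_t;

/* Open /dev/cpu/N/msr; the file offset is the MSR index. Returns fd or -errno. */
static int open_msr(int cpu, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, flags);
    return fd < 0 ? -errno : fd;
}

/* rdmsr on one logical CPU. Returns 0 or a positive errno. */
int read_msr(int cpu, uint32_t msr, uint64_t *out)
{
    int fd = open_msr(cpu, O_RDONLY);
    if (fd < 0)
        return -fd;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    int err = (n < 0) ? errno : (n != (ssize_t)sizeof *out ? EIO : 0);
    close(fd);
    return err;
}

/* wrmsr on one logical CPU. Writing back the value just read is the least
 * dangerous way to test write-protection: a #GP on wrmsr also comes back as EIO. */
int write_msr(int cpu, uint32_t msr, uint64_t value)
{
    int fd = open_msr(cpu, O_WRONLY);
    if (fd < 0)
        return -fd;
    ssize_t n = pwrite(fd, &value, sizeof value, (off_t)msr);
    int err = (n < 0) ? errno : (n != (ssize_t)sizeof value ? EIO : 0);
    close(fd);
    return err;
}

/* Probe `msr` on logical CPUs 0..ncpu-1, filling `res`. */
void probe_msr_all(uint32_t msr, int ncpu, msr_probe_t *res)
{
    for (int c = 0; c < ncpu; c++) {
        res[c].cpu = c;
        res[c].value = 0;
        res[c].err = read_msr(c, msr, &res[c].value);
    }
}

/* Pure classification of a set of probe results. */
msr_class_t classify_msr(const msr_probe_t *res, int n)
{
    int ok = 0, same = 1;
    uint64_t first = 0;
    for (int i = 0; i < n; i++) {
        if (res[i].err)
            continue;
        if (ok == 0)
            first = res[i].value;
        else if (res[i].value != first)
            same = 0;
        ok++;
    }
    if (ok == 0) return MSR_ABSENT;
    if (ok < n)  return MSR_PARTIAL;
    return same ? MSR_UNIFORM : MSR_PER_CPU;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "absent", "partial", "uniform", "per-cpu" };
    uint32_t msr = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 0) : 0x3F0;
    int ncpu = (int)sysconf(_SC_NPROCESSORS_ONLN);
    if (ncpu < 1 || ncpu > 1024) return 1;
    msr_probe_t res[1024];
    probe_msr_all(msr, ncpu, res);
    for (int i = 0; i < ncpu; i++) {
        if (res[i].err)
            printf("cpu%-3d MSR 0x%X: rdmsr failed (%s)\n", i, msr, strerror(res[i].err));
        else
            printf("cpu%-3d MSR 0x%X = 0x%016llx\n", i, msr, (unsigned long long)res[i].value);
    }
    printf("classification: %s\n", names[classify_msr(res, ncpu)]);
    /* Optional write-protection check: write the same value back on cpu0. */
    if (argc > 2 && strcmp(argv[2], "--write-back") == 0 && res[0].err == 0) {
        int err = write_msr(0, msr, res[0].value);
        printf("write-back on cpu0: %s\n", err ? strerror(err) : "accepted");
    }
    return 0;
}
```

Run as `sudo ./probe 0x3F0` first; only add `--write-back` once the read side looks sane, since wrmsr to an unknown index is where machines actually lock up. EIO from the driver means the instruction faulted (#GP); EACCES/ENOENT mean the msr module or permissions are the problem, not the CPU.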
Aug 17, 2021 • 4 tweets • 2 min read
Turns out you can also find undocumented MSRs behind NDA with Haruspex. It looks like either rdmsr/wrmsr dispatches μOps dynamically or the decoder waits for the ecx value to be set; pretty interesting. 🤭
You also get to see how certain MSRs such as the LSTAR and KERNEL_GS_BASE are optimized compared to normal CRBUS MSRs, likely due to the fact that they're kept in the register file instead.