OSDev.org

The Place to Start for Operating System Developers
 Post subject: How to watch registers and instructions at Windows10
PostPosted: Fri Feb 02, 2018 7:43 am 

Joined: Fri May 05, 2017 8:09 pm
Posts: 4
We would like to write code to watch and record the information of all the registers such as eax, ecx and the instructions (we need to record all the instructions the CPU is executing) so that we can use Machine Learning methods to identify whether some instruction sequences are malicious instructions.

1. We used to alter translate.c from QEMU to record intermediate information including registers and instructions, that is to say, we would record all the information while QEMU translates instructions from the virtual machine on QEMU to the real computer.

2. But collecting information from the virtual machine QEMU is less efficient than the real machine, so we plan to write code so that we can collect all the information in Win10 on a real computer.

3. The problem is that we wrote code to obtain the value of the PC register, but the value is always the address of the next line in our code. We don't know how to watch the instructions (or code) of other parallel programs that the CPU is executing.

Would you mind giving some ideas? Thanks!

 Post subject: Re: How to watch registers and instructions at Windows10
PostPosted: Fri Feb 02, 2018 9:33 am 

Joined: Sun Oct 22, 2006 7:01 am
Posts: 2637
Location: Devon, UK
Hi,

I've never written one, but it sounds like you need to write a hypervisor.

Cheers,
Adam

 Post subject: Re: How to watch registers and instructions at Windows10
PostPosted: Fri Feb 02, 2018 1:57 pm 

Joined: Thu Jun 04, 2009 11:12 pm
Posts: 277
Hi,
OpenVMS had Xdelta and you can use Xdelta to single step instruction by instruction. OpenVMS is something I am most familiar with due to reasons I cannot disclose. There should be something available for all platforms. Maybe a kernel debugger is all you need; you can possibly write scripts to do powerful things. This is just a suggestion; if you need to do something pre-boot then it is not an option.

--Thomas


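Thomas's single-step suggestion in working form, as an added example that is not from this thread or from OSDev: a minimal tracer for Linux/x86-64 built on ptrace, which forks a constructed workload, steps it one instruction at a time and records the child's PC, registers and opcode bytes. On Windows 10 the same loop is built on the debug API (WaitForDebugEvent plus GetThreadContext/SetThreadContext with the trap flag, bit 8 of EFlags); either way the debugger reads the tracee's PC, which is the answer to point 3 above, where reading the PC from your own code can only ever report your own code.

```c
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-instruction record: tracee PC, two registers (state just before that instruction runs) and its first opcode bytes. */
struct step_record { unsigned long long rip, rax, rcx; unsigned char op[4]; };

/* Constructed workload for the tracee; noinline keeps its entry address observable as a call target. */
static volatile unsigned long sink;
__attribute__((noinline)) static void child_work(void) {
    for (unsigned long i = 0; i < 1000; i++) sink += i;
}

/* Fork a child and single-step it to exit, storing up to max records; returns the step count or -1 on error. */
long trace_child(struct step_record *out, size_t max) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* tracee */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                      /* hand control to the tracer */
        child_work();
        _exit(0);
    }
    int status;                              /* tracer: wait for that SIGSTOP */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    long steps = 0;
    for (;;) {
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (!WIFSTOPPED(status)) break;      /* tracee exited (or was killed) */
        struct user_regs_struct regs;        /* the tracee's registers, not ours */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        if ((size_t)steps < max) {
            out[steps].rip = regs.rip; out[steps].rax = regs.rax; out[steps].rcx = regs.rcx;
            long word = ptrace(PTRACE_PEEKTEXT, pid, (void *)regs.rip, NULL);
            memcpy(out[steps].op, &word, sizeof out[steps].op);
        }
        steps++;
    }
    return steps;
}

/* Index of the first record whose PC equals addr, or -1 if that address was never stepped. */
long find_rip(const struct step_record *r, size_t n, unsigned long long addr) {
    for (size_t i = 0; i < n; i++) if (r[i].rip == addr) return (long)i;
    return -1;
}
```

Every stepped instruction costs two context switches into the tracer, which is the same cost that makes a whole-system trace of a real Windows box far slower than the QEMU approach in the first post; sampling or hardware tracing is the usual escape from that.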
 Post subject: Re: How to watch registers and instructions at Windows10
PostPosted: Sun Feb 04, 2018 2:37 am 

Joined: Fri May 05, 2017 8:09 pm
Posts: 4
Thomas wrote:
Hi,
OpenVMS had Xdelta and you can use Xdelta to single step instruction by instruction. OpenVMS is something I am most familiar with due to reasons I cannot disclose. There should be something available for all platforms. Maybe a kernel debugger is all you need; you can possibly write scripts to do powerful things. This is just a suggestion; if you need to do something pre-boot then it is not an option.

--Thomas

OK, thanks a lot! I'll take these ideas into consideration.

 Post subject: Re: How to watch registers and instructions at Windows10
PostPosted: Sun Feb 04, 2018 2:41 am 

Joined: Fri May 05, 2017 8:09 pm
Posts: 4
AJ wrote:
Hi,

I've never written one, but it sounds like you need to write a hypervisor.

Cheers,
Adam

Thanks anyway, but maybe a hypervisor is not suitable for us!