Category: Software Debug and Trace – Intel

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 9

Alan Sguigna

July 28, 2024
3:33 pm

Using Intel Processor Trace and Architectural Event Trace to explore the very lowest level of the Windows boot.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 8

Alan Sguigna

July 21, 2024
1:04 pm

This article uses the SourcePoint JTAG debugger to explore the very earliest part of the Windows boot flow, where the Secure Kernel is initialized in VTL 0 by the Windows and Hypervisor loaders.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 7

Alan Sguigna

July 14, 2024
8:41 pm

Architectural Event Trace (AET) can only be used with JTAG. This blog describes the use of AET to explore Windows Hyper-V and the Secure Kernel.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 6

Alan Sguigna

June 16, 2024
11:56 am

Learning more about Hyper-V by following Connor McGarr's footsteps in his blog, Windows Internals: Dissecting Secure Image Objects - Part 1.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 5

Alan Sguigna

March 25, 2024
3:11 pm

In the last couple of articles in this series, I’ve focused on basic run-control debugging used in conjunction with Intel Processor Trace (Intel PT). In this installment, we’ll start looking at the use of Architectural Event Trace (AET) to explore the Windows hypervisor, and how MSR accesses in particular are handled.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 4

Alan Sguigna

March 17, 2024
4:14 pm

In this article, we’ll look at some of the fields within the VMCS, and change them to combat some of the mitigations against instruction trace within Windows.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 3

Alan Sguigna

March 3, 2024
1:34 pm

Debugging the Secure Kernel with JTAG, EXDI, LBR and Intel PT.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 2

Alan Sguigna

February 20, 2024
10:16 am

In Part 1 of this article series, I demonstrated the use of EXDI with DCI to explore the Windows hypervisor. In this article, we’ll take a first look at the Windows Secure Kernel.

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 1

Alan Sguigna

January 15, 2024
6:30 pm

I’m having a tremendous amount of fun learning about Windows internals with the new support of WinDbg via our SourcePoint JTAG debugger. This is a multi-part series on exploring some of the undebuggable code within the Windows hypervisor and secure kernel.

WinDbg with correlated timestamps for Event and Instruction Trace

Alan Sguigna

December 17, 2023
3:44 pm

An advanced tutorial on the timestamp correlation of Windows kernel event and instruction trace, using Intel Processor Trace and Architectural Event Trace.

Category: Software Debug and Trace – Intel

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 9

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 8

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 7

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 6

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 5

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 4

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 3

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 2

JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and EXDI: Part 1

WinDbg with correlated timestamps for Event and Instruction Trace

Archives

Categories