Intel VT and cpuid break
deroko
05-19-2008, 08:40 PM
Do you want to use cpuid as int 3 or any other event? Well, Intel VT allows us that, as cpuid always generates a VM exit. In this case what we do is:
1. Read guest CR3 to check for the correct process
2. Inject an int 3 event into the guest
3. SoftICE will pop up if "i3here on" is set
4. Enjoy
bin/src -> http://deroko.phearless.org/cpuid_break.rar
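The four steps above, as an added example that is not deroko's code from the archive: a C model of the CPUID exit handler's decision logic, so the VMCS fields it would write can be checked without a hypervisor. It assumes the Intel SDM encodings for the VM-exit basic reason (CPUID = 10) and the VM-entry interruption-information field (vector in bits 7:0, interruption type in bits 10:8, valid bit 31), assumes the int 3 is injected as a software exception (type 6) with VM-entry instruction length set to CPUID's own length so the pushed return address lands past the cpuid, and assumes CR3 is compared with the low 12 bits (PCID/flag bits) masked off. The guest state struct, the `cpuid_fn` callback and the canned "GenuineIntel" leaf 0 are constructed stand-ins for real VMCS reads and a real cpuid.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Encodings taken from the Intel SDM vol. 3C (VMCS exit reasons, event injection). */
#define EXIT_REASON_CPUID        10u
#define BP_VECTOR                3u           /* #BP, what "int 3" raises */
#define INTR_TYPE_SW_EXCEPTION   (6u << 8)    /* software exception (INT3/INTO class) */
#define INTR_INFO_VALID          (1u << 31)
#define CR3_PFN_MASK             (~0xFFFull)  /* assumption: ignore PCID/PWT/PCD bits */

/* Constructed model of the guest state a CPUID exit handler reads and writes.
 * In a real hypervisor these are VMREAD/VMWRITE of VMCS fields and the saved GPRs. */
struct guest_state {
    uint64_t cr3;                 /* GUEST_CR3 */
    uint64_t rip;                 /* GUEST_RIP */
    uint32_t eax, ebx, ecx, edx;  /* saved guest GPRs */
    uint32_t exit_reason;         /* VM_EXIT_REASON (basic reason in low 16 bits) */
    uint32_t exit_insn_len;       /* VM_EXIT_INSTRUCTION_LEN */
    uint32_t entry_intr_info;     /* VM_ENTRY_INTR_INFO_FIELD, written by handler */
    uint32_t entry_insn_len;      /* VM_ENTRY_INSTRUCTION_LEN, written by handler */
};

/* The handler still has to complete CPUID on the guest's behalf; the callback
 * stands in for executing the real instruction on the host. */
typedef void (*cpuid_fn)(uint32_t leaf, uint32_t subleaf,
                         uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d);

/* Returns true when an int 3 was queued for injection into the guest. */
bool handle_cpuid_exit(struct guest_state *g, uint64_t target_cr3, cpuid_fn real_cpuid)
{
    if ((g->exit_reason & 0xFFFFu) != EXIT_REASON_CPUID)
        return false;

    /* CPUID unconditionally exits, so hand the guest the real result first. */
    real_cpuid(g->eax, g->ecx, &g->eax, &g->ebx, &g->ecx, &g->edx);

    /* Step 1: only the process we are interested in gets the break. */
    if ((g->cr3 & CR3_PFN_MASK) != (target_cr3 & CR3_PFN_MASK)) {
        g->rip += g->exit_insn_len;    /* skip the 0F A2 and resume silently */
        g->entry_intr_info = 0;
        return false;
    }

    /* Step 2: inject #BP as a software exception. RIP is deliberately left on
     * the cpuid; with entry_insn_len set the CPU pushes rip + len, so the
     * debugger's "return" lands past the instruction, as after a real int 3. */
    g->entry_intr_info = INTR_INFO_VALID | INTR_TYPE_SW_EXCEPTION | BP_VECTOR;
    g->entry_insn_len  = g->exit_insn_len;
    return true;
}

/* Constructed stand-in for the host's cpuid: leaf 0 on a GenuineIntel part. */
static void fake_cpuid(uint32_t leaf, uint32_t subleaf,
                       uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    (void)subleaf;
    if (leaf == 0) {
        *a = 0x0000000Du;          /* max basic leaf, arbitrary for the example */
        *b = 0x756e6547u;          /* "Genu" */
        *d = 0x49656e69u;          /* "ineI" */
        *c = 0x6c65746eu;          /* "ntel" */
    } else {
        *a = *b = *c = *d = 0;
    }
}

static struct guest_state sample_exit(uint64_t cr3)
{
    struct guest_state g = {0};
    g.cr3 = cr3;
    g.rip = 0x401000;              /* constructed guest RIP of the cpuid */
    g.eax = 0;                     /* leaf 0 requested */
    g.exit_reason = EXIT_REASON_CPUID;
    g.exit_insn_len = 2;           /* cpuid is 0F A2 */
    return g;
}

/* Scenario A: the exit came from the target process. */
uint32_t demo_target_intr_info(void)
{
    struct guest_state g = sample_exit(0x1aa000);
    handle_cpuid_exit(&g, 0x1aa000, fake_cpuid);
    return g.entry_intr_info;      /* 0x80000603: valid | sw-exception | vector 3 */
}

/* Scenario B: some other process executed cpuid; it is just emulated and skipped. */
uint64_t demo_other_rip(void)
{
    struct guest_state g = sample_exit(0x7ff000);
    handle_cpuid_exit(&g, 0x1aa000, fake_cpuid);
    return g.rip;                  /* advanced past the 2-byte cpuid */
}

int main(void)
{
    printf("target: intr_info=0x%08x\n", demo_target_intr_info());
    printf("other : rip=0x%llx\n", (unsigned long long)demo_other_rip());
    return 0;
}
```

The CR3 comparison is the cheap process filter; anything finer (a particular thread or module) would need the handler to walk guest memory, which this model leaves out.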
Daniel Pistelli
05-20-2008, 02:15 AM
Hi deroko, I remember also reading an article about VT and cpuid on rootkit.com some time ago:
http://www.rootkit.com/newsread.php?newsid=758
The ones interested may wanna read this article as well.
Ciao
dELTA
05-20-2008, 03:45 AM
Another low-level gem from deroko, keep 'em coming.

Maximus
05-20-2008, 06:35 AM
ghgh
thanks
deroko
05-20-2008, 08:25 AM
Hi Daniel,
Yup, I remember that article, but the truth is that VT can be used for reversing purposes (rdtsc, DR emulation, IDT hooks without hooking the IDT - did anyone say PatchGuard?, cpuid faking for protectors which rely on cpuid as anti-dump, etc.). Not sure why everybody tries to use this tech for rootkits, as its real potential is RCE.

Daniel Pistelli
05-20-2008, 08:31 AM
Hi deroko,
Well, this seems a good moment to mention that I have an unfinished article about License Virtualization. That's why I was so interested in cpuid. And yes, it has great potential for RCE. =)
deroko
05-20-2008, 06:00 PM
can't wait to read it

Sounds like a very interesting topic.
Regards,
Daniel Pistelli
05-21-2008, 03:02 AM
deroko: thanks. JMI, yeah it is. I'm also tempted to write the article pretty soon, because the quantity of code already written for that article borders on surreal. But, to offer a demonstration, more code is needed, and I guess the demonstration is just too nice not to do it. I'm sorry if I diverted the thread from the cpuid instruction.