VT-x (or SVM in the case of AMD) is very useful in debugging/reversing/patching. The only thing you need is a small helper hypervisor. Using it, you can execute almost any code under a kind of virtual machine and watch its execution, set breakpoints, read/write any CPU registers, and even debug mode switches (user<->kernel). This hypervisor works as a "filter": most processor events pass straight through to the real OS, except critical/sensitive ones. Catching some events is needed to hide the hypervisor from the OS, minimize its influence on the execution flow and fake some sensitive data. Using the hardware-supported MTF (the so-called monitor trap flag) you can execute CPU instructions one by one, logging/modifying CPU registers or memory as you need on each instruction.
I suggest reading the Intel/AMD docs about VT-x/SVM to understand the power of using it in debugging/reversing.
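As an added illustration (not code from the post above), here is a host-side model of the "filter" exit handler it describes: MTF exits are logged as a single-step trace until a chosen guest RIP is reached, a CPUID exit gets its sensitive bit faked, and every other exit is passed through. No VMX instructions are executed; the VMCS and guest registers are plain structs, and the `struct vm`, `handle_vmexit` and `mtf_start` names are assumptions. The exit-reason numbers, the MTF control bit and the CPUID hypervisor-present bit are the real Intel VT-x encodings.

```c
#include <stddef.h>
#include <stdint.h>

#define EXIT_REASON_CPUID 10u          /* CPUID exits unconditionally under VT-x */
#define EXIT_REASON_MTF   37u          /* basic exit reason "Monitor trap flag"  */
#define PROC_CTL_MTF      (1u << 27)   /* MTF bit in primary proc-based controls */
#define CPUID_HV_PRESENT  (1u << 31)   /* CPUID.1:ECX[31], "hypervisor present"  */
#define TRACE_MAX         64

/* Simulated VMCS fields and guest registers (a model; assumption, not real VMX). */
struct vm {
    uint32_t proc_ctls;        /* primary processor-based VM-execution controls */
    uint64_t rip, rax, rcx;    /* guest RIP and the GPRs CPUID touches          */
    uint64_t stop_rip;         /* software "breakpoint": stop stepping here     */
    uint64_t trace[TRACE_MAX]; /* one guest RIP per single-stepped instruction  */
    size_t trace_len;
};

enum action { ACTION_RESUME = 0, ACTION_PASSTHROUGH = 1 };

/* Arm single-stepping: the CPU then exits after every guest instruction. */
void mtf_start(struct vm *vm, uint64_t stop_rip)
{
    vm->stop_rip = stop_rip;
    vm->trace_len = 0;
    vm->proc_ctls |= PROC_CTL_MTF;
}

/* The "filter": act on a few sensitive exits, let everything else through. */
enum action handle_vmexit(struct vm *vm, uint32_t reason)
{
    switch (reason) {
    case EXIT_REASON_MTF:   /* one instruction completed; RIP is the next one */
        if (vm->trace_len < TRACE_MAX)
            vm->trace[vm->trace_len++] = vm->rip;
        if (vm->rip == vm->stop_rip)
            vm->proc_ctls &= ~PROC_CTL_MTF;   /* breakpoint reached: stop */
        return ACTION_RESUME;
    case EXIT_REASON_CPUID: /* fake sensitive data so the guest OS behaves as on bare metal */
        /* Assumes rcx already holds the host CPUID result for leaf rax. */
        if (vm->rax == 1)
            vm->rcx &= ~(uint64_t)CPUID_HV_PRESENT;
        vm->rip += 2;                         /* skip the 2-byte CPUID insn */
        return ACTION_RESUME;
    default:                /* not sensitive: forward to the real OS */
        return ACTION_PASSTHROUGH;
    }
}
/* 1 while single-stepping is still armed, 0 once stop_rip was reached. */
int mtf_active(const struct vm *vm) { return (vm->proc_ctls & PROC_CTL_MTF) != 0; }
```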