Info on Test Registers

Index > Main > Info on Test Registers

Author

Thread

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid 05 Oct 2008, 18:31

Hi guys, do you know some good source of info on Test Registers (TR6, TR7)?

Particulary, I am interested in direct access to Branch Target Buffer, which should be supposedly possible via Test Registers.

05 Oct 2008, 18:31

DJ Mauretto

Joined: 14 Mar 2007
Posts: 464
Location: Rome,Italy

DJ Mauretto 05 Oct 2008, 19:44

Ciao

Try this http://www.jalix.org/ressources/miscellaneous/~vrac/faqsys/docs/pentium.txt
Test registers tr0 tr7 (386/486) don't exist anymore,in this document
there are model specific registers of pentium among them are 12 test registers
I do not think that standard.

_________________
Nil Volentibus Arduum Razz

05 Oct 2008, 19:44

DJ Mauretto

Joined: 14 Mar 2007
Posts: 464
Location: Rome,Italy

DJ Mauretto 06 Oct 2008, 09:36

Read 10.6.2 section of intel386 manual for original test registers TR6 TR7 Wink

http://www.x86.org/intel.doc/386manuals.htm

_________________
Nil Volentibus Arduum Razz

06 Oct 2008, 09:36

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid 06 Oct 2008, 10:24

I asked Agner Fog about this, and he told me direct access to BTB is only possible on old pentiums.

06 Oct 2008, 10:24

tom tobias

Joined: 09 Sep 2003
Posts: 1320
Location: usa

tom tobias 06 Oct 2008, 11:40

vid wrote:

...I am interested in direct access to Branch Target Buffer...

My understanding is that access to the BTB is sought in those situations in which one seeks to identify the out of order sequence of instructions, i.e. dynamic execution. I am unable to comprehend how the quest for that information relates to UEFI. Does some malware seek to disrupt the normal sequence of issuance of instructions?

Confused

06 Oct 2008, 11:40

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid 06 Oct 2008, 16:52

Quote:

Does some malware seek to disrupt the normal sequence of issuance of instructions?

No... I don't want to talk about this too much now, it's just an idea I will try to follow. Some time later i will publish all the stuff ready for pleasant reading.

06 Oct 2008, 16:52

IceStudent

Joined: 19 Dec 2003
Posts: 60
Location: Ukraine

IceStudent 16 Oct 2008, 18:25

vid wrote:

Particulary, I am interested in direct access to Branch Target Buffer, which should be supposedly possible via Test Registers.

Why not to use the MSR registers for it? You can to do it even in ring-3, via the NtSystemDebugControl(SysDbgReadMsr).

16 Oct 2008, 18:25

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 19103
Location: In your JS exploiting you and your system

revolution 16 Oct 2008, 23:31

IceStudent wrote:

Why not to use the MSR registers for it?

The reason is that any processor with test registers does not also have MSRs. I don't recall the exact change over point but the 80386 has test registers and the Pentium (and up) have MSRs. Somewhere in between the two the TRs were replaced with MSRs and they never existed together in the same CPU.

16 Oct 2008, 23:31

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum