Giter Club home page Giter Club logo

windowsintelpt's Introduction

Windows Intel PT Support

This driver implements the Intel Processor Trace functionality in Intel Skylake architecture for Microsoft Windows.

Overview

Intel Processor Trace is a high performance hardware supported branch tracing mechanism in Intel Skylake architecure.

Primary benefits include:

  • Avoids cache and TLB polution by writing directly to physical memory
  • Uses a compressed logging format that is suitable for long running traces
  • Able to trace all branches on a CPU core including userspace and kernel

Driver Features

  • Trace user processes using CR3 filtering
  • Trace kernel mode drivers using linear range filtering
  • Trace up to four arbitrary ranges of physical memory
  • Log to single physical address range
  • Log to table of physical pages and map to virtual address range
  • Multi-core tracing support
  • Full support for HyperV Root Partitions

Build Instructions

  • Open the included Visual Studio Project file in Visual Studio 2013 or 2015.
  • Ensure build options are set to x64 Release and build

Driver Loading Instructions

  • Ensure your CPU is Skylake architecture and you are running on native hardware (not a hypervisor)
  • Boot your Windows 8.1 or Windows 10 OS using boot options that allow loading test signed drivers
  • Install the WindowsPtDriver using sc create intelpt BinPath=%cd%\WindowsPtDriver\x64\Release\WindowsPtDriver.sys

Current Limitations

All threads in a usermode process will log to a single buffer, making it difficult to determine accurate execution per-thread. This something we are working to fix.

The IOCTLs for this driver must not be called from within the traced process. The driver maps the physical memory ranges holding the trace data into the process that initialized the trace, this is unstable if mapped into the trace target. Use the included command line tool for executing traces against target processes.

Development Notes

The driver currently executes a DbgBreak() on load if a kernel debugger is attached.

TODO List

  • Output sideband memory map information for post processing
  • Per-thread logging
  • Implement the support for Kernel KVA Shadowing

Last revision: 04/15/2018

windowsintelpt's People

Contributors

aall86 avatar richinseattle avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.