While debugging, when a debugger hits, the value of the RIP register is the current address where the debugger was attached. But is there a way to know the previous value of the RIP/EIP register, so that it would be clear what opcode executed before that current opcode?
- Unless you have some kind of tracing / logging, e.g. possibly via a CPU feature like Last Branch Record (LBR), then no. I'm not sure if LBR info is there for a debugger to read if it wasn't already attached earlier to enable it before running to a breakpoint or fault. – Peter Cordes Aug 28 '21 at 02:53
- In general, no, but what we typically do is single step from some known point forward, then we can see the instruction stream that reaches somewhere thereafter. Otherwise divide & conquer to find the known point from which to step forward. Of course, some simulators will support back stepping. – Erik Eidt Aug 28 '21 at 03:16
- Thanks, I thought so. I was thinking there may be an alternate register or something that could hold the previous RIP/EIP value, but I guess such a feature was never included. – PeaceBeUponYou Aug 28 '21 at 04:20
- @PeterCordes Do you mean like Intel's Branch Trace technique (BTS)? Or is it debugger related only? – PeaceBeUponYou Aug 28 '21 at 04:21
- x64dbg has a [tracing feature](https://help.x64dbg.com/en/latest/gui/views/Trace.html). – Margaret Bloom Aug 28 '21 at 10:20
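
The single-step approach from the comments, as an added example that is not code from any participant in this thread: a tracer starts at a known point, single-steps the child with `ptrace`, and keeps the last few RIP values in a ring buffer so the address of the previously executed instruction is available at any stop. It assumes Linux on x86-64; `HISTORY`, `rip_history`, `busy_target`, `trace_child` and `rip_back` are hypothetical names chosen for the illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define HISTORY 8  /* number of past RIP values kept (arbitrary for this example) */
struct rip_history { unsigned long long rip[HISTORY]; unsigned long steps; };

/* Constructed sample workload: long enough to outlast the step budget. */
static void busy_target(void) { for (volatile int i = 0; i < 100000; i++) { } }

/* Fork a child, single-step it for up to max_steps, recording RIP at each stop. */
static int trace_child(void (*target)(void), unsigned long max_steps,
                       struct rip_history *h)
{
    int status;
    memset(h, 0, sizeof *h);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(1);
        raise(SIGSTOP);               /* the "known point" stepping starts from */
        target();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    while (WIFSTOPPED(status) && h->steps < max_steps) {
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) break;
        h->rip[h->steps++ % HISTORY] = regs.rip;   /* overwrite the oldest slot */
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) < 0) break;
        if (waitpid(pid, &status, 0) < 0) break;
    }
    if (WIFSTOPPED(status)) { kill(pid, SIGKILL); waitpid(pid, &status, 0); }
    return h->steps ? 0 : -1;
}

/* RIP recorded `back` steps before the latest stop (0 = current); 0 if not held. */
static unsigned long long rip_back(const struct rip_history *h, unsigned long back)
{
    if (back >= HISTORY || back >= h->steps) return 0;
    return h->rip[(h->steps - 1 - back) % HISTORY];
}

int main(void)
{
    struct rip_history h;
    if (trace_child(busy_target, 200, &h) != 0) return 1;
    printf("current %#llx previous %#llx\n", rip_back(&h, 0), rip_back(&h, 1));
    return 0;
}
```

The history only covers instructions executed after stepping began, which matches the point made in the comments: without tracing enabled beforehand, the earlier value is not recoverable.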