How to intercept software interrupts?

[CallumCVM]

I would like to intercept software interrupts, such as the one issued when a APC is queued on a thread (0x1F). Despite my best efforts, I did not find a way to do this yet.

Description

As above

Expected behavior

VM-Exit on software interrupt

Actual behavior

N/A

Steps to reproduce the problem

Queue an APC, it will not be intercepted

Specifications

• OS version: Windows 10 19042 (20H2)

• Architecture: x64

• Hardware: Physical/VMWare

[tandasat]

Good question. IIUC, APC is triggered through local interrupts by lowering the task priority register (TRR), which is not covered by exceptions bitmap or acknowledging external interrupt.

I do not have a clear answer but you may want to look into and play with the "TPR threshold", which allows you to receive VM-exit when the TRR (CR8) is set to below the specified value. My current thinking is that you can set the TPR threshold to zero, so that you have an opportunity to inspect pending local interrupts in the local APIC and/or OS specific structures to manage APCs, when OS lowers CR8 to zero for APC delivery.

[CallumCVM]

Good question. IIUC, APC is triggered through local interrupts by lowering the task priority register (TRR), which is not covered by exceptions bitmap or acknowledging external interrupt.

I do not have a clear answer but you may want to look into and play with the "TPR threshold", which allows you to receive VM-exit when the TRR (CR8) is set to below the specified value. My current thinking is that you can set the TPR threshold to zero, so that you have an opportunity to inspect pending local interrupts in the local APIC and/or OS specific structures to manage APCs, when OS lowers CR8 to zero for APC delivery.

Thank you for the information, I will investigate and report back.