Accessing the SMRAM State Save Map

When the processor initially enters SMM, it writes its state to the state save area of the SMRAM. On an Intel® 64 processor the state save area begins at [SMBASE + 8000H + 7FFFH] and extends downward to [SMBASE + 8000H + 7C00H]. See the Intel® 64 and IA-32 Architectures Software Developer Manuals for details.

In the following example, the saved instruction pointer (RIP) value is read from the state save map:

  1. Enter SMM by setting an SMM Entry Break as described in Retaining Breakpoints Set Before SMM Entry.
  2. Get the SMBASE, which is stored in MSR 0x9E. In the Console window, enter:

    ia32cpu "read msr 0x9e /dbvar @SMBASE" 

    The SMBASE address is now stored in the @SMBASE debugger variable.

  3. In 64-bit mode the RIP register is saved at address SMBASE + 0x8000 + 0x7FD8. To print it in the Console window, enter:

    show mem /len=1/size=longlong (@SMBASE + 0x8000 + 0x7FD8) 

    To store it in a debugger variable, enter:

    set val /size=LONGLONG @SMRAM_RIP = *((int *)(@SMBASE + 0x8000 +
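The same lookup performed offline over a captured memory image, as an added Python example that is not code from this page or from the debugger product; the SMBASE value and the RIP contents below are constructed sample data, and the only layout facts used are the ones stated above:

```python
import struct

# Offsets relative to SMBASE, as given on this page for an Intel 64 processor.
SAVE_AREA_LOW = 0x8000 + 0x7C00     # lowest byte of the state save area
SAVE_AREA_HIGH = 0x8000 + 0x7FFF    # highest byte of the state save area
SAVED_RIP_OFFSET = 0x8000 + 0x7FD8  # saved RIP in 64-bit mode (8 bytes)


class SmramDump:
    """Raw bytes captured from physical memory, starting at dump_base."""

    def __init__(self, dump_base: int, data: bytes) -> None:
        self.dump_base = dump_base
        self.data = data

    def read_u64(self, phys_addr: int) -> int:
        """Read one little-endian 64-bit value, refusing reads outside the capture."""
        off = phys_addr - self.dump_base
        if off < 0 or off + 8 > len(self.data):
            raise ValueError(f"{phys_addr:#x} is outside the captured range")
        return struct.unpack_from("<Q", self.data, off)[0]


def state_save_range(smbase: int) -> tuple:
    """Physical address range [low, high] of the state save area for this SMBASE."""
    return smbase + SAVE_AREA_LOW, smbase + SAVE_AREA_HIGH


def saved_rip(dump: SmramDump, smbase: int) -> int:
    """Offline equivalent of: show mem /len=1/size=longlong (@SMBASE + 0x8000 + 0x7FD8)"""
    addr = smbase + SAVED_RIP_OFFSET
    low, high = state_save_range(smbase)
    if not (low <= addr and addr + 7 <= high):
        raise ValueError("RIP slot does not lie inside the state save area")
    return dump.read_u64(addr)


# Constructed sample: a hypothetical SMBASE and a save area holding a made-up RIP.
SAMPLE_SMBASE = 0x7E000000
SAMPLE_RIP = 0xFFFFFFFF81000ABC


def build_sample_dump(smbase: int = SAMPLE_SMBASE, rip: int = SAMPLE_RIP) -> SmramDump:
    low, high = state_save_range(smbase)
    area = bytearray(high - low + 1)  # 0x400 bytes, zero-filled except the RIP slot
    struct.pack_into("<Q", area, SAVED_RIP_OFFSET - SAVE_AREA_LOW, rip)
    return SmramDump(low, bytes(area))


if __name__ == "__main__":
    dump = build_sample_dump()
    print(f"saved RIP = {saved_rip(dump, SAMPLE_SMBASE):#018x}")
```

The bounds checks matter in practice: a dump that stops short of the save area, or an SMBASE read from the wrong logical processor, would otherwise yield a plausible-looking but wrong RIP.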
