When the processor initially enters SMM, it writes its state to the state save area of the SMRAM. On an Intel® 64 processor the state save area starts at [SMBASE + 8000H + 7FFFH] and extends downward to [SMBASE + 8000H + 7C00H]. See the Intel® 64 and IA-32 Architectures Software Developer Manuals for details.
In the following example, the saved instruction pointer (RIP) value from the State Save Map is accessed:
- Enter SMM by setting an SMM Entry Break as described in Retaining Breakpoints Set Before SMM Entry.
- Get the SMBASE, which is stored in MSR 0x9E (IA32_SMBASE). In the Console window, enter:
ia32cpu "read msr 0x9e /dbvar @SMBASE"
The SMBASE address is now stored in the @SMBASE debugger variable.
- In 64-bit mode the RIP register is saved at address SMBASE + 0x8000 + 0x7FD8. To print it in the Console window, enter:
show mem /len=1/size=longlong (@SMBASE + 0x8000 + 0x7FD8)
To store it in a debugger variable, enter (the pointer type must be 64-bit; a 32-bit cast such as (int *) would store only the low half of RIP):
set val /size=LONGLONG @SMRAM_RIP = *((long long *)(@SMBASE + 0x8000 + 0x7FD8));
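The same address arithmetic, as an added Python example that is not part of the original page or of the debugger: it computes a state-save-map field address from SMBASE, rejects offsets outside the 7C00H..7FFFH map, and reads the saved RIP from a constructed SMRAM image; a 4-byte read shows what a 32-bit pointer cast would return. The SMBASE value and the read_mem callback are assumptions made for the example.

```python
import struct

SMRAM_OFFSET = 0x8000        # the state save map sits at SMBASE + 8000H
STATE_SAVE_LOW = 0x7C00      # ... + 7C00H is the lowest byte of the map
STATE_SAVE_HIGH = 0x7FFF     # ... + 7FFFH is the highest byte of the map
RIP_OFFSET = 0x7FD8          # saved RIP in 64-bit mode


def state_save_field_address(smbase, offset, size=8):
    """Absolute address of a state-save-map field; rejects offsets outside the map."""
    if offset < STATE_SAVE_LOW or offset + size - 1 > STATE_SAVE_HIGH:
        raise ValueError(f"offset {offset:#x} (+{size} bytes) is outside the state save map")
    return smbase + SMRAM_OFFSET + offset


def read_saved_rip(smbase, read_mem, size=8):
    """Read the saved RIP through a read_mem(addr, n) -> bytes callback.

    size=4 mimics a 32-bit pointer cast and returns only the low half of RIP.
    """
    addr = state_save_field_address(smbase, RIP_OFFSET, size)
    return int.from_bytes(read_mem(addr, size), "little")


SAMPLE_SMBASE = 0x30000              # assumed SMBASE for the constructed image
SAMPLE_RIP = 0xFFFFFFFF80001234      # constructed saved RIP value


def make_sample_smram():
    """Constructed 64 KiB SMRAM image with only the saved RIP populated."""
    image = bytearray(0x10000)
    struct.pack_into("<Q", image, SMRAM_OFFSET + RIP_OFFSET, SAMPLE_RIP)

    def read_mem(addr, n):
        start = addr - SAMPLE_SMBASE
        if not 0 <= start <= len(image) - n:
            raise ValueError(f"address {addr:#x} is not inside the sample SMRAM")
        return bytes(image[start:start + n])

    return read_mem


if __name__ == "__main__":
    rd = make_sample_smram()
    print(f"RIP address: {state_save_field_address(SAMPLE_SMBASE, RIP_OFFSET):#x}")
    print(f"64-bit read: {read_saved_rip(SAMPLE_SMBASE, rd):#x}")
    print(f"32-bit read: {read_saved_rip(SAMPLE_SMBASE, rd, size=4):#x}")
```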