| description | Description of the 'lbr_restore' function in HyperDbg Scripts |
|---|
lbr_restore
lbr_restore();
None
Re-enables the Last Branch Record (LBR) on the current core using the filter options that were previously configured via the '!lbr filter' command.
This function exists because certain debug events, such as trap flag exceptions (#DB) or hardware debug register breakpoints (DR0–DR3) can disable LBR on the core where they fire. You can use 'lbr_check' to detect this condition before calling this function. After restoring, execution must resume and the event must trigger again before the LBR buffer contains valid data.
Returns 1 if LBR was restored successfully, or 0 if the operation failed (e.g., LBR was not initialized using the '!lbr enable' command or was already disabled using '!lbr disable').
The following example restores LBR with the previously configured filter if it has been disabled by a #DB event.
!lbr enable
!epthook 7ff7393a2fd7 pid 3274 script {
if (lbr_check() == 0) {
lbr_restore();
printf("LBR is disabled (e.g., because of a #DB) and now it is re-enabled.\n");
} else {
lbr_save();
printf("LBR records are saved.\n");
}
}The support for this function is added from v0.19.
This function restores LBR using the filter configuration from the most recent '!lbr filter' command. If you need to restore with a specific filter bitmask instead, use 'lbr_restore_by_filter'.
This function requires LBR to have been previously initialized with '!lbr enable'. It will return 0 and perform no operation if LBR was never started or has already been stopped with '!lbr disable'.
Debug Break (#DB) exceptions raised by trap flags or hardware debug registers can disable LBR on the affected core. After calling this function, execution must resume and the target event must fire again to capture valid LBR data.