Uninformed: Informative Information for the Uninformed

Vol 9, 2008.Jan

Clearing the Processor Debug Registers

The x86 family of processors includes a set of special registers that are designed to assist in the debugging of programs. These registers allow a user to cause the processor to stop when a particular memory location is accessed, as an instruction fetch, as a data read, or as a data write. This debugging facility allows a user (debugger) to set up to four different virtual addresses that will trap execution when referenced in a particular way. The use of these debug registers to set traps on specific locations is sometimes known as setting a hardware breakpoint, as the processor's dedicated debugging support (in-hardware) is being utilized.

Because these registers are obviously useful to anyone attempting to analyze or reverse engineer the Lockdown module, the module actively disables this debugging aid by explicitly zeroing the key debug registers in the context of the thread executing the Lockdown module's version check call, CheckRevision. All the requisite debug registers are cleared immediately after the call to the CheckRevision routine in the Lockdown module is made.
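The following is an added illustration, not code from the article or from the Lockdown module: a small C model of the four address registers (DR0-DR3) and the DR7 control register, showing how a slot is armed, what zeroing the registers does to it, and the before/after count a debugger can use to notice that its hardware breakpoints were wiped. The field layout follows the x86 DR7 definition; the addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the x86 debug registers used for hardware breakpoints:
 * DR0-DR3 hold up to four linear addresses, DR7 enables each slot and
 * selects the access type (execute / write / read-write) and length. */
typedef struct {
    uint64_t dr[4];   /* DR0..DR3: breakpoint addresses */
    uint64_t dr7;     /* DR7: control register */
} debug_regs_t;

enum { BP_EXEC = 0, BP_WRITE = 1, BP_RW = 3 };          /* R/Wn field values */
enum { LEN_1 = 0, LEN_2 = 1, LEN_8 = 2, LEN_4 = 3 };   /* LENn field values */

/* Arm slot n (0..3) as a local breakpoint: Ln is bit 2n, R/Wn occupies
 * bits 16+4n..17+4n and LENn bits 18+4n..19+4n of DR7. Returns 0 on success. */
int set_hw_breakpoint(debug_regs_t *r, int n, uint64_t addr, int rw, int len) {
    if (n < 0 || n > 3) return -1;
    if (rw == BP_EXEC && len != LEN_1) return -1;   /* execute traps must be 1 byte */
    r->dr[n] = addr;
    r->dr7 &= ~((uint64_t)0xF << (16 + 4 * n));     /* clear old R/W and LEN bits */
    r->dr7 |= (uint64_t)rw << (16 + 4 * n);
    r->dr7 |= (uint64_t)len << (18 + 4 * n);
    r->dr7 |= (uint64_t)1 << (2 * n);               /* Ln: local enable */
    return 0;
}

/* The effect described in the text: wipe the address registers and the
 * control register so that no trap remains armed in the thread context. */
void clear_debug_registers(debug_regs_t *r) {
    memset(r->dr, 0, sizeof r->dr);
    r->dr7 = 0;
}

/* Number of slots still armed (Ln or Gn set). A debugger can compare this
 * before and after the protected call to detect that its traps were removed. */
int active_breakpoints(const debug_regs_t *r) {
    int count = 0;
    for (int n = 0; n < 4; n++)
        if (r->dr7 & ((uint64_t)3 << (2 * n))) count++;
    return count;
}

int main(void) {
    debug_regs_t regs = {0};
    set_hw_breakpoint(&regs, 0, 0x00401000, BP_EXEC, LEN_1);   /* constructed addresses */
    set_hw_breakpoint(&regs, 1, 0x00403000, BP_WRITE, LEN_4);
    printf("armed before: %d, DR7=%#llx\n", active_breakpoints(&regs), (unsigned long long)regs.dr7);
    clear_debug_registers(&regs);
    printf("armed after clearing: %d\n", active_breakpoints(&regs));
    return 0;
}
```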

This protection mechanism constitutes an anti-debugging scheme.