The x86 Interrupt Descriptor Table
On Intel x86 platforms, the handlers for INT 1 and INT 3 in the Interrupt Descriptor Table (IDT) are used to support debugging (instruction-level single-stepping and breakpoints, respectively).
Phrack 59:4 — Handling Interrupt Descriptor Table for fun and profit
This article explains the internals of the IDT.
Phrack 59:10 — Execution path analysis: finding kernel based rootkits
This article provides more details on manipulating the IDT.
Intel CPU debug registers
Phrack 65:8 — Mistifying the debugger, ultimate stealthiness
This article explains the DR debug registers on Intel x86 systems, their use and abuse.
Reverse engineering Skype
Reverse engineering Skype required the creation of a new kernel-level debugger: http://rr0d.droids-corp.org/
The slides explain its design and the challenges involved.
Talks on reverse engineering Skype:
- "Vanilla Skype" @ RECON 2005: http://recon.cx/en/f/vskype-part1.pdf, http://recon.cx/en/f/vskype-part2.pdf
- "Silver Needle in the Skype" @ BlackHat Europe 2006: http://www.secdev.org/conf/skype_BHEU06.handout.pdf