SUMMARY.md

Table of contents

• HyperDbg

Getting Started

• Quick Start
• FAQ
• Build & Install
• Attach to HyperDbg
  • Attach to a remote machine
  • Attach to local machine
  • Start a new process
  • Attach to a running process

Using HyperDbg

• Prerequisites
  • Operation Modes
  • How to create a condition?
  • How to create an action?
  • Signatures
• User-mode Debugging
  • Principles
  • Examples
    • basics
    • events
      • Getting Results of a System-call
• Kernel-mode Debugging
  • Principles
  • Examples
    • beginning
      • Connecting To HyperDbg
      • Configuring Symbol Server/Path
    • basics
      • Setting Breakpoints & Stepping Instructions
      • Displaying & Editing & Searching Memory
      • Showing & Modifying Registers and Flags
      • Switching to a Specific Process or Thread
      • Mapping Data & Create Structures, and Enums From Symbols
    • events
      • Managing Events
      • Hooking Any Function
      • Intercepting All SYSCALLs
      • Monitoring Accesses To Structures
      • Triggering Special Instructions
      • Identifying System Behavior
    • Scripting Language Examples
• Software Development Kit (SDK)
  • Events
    • Conditions
    • Actions
  • IOCTL
    • Event Registration

Commands

• Debugging Commands
  • ? (evaluate and execute expressions and scripts in debuggee)
  • ~ (display and change the current operating core)
  • a (assemble virtual address)
  • load (load the kernel modules)
  • unload (unload the kernel modules)
  • status (show the debuggee status)
  • events (show and modify active/disabled events)
  • p (step-over)
  • t (step-in)
  • i (instrumentation step-in)
  • gu (step-out or go up)
  • r (read or modify registers)
  • bp (set breakpoint)
  • bl (list breakpoints)
  • be (enable breakpoints)
  • bd (disable breakpoints)
  • bc (clear and remove breakpoints)
  • g (continue debuggee or processing kernel packets)
  • x (examine symbols and find functions and variables address)
  • db, dc, dd, dq (read virtual memory)
  • eb, ed, eq (edit virtual memory)
  • sb, sd, sq (search virtual memory)
  • u, u64, u2, u32 (disassemble virtual address)
  • k, kd, kq (display stack backtrace)
  • dt (display and map virtual memory to structures)
  • struct (make structures, enums, data types from symbols)
  • sleep (wait for specific time in the .script command)
  • pause (break to the debugger and pause processing kernel packets)
  • print (evaluate and print expression in debuggee)
  • lm (view loaded modules)
  • cpu (check cpu supported technologies)
  • rdmsr (read model-specific register)
  • wrmsr (write model-specific register)
  • flush (remove pending kernel buffers and messages)
  • prealloc (reserve pre-allocated pools)
  • preactivate (pre-activate special functionalities)
  • output (create output source for event forwarding)
  • test (test functionalities)
  • settings (configures different options and preferences)
  • exit (exit from the debugger)
• Meta Commands
  • .help (show the help of commands)
  • .debug (prepare and connect to debugger)
  • .connect (connect to a session)
  • .disconnect (disconnect from a session)
  • .listen (listen on a port and wait for the debugger to connect)
  • .status (show the debugger status)
  • .start (start a new process)
  • .restart (restart the process)
  • .attach (attach to a process)
  • .detach (detach from the process)
  • .switch (show the list and switch between active debugging processes)
  • .kill (terminate the process)
  • .process, .process2 (show the current process and switch to another process)
  • .thread, .thread2 (show the current thread and switch to another thread)
  • .pagein (bring the page into the RAM)
  • .dump (save the virtual memory into a file)
  • .formats (show number formats)
  • .script (run batch script commands)
  • .sympath (set the symbol server)
  • .sym (load pdb symbols)
  • .pe (parse PE file)
  • .logopen (open log file)
  • .logclose (close log file)
  • .cls (clear the screen)
• Extension Commands
  • !a (assemble physical address)
  • !pte (display page-level address and entries)
  • !db, !dc, !dd, !dq (read physical memory)
  • !eb, !ed, !eq (edit physical memory)
  • !sb, !sd, !sq (search physical memory)
  • !u, !u64, !u2, !u32 (disassemble physical address)
  • !dt (display and map physical memory to structures)
  • !track (track and map function calls and returns to the symbols)
  • !epthook (hidden hook with EPT - stealth breakpoints)
  • !epthook2 (hidden hook with EPT - detours)
  • !monitor (monitor read/write/execute to a range of memory)
  • !syscall, !syscall2 (hook system-calls)
  • !sysret, !sysret2 (hook SYSRET instruction execution)
  • !mode (detect kernel-to-user and user-to-kernel transitions)
  • !cpuid (hook CPUID instruction execution)
  • !msrread (hook RDMSR instruction execution)
  • !msrwrite (hook WRMSR instruction execution)
  • !tsc (hook RDTSC/RDTSCP instruction execution)
  • !pmc (hook RDPMC instruction execution)
  • !vmcall (hook hypercalls)
  • !exception (hook first 32 entries of IDT)
  • !interrupt (hook external device interrupts)
  • !dr (hook access to debug registers)
  • !ioin (hook IN instruction execution)
  • !ioout (hook OUT instruction execution)
  • !hide (enable transparent-mode)
  • !unhide (disable transparent-mode)
  • !measure (measuring and providing details for transparent-mode)
  • !va2pa (convert a virtual address to physical address)
  • !pa2va (convert physical address to virtual address)
  • !dump (save the physical memory into a file)
  • !pcitree (show PCI/PCIe device tree)
  • !pcicam (dump the PCI/PCIe configuration space)
  • !idt (show Interrupt Descriptor Table entries)
  • !apic (dump local APIC entries in XAPIC and X2APIC modes)
  • !ioapic (dump I/O APIC)
• Scripting Language
  • Assumptions & Evaluations
  • Variables & Assignments
  • Casting & Type-awareness
  • Conditionals & Loops
  • Constants & Functions
  • Debugger Script (DS)
  • Examples
    • view system state (registers, memory, variables)
    • change system state (registers, memory, variables)
    • trace function calls
    • pause the debugger conditionally
    • conditional breakpoints and events
    • patch the normal sequence of execution
    • access to a shared variable from different cores
    • count occurrences of events
  • Functions
    • debugger
      • pause
    • events
      • event_enable
      • event_disable
      • event_clear
      • event_sc
      • event_inject
      • event_inject_error_code
      • flush
    • exports
      • print
      • printf
    • interlocked
      • interlocked_compare_exchange
      • interlocked_decrement
      • interlocked_exchange
      • interlocked_exchange_add
      • interlocked_increment
    • memory
      • check_address
      • eb, ed, eq
      • eb_pa, ed_pa, eq_pa
      • memcpy
      • memcpy_pa
      • memcmp
      • virtual_to_physical
      • physical_to_virtual
    • diassembler
      • disassemble_len
      • disassemble_len32
    • spinlocks
      • spinlock_lock
      • spinlock_lock_custom_wait
      • spinlock_unlock
    • strings
      • strlen
      • wcslen
      • strcmp
      • strncmp
      • wcscmp
      • wcsncmp
• Commands Map

Tips & Tricks

• Considerations
  • Basic concepts in Intel VT-x
  • VMX root-mode vs VMX non-root mode
  • The "unsafe" behavior
  • Script engine in VMX non-root mode
  • Difference between process and thread switching commands
  • Accessing Invalid Address
  • Transparent Mode
• Nested-Virtualization Environments
  • Supported Virtual Machines
  • Run HyperDbg on VMware
  • Run HyperDbg on Hyper-V
  • Supporting VMware/Hyper-V
  • VMware backdoor I/O ports
• Misc
  • Event forwarding
  • Event short-circuiting
  • Event calling stage
  • Instant events
  • Message overflow
  • Customize build
    • Increase Communication Buffer Size
    • Number of EPT Hooks in One Page
    • Change Script Engine Limitations
  • Enable and disable events in Debugger Mode
  • Switch to New Process Layout

Contribution

• Style Guide
  • Coding style
  • Command style
  • Doxygen style
• Logo & Artworks

Design

• Features
  • VMM (Module)
    • Control over NMIs
    • VMX root-mode compatible message tracing
    • Design of !epthook
    • Design of !epthook2
    • Design of !monitor
    • Design of !syscall & !sysret
    • Design of !exception & !interrupt
• Debugger Internals
  • Events
  • Conditions
  • Actions
  • Kernel Debugger
    • Design Perspective
    • Connection

Links

• Twitter
• Telegram
• Discord
• Matrix
• Mastodon
• YouTube
• hwdbg (Chip Debugger)
• Doxygen
• Contribution