| description |
|---|
Attaching to an already running process |
Attaching to an already running process is crucial for debugging. HyperDbg implemented attaching in VMI Mode. If you want to use this mechanism in Debugger Mode, you can use the '.process' and the '.thread' commands.
{% hint style="danger" %} The user-mode debugger is still in the beta version and not stable. We decided to exclude it from this release and release it in future versions. If you want to test the user-mode debugger in VMI Mode, you should build HyperDbg with special instructions. Please follow the instruction here.
In contrast with the kernel debugger, the user debugger is still very basic and needs a lot of tests and improvements. We highly recommend not to run the user debugger in your bare metal system. Instead, run it on a supported virtual machine to won't end up with a Blue Screen of Death (BSOD) in your primary device. Please keep reporting the issues to improve the user debugger. {% endhint %}
Please make sure to read the user debugger's principles before using the '.attach' command.
After connecting to the debuggee in VMI Mode (local debugging), you can run the following command to start the "Thread Interception" phase.
HyperDbg> .attach pid 1ac0
The process Id should be in hex format. We chose "mspaint" for debugging.
After intercepting the user mode running threads, we can now step through the instructions.
Note that all the intercepted threads are halted when running a single-step command.
Next, if you run the 'g' command, HyperDbg will normally continue the target debuggee process.
If you want to pause the debuggee and intercept the user running threads again, you can either use the 'pause' command or press CTRL+C.
Note that you should keep interacting with the process to force the process to run its codes in user-mode so HyperDbg will intercept more threads.
Finally, we can detach from the target process by using the '.detach' command.
In this article, we've learned how to use the user debugger to attach to the target process. Please read the article here if you want to start a process and debug it from the entrypoint.