start-process.md (latest commit 150c983 · Apr 2, 2024)
---
description: Starting a process from entrypoint
---

# Start a new process

Starting to debug a user-mode process from the entrypoint of its main module is one of the essential tasks a debugger performs, and HyperDbg is no exception.

In HyperDbg, starting a process is possible in VMI Mode and Debugger Mode.

HyperDbg does not use any Windows API for intercepting and pausing threads; everything is done at the hypervisor level.

{% hint style="danger" %} The user-mode debugger is still in beta and not stable. We decided to exclude it from this release and ship it in a future version. If you want to test the user-mode debugger in VMI Mode, you have to build HyperDbg with special instructions. Please follow the instructions here.

In contrast with the kernel debugger, the user debugger is still very basic and needs a lot of testing and improvement. We highly recommend not running the user debugger on your bare-metal system. Instead, run it on a supported virtual machine so you won't end up with a Blue Screen of Death (BSOD) on your primary device. Please keep reporting issues so the user debugger can be improved. {% endhint %}

First, you need to either connect to the local debugger or a remote debugger over a serial port.

After that, use the `.start` command to run the process from its path on the target machine.

```
HyperDbg> .start path c:\Windows\system32\notepad.exe
```

You can also pass parameters to the target executable.

```
HyperDbg> .start path c:\Windows\system32\notepad.exe c:\myfolder\myfile.txt
```

HyperDbg runs the process and places a breakpoint on its entrypoint. Once the process reaches the entrypoint (that is, once module loading has finished), the debuggee is paused again and control is handed back to the user or kernel debugger.

Starting an EXE and running until entrypoint

If you're using a kernel debugger, everything (including the operating system) is halted, and you can debug the process normally.

If you're using the user debugger, only the target thread is paused, and it waits for commands from the debugger.

For example, here we used the `t` command to single-step through the instructions.

After running the `g` command, the target process continues normally.

Continue the target process

If you want to pause the debuggee again, you can use the `pause` command or press CTRL+C.

Note that pausing the target thread is only possible in the user debugger, not the kernel debugger. Also, you should keep interacting with the process so that it runs its user-mode code and HyperDbg can intercept more of its threads.

Pausing the target process

Finally, once the debugging session is finished, use the `.detach` command to detach from the target process. Detaching from the process only makes sense in the user debugger.

Detaching from the process

In this article, we've seen how to start a process and halt at its entrypoint. You might instead want to attach to an already running process; for that, please read the article here.