GitBook: [#996] No subject

Author: SinaKarvandi

SUMMARY.md

@@ -17,29 +17,30 @@
   * [Operation Modes](using-hyperdbg/prerequisites/operation-modes.md)
   * [How to create a condition?](using-hyperdbg/prerequisites/how-to-create-a-condition.md)
   * [How to create an action?](using-hyperdbg/prerequisites/how-to-create-an-action.md)
-* [User-mode Debugging](using-hyperdbg/user-mode-debugging.md)
-* [Kernel-mode Debugging](using-hyperdbg/kernel-mode-debugging.md)
-* [Examples](using-hyperdbg/examples/README.md)
-  * [beginning](using-hyperdbg/examples/beginning/README.md)
-    * [Connecting To HyperDbg](using-hyperdbg/examples/beginning/connecting-to-hyperdbg.md)
-    * [Configuring Symbol Server/Path](using-hyperdbg/examples/beginning/configuring-symbol-server-path.md)
-  * [basics](using-hyperdbg/examples/basics/README.md)
-    * [Setting Breakpoints & Stepping Instructions](using-hyperdbg/examples/basics/setting-breakpoints-and-stepping-instructions.md)
-    * [Displaying & Editing & Searching Memory](using-hyperdbg/examples/basics/displaying-and-editing-and-searching-memory.md)
-    * [Showing & Modifying Registers and Flags](using-hyperdbg/examples/basics/showing-and-modifying-registers-and-flags.md)
-    * [Switching to a Specific Process or Thread](using-hyperdbg/examples/basics/switching-to-a-specific-process-or-thread.md)
-  * [events](using-hyperdbg/examples/events/README.md)
-    * [Managing Events](using-hyperdbg/examples/events/managing-events.md)
-    * [Hooking Any Function](using-hyperdbg/examples/events/hooking-any-function.md)
-    * [Intercepting All SYSCALLs](using-hyperdbg/examples/events/intercepting-all-syscalls.md)
-    * [Monitoring Accesses To Structures](using-hyperdbg/examples/events/monitoring-accesses-to-structures.md)
-    * [Triggering Special Instructions](using-hyperdbg/examples/events/triggering-special-instructions.md)
-    * [Identifying System Behavior](using-hyperdbg/examples/events/identifying-system-behavior.md)
-  * [scripts](using-hyperdbg/examples/scripts/README.md)
-    * [Running HyperDbg Script](using-hyperdbg/examples/misc/running-hyperdbg-script.md)
-  * [misc](using-hyperdbg/examples/misc/README.md)
-    * [Defeating Anti-Debug & Anti-Hypervisor Methods](using-hyperdbg/examples/misc/defeating-anti-debug-and-anti-hypervisor-methods.md)
-  * [Scripting Language Examples](https://docs.hyperdbg.org/commands/scripting-language/examples)
+* [User-mode Debugging](using-hyperdbg/user-mode-debugging/README.md)
+  * [Examples](using-hyperdbg/user-mode-debugging/examples.md)
+* [Kernel-mode Debugging](using-hyperdbg/kernel-mode-debugging/README.md)
+  * [Examples](using-hyperdbg/kernel-mode-debugging/examples/README.md)
+    * [beginning](using-hyperdbg/kernel-mode-debugging/examples/beginning/README.md)
+      * [Connecting To HyperDbg](using-hyperdbg/kernel-mode-debugging/examples/beginning/connecting-to-hyperdbg.md)
+      * [Configuring Symbol Server/Path](using-hyperdbg/kernel-mode-debugging/examples/beginning/configuring-symbol-server-path.md)
+    * [basics](using-hyperdbg/kernel-mode-debugging/examples/basics/README.md)
+      * [Setting Breakpoints & Stepping Instructions](using-hyperdbg/kernel-mode-debugging/examples/basics/setting-breakpoints-and-stepping-instructions.md)
+      * [Displaying & Editing & Searching Memory](using-hyperdbg/kernel-mode-debugging/examples/basics/displaying-and-editing-and-searching-memory.md)
+      * [Showing & Modifying Registers and Flags](using-hyperdbg/kernel-mode-debugging/examples/basics/showing-and-modifying-registers-and-flags.md)
+      * [Switching to a Specific Process or Thread](using-hyperdbg/kernel-mode-debugging/examples/basics/switching-to-a-specific-process-or-thread.md)
+    * [events](using-hyperdbg/kernel-mode-debugging/examples/events/README.md)
+      * [Managing Events](using-hyperdbg/kernel-mode-debugging/examples/events/managing-events.md)
+      * [Hooking Any Function](using-hyperdbg/kernel-mode-debugging/examples/events/hooking-any-function.md)
+      * [Intercepting All SYSCALLs](using-hyperdbg/kernel-mode-debugging/examples/events/intercepting-all-syscalls.md)
+      * [Monitoring Accesses To Structures](using-hyperdbg/kernel-mode-debugging/examples/events/monitoring-accesses-to-structures.md)
+      * [Triggering Special Instructions](using-hyperdbg/kernel-mode-debugging/examples/events/triggering-special-instructions.md)
+      * [Identifying System Behavior](using-hyperdbg/kernel-mode-debugging/examples/events/identifying-system-behavior.md)
+    * [scripts](using-hyperdbg/kernel-mode-debugging/examples/scripts/README.md)
+      * [Running HyperDbg Script](using-hyperdbg/kernel-mode-debugging/examples/scripts/running-hyperdbg-script.md)
+    * [misc](using-hyperdbg/kernel-mode-debugging/examples/misc/README.md)
+      * [Defeating Anti-Debug & Anti-Hypervisor Methods](using-hyperdbg/kernel-mode-debugging/examples/misc/defeating-anti-debug-and-anti-hypervisor-methods.md)
+    * [Scripting Language Examples](https://docs.hyperdbg.org/commands/scripting-language/examples)
 
 ## Commands
 

using-hyperdbg/kernel-mode-debugging.md renamed to using-hyperdbg/kernel-mode-debugging/README.md

@@ -41,15 +41,15 @@ After compiling and running the above code, we use the command shown in the pict
 3: kHyperDbg> .process list
 ```
 
-![View process list](../../../.gitbook/assets/1-process-list.png)
+![View process list](../../../../.gitbook/assets/1-process-list.png)
 
 We find our target program which its name is "**Test.exe**". Then, we see a list of running threads based on this process. For this purpose, we used the process object address (`nt!_EPROCESS`).
 
 ```
 3: kHyperDbg> .thread list process ffff948cc16c3080
 ```
 
-![View list of threads of a process](../../../.gitbook/assets/2-find-threads-of-test-process.png)
+![View list of threads of a process](../../../../.gitbook/assets/2-find-threads-of-test-process.png)
 
 Now, we can switch to the target thread and continue the debuggee. Whenever the system reaches the target thread, it will be halted again and run new commands.
 
@@ -59,30 +59,30 @@ Note that it's a 32-bit program, so we use the '[u2](https://docs.hyperdbg.org/c
 3: kHyperDbg> .thread tid b10
 ```
 
-![Switch to a new thread](../../../.gitbook/assets/3-switch-to-the-target-thread.png)
+![Switch to a new thread](../../../../.gitbook/assets/3-switch-to-the-target-thread.png)
 
 After analyzing the program, we find the jumps in the assembly code. You can also see the calls that are probably a link to the `printf` function.
 
 ```
 2: kHyperDbg> u2 00e249f6
 ```
 
-![Disassemble the target thread](../../../.gitbook/assets/4-disassembling-and-finding-jumps.png)
+![Disassemble the target thread](../../../../.gitbook/assets/4-disassembling-and-finding-jumps.png)
 
 Then, we step through the instructions to better understand how this program works.
 
-![Step through the instructions](../../../.gitbook/assets/5-stepping-and-investigate-the-test-program.png)
+![Step through the instructions](../../../../.gitbook/assets/5-stepping-and-investigate-the-test-program.png)
 
 After some investigation, we can conclude that the guilty jump is located at `0xe24a31`, so we'll modify the memory and patch it by using nop instructions(0x90).
 
 ```
 2: kHyperDbg> eb 00e24a31 90 90
 ```
 
-![Patch the program's execution flow](../../../.gitbook/assets/6-patch-the-target-jump.png)
+![Patch the program's execution flow](../../../../.gitbook/assets/6-patch-the-target-jump.png)
 
 If we continue the debuggee again, you can see that the patched program jumps out of the infinite loop and show the '**thread is closed!**' message.
 
-![The result of patched program](../../../.gitbook/assets/7-result-of-patching-target-program.png)
+![The result of patched program](../../../../.gitbook/assets/7-result-of-patching-target-program.png)
 
 It was a simple example of how to use thread and process switching commands in HyperDbg. You can think about different approaches that you can use to change the program's execution flow (like changing the RFLAGS, etc.) or analyze any other programs.