only cpuid? or rdtsc to?

It's applid to the VM-exit handler, so it's for all instructions and in your case, both of them.

Hi guys .. sometimes I got this error / exception

It's a page fault exception so maybe I'm trying to put a hook on a paged out address?but I'm pretty sure that's not the case because i put it exactly on a kernel address located in the non paged pool

[discord] <rol0807_03449> Hi. It's not possible to do such - using $pid ?
`!epthook ntdll!NtCreateUserProcess pid $pid`

[discord] <rol0807_03449> After .process, $pid should be set?

[discord] <rol0807_03449> [reply]: I to have this issue sometime. Dont know why. Usually restart hyperdbg-client.exe and it stops.

Hi,
This error means that there is an error happened in VMX-root mode.

In order to debug that, you should comment this line:

https://github.com/HyperDbg/HyperDbg/blob/136ba94c293558410cce8994f24460d3760d50b8/hyperdbg/hyperhv/code/vmm/vmx/IdtEmulation.c#L171

and then recompile HyperDbg.

Once you run your new recompiled version of HyperDbg, if you can reproduce the error again, windbg will give you a crash analysis (!analyze -v).

And then we could further investigate the error.

Bro when I see IDT 👀 exception I know that it will be a headache 😂

It's a valid script but does not make sense in VMI mode (and most of the time in the debugger mode). You're putting a hidden breakpoint on HyperDbg's calls on this function which might break the ability of hyperdbg to run a process. Maybe you're trying to do sth else? Can you explain what you're trying to do with this?

No, these kinds of errors are usually easy to debug.

You could also send steps we could reproduce the error, this way we could also reproduce and fix it.

I will do that ... I will prepare a good tea 🍵 and make it crash again and I will send you the steps xd

here is the result of the crash related to access to paged out memory space

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 00000000000000ff, IRQL
Arg3: 0000000000000078, value 0 = read operation, 1 = write operation
Arg4: 0000000000000000, address which referenced memory

Debugging Details:
------------------

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 12640

Key : Analysis.Elapsed.mSec
Value: 453336

Key : Analysis.IO.Other.Mb
Value: 1

Key : Analysis.IO.Read.Mb
Value: 8

Key : Analysis.IO.Write.Mb
Value: 13

Key : Analysis.Init.CPU.mSec
Value: 4937

Key : Analysis.Init.Elapsed.mSec
Value: 2406923

Key : Analysis.Memory.CommitPeak.Mb
Value: 98

Key : Analysis.Version.DbgEng
Value: 10.0.27725.1000

Key : Analysis.Version.Description
Value: 10.2408.27.01 amd64fre

Key : Analysis.Version.Ext
Value: 1.2408.27.1

Key : Bugcheck.Code.KiBugCheckData
Value: 0xd1

Key : Bugcheck.Code.LegacyAPI
Value: 0xd1

Key : Bugcheck.Code.TargetModel
Value: 0xd1

Key : Failure.Bucket
Value: DISABLED_INTERRUPT_FAULT_CODE_AV_NULL_IP_nt!KiPageFault

Key : Failure.Hash
Value: {e278d0dd-1b4e-69e0-8914-52640838b8ec}

Key : Hypervisor.Enlightenments.Value
Value: 12576

Key : Hypervisor.Enlightenments.ValueHex
Value: 3120

Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1

Key : Hypervisor.Flags.ApicEnlightened
Value: 0

Key : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 0

Key : Hypervisor.Flags.AsyncMemoryHint
Value: 0

Key : Hypervisor.Flags.CoreSchedulerRequested
Value: 0

Key : Hypervisor.Flags.CpuManager
Value: 0

Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 1

Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 0

Key : Hypervisor.Flags.Epf
Value: 0

Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 0

Key : Hypervisor.Flags.HardwareMbecAvailable
Value: 1

Key : Hypervisor.Flags.MaxBankNumber
Value: 0

Key : Hypervisor.Flags.MemoryZeroingControl
Value: 0

Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 1

Key : Hypervisor.Flags.NoNonArchCoreSharing
Value: 0

Key : Hypervisor.Flags.Phase0InitDone
Value: 1

Key : Hypervisor.Flags.PowerSchedulerQos
Value: 0

Key : Hypervisor.Flags.RootScheduler
Value: 0

Key : Hypervisor.Flags.SynicAvailable
Value: 1

Key : Hypervisor.Flags.UseQpcBias
Value: 0

Key : Hypervisor.Flags.Value
Value: 667704

Key : Hypervisor.Flags.ValueHex
Value: a3038

Key : Hypervisor.Flags.VpAssistPage
Value: 1

Key : Hypervisor.Flags.VsmAvailable
Value: 0

Key : Hypervisor.RootFlags.AccessStats
Value: 0

Key : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 0

Key : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 0

Key : Hypervisor.RootFlags.DisableHyperthreading
Value: 0

Key : Hypervisor.RootFlags.HostTimelineSync
Value: 0

Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0

Key : Hypervisor.RootFlags.IsHyperV
Value: 0

Key : Hypervisor.RootFlags.LivedumpEnlightened
Value: 0

Key : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 0

Key : Hypervisor.RootFlags.MceEnlightened
Value: 0

Key : Hypervisor.RootFlags.Nested
Value: 0

Key : Hypervisor.RootFlags.StartLogicalProcessor
Value: 0

Key : Hypervisor.RootFlags.Value
Value: 0

Key : Hypervisor.RootFlags.ValueHex
Value: 0

Key : SecureKernel.HalpHvciEnabled
Value: 0

Key : Stack.Pointer
Value: Invalid

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Version
Value: 10.0.19041.1

BUGCHECK_CODE: d1

BUGCHECK_P1: 0

BUGCHECK_P2: ff

BUGCHECK_P3: 78

BUGCHECK_P4: 0

FAULTING_THREAD: ffffd888c7afa080

READ_ADDRESS: unable to get nt!PspSessionIdBitmap
0000000000000000

PROCESS_NAME: VMwareResolutionSet.exe

ADDITIONAL_DEBUG_TEXT: The fault occurred while interrupts were disabled on the processor.

TRAP_FRAME: ffffd888c23a1d60 -- (.trap 0xffffd888c23a1d60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ef374989c59c0000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=ffffd888c23a1ef0 rbp=fffff287566525c9
r8=ffffd888e1601fe0 r9=0000000000000000 r10=ffffd888c2400160
r11=ffffd888c23a1df0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di ng nz na po nc
00000000`00000000 ?? ???
Resetting default scope

IP_IN_FREE_BLOCK: 0

FAILED_INSTRUCTION_ADDRESS:
+0
BAD_STACK_POINTER: ffffd888c23a1468

STACK_TEXT:
ffffd888`c23a1468 fffff800`75319522 : ffffd888`c23a15d0 fffff800`7517f9e0 00000000`00000000 00000000`00000000 : nt!DbgBreakPointWithStatus
ffffd888`c23a1470 fffff800`75318b06 : 00000000`00000003 ffffd888`c23a15d0 fffff800`75216940 00000000`000000d1 : nt!KiBugCheckDebugBreak+0x12
ffffd888`c23a14d0 fffff800`751fe9f7 : ffffffff`ffffffff 00000000`00000001 00000000`00000001 ffffd888`e0e01fe0 : nt!KeBugCheck2+0x946
ffffd888`c23a1be0 fffff800`752131a9 : 00000000`0000000a 00000000`00000000 00000000`000000ff 00000000`00000078 : nt!KeBugCheckEx+0x107
ffffd888`c23a1c20 fffff800`7520eb78 : ffffd888`e06ff000 ffffd888`c23a1dc9 ffffd888`e0eff000 ffffd888`c23a1dd0 : nt!KiBugCheckDispatch+0x69
ffffd888`c23a1d60 00000000`00000000 : 00000001`00000002 ffffd888`c2303238 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x478

SYMBOL_NAME: nt!KiPageFault+478

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

STACK_COMMAND: .process /r /p 0xffffd888ca960340; .thread 0xffffd888c7afa080 ; kb

BUCKET_ID_FUNC_OFFSET: 478

FAILURE_BUCKET_ID: DISABLED_INTERRUPT_FAULT_CODE_AV_NULL_IP_nt!KiPageFault

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {e278d0dd-1b4e-69e0-8914-52640838b8ec}

Followup: MachineOwner
---------

to reproduce the bug i was putting a monitor breakpoint on the token field of each newly created process

does the new hyperdbg version support debugging over ethernet?

remote debugger...

[discord] <10g1c.> [reply]: no i belive its still over serial

heyy.. anyone tried to run debugger on linux ? i mean Debugger-PC(Linux) -> VMWare(Windows) ?

The error is not from hyperhv.dll or hyperkd.sys. It's from NTOSKRNL.

So, it seems that HyperDbg changes the system state in a way that causes problem for NTOSKRNL.

Did you change anything in the !monitor script? Like accessing anything in the memory?

No, not yet. I recently went through it but it seems that we need to re-write the drivers for Intel E1000 NICs, so it's kinda challenging.

I think as long as you could forward the serial connection over two VMs, it should be fine. Though I never test it this way.

Ok, that's was my idea :) will try soon

No i didn't change the monitor script internals I'm like just consuming the API , I'm putting my own monitor monitor points by calling: ConfigureEptHookMonitor(KeGetCurrentProcessorNumberEx(NULL), &HookingAddress, HANDLE_TO_UINT32(PsGetCurrentProcessId()));

So, you didn't use the !monitor command and call the API functions directly?

The same behavior also applies to HyperDbg when you use the '!monitor' command? Or only the API is problematic?

i didn't try to use !monitor the command itself but what i have done is that i tried to understand how !monitor works internally and i found out it relies on this API so i took this API and fill the Hooking description structure : HookingAddress.StartAddress = MyTokenAddress;
HookingAddress.EndAddress = MyTokenAddress;
HookingAddress.SetHookForRead = TRUE;
HookingAddress.SetHookForWrite = TRUE;
HookingAddress.SetHookForExec = FALSE;
HookingAddress.MemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS;
HookingAddress.Tag = 0;

and then call the ConfigureEptHookMonitor(KeGetCurrentProcessorNumberEx(NULL), &HookingAddress, HANDLE_TO_UINT32(PsGetCurrentProcessId()));

and this occur for every created process

and for information im running the code in a high performace server with almost 32 cores and 64Gb of memory so i dont see why the system to use pagging a lot

Can you try to use the !monitor command on this address and see if it works of not?

I just tested the !monitor on the whole _EPROCESS (including token) and it works. I couldn't reproduce the error.

Oh i knows it works .. i tested the !monitor command in the whole EPROCESS too , everything looks normal

But maybe when a lot of of monitor points are set (on different EPROCESS structures) something happened

Like how many !monitor(s)?

For the command !monitor(s) not that much .. but in theory I was consuming the same API consumed by !monitor in the same way so I expect that probably the same predicted behavior... (if I'm right if I tried to monitor like more than 50 EPROCESS/TOKEN processes In this way the bug is generated)

Ah also before starting calling the API I had to request a 0x1000 pre allocated buffers to cover the maximum processes I can

I don't know if it will influence something

That is weird. Can you share your PoC? I mean the code in which automatically puts monitor on 50 EPROCESS tokens.

Ok

void
ProcessCreationNotificationRoutineEx(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)

{
UNICODE_STRING CmdPath;


UINT64 MyTokenAddress = (UINT64)Process + 0x4b8;


BOOLEAN Result = TRUE;
EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR HookingAddress = {0};
UINT32 TempProcessId = HANDLE_TO_UINT32(PsGetCurrentProcessId());

HookingAddress.StartAddress = MyTokenAddress;
HookingAddress.EndAddress = MyTokenAddress;
HookingAddress.SetHookForRead = TRUE;
HookingAddress.SetHookForWrite = TRUE;
HookingAddress.SetHookForExec = FALSE;
HookingAddress.MemoryType = DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS;
HookingAddress.Tag = 0;


//
// check if the process has been created or it is in the phase of exiting
//

if (CreateInfo)
{

Result = ConfigureEptHookMonitor(KeGetCurrentProcessorNumberEx(NULL), &HookingAddress, TempProcessId);

if (Result == TRUE)
{
LogInfo("A monitor point was added with success to monitor read/write to the token %llx associated to the process id %llx", MyTokenAddress, ProcessId);
}
else
{
LogInfo("An error occured while setting a read/write monitor point to the token address %llx associated to the process id %llx", MyTokenAddress, ProcessId);
}



}


else
{

Result = FALSE;

while (Result == FALSE) //loop until the unkook works
{
Result = ConfigureEptHookUnHookSingleAddress(MyTokenAddress, VirtualAddressToPhysicalAddress(MyTokenAddress), TempProcessId);

if (Result == TRUE)
{
LogInfo("A monitor point of the token address %llx assoicated to the process %llx was removed with the success ", MyTokenAddress, ProcessId);

break;
}


}

}

}

so i register this notification routine with PsSetCreateProcessNotifyRoutineEx so if 50 processes will be created later it means we will set up 50 monitor points

Great. Thanks. I'll test it hopefully this week.

U welcome bro^^

Hi all, an advice please...
Is HyperDbg compatible with Intel I5-14600 ? If not what other recent (last 2 years) Intel CPUs are on the compatibility list?

Yes, it should be compatible with this processor.

[discord] <rol0807_03449> how to load symbols for usermode without debugee run away? setting !epthook on kernel32 not possible because symbol not loaded. ok for nt! and ntdll! but nothing else?

[discord] <rol0807_03449> even for bp in process context the function address returns error

[discord] <rol0807_03449> if for kernel32

[discord] <rol0807_03449> maybe this is problem from wow64...

You need to load the symbols for the process once it's loaded. After that, you could close the process and open it again (and the symbols are still available from the previous run).

If you're debugging in the debugger mode, there is a bunch of solutions for bypassing the 'demand paging' if the page is not available in the memory.

https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address

Ah, for kernel32 for some reasons (that I didn't understand), kernelbase and kernel32 does not return anything (from Microsoft DIA SDK). That's kinda weird, but it's fine with other DLLs and SYS files.

I went through this code today. At first, it causes BSOD with the same reason (page-fault) in my system. But then I commented the #PF interception in VMX-root mode and I couldn't reproduce the same error (in ~2 hours).

You can go through this branch, if you want to test it, but I'm not sure if it will fix your problem since you also commented the #PF at some points. But, might be worth a try.

https://github.com/HyperDbg/HyperDbg/tree/fix-24h2-issues

I used a 14 gen Meteor Lake processor along with Win 11 24h2.

[discord] <rayanfam> @.wxg I went through fixing the memory access of MMIO regions (physical mem read) and now it's merged to the 'dev' branch. In case, if you want to use it, you could switch to the 'dev'.

[discord] <rayanfam> The patch will be available from the next version (v0.13). Sorry, it took a bit, I did wrote the patch but for some reasons that I don't remember, I didn't merge it. Now, it's merged and it's tested on both the debugger and VMI mode in a physical machine as well as a nested virtualization machine.

@instw0 did you find time to test the new patch (anti-debugging) method for the technique you mentioned earlier? was that effective and bypassed that anti-debugging method?

I'm thinking about checking the possibility to add a feature to automatically monitor/assign physical addresses to user land virtual pages no need to inject PF to bring in a page to the physical ram , what do you think guys

That will be a good exercise for me too😅😂

With regards to paged out addresses and hypervisors I used to use the following trick.
In order to improve load times, windows uses a global tracking for image loaded bases, including ASLR. It is used for COW and image code reuse among processes. You don’t want this code to be relocated in every process, because you would need to recalculate relocations every time and spend more memory for that. If you try to explicitly load a DLL to an occupied address for example, you’ll get a new module instance in the kernel.
Anyway, the trick is to write a simple application that would load all the DLLs of interest and then run a thread that would probe every page of those loaded DLLs periodically. Once a second should be enough to keep those pages paged in and with fixed PFNs, because you won’t give a chance for a memory deduplication and compression to steal it from you. From there you can safely assume that even if your process has them paged out (pages are paged in when probed), those are the same pages as in your “warming up” process.

That's a super cool trick, but it's like a so much Windows-based trick that only applies to Windows. I mean we do have a lot of code that actually works only for Windows but generally, we try to avoid OS-specific tricks as much as we can. Non of the HyperDbg events are OS-dependent. Though some features are Windows-dependent for sure.

Do you support Linux targets?

There is an api called LockMemory, you could use that instead

That requires privileges

I didn’t have those

Privilege to lock your own memory? Didn’t know that

SeLockMemoryPrivilege

It's not really your in this case, PFN is OS's

Not yet, but we're currently doing a massive code refactoring to remove or create several platform-specific functions. The goal is to support Linux hopefully in 1 or 2 years.

So you're kind of stealing a PFN from the memory manager

Anyways, just sharing my tips. Use at your discression.

I actually saw that Petr in the vmi-rs project offers this functionality:

https://github.com/vmi-rs/vmi?tab=readme-ov-file#utilities

I didn't see the code but I assume he uses EPT hooks on page-table addresses, not sure how it's exactly implemented (or maybe Xen offers the same functionality).

This is the main description of this feature:
https://docs.rs/vmi/latest/vmi/utils/ptm/enum.PageTableMonitorEvent.html#variant.PageIn

If it's possible to monitor page-tables, I think we could also offer the same functionality.

Yes

That's exactly what

I have read

In a research paper

They track changes in the pages tables associated to each process

And from theses events they can know if the page is paged out or it has an equivalent in the physical ram

Did they monitor page tables using EPT?

Can you send the research paper here?

Yes

Sure

Thanks

U welcome

I'm sorry for the long answer, I didn't have a chance to check earlier.
Everything is working perfectly!

Oh, that's great.

And of course thanks to the contributor who implements that functionality in HyperDbg (if he is in this group). 👌

[discord] <dexus1337> Hello! I got a question regarding the "!monitor" command. Is there a way to get the data that is being read/written without performing a manual read to the address $context gives? I want to debug mmio access between a kernel driver and pcie device, where reading a mmio address after the kernel performed a write will not necessarily give me the value the kernel has written, since it may be to a address the pcie device uses as a control register.

[discord] <dexus1337> Also, when the trigger flag is rw, how do i know if its a read or a write in my event script?

Hi,

That's a really good point. I’ve never thought about it, but yeah, I think we need this as a feature to read values that will be written into MMIO addresses.

Generally, for memory reads/writes in the RAM, we have pre- and post-events, which means you can read the data before and after it is modified, as described here:
https://docs.hyperdbg.org/tips-and-tricks/misc/event-calling-stage

However, for MMIO device addresses, this mechanism doesn't work. From what I know, there is no VMCS field that tells us the value that is about to be written to the target address once a VM-exit (EPT violation) happens. In that case, I don't know how we could get the value for the MMIO addresses.

One solution that comes to mind is interpreting the instruction operands (e.g., registers) to determine the values that are supposed to be written to the MMIO memory, but that would be a slow approach. I’m not sure if there are any other solutions for reading what is trying to be written once an EPT violation occurs.

The solution to this, would be using two different events, one of them with 'r' and one of them with 'w' with different scripts.

Pinging @honorary_bot or anyone else who can think of any solution for this problem.

🤔

There is literally no good solution. You'd need a simple disasm for that. Sorry.

I've been complaining about this for years

AMD has last instruction bytes in its vmcb, Intel does not

Which is a bummer, because those bytes and disasm IS available in the ucode

👍

PulseDbg design requires trapping APIC access in order to track INIT requests to different cores. It is fine when the guest uses x2apic and you only have to trap ICR MSR, and the value is always in rcx. Sadly, xapic is often used and from there you need to trap the access with virtual apic page or EPT, read the guest code, disasm it and then resume with MTF

Ah, in this case, the only solution is writing a disasm parser.

It is an MMIO case btw

MMIO has side effects, even for reading

i.e. you could read a MMIO register multiple times and get a different result, altering it finite state machine

So the only way to track it is to track what is about to be written there

OR realistically it might be easier to log a breakpoint on a driver function that read or writes mmio

Often it is a separate function

[discord] <dexus1337> Thank you all for your replies! My knowledge regarding hypervisors is limited, but arent there shadow pages that could be used for this? So if the driver tries to write to an mmio address (which is backed by a shadow Page), the hv breaks, reads what the driver wrote to the Shadow page and mimics the write to the actual physical page. Overhead could be an issue but the general approach may work, no?

Depends on the MMIO actually. That might work for a PCI device MMIO, can't see why not. In other cases like trapping APIC access it might not work. Imagine a scenario - you've trapped a write to xAPIC, the trap happens BEFORE any data was written, so you need to single step to get the data on your "shadow" page (which is just a different EPT). But now you would need to emulate that write to a real MMIO. In case of local APIC it would influence your hypervisor execution instead of a guest one that would otherwise give you another vm exit. So.. it depends..

[discord] <dexus1337> [reply]: Perfect, debugging pcie decives was what i was trying to do anyways. I might give it a shot then

[discord] <dexus1337> Another question. Inside the event script for monitor, i cannot use dd to read the memory accessed. i get the following error message:
HyperDbg> (10:33:58.161 - core : 0 - vmx-root? yes) [+] Information (DebuggerPerformRunScript:1651) | err, ScriptEngineExecute, function = FUNC_DD

this is my script:
!monitor r 81ff0000 81ffffff pa imm no stage post script {
printf("reading: %llx -> %x\n", $context, dd($context) );
}

It works fine without the dd part, printing out the valid physical addresses accessed.

Am i doing something wrong here?

[discord] <rayanfam> [reply]: Hi. Do you have the same problem with 'poi' or 'dq' or 'db'?

[discord] <rayanfam> [reply]: Ah, I see! You're using the physical address. I'm not sure if I use the '$context' as a physical address or a virtual address. Is the $context a physical address?

[discord] <rayanfam> [reply]: If it's a physical address, the 'dd' and all of its variants (dq, db, poi) are only compatible with the virtual address, not physical address.

[discord] <dexus1337> [reply]: Ahh i see the issue. I thought dd reads physical mem, similar to the HyperDbg Function. But within the script it means something different. Since "physical_to_virtual" script function is labeled with "This function is not working. PLEASE DO NOT USE IT FOR NOW. It will be fixed in future versions." there is no way (currently) to read physical memory in events, right?

[discord] <rayanfam> [reply]: Converting physical to virtual address have technical problems, like we don't have a solution for it. But, adding support for reading physical memory should be easy since we have plenty of functions for reading physical memory in the VMX-root mode. It just needs to be exported. I'll add these functions in the coming version (v0.13).

[discord] <dexus1337> [reply]: Perfect, thanks a lot! In general, i really like the HyperDbg Project. Very clean code aswell! Good job!

One weird behavior of the API PhysicalAddressToVirtualAddressByProcessId (according to my analysis I may be wrong )

Normally the API accept two arguments : (UINT64 PhysicalAddress , UINT32 ProcessId)

However when I compare what the result of the API (ProcesdPid = 0x4 in this case) is pointing too and the command dq of windbg ... they are different

What's can be wrong

My mistake guys .. it turns out that mmGetVirtualForPhysical works correctly "only in theory" for a physical address whose primary virtual address is in system space ... and since I was trying to play with pages tables of a user land process ...things didn't get well

Not sure if I understand correctly, but yeah, this function might not work correctly in many cases.

The context is that I was trying to code a driver (with the help of hyperdbg API(s)) that will monitor page tables of running processes, so I need first to mimic the work of !vpot command of windbg .. so I started with PML4E it was easy to get its physical address (thanks to EPROCESS structure) and then when I want to go further and continue 5he translation I had to dereference PML4E but I only have its physical address so I was thinking to get the virtual address (from the kernel vision since my code run in the kernel land) at this point i called mmGetVirtualForPhysical but i got the wrong virtual address in output and after some investigation i figure out that this API works correctly only for a physical address whose primary virtual address is in a system space (like token , or EPRocess but not peb since peb lives in the user land )

Sorry for the long message '

If you're in a driver, just try MmMapIoSpace. Though not 100% if the OS allows that for page tables

HyperDbg has a equivalent command for that, but same as WinDbg it might not work in all situations with the same reason:
https://docs.hyperdbg.org/commands/extension-commands/pa2va

But generally, I think you could use the '!mode' command (using its API) to achieve your goal (if I didn't mistakenly understand your description).

https://docs.hyperdbg.org/commands/extension-commands/mode

I was thinking about that too but it seems that windows prevent usage of MmMapIoSpace for page tables (something called hyperspace if im not wrong)?!

Hyperspace is a working set area but yeah, I would not allow to do that if I were Windows hehe

I will check that too... I'm just trying bro to use the internal API of hyperdbg in ordrr to understand deeply the project how it was built so i can contribute in futur thats why i try to avoid direct uage of command at this point

That will be a nice trick haha

Nice trick is to go and manipulate page tables directly. But that's a bad advice and you should not listen to me

For remapping physical pages to your predefined virtual address I mean

Yes i got your point , since MmMapIospace give you the possibility to get a virtual vision from the kernel perspective of an already existing physical address

If I'm not wrong

It literally just builds a page table entry for a given physical address and maps it somewhere in kernel space. So it's totally reproducible, just because it is the way CPU works

Yeah in the end the cpu have to deal with a virtual address..not a physical one

Go away we are developing a debugger Here

These are automated scamming bots

Btw you mentioned you bought an MTL machine. Which one?

*meteor lake

I do have a Core Ultra 7 155h but I mainly work on my raptor lake laptop at the moment.

I mean is it a NUC? Which model/oem?

No it's not. It's a System76 laptop.

I see, cool

Clevo is the odm.

I got atomman x7 and its firmware sucks

Is there anything wrong with meteor lake laptops right now?

No, they are fine and a good case for HV testing

MTL has three! different types of cores

LNL is much better though, but it's almost impssible to buy a NUC with it at the moment

*lunar lake

Sorry, I am too used to intel abbreviations

Honestly, I really don't understand the new naming scheme of Intel anymore. It's so complicated, you see different code names with different generations, different family name of architecture and now the model of processor no longer shows its generation. It's so complicated.

😵‍💫😵‍💫

I've also asked ChatGPT.
ChatGPT does not know either. 🤦‍♂

The concept of generations was somewhat clear with performance cores. Since CPUs are hybrid now, they have a mix of different core types and generations, so you can't really name a specific gen for a CPU

You mean p-core and e-core?

And generation itself does not reflect features as well, it's more about uarch

Even in the past atom cores had more features than bit cores

Yeah

MTL even has three types of core, p core and two different e core types

It is also possible for one package to have different VMCS revision, so watch out :)

Has anyone deal with the new anti-debug & anti-vm techniques in VMP 3.9.3? It can detect even when HyperDbg’s !hide is active.

The '!hide' command is changed (in the 'dev' branch). You might wanted to test it from 'dev' branch.

trying now chief

[discord] <rayanfam> @dexus1337 I added the functions for reading and writing to physical memory. To use these new functions (and keywords), you need to switch to the 'dev' branch and recompile.

Please check:
https://docs.hyperdbg.org/commands/scripting-language/assumptions-and-evaluations#keywords
https://docs.hyperdbg.org/commands/scripting-language/functions/memory/eb_pa-ed_pa-eq_pa
https://docs.hyperdbg.org/commands/scripting-language/functions/memory/memcpy_pa

[discord] <rayanfam> You can use: poi_pa, hi_pa, low_pa, dw_pa, and dq_pa keywords as well as eq_pa also a separate function (memcpy_pa) is added.

[discord] <rayanfam> Please don't use db_pa, dd_pa and eb_pa, ed_pa for now as it has a small problem which will be fixed, other than that, all of the above functions are tested and in a working state.

[discord] <dexus1337> [reply]: Thanks a lot!

HyperDbg v0.13 is out! 🎉

This version comes with a new command '!pcicam' for dumping and interpreting PCIe CAM, new anti-anti-hypervisor methods, improved MMIO scripting, plus lots of bug fixes & improvements.

Big thanks to @0Xiphorus & @AbbasMasoumiG.

https://github.com/HyperDbg/HyperDbg/releases/tag/v0.13

More details are available here:
https://docs.hyperdbg.org/commands/extension-commands/pcicam

Thanks to @Reverser69 who is in this group for finalizing the command parser.

The "tag" field in the structure EPT_HOOKS_ADDRESS_DETAILS_FOR_MEMORY_MONITOR

Is it used for some internal purposes 🤔?

I'm thinking about using to to define classes of addresses that I'm trying to monitor

For example if tag ==0 it means the address that I'm trying to monitor is a user land addresse if tag ==1 it's a kernel address

What do you think guys

Yes, I think we added a tag for the monitor in v0.9 or v0.10. This is the best implementation of the !monitor hook so far, and we haven't received any reports (GitHub issues) indicating that it fails. The tag used in this structure is the same as the Event Tag.

In previous versions, we didn't use a tag because we directly saved the physical address of the memory we wanted to monitor and checked the EPT violation with that. After some time, we received a GitHub issue reporting that HyperDbg's !monitor command failed to detect certain memory writes at specific locations (which we couldn't reproduce), and the issue remained unsolved for a year.

Later, one of the users provided us with access to a VMware snapshot where we could reproduce the error. Based on our investigations, we discovered that Windows sometimes does not allocate two (or more) contiguous virtual memory regions continuously in physical memory. For example, 0xfffff801deadb000 might be allocated at the physical address 0xc1b000, but 0xfffff801deadc000 could be allocated at 0xa15000, causing HyperDbg to miss triggering or not triggering an event.

With the new tag-based approach, these scenarios are handled correctly. As far as I know, we haven't received any complaints or bug reports about the latest implementation in almost a year. So, this is more or less the best implementation of !monitor so far.

Okay got your point bro excellent work 👏 👌

In my context I will try to define a set of tags

That are maineful

For example, I'm designing a solution based on hyperdbg that will monitor pages tables of processes

👍

After some coding I discovered that this kind of physical address need a special tag otherwise the code will be a miss and I had

To process all possibilities (if it's a ept violation caused by a page table event or a ept violation caused by an address of a user land process etc

So the tag will save a lot of work for me

yes, exactly. If you don't provide a unique tag for each !monitor hook, it won't trigger anything.