- 04 November 2024 (1 messages)
- 05 November 2024 (5 messages)
-
Not sure if I understand the question. What do you mean by smap and smep? If you're talking about CPU features to prevent access/exec user code from supervisor, then how could it be related to EPT hooks? 🤔 -
From what I see in the source code (might be wrong), I could assume that they are some smap preventions for a granularity of one page. If that's the case, why not just using the page table attributes instead of smap or smep? 🤔
- 06 November 2024 (1 messages)
- 07 November 2024 (1 messages)
- 08 November 2024 (3 messages)
-
Joined. -
How VMX_EXIT_REASON_EXECUTE_INVLPG is handled? -
It's not an unconditional VM-exit. HyperDbg doesn't handle it.
- 09 November 2024 (15 messages)
-
The second address could not be greater than the first address.
-
You could also use 'l <size>' if it's not convenient to find the second address.
-
Theoretically, there is no limitation for it, but of course if you put a monitor on ~100MB of RAM, HyperDbg will have a hard time interpreting VM-exits in your computer. 😅
-
Just keep in mind that the '!monitor' command in the Debugger mode (not in VMI mode) needs to have all of the page entries to be valid and available in the RAM. If it's not available (i.e., it's paged out or never paged in), then HyperDbg will show you an error and instruct you to use the '.pagein' command to force Windows to bring your address range into the memory.
-
I see people usually use this HyperDbg feature to monitor the execution in a section of a PE. If you want to do this, make sure that Windows has enough RAM so it won't page-out unused PE pages to the disk. HyperDbg won't check for this kind of situation, which might produce false positive results.
-
The $context is a pseudo-register, not a constant. It displays the address currently being modified or executed, rather than the address attempting to read, write, or call it. In those cases, you’ll need to check the stack to identify which address was pushed there.
-
Yes, as I mentioned earlier, pages should be available in the memory for the !monitor command since this command works on physical addresses. Follow the instructions (the documentation link) to fix it.
-
[matrix] <pr0xy101 (@pr0xy101:matrix.org)> hello, can i debug easy anti-cheat using hyperdbg? - 10 November 2024 (3 messages)
-
Are you sure you're computing it correctly? It seems that you're trying to hook somewhere in the kernel, but the results of the expressions are in the user-mode?
-
- 11 November 2024 (1 messages)
- 12 November 2024 (9 messages)
-
This is expected. The '.pagein' command injects a #PF (page-fault) into the system to force Windows to bring the page into the RAM.
-
If the page is already in the RAM or it's available, Windows doesn't expect to receive a page-fault and what happens here? Windows assumes that something went wrong as the #PF is generated by CPU by error. Which might lead to double/triple-fault and break the system (restart).
-
You should be cautious when using the '.pagein' command. If you use it on a wide-range of RAM, usually such errors will happen because somewhere in the middle of the range might be already available into RAM and it will cause system crash as #PF is not expected.
-
Guys, just because HyperDbg’s '!monitor' command can technically monitor unlimited address ranges doesn’t mean you can monitor any memory range you want. So let’s not go wild, alright? 😅
https://docs.hyperdbg.org/commands/extension-commands/monitor -
It refers to you @instw0 😅
-
-
There is a limit to the number of '!epthook's you can place on a single 4 KB page. If you reach this limit, HyperDbg will display an error message tells you to adjust the constant and recompile HyperDbg. However, there’s no restriction on the number of !epthook`s across different pages. Essentially, there’s no practical limit, but be cautious not to overload the system with too many breakpoints!
- 13 November 2024 (151 messages)
-
guys, I want to test r3 epthook. The code is shown in the following image, This test runs on non-root mode -
Now I have encountered a problem, the function inside the function does not return (BroadcastEnableBreakpointExitingOnExceptionBitmapAllCores)
-
After debugging, I found that it is caused by the following function
-
When I tried to skip the BroadcastEnabled BreakpointExitingOnExceptionBitmapAllCores function and observe the program's response, the second error occurred.
The PoolManageRequestPool function returns 0. -
What should I do now? 😢
-
Can you explain about the environment? Like are you setting an EPT hook from a kernel driver and you're using the 'Hyperhv' project as an imported module? Or is it coming from the hyperdbg-cli.exe (libhyperdbg.dll)?
-
I am using hyperdbg-cli.exe, but I have made some minor modifications to hyperhv
-
-
Something is wrong here. The following combination of code will crash HyperDbg, you're modifying the wrong place.
-
Are you running HyperDbg in VMI-mode? or the Debugger-mode?
-
.connect local
-
load vmm
-
It's VMI-mode. Now, are you trying to put an EPT hook the user-mode of another process?
-
Yes, that's what I want to do now
-
What is the handler of the breakpoint? Is WinDbg handling the breakpoint? Like are you running it in a virtual machine (VMware) or in the baremetal?
-
I didn't do any additional processing, I just wanted to observe the phenomenon of EPT working
-
Then, why don't you use the command line (scripts) for that?
https://docs.hyperdbg.org/commands/extension-commands/epthook!epthook (hidden hook with EPT - stealth breakpoints) | HyperDbg DocumentationDescription of the '!epthook' command in HyperDbg.
-
Take a look at this video:
https://www.youtube.com/watch?v=tjsFRBFGis4&ab_channel=OpenSecurityTraining2Dbg3301: HyperDbg 05 01 Intro and Classic Hidden HooksView the full free MOOC at https://ost2.fyi/Dbg3301. This course is an introductory guide to HyperDbg debugger, guiding you through the initial steps of using HyperDbg, covering essential concepts, principles, debugging functionalities, along with practical examples and numerous reverse engineering methods that are unique to HyperDbg. Whether you have an interest in reverse engineering or seek to elevate your reverse engineering skills with hypervisor-assisted approaches, this course provides a solid foundation for starting your journey.
-
This command has no effect.😢
-
What was the command? Maybe you wrote an incorrect script.
-
!epthook 7ff7a0bc13f0 pid 1ec4 asm code {ret} this is my code.
-
This code, won't do anything!
-
The 'ret' is executed in the VMX-root mode as additional assembly code, it's not running in the target executable file!
-
Are you trying to bypass a 'CALL' instruction?
-
Yes, I tried to make a function return directly
-
okay, let me find the correct example. I'll send it here in a bit.
-
i love you , bro 😂
-
You need a script like this:
!epthook 7ff7a0bc13f0 pid 1ec4 script {
@rip = poi(@rsp); // pop the return address from stack
@rsp = @rsp + 8; // adjust the stack
printf("Function call ignored!\n");
} -
Put it on the target function that is called (not the 'CALL' instruction that tries to call the target function).
-
thank you so much
-
This error has occurred now😢
-
vmware 17.5.1
-
Is the process id still valid?
-
I used 1 CPU core
-
pid 1ec4
-
I mean this one.
-
yes, pid still valid
-
Could you check it with:
eb 7ff7a0bc13f0 pid 1ec4 -
Does it show anything?
-
-
Oh sorry
-
db instead of eb
-
db 7ff7a0bc13f0 pid 1ec4
-
My mistake.
-
This one is the correct command.
-
It seems that the process's memory cannot be read
-
-
The target is not valid?
-
yes, but ... emm...... let me see
-
I don't know what happened, it used to work😂
-
The address is invalid (probably because of KASLR?).
-
I don't know.
I will try restarting VMware first, and then I will try to solve the problem with invalid address -
thanks
-
Let me know, what happened if you find a way around it.
-
ok
-
This code can only work on the first attempt
The second time it stopped working -
Let me check it on my system.
-
maybe i should pull HyperDbg from GhuHub again?
-
Which version of HyperDbg do you use?
-
0.10.2
-
Nope, no need to pull. Give me a bit to test it.
-
👍
-
I test it with a custom application:
-
-
Is there any anti-debugging method in your target application that leads to this behavior?
-
-
this is my demo
-
what is &test?
-
-
Could you please copy-paste these two functions here?
-
I'm gonna test it.
-
functions?
-
test() and main()
-
int test()
{
cout << "\tinput text, and messagebox" << endl;
string str;
cin >> str;
return MessageBoxA(0, str.c_str(), 0, 0);
} -
int main()
{
{
BYTE* pCode = (BYTE*)&test;
cout << "pid:0x" << std::hex << GetCurrentProcessId() << ", proc:0x" << (PVOID)pCode << endl;
help();
} -
Thanks, lemme check it
-
I don't think it has anything to do with functions
-
Can you reproduce this phenomenon?
-
-
-
I think the problem is not because of HyperDbg as it works for me.
-
Yes, I think so too
-
It's probably because at some points the pCode is no longer valid.
-
Perhaps I accidentally modified the hyperhv code
-
You can remove your modifications and recompile HyperDbg.
-
ok, i do it now
-
Other than that, shouldn't it be like this?
-
I mean I removed the the '&'.
-
Because you're creating a reference to the address of the 'test'. It's not the address of the 'test'. Am I right?
-
Could you check it as well?
-
ok
-
i test remove &, but I don't think this has anything to do with it
-
-
-
🤣
-
Fixed?
-
-
Why these two variables are the same? Is there any optimization? 😳
-
I don't know how to say this
-
There is no problem with using&for functions
-
Maybe we'll have to test it later, con't connect to github.
-
😂
-
-
-
The only difference between your code and my code is that I commented the 'help' function. Could you add a '_getch()' before the help function and try it again?
-
of course
-
Alternatively, I can rewrite a clean demo
-
emmm.....
-
let me try again
-
I don't know what happened
-
I just restarted the system in VMware
-
-
i do nothing
-
Did you add _getch() to your code?
-
-
🤔🤔
-
I switched to Win11 and tried again
-
I test this code one hundred time, it's still valid on my system. It's really weird.
-
Maybe you should try my exe
-
Wait a moment, I'll try Win11
-
Currently, it can work on Win11
-
Okay, but on the Windows 10 where it didn't work. Is it a very old (before meltdown) processor?
-
no, it is 14900k
-
Intel(R) Core(TM) i9-14900K 3.20 GHz
-
So, it worked on your Windows 11 machine and didn't work on Windows 10 machine? Am I right?
-
yes , you are right
-
10.0.19045.2486
-
This is the version number of Win10
-
That's super weird. I have a Win 10 here, I'm gonna test on it too.
-
But, probably, it would take a while. So, meanwhile you could enjoy using HyperDbg on your Win11, meanwhile I try to understand what goes wrong with this command in the Windows 10.
-
You have already helped me a lot, thank you for your software, it's great
-
Wait, I think I find the error.
-
great
-
After some time (around 30 minutes), it started to show the invalid error to me. I checked it with x64dbg as well). I accessed it from x64dbg and the address becomes available in HyperDbg.
-
So, it seems to be because of Windows paging.
-
That means the page has been replaced?
-
Once the RAM is full, Windows tries to page-out that page and that's why you get this error. (I assume that you didn't give your virtual machine enough RAM?).
-
Yes
-
o... you are right
-
I only allocated 2g to Win10
-
Allocated 4G to Win11
-
Perhaps this is the reason for the problem
-
That's the reason.
-
Now I will try to allocate more memory
-
Yes, that's right. After I allocated 4G of memory, the problem disappeared
-
👍
-
👍
-
I have to put a note in the documentation to tell this behavior to the users.
-
I can't help but say one more thing, brother. You're amazing
-
- 14 November 2024 (1 messages)
- 15 November 2024 (2 messages)
-
Joined. - 19 November 2024 (2 messages)
- 20 November 2024 (5 messages)
-
Two new commands are now documented (and merged to the 'dev' branch) for dumping I/O APIC and Local APIC (in both XAPIC and X2APIC mode). If you want to test it before the official v0.11 release, you can switch to the 'dev' branch.
https://docs.hyperdbg.org/commands/extension-commands/apic
https://docs.hyperdbg.org/commands/extension-commands/ioapic!apic (dump local APIC entries in XAPIC and X2APIC modes) | HyperDbg DocumentationDescription of '!apic' command in HyperDbg.
-
Also, two other new commands for enumerating PCI Express devices + Reading/writing into PCI/PCI-e Config Address Space (CAM) will soon be available.
-
We're sharing updates on #HyperDbg releases and debugging tips on #Bluesky and #Mastodon too!
You can also follow us there. 😊
- https://bsky.app/profile/hyperdbg.bsky.social
- https://infosec.exchange/@hyperdbg -
