- 01 June 2026 (6 messages)
-
Joined. -
Joined.
-
-
-
I'm not sure if I'm following the discussion. Is it about running HyperDbg on KVM? -
Am I missing something here from the discussion? 🤔 - 03 June 2026 (9 messages)
-
-
[discord] <fexsped> what would you say is the most secure hypervisor? -
what do u refer to by 'secure' -
[discord] <nihaoshijie0178> Two things, actually: her heart, and my wallet. Both are completely unbreachable — one because no known exploit works on it, the other because there's simply nothing left to steal😭 -
-
Joined. -
Joined.
-
Joined.
-
Joined. - 04 June 2026 (28 messages)
-
Joined. -
does anyone know a good dma firmware
-
DMA firmware? Which device? -
75t
-
What is 75t? It doesn't make sense -
what you're asking doesnt make sense
-
wtf are you talking about "device"
-
Firmware runs on a device, right? Which device are we talking about? -
a laptop
-
it doesnt matter what its running on bro
-
it can run on a raspberry pi
-
Firmware is always specific to the device you're running it on -
😂
-
if you dont know what you're talking about, then dont comment
-
Likewise -
except i do know what im talking about
-
Good for you, good luck -
Joined.
-
Generational ragebait -
-
[discord] <nihaoshijie0178> [reply]: Bro, this requires a ton of patches. I wouldn't recommend going down this road -
Joined.
-
-
🤣
-
-
"Write me a undetected hypervisor. Make no mistakes" -
Please -
you dont need ud hv if you have a universal dma firmware that works on every electronic device known to man 💪
- 05 June 2026 (30 messages)
-
you do realise he is intel dev right?
-
ehh fair enough
-
is this supposed to make sense
-
can guarantee my soul that youve never touched a hv in your life
-
LOL
-
Try harder next time -
yeah bro you really got me there..?
-
Joined. -
link your repo
-
i dont have anything open source?
-
what
-
-
-
Cmon guys, let him be. Let’s try not to generate too much noise in the channel. Thanks! -
-
No worries! -
begging for what exactly?
-
LOL?
-
all i asked is if anyone knows a good dma firmware, on what planet is that begging?
-
kinna dude just stop -
I tried asking what you meant by dma firmware, because I don't have an idea what you mean by that. You didn't express any interest in explaining. It's fine. Just wait for the answer you need if you ever get one. There's no point in arguing. -
True -
I think what he means by 75t is this: pcileech-fpga/EnigmaX1 at master · ufrisk/pcileech-fpga · GitHub
-
Thank you! It makes so much more sense now. -
The term firmware is too generic for me, having worked with a large variety of devices -
my guess, but not quite: he is red dma given they also use 75T devices: 🔥 DMA Firmware Building FULL GUIDE - From Zero to Hero! 🔥 (Beginners) - YouTube.
But I think I should end the topic because it doesn't have anything to do with hyperdbg.
-
Yeah, I just wish we wouldn't need to guess what other people mean. People can communicate after all. -
[discord] <nihaoshijie0178> I reckon that guy is Chinese. The Captain 75T DMA board is hugely popular in China, dominating over 95% of the local market share.
From his perspective, the 75T is an extremely common model, which is why he thought you were being disruptive. -
no, im talking about 75t dma cards
-
yes
- 06 June 2026 (4 messages)
-
We rlly are in a recession if people are looking for jobs in a telegram channel 😭
-
-
. -
[discord] <jtaw.5649> [reply]: HyperDbg is always looking for contributors - 07 June 2026 (13 messages)
-
[discord] <fexsped> where can I find a list of MSRs and their hex value? -
Intel SDM volume 4 -
-
[discord] <fexsped> [reply]: thank you -
[discord] <fexsped> is there a C-style enum with all of these? -
Not in the documentation. And the docs are not machine readable, unfortunately. Maybe some 3rd party did that, but you would still need to double check since MSRs are updated often. -
What does that mean? -
I think he means values are changed from time to time -
A new CPU uarch is released almost every year, adding or deprecating various features. Some features are also extended, and in that case reserved bits of a related MSR might change to something meaningful. -
They are reserved and are forward compatible. I don't think having old versions of MSR definitions would hurt unless you need the new definitions -
Sure, I just assume a person would need the latest one -
[discord] <fexsped> [reply]: I need it for reverse engineering -
I extracted a list of MSRs from https://github.com/ia32-doc/ia32-doc
https://github.com/BehroozAbbassi/hyperv-research-scripts/blob/master/scripts/IA32-VMX-Helper/IA32_VMX_Helper.py#L164
However, such projects may not be updated as frequently as the official Intel Manuals. It's a good idea to automate the extraction of this data from the documentation PDFs. GitHub - ia32-doc/ia32-doc: IA32-doc is a project which aims to put as many definitions from the Intel Manual into machine-processable format as possible
- 08 June 2026 (2 messages)
-
Joined. -
[discord] <spliii> Any instructions on how to build the version that has kernel debugging enabled ? - 09 June 2026 (1 messages)
-
[discord] <unrustled.jimmies> Do you mean have windbg work while hyperdbg is running? I believe hyperdbg has its own idt so windbg never sees the exceptions. You might need to recompile it with use os IDT or comment out the custom idt handlers you want to forward to the os (so windbg sees them) if you want to keep the separate idt. - 10 June 2026 (35 messages)
-
We are pleased to announce @HyperDbg v0.19.
This release introduces a new module, HyperTrace, which brings hypervisor-level integration w/ tracing technologies such as Last Branch Record (LBR) & Processor Trace (PT).
LBR is now available, with more coming.
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.19
This release wouldn't have been possible without the help and outstanding work of @maxraulea, @masoudrahimi01, @jtaw5649, @harimishal1, @Idov31.
Along with extensive refactoring & numerous bug fixes, two new LBR commands have been added:
The '!lbr' command:
https://docs.hyperdbg.org/commands/extension-commands/lbr
The '!lbrdump' command:
https://docs.hyperdbg.org/commands/extension-commands/lbrdump
Also, the script engine now includes 5 new functions to support LBR:
https://docs.hyperdbg.org/commands/scripting-language/functions/tracing/lbr
Other than that, the '.pe' command has been extensively changed and enhanced:
https://docs.hyperdbg.org/commands/meta-commands/.pe -
👏
-
Joined. -
[discord] <fexsped> why is the intel manual for IA-64? isnt IA-64 completely dead? -
Why IA-64? Which manual are you looking at? -
IA-64 is Itanium and yep, it's dead -
You should be looking at IA-32? -
[discord] <fexsped> h lol -
[discord] <fexsped> oh -
[discord] <fexsped> wait but IA-32 isnt also Itanium but on 32bits? -
No, there was no Itanium 32 bits -
This naming mess is because of historic reasons of course -
[discord] <fexsped> this naming makes no sense -
[discord] <fexsped> so x86_64 == amd64 == ia-32? -
[discord] <fexsped> ia-32e is 64bits ia32? -
No, IA-32 is just 32 bit Intel part (well, technically everything but 64 bit) -
IA-32E is Intels AMD64, same thing -
It was just AMD who made 64 bits first -
[discord] <fexsped> wrong link lol -
[discord] <fexsped> > Intel 64 architecture supports almost all the system programming facilities available in IA-32 architecture and
> extends them to a new operating mode (IA-32e mode) that supports a 64-bit programming environment. -
Yep -
[discord] <fexsped> so its not IA-64 but Intel 64 -
Right -
[discord] <fexsped> wtf 😭 -
Legacy :) -
[discord] <fexsped> it seems intel has more documentation compared to amd -
Well, generally Intel has more features -
But AMD's manuals have better diagrams -
Well, to my taste -
[discord] <fexsped> I like the system programmers volume -
Yeah, it's nice -
[discord] <fexsped> the others are just for quick referencing -
[discord] <fexsped> does amd have similar? -
I guess so, but it's been a while since I checked -
[discord] <fexsped> [reply]: I found an amd manual from 2020 - 11 June 2026 (1 messages)
-
Joined.
- 12 June 2026 (2 messages)
-
Joined.
-
[discord] <spliii> Any instructions on how to build Hyperdbg with debugger-mode enabled ? - 13 June 2026 (42 messages)
-
[discord] <spliii> im trying to use the debugger mode but there are no clear instructions on how to build it with this functionality included :S -
[discord] <spliii> its sort of ridiculous that you tell people to build with special instructions and then dont give any of those special instructions literally anywhere at all -
[discord] <rayanfam> [reply]: Special instructions for debugger mode? 🤔
It is already enabled, you can just compile it regularly, it doesn't need any modifications. -
[discord] <rayanfam> [reply]: https://docs.hyperdbg.org/using-hyperdbg/prerequisites/operation-modes#debugger-mode
-
-
-
[discord] <rayanfam> [reply]: You can use it by enabling it by building a custom version of HyperDbg, but I recommend you to wait for the upcoming releases as it is being rewritten here:
https://github.com/HyperDbg/HyperDbg/pull/604 (Add transparent platform identity and timing handling by jtaw5649 · Pull Request #604)
-
Joined. -
my hyperdbg vm keeps freezing after getting an unknown vmexit error (0x21). Is this normal behaviour? -
I mean, is it normal that the VM completely freezes? -
Are you using v0.19? or v0.18.1? -
it happens on both versions -
-
Do you run any command and then you get this? or just by loading HyperDbg? -
Also, what generation of Intel processors do you use? -
It happens after running a usermode program -
It's protected software so I can't really see what's happening -
Using the '.start' command? -
nope, just normally opening it -
i3 4170 -
it's haswell -
It's a bit old. Most of HyperDbg features need a 7th gen processor or later processors. -
-
oh so should I try replicating it by executing the instruction from above? -
I don't think so, isn't it in hexadecimal instead? -
holy shit i totally forgot -
my bad -
let me check -
👍 -
Also if you have a newer processor, try to check it there. Haswell is really old. -
no i don't have access to newer hardware right now -
do unhandled vmexits make the hypervisor automatically panic? -
And these processors (8th gen and older) use the Meltdown KPTI (cr3 shadowing) patch, which requires special treatment in HyperDbg for memory-related tasks. Given that even 8th gen is somewhat old, it has been a very long time since we tested HyperDbg on these systems. HyperDbg has the required functions to work properly with systems using KPTI, but since it has not been tested on these systems for so long, there is a good chance we forgot to properly handle some cases, which could lead to a BSoD. -
depends on the type of them, but generally yes. -
yeah this processor is almost as old as my younger brother -
honestly -
is there any chance you could try replicating this? -
I mean if you have the time -
😅 -
The oldest machine that I currently have is 10th gen machine. I don't have a KPTI machine. -
If I manage to replicate this I'll reach out. Sorry for the inconvenience. -
sure - 14 June 2026 (8 messages)
-
Thanks for your reply.
Which particular branch or commit do you recommend to build up for that? -
[discord] <rayanfam> [reply]: I mean you should wait for the new release with new features and enhanced HyperEvade, but if you want to use it now, once you use the '!hide' command, it shows you an error. Search for that error within the source code and you will see that there is a pragma that prevents it from loading. Change that pragma from true to false and recompile it, and then you can use it. -
Hi, I had already enabled the ActivateHyperEvadeProject preprocessor define in "configuration.h" to enable the !hide command.
My query was more about the changed implementation of the HyperDbgEnableTransparentMode function.
This function now compulsorily requires a processid or processname with the !hide command in recent releases.
Please see the attached screenshot which shows version 0.19 on the left side and version 0.14 on the right side.
Ideally, we want to have the hyperdbg debugger running in transparent mode (using the !hide command) before we launch a target program with name or pid.
Once the target program has already launched, executed and detected the presence of the hyperdbg hypervisor, use of the !hide command will not help.
Most of the applications detecting hypervisors do it via system-wide checks.
I am sorry if this is a stupid question. -
[discord] <jtaw.5649> Agreed. I will try to work this into my changes without changing existing functionality -
[discord] <jtaw.5649> Or I might have already done this -
I don't know why, but with the 12th-gen Intel CPU and Windows 11 system, my computer keeps crashing. But it's not a blue screen crash - it just freezes completely
-
[Discussion/Review] Unhandled Hard Hangs in VMX/EPT Hypervisor on Win11/Win10
1. Environment & Core Symptoms
* Stable Baseline: 11th Gen Intel Core i7-11700K + Win10. The hypervisor used to run perfectly stable in this environment.
* Problematic Target: 12th Gen Intel Core i5-12500 (P-cores only) + Win11 with a dual GPU setup (UHD 770 + GT 730).
* Symptoms: On the 12th Gen system, the vmcalltest command successfully returns with all 12 cores active. However, seconds later—or exactly when opening Task Manager—the system hard hangs. The screen freezes, the mouse and keyboard become totally unresponsive, and there is no BSOD or automatic reboot.
2. Recent Changes & The Regression
To address the Win11 hang, recent modifications were introduced to handle pending events for external interrupts and INTERRUPT_WINDOW_EXITING injection.
* The Regression: After applying these changes, the previously stable 11th Gen + Win10 machine now *also* instantly hard hangs simply by running the basic vmcalltest command.
3. Current Diagnosis & Primary Suspects
Given the regression on the previously stable machine, this is likely a fundamental state machine logic error rather than pure hardware incompatibility. Our top three suspects are:
* Suspect A: VM-Exit Flood / Infinite Loop (Most Likely for the Regression): The recent addition of the Interrupt-Window logic is highly suspicious. If INTERRUPT_WINDOW_EXITING is enabled but the control bit is not properly cleared in the VMCS during the VM-Exit handler, the CPU will immediately re-exit upon VMRESUME. This throws all cores into an infinite Ring -1 exit loop, which perfectly explains the silent hard hang without generating a crash dump.
* Suspect B: 1GB EPT Pages & High PCIe MMIO: The 12th Gen machine has a dual GPU setup. Opening Task Manager queries GPU performance, forcing access to high physical addresses (>512GB). The code currently attempts to map these regions using 1GB UC EPT pages. If the specific motherboard/hardware lacks full support for 1GB pages or UC types at that level, it triggers an EPT_MISCONFIGURATION. The current fallback logic forces the Guest into a SHUTDOWN state, causing an instant, silent death.
* Suspect C: HOST_CR3 vs. Win11 KVA Shadow: The VMCS_HOST_CR3 is currently statically populated using PsInitialSystemProcess + 0x28. Under modern Win11 KVA Shadow mechanisms, if a VM-Exit occurs in a user-mode context (like Taskmgr.exe), reverting to this static System CR3 might encounter paged-out or unmapped VMM stacks/code, resulting in a Triple Fault in Root mode.
4. Next Steps for Debugging
1. Rollback: We plan to revert all vmexit.c, vmx.c, and hv_types.h modifications back to the backup made prior to the external interrupt overhaul (version 20260614-030054) to ensure the Win10 baseline regains absolute stability.
2. Minimal Delta Testing: Once stable on Win10, deploy the clean code to the 12th Gen Win11 machine with strictly two macro changes: Disable 1GB EPT mappings (fallback to 2MB) and strictly retain the static System CR3, avoiding any new DPC-context __readcr3() calls.
Questions for the group:
Has anyone encountered exact, repeatable Ring -1 hard hangs when opening Task Manager on Alder Lake / Win11 setups? Assuming no physical Serial KD is attached, which of these three suspects sounds the most plausible for a silent freeze? Are there any other hidden Alder Lake VMCS Must-Be-1 / Must-Be-0 quirks we might be missing? -
One thing for sure is it is not about 1gb EPT pages not being supported. Those are available on cpus since Haswell. https://pulsedbg.com/vmx.html - 15 June 2026 (13 messages)
-
[discord] <jtaw.5649> [reply]: I'd suggest adding some kind of proof if you're going to add an ai diagnosis. Otherwise it's meaningless and probably false -
I really have no idea what's wrong
-
😂
-
GPT5.5 doesn't seem to be able to fix it either
-
guys, tsc starts and doesn't exit ....
-
Does it freeze your vm too? -
Of course
-
What model is your cpu -
I5-12450h and i7-7700k
-
in your screenshot, are you printing the value of VCpu->LastVmexitRip? -
-
-
Oh sorry I thought we had the same problem - 17 June 2026 (26 messages)
-
[discord] <fexsped> whats the difference between protected mode and compatibility mode? -
Protected mode is 32 bit native mode, compatibility mode is 32 bit mode while in native 64 bit mode (long mode) -
[discord] <fexsped> are there differences? -
[discord] <fexsped> could a usermode program be able to tell its running in comp as opposed to in protected? -
Can't think of any for usermode only. It matters for kernel mode, since the environment would still be x64, x64 interrupt and exception handlers. Compatibility sort of implies 32 bit compatibility for usermode while running x64 kernel. -
Not directly, depends on the environment. On Windows you could tell using WinAPI. -
IsWow64Process function (wow64apiset.h) - Win32 apps
-
Joined.
-
[discord] <fexsped> why does windows have this wow64 thing? is it just naming for passing it all of to the hardware? (switching code segment to a compatibility mode one) -
In order to support 32 bit applications on x64 Windows -
Windows-on-windows-64 -
Sorry, didn't get the question -
[discord] <fexsped> for example on linux there is no similar naming -
Oh, well :) -
[discord] <fexsped> the kernel just detects somehow an 32bit elf and runs it in compatibility mode -
Same thing here, but a fancy name for the MSFT technology -
[discord] <fexsped> but there is no hardcore code required to do this by the kernel -
[discord] <fexsped> you just hand it off to hardware -
[discord] <fexsped> theres no emulation -
[discord] <fexsped> or anything -
[discord] <fexsped> yeah so its ms names again -
[discord] <fexsped> always confusing these company tech names -
Right, you'll see different names for the same thing depending on the vendor -
Sorry, don't have access to discord atm -
I removed it. 👍 -
Joined. - 18 June 2026 (8 messages)
-
I found the root cause, do I just report it here? -
It's a bug in the vmexit handler -
Great. Yes please explain it here and since you found the bug, please create a PR on GitHub and fix it. 🙂 -
Thanks -
Anyone know simple vtx on ubuntu? -
What do you mean by simple? -
Joined.
-
Yes need simple - 19 June 2026 (21 messages)
-
Joined. -
-
-
-
-
-
-
[discord] <rayanfam> [reply]: Hey, HyperDbg has a project called HyperEvade designed to make the debugger more transparent (harder to detect). @jtaw.5649 is currently working on redesigning HyperEvade. It would be best to test HyperDbg with HyperEvade later once the new redesigned version is ready (again, this doesn't mean that Hyperion would not be able to detect it, but it will significantly raise the bar). -
how does it work? -
[discord] <jtaw.5649> What is Hyperion? -
[discord] <jtaw.5649> I am only working on hypervisor related stealth. Your KVM/VMware/other environment is your responsibility -
[discord] <jtaw.5649> [reply]: If the hyperion you are referring to is the roblox anti-tamper/anti-cheat, no, my changes will not support bypassing it. -
i want to bypass it
-
[discord] <jtaw.5649> [reply]: contributions are always welcome -
Hyperion (or a similar anti-cheat tool) detects whether it is running inside a virtual machine (VM) or hypervisor. It achieves this using two main low-level CPU techniques :
1- CPU Mode Switching & EIP Overflow
2- Exploiting Hypervisor Mishandling Trap Flags & #UD
But what about kernel manipulations, hardware based hypervisors and the monster HyperDbg ? -
i need an undetected hyperdbg
-
-
-
ive heard of the first detection, how exactly is the second one though?
-
-
- 20 June 2026 (54 messages)
-
[discord] <oi_its_me> I’ve always found it a bit tedious
To Start hyprdbg via windbg. Anyone care to share their workflow or if they have any scripts. I’m using VMware if that matters. -
-
-
-
-
[discord] <oi_its_me> [reply]: kernel level local debugging isn’t supported for obvious reasons -
[discord] <nihaoshijie0178> [reply]: I'm using a dual-physical-machine debugging setup.
Under normal circumstances, the Break breakpoint in WinDbg will be intercepted and handled by HyperDbg, which renders WinDbg unusable.
To work around this, you need to replace WinDbg's Break breakpoint with INT 2D, so that the breakpoint will not be captured by HyperDbg.
Hope my answer is of some help to you -
[discord] <nihaoshijie0178> [reply]: I'm quite interested in this bug.
If you could provide a video of the bug being triggered along with the full memory dump captured via DMA, I'd be more than happy to help you analyze it. -
-
[discord] <rayanfam> [reply]: Instead of using these tricks, you can just use 'test breakpoint off' or 'test trap off' :
https://docs.hyperdbg.org/commands/debugging-commands/test
-
[discord] <rayanfam> [reply]: You can use EfiGuard if you don't want to use WinDbg. Also, I usually create a snapshot of the VM and I have a batch file on the host that opens windbg with parameters to debug the VM. That saves me a lot of time. -
Hey, could you provide more details? Which generation of Intel processors do you use? Also, which version of HyperDbg are you using? Are you using a beta version or a stable version? -
ivy bridge
latest hyperdbg
stable -
It's an ancient processor (from 2012) 😅. It's been a long time since we tested HyperDbg on Skylake and older processors, as they simply don't have the features that HyperDbg requires. -
Woah, woah, mate! Have some respect to senior CPUs :D -
thank you, but are these cpus supported by older hyperdbg versions?
-
-
A processor vulnerable to Meltdown and Spectre doesn't deserve the title of seniority! 😅 -
How do you call 486 then? :) -
You should test, maybe versions older than 0.10 support it (but I'm not sure). -
Yeah, you can keep it and donate it to a museum soon. 😛 -
486 isn't vulnerable to spectre? Do they even have branch prediction and speculative execution? -
Darn you got me -
But still, I have a sandy bridge mini pc at my desk. I’m debugging it successfully with a hypervisor, Windows XP target - so much fun. -
I guess I divide ancient and not ancient CPUs by VTx version (pre EPT and post EPT) -
-
-
-
don't worry about it, as long as we understand each other we're good -
Well, the main problem with old CPUs in HyperDbg comes from the fact that we use MBEC (Mode-based Execution Controls), which is only available from Kaby Lake. However, at the same time, these processors with the KPTI patch for Meltdown require significant care if we want to access memory safely. Initially, we did support that type of memory access, but after some time, and since Windows 11 stopped supporting most of them, we haven't tested it on them. As a result, HyperDbg gained so many features that were never tested on 8th-gen and older CPUs, which can cause a BSOD if not treated correctly. -
Probably the best tested CPU is 9th gen or newer but still it might work on Kaby lake and Skylake (not sure). -
Yeah, I get that. Those are architectural decisions. You have to sacrifice something.. -
I have the opposite problem - I support Nehalem+, so I don't integrate fancy features. Very basic, just to keep it working... -
-
-
I'm afraid not. If you trap and emulate, the performance hit will be huge anyway. -
Supporting HyperDbg on very old CPUs reminds me of this meme 😅 -
You know what's cool about older gens? They were developed during the transition from legacy BIOS to UEFI, so most of them had CSM (compatibility support module). So you could run both UEFI+GPT OSes and MBR 32 bit OSes. -
The other day I needed to troubleshoot an insider Windows 10 32 bit build and I couldn't find a machine with CSM -
So ended up ordering a kaby lake nuc from ebay -
And then I bricked it - but that's a different story -
I think the coolest thing about old Intel processors is those Goldmont and Goldmont Plus Atom CPUs that are red unlocked 😅 -
You can't impress me with an unlocked CPU, haha -
Yeah, but for us it's still so impressive. 😅 -
Yeah, Mark is a legend, agree -
Agree 👌 -
-
[discord] <oi_its_me> [reply]: Just to clarify. Instead of going into the debuggee and begin listening, you begin listening and then create a snapshot at that point.
And then you have a script that launches WinDbg.
For subsequent debugging iterations, you just restore the snapshot.
Am I following?
Also, I remember I ran into issues with EfiGuard and might be misremembering, but it requires secure boot to be off. I forgot the other issues? -
[discord] <rayanfam> Yes that is the case. -
[discord] <rayanfam> You can use this very simple batch file: ''' start "" "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" -k net:port=50000,key=XXX ''' -
[discord] <oi_its_me> Thanks @rayanfam ! Was already doing that! The recommended route is WinDbg and not EFI Guard, correct? -
Is development active for the Linux version of HyperDbg?
-
[discord] <rayanfam> [reply]: Both of them are the same. If you use WinDbg to bypass DSE, you have the advantage of detecting a crash IF HyperDbg crashed the system (which is a big IF 😅). -
[discord] <rayanfam> [reply]: Yes, @maxraulea is leading this project. - 21 June 2026 (9 messages)
-
[discord] <gotthebestusername.> hi, since this uses hyper-v, are there any plans to support a trimmed down version for amd? -
[discord] <rayanfam> [reply]: Hyper-V? 🤔 -
HyperDbg v0.20 is out! 🎉
This release includes numerous bug fixes, continued progress on the Linux port, further advancements in Intel PT support, and a migration to Visual Studio 2026.
Check it out:
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.20-beta
-
👏
-
[discord] <gotthebestusername.> [reply]: oh my bad -
[discord] <gotthebestusername.> i thought this was hooking hyper-v for some reason, confused it with another project -
[discord] <rayanfam> [reply]: Which project? Curious to know 🤔 -
[discord] <gotthebestusername.> [reply]: https://github.com/noahware/hyper-reV (memory introspection and reverse engineering hypervisor powered by leveraging Hyper-V)
-
[discord] <rayanfam> [reply]: Thanks 👍 - 22 June 2026 (2 messages)
-
-
Joined. - 24 June 2026 (1 messages)
-
Hi everyone, I'm trying to disable DSE using EfiGuard, but it fails with error 0xC0000225. Has anyone encountered this problem before? Any ideas on how to fix it? - 25 June 2026 (9 messages)
-
[discord] <unrustled.jimmies> I think it's caused by a signature change in a recent windows update. matti already fixed it but I'm not sure if he still releases new builds for efiguard, so you might have to build it yourself (if so, good luck). -
-
-
Joined.
-
Joined. -
Ok, thanks. I'll try it. -
Joined.
-
Joined. -
- 26 June 2026 (20 messages)
-
[discord] <fexsped> how can I enable VBS, HVCI and kCET without Secure boot / with untrusted drivers loaded in a Hyper-V VM? -
There is no way AFAIK. I'd love to know too though.. -
[discord] <fexsped> thats weird -
I agree, secure boot is not a prerequisite for CET -
So it's not a technical limitation -
[discord] <fexsped> there has to be a way cause I just read a blog post that gradually turns on every mitigation and runs an exploit against HEVD (toy unsigned driver used for learning kernel exploits) -
The other question is why do you want Secure Boot disabled? Custom EFI loader? -
[discord] <fexsped> I want to load HEVD and do data only attacks -
[discord] <fexsped> with all mitigations on -
I see. If you find the way, please message here as well -
[discord] <fexsped>
https://cdn.discordapp.com/attachments/962350355839066130/1519995764246450286/fhxv6vm.png?ex=6a3f95de&is=6a3e445e&hm=5196cd9f051057c56e21ba41fd7cdd6775b8ef9def89043bab6ee6afcace13b1& -
[discord] <fexsped> that key doesnt seem to work -
[discord] <fexsped> but why is it named that? and what does it do? -
While I don't know the answer, that would be a good exercise for reverse engineering of ntoskrnl.exe ;) -
[discord] <fexsped> yeah thats what im about to try to do -
Great! Keep it up! -
[discord] <fexsped> does anyone happen to know what are the advantages of `_UNICODE_STRING`? Why did microsoft choose to create this structure over a plain `wchar_t*`? -
It's not null terminated unlike a C string -
The buffer also doesn't have to be same size as string itself. It can be bigger (MaximumLength) -
_UNICODE_STRING is more like std::wstring in c rather than c strings - 27 June 2026 (1 messages)
-
Joined.
- 28 June 2026 (9 messages)
-
-
[discord] <fexsped> [reply]: hello -
[discord] <fexsped> while doing other things I have also found the way to enable HVCI and kCET while allowing kernel debugging and custom modules -
[discord] <fexsped> In hyper-V, under security, disable secure boot but **ENABLE TPM**
https://cdn.discordapp.com/attachments/962350355839066130/1520804110113177690/29m5nv2.png?ex=6a4286b3&is=6a413533&hm=55dc91d780ceed5f400aca6774a32169536bc56f846ca043584627f0b0a84263& -
[discord] <fexsped> my guess is that all you need is a TPM (which qemu, vmware and the like can also provide) -
Hi! Good find, thanks! -
[discord] <jtaw.5649> [reply]: tpm is also a very useful tool for reversing, it often gets overlooked in that regard -
[discord] <fexsped> [reply]: yeah it actually really caught my attention and I picked up the ost2 course -