Page 1 - May 2023 @hyperdbg Telegram message archive.

@kishou_yusa #431 12:22 PM, 04 May 2023

Joined.

@RtlFailFast #432 12:24 PM, 04 May 2023

Joined.

@combab0 #433 12:35 PM, 04 May 2023

Joined.

@aqua_crop #434 12:36 PM, 04 May 2023

Joined.

@Xabby #435 12:37 PM, 04 May 2023

Joined.

@447737910 #436 12:37 PM, 04 May 2023

Joined.

@81842363 #437 12:40 PM, 04 May 2023

Joined.

@Dmitriy_Area51 #438 12:40 PM, 04 May 2023

Joined.

@YMahmoudnia #439 12:42 PM, 04 May 2023

Joined.

@5930499315 #440 12:45 PM, 04 May 2023

Joined.

@arshnme #441 12:46 PM, 04 May 2023

Joined.

@SudoerUser #442 12:46 PM, 04 May 2023

Joined.

@s1ckb017 #443 12:46 PM, 04 May 2023

Joined.

@notavailable #444 12:47 PM, 04 May 2023

Joined.

@cenaei #445 12:47 PM, 04 May 2023

Joined.

@AlirezaHabibzadeh #446 12:47 PM, 04 May 2023

Joined.

@islemolecule #447 12:47 PM, 04 May 2023

Joined.

@SaimonX2 #448 12:48 PM, 04 May 2023

Joined.

@1331047238 #449 12:49 PM, 04 May 2023

Joined.

@Mojam0x00 #450 12:50 PM, 04 May 2023

Joined.

@859281145 #451 12:50 PM, 04 May 2023

Joined.

@Ox0b00b135 #452 12:51 PM, 04 May 2023

Joined.

@CustomClass #453 12:51 PM, 04 May 2023

Joined.

@xdrresfp #454 12:52 PM, 04 May 2023

Joined.

@binophism #455 12:54 PM, 04 May 2023

Joined.

@948676328 #456 12:54 PM, 04 May 2023

Joined.

@330658927 #457 12:56 PM, 04 May 2023

Joined.

@tuna99tq #458 12:56 PM, 04 May 2023

Joined.

@Offensive_cipher #459 12:57 PM, 04 May 2023

Joined.

@Directja #460 12:59 PM, 04 May 2023

Joined.

@OxMasoud #461 01:00 PM, 04 May 2023

Joined.

@HughEverett #462 01:01 PM, 04 May 2023

Joined.

@Amirhoseein_af #464 01:12 PM, 04 May 2023

Joined.

@ali99e #466 01:16 PM, 04 May 2023

Joined.

@Guesterme #467 01:19 PM, 04 May 2023

Joined.

@Fade_To_Black #468 01:20 PM, 04 May 2023

Joined.

@1066756071 #469 01:20 PM, 04 May 2023

Joined.

@TMT_You_Know #470 01:21 PM, 04 May 2023

Joined.

@Kanren3 #471 01:22 PM, 04 May 2023

Joined.

@1899998690 #472 01:23 PM, 04 May 2023

Joined.

@erg0t #473 01:25 PM, 04 May 2023

Joined.

@SeedPuller #474 01:27 PM, 04 May 2023

Joined.

@aasdsasdasda #475 01:29 PM, 04 May 2023

Joined.

@333534611 #476 01:29 PM, 04 May 2023

Joined.

@MTMT0MTMT #477 01:44 PM, 04 May 2023

Joined.

@seyyidy #478 01:45 PM, 04 May 2023

Joined.

@jd_101 #479 01:50 PM, 04 May 2023

Joined.

@symeonp #480 01:52 PM, 04 May 2023

Joined.

@h4mre #481 01:53 PM, 04 May 2023

Joined.

@5329621405 #482 01:53 PM, 04 May 2023

Joined.

@akazemi67 #483 02:01 PM, 04 May 2023

Joined.

@5138215154 #484 02:01 PM, 04 May 2023

Joined.

@nt_sys #485 02:08 PM, 04 May 2023

Joined.

@Sh4DoVV #486 02:14 PM, 04 May 2023

Joined.

@MrPe3a #487 02:18 PM, 04 May 2023

Joined.

@1372347275 #488 02:21 PM, 04 May 2023

Joined.

@neutrinoguy #489 02:21 PM, 04 May 2023

Joined.

@ayatkh2006 #490 02:26 PM, 04 May 2023

Joined.

@Mrdvm #491 02:31 PM, 04 May 2023

Joined.

@caprinux #492 02:34 PM, 04 May 2023

Joined.

@MalwareAnalyst #493 02:43 PM, 04 May 2023

Joined.

@vermouth7 #494 02:50 PM, 04 May 2023

Joined.

@xe1337 #495 02:52 PM, 04 May 2023

Joined.

@1799390332 #496 02:53 PM, 04 May 2023

Joined.

@mohammadefhamisisi #497 03:06 PM, 04 May 2023

Joined.

@ine2p #498 03:09 PM, 04 May 2023

Joined.

@5792033497 #499 03:15 PM, 04 May 2023

Joined.

@Ascention_To_Highest #500 03:20 PM, 04 May 2023

Joined.

@x_bobo_x #501 03:23 PM, 04 May 2023

Joined.

@lopqto #502 03:26 PM, 04 May 2023

Joined.

@Fujika1337 #503 03:37 PM, 04 May 2023

Joined.

@Amin_E3 #504 03:37 PM, 04 May 2023

Joined.

@86161878 #505 03:38 PM, 04 May 2023

Joined.

@apkunpacker #506 03:40 PM, 04 May 2023

Joined.

@1875005376 #507 04:01 PM, 04 May 2023

Joined.

@Sidd_Tim #508 04:02 PM, 04 May 2023

Joined.

@Ronnefeldt #509 04:05 PM, 04 May 2023

Joined.

@yamixx #510 04:07 PM, 04 May 2023

Joined.

@XCyber #511 04:22 PM, 04 May 2023

Joined.

@notmuffin #512 05:07 PM, 04 May 2023

Joined.

@G679537 #513 05:15 PM, 04 May 2023

Joined.

@84351597 #514 05:20 PM, 04 May 2023

Joined.

@803867538 #515 06:05 PM, 04 May 2023

Joined.

@5276738391 #516 06:19 PM, 04 May 2023

Joined.

@Masih0111 #517 06:48 PM, 04 May 2023

Joined.

@mehrdadblue11 #518 07:15 PM, 04 May 2023

Joined.

@ArefehILK #519 07:27 PM, 04 May 2023

Joined.

@x13368 #520 07:29 PM, 04 May 2023

crazy today

@ir19793 #521 07:54 PM, 04 May 2023

Joined.

@epatitucci #522 07:57 PM, 04 May 2023

Joined.

@adamhlt #523 08:13 PM, 04 May 2023

Joined.

@invlpg #524 08:17 PM, 04 May 2023

Joined.

@Trible3d #525 09:08 PM, 04 May 2023

Joined.

@ghaaf #526 09:10 PM, 04 May 2023

Joined.

@S4zop #527 10:20 PM, 04 May 2023

Joined.

@chadgpt #528 11:33 PM, 04 May 2023

Joined.

@chadgpt #529 11:33 PM, 04 May 2023

How is this tool compared to ghidra, IDA and x64dbg?

@x13368 #530 11:38 PM, 04 May 2023

The x64dbg community is active

@chadgpt ↶ Reply to #530 #531 11:39 PM, 04 May 2023

Not talking about the community. I’m talking about the competency of the tool

@erg0t ↶ Reply to #531 #532 11:41 PM, 04 May 2023

For what specific use?

@chadgpt ↶ Reply to #532 #533 11:43 PM, 04 May 2023

Malware analysis and binary decompilation

@erg0t ↶ Reply to #533 #534 11:48 PM, 04 May 2023

That is to broad. For example if it is usermode malware you are working with I don’t think there is a clear advantage in using HyperDbg. But in the other hand it can shine when working with kernel stuff. In that sense it compares to using IDA + vmware’ gdb stub (or some other VM with debugging)

@5539033269 #535 11:58 PM, 04 May 2023

suddenly so many people, what happened

@caprinux #536 12:35 AM, 05 May 2023

the telegram link was shared on twitter

@chadgpt ↶ Reply to #536 #537 01:03 AM, 05 May 2023

Ya of course

@ExiaHan #538 02:07 AM, 05 May 2023

Joined.

@5975217833 #539 02:14 AM, 05 May 2023

Joined.

@buffer6 #540 04:08 AM, 05 May 2023

Joined.

@abacustem #541 04:19 AM, 05 May 2023

Joined.

@Hexm4n #542 04:26 AM, 05 May 2023

Joined.

@Cocainerce #543 06:54 AM, 05 May 2023

Joined.

@Decoder0x01 #544 07:00 AM, 05 May 2023

Joined.

@Kasra_a2Fz #545 07:52 AM, 05 May 2023

Joined.

@hanidastvar #546 08:02 AM, 05 May 2023

Joined.

@pl4yn1c3 #547 08:04 AM, 05 May 2023

Joined.

@MiladHazrati75 #548 08:10 AM, 05 May 2023

Joined.

@1728194394 #549 08:35 AM, 05 May 2023

Joined.

@zapdosx #550 09:10 AM, 05 May 2023

Joined.

@1906828983 #551 09:23 AM, 05 May 2023

Joined.

@PaMo1378 #552 09:41 AM, 05 May 2023

Joined.

@823545647 #553 09:49 AM, 05 May 2023

Joined.

@1906828983 #554 10:01 AM, 05 May 2023

About ept: For example, I used !epthook nt!ExAllocatePool for ExAllocatePool, which means hook in all process spaces, but I see that the code uses the current process id

photo_2023-05-05_10-01-43.jpg

@HughEverett ↶ Reply to #554 #555 10:14 AM, 05 May 2023

The kernel addresses are shared, when we set an EPT hook on the target function based on the current process (memory layout), it's like we set breakpoint on all of the processes.

@horsicq #556 10:29 AM, 05 May 2023

Joined.

@823545647 #557 10:32 AM, 05 May 2023

If it is the kernel address then it doesn't matter if the process id is set or not, right? If it's a hook on the user process like !epthook test!exe.main then by default only the main function of the current process context is hooked, do I understand it correctly?

@1898939319 #558 10:36 AM, 05 May 2023

Joined.

@EduSyst #559 10:38 AM, 05 May 2023

Joined.

@B4rC0d #560 11:59 AM, 05 May 2023

Joined.

@vboxlover #561 12:30 PM, 05 May 2023

Joined.

@HughEverett ↶ Reply to #557 #562 12:35 PM, 05 May 2023

If you want to hook a module test!exe.main you should specify the process id. Like

!epthook test!MyFunctions pid 1c0

Otherwise, HyperDbg won't know where to look for the specific address and if the address is not valid in the context (CR3) of current process, then it shows and invalid address error.

@1482373410 #563 12:36 PM, 05 May 2023

Joined.

@HughEverett #564 12:37 PM, 05 May 2023

The kernel addresses should be shared among all processes, that's why we use the memory layout of current process to set hook on them. (there are exceptions for some kernel addresses that are only mapped into specific processes)

@HughEverett ↶ Reply to #564 #565 12:39 PM, 05 May 2023

For example, regular OS page-tables are not shared between different processes (addresses are still in the kernel) but in these cases, again you should specify the PID to switch to target process layout.

@1906828983 #566 12:46 PM, 05 May 2023

okay seems similar to the windbg bp /p command

@apkunpacker #567 12:56 PM, 05 May 2023

nice to see @horsicq here. congrats for being admin 🥳

@mrfearless #569 01:36 PM, 05 May 2023

Joined.

@YMahmoudnia #570 01:37 PM, 05 May 2023

Welcome @mrfearless 🌺

@symeonp #571 01:44 PM, 05 May 2023

Hey @HughEverett quick question my side (never used hyperdbg) but my question is: I'm using HyperV for kernel debugging and I only need to break on a userland process, would this epthook work for me as well? It's a Windows Service though

@Reverser69 #572 02:32 PM, 05 May 2023

Joined.

@6015940752 #573 02:48 PM, 05 May 2023

Joined.

@HughEverett ↶ Reply to #571 #574 03:43 PM, 05 May 2023

Hyper-V is the worst hv that we've ever dealt with it. I'm not sure if HyperDbg currently works on Hyper V's nested virtualization or not. Last time that I test it on Hyper V, it was okay on 1 core VM. About EPT hooks, yes it's possible but I don't know where to put EPT hooks, generally there should be two ways of reaching to the user mode. One is by using SYSRET and another one is IRET, there are also other possible scenarios but I'm not sure if it gets everything or not. So, you have to put ept hook on these instructions.

@symeonp #575 03:46 PM, 05 May 2023

Really? Interesting, someone was telling me that it's really way much better than... VMWare :)

@HughEverett #576 03:46 PM, 05 May 2023

But there are also other (better) options, one is using Mode Based Execution Controls and another one is disabling user mode execution in regular page tables. Both of them are implemented in hyperdbg but I never exposed it as a command.
The source code is here:
https://github.com/HyperDbg/HyperDbg/blob/master/hyperdbg/hprdbghv/code/hooks/ept-hook/ModeBasedExecHook.c

It gets the execution when it reaches to user mode.

You can modify it a little bit to achieve your goals.

HyperDbg/hyperdbg/hprdbghv/code/hooks/ept-hook/ModeBasedExecHook.c at master · HyperDbg/HyperDbg

State-of-the-art native debugging tool. Contribute to HyperDbg/HyperDbg development by creating an account on GitHub.

@HughEverett ↶ Reply to #575 #577 03:49 PM, 05 May 2023

I'm not talking about its quality, just a bunch of shit they've added as TLFS. 😞

Read this tweet:
https://twitter.com/Intel80x86/status/1523033338407235585?t=c0WLKd3v1OFtP2PBR_HKQA&s=19

@symeonp #578 03:53 PM, 05 May 2023

Nice thanks, will have a look!

@erg0t ↶ Reply to #577 #579 04:10 PM, 05 May 2023

TLFS is pretty bad yeah. That said most hypervisors will be using hyperv’s VMM on Windows. The thing is that by default hyperv partitions are created with support for bunch of hyperv specific stuff: synthIC, synthetic MSRs, hypercalls etc. instead what you probably want is to create an exo-partition. But I’m not sure if Microsoft has any documentation about it.

@erg0t #580 04:11 PM, 05 May 2023

Tl;dr: it is possible to create more “vanilla” VMs with hyperv as “exo-partitions”

@erg0t #581 04:13 PM, 05 May 2023

Probably the best way to investigate out how to do it is from VirtualBox source code. IIRC they are already using hyperv’s VMM in Windows

@HughEverett ↶ Reply to #580 #582 04:47 PM, 05 May 2023

What do you mean by exo-partition? 🤔
Is it something related to hyper-v API? 🤨

@HughEverett ↶ Reply to #579 #583 04:48 PM, 05 May 2023

The problem is with invalidating EPT on hypercalls. We gonna use the nested virtualization feature of hyper-v.

@erg0t ↶ Reply to #582 #584 05:05 PM, 05 May 2023

Yes when you create a partition you can control the characteristics of it: https://learn.microsoft.com/en-us/virtualization/api/hypervisor-platform/hypervisor-platform

Windows Hypervisor Platform API Definitions

Describes Windows Hypervisor Platform API definitions and provides a high-level overview of the third-party architecture.

@erg0t #585 05:12 PM, 05 May 2023

This one in particular controls the things you mentioned: https://learn.microsoft.com/en-us/virtualization/api/hypervisor-platform/funcs/whvsetpartitionproperty

WHvSetPartitionProperty

Understaning how to work with WHvSetPartitionProperty and its parameters, syntax, and return value

@5497676929 #586 06:24 PM, 05 May 2023

Joined.

@Ali_Zarei03 #587 10:01 PM, 05 May 2023

Joined.

@Apprection #588 03:56 AM, 06 May 2023

Joined.

@ARiO_KURD #589 04:10 AM, 06 May 2023

Joined.

@hamed_hak60 #590 01:31 PM, 06 May 2023

Joined.

@1295582581 #591 01:34 PM, 06 May 2023

Joined.

@YMahmoudnia #592 01:38 PM, 06 May 2023

lin from bbs.pediy ?

@1295582581 #593 01:38 PM, 06 May 2023

yes

@YMahmoudnia #594 01:38 PM, 06 May 2023

welcome 😊

@1295582581 #595 01:39 PM, 06 May 2023

😊

@vsismylanguage #596 02:20 PM, 06 May 2023

Joined.

@gblw2020 #597 02:29 PM, 06 May 2023

Joined.

@killaragorn #600 03:34 PM, 06 May 2023

Joined.

@HughEverett #607 05:46 PM, 06 May 2023

Here's the new function tracing feature that just added to hdbg.

In case you guys wanna test it (and provide feedback), switch to this commit and build hdbg:

https://github.com/HyperDbg/HyperDbg/commit/746320b35941ff01af64aaa74b55636e9ec0130b

photo_2023-05-06_17-46-58.jpg

@HughEverett #608 05:46 PM, 06 May 2023

photo_2023-05-06_17-46-59.jpg

@HughEverett #609 05:46 PM, 06 May 2023

photo_2023-05-06_17-46-59.jpg

@HughEverett #611 05:47 PM, 06 May 2023

track.txt

@HughEverett #612 05:48 PM, 06 May 2023

It basically lets you trace function calls (and rets from user-to-kernel) and (kernel-to-user).

@887752976 #613 04:49 AM, 07 May 2023

Joined.

@mehrdad_drpc #639 07:27 AM, 07 May 2023

Joined.

@Mrs_Sesa #640 10:51 PM, 07 May 2023

Joined.

@1906828983 ↶ Reply to #609 #641 09:04 AM, 08 May 2023

any idea to add https://github.com/actions/upload-artifact so that we can play with the new features quickly

GitHub - actions/upload-artifact

Contribute to actions/upload-artifact development by creating an account on GitHub.

@aquilrex #642 09:05 AM, 08 May 2023

Joined.

@1906828983 #643 09:10 AM, 08 May 2023

I noticed that the new version development environment has been upgraded to so this will encounter some compilation issues in vs2019.

photo_2023-05-08_09-10-15.jpg

@1906828983 ↶ Reply to #643 #644 09:25 AM, 08 May 2023

reclone to resolve the issue

@Cephex #645 09:30 AM, 08 May 2023

Joined.

@Mohamadrezanj76 #646 09:35 AM, 08 May 2023

Joined.

@1906828983 ↶ Reply to #609 #647 09:52 AM, 08 May 2023

how do I stop !track command? i can't use ctrl+c to stop it. 😂

@HughEverett ↶ Reply to #643 #648 09:56 AM, 08 May 2023

Sure, I'll enable the artifacts. Previously it was enabled but I thought that it might be useless so we removed it.

@HughEverett ↶ Reply to #647 #649 09:56 AM, 08 May 2023

CTRL+C should work, there should be an error if it didn't stop. How can I reproduce the error?

@HughEverett ↶ Reply to #647 #650 09:58 AM, 08 May 2023

I test it by using a user-mode application that triggers a simple network system-call.

@1906828983 #651 10:00 AM, 08 May 2023

I'm using it in kernel debugging. User mode doesn't seem to be supported by default, it seems we need to enable a macro ourselves before compiling

@1906828983 #652 10:02 AM, 08 May 2023

https://github.com/HyperDbg/HyperDbg/issues/228 and i can't quit to reconnect hdbg

Unable to reconnect to hyperdbg · Issue #228 · HyperDbg/HyperDbg

Describe the bug To Reproduce run hdbg in host run hdbg in guest press ctrl+c and press exit in host to exit hdbg run hdbg in host to reconnect guest Expected behavior we can reconnect to the guest...

@HughEverett ↶ Reply to #651 #653 10:04 AM, 08 May 2023

no, don't enable it by changing the macro. It shouldn't work on VMI Mode. Test it in Debugger Mode. Are you using VMware Workstation?

@1906828983 #654 10:05 AM, 08 May 2023

yes, I'm using VMware

@1906828983 #655 10:08 AM, 08 May 2023

I did not succeed in using hdbg in user mode. I will try again later

@HughEverett #656 10:08 AM, 08 May 2023

So, whenever a user-mode application runs a 0xcc (int 3), the kernel debugger should be notified and from that point you can start tracing (!track). Or for example, put a breakpoint somewhere (either on a user address or kernel address).

@HughEverett ↶ Reply to #655 #657 10:10 AM, 08 May 2023

yep, consider testing everything in the kernel debugger in the Debugger Mode. The user debugger is neither tested nor in a working state.

@HughEverett #658 10:10 AM, 08 May 2023

and of course, !track command won't work in VMI mode.

@1906828983 #659 11:08 AM, 08 May 2023

so how do I use !track on top of the user mode application

@1906828983 #660 11:09 AM, 08 May 2023

photo_2023-05-08_11-09-55.jpg

@1906828983 ↶ Reply to #651 #661 11:11 AM, 08 May 2023

photo_2023-05-08_11-11-46.jpg

@1906828983 #662 11:19 AM, 08 May 2023

yes !track command can't work in VMI mode.

photo_2023-05-08_11-19-32.jpg

@1906828983 #663 11:39 AM, 08 May 2023

can't access the process space, what am I missing

cmd_eDVv9YsDWC.gif

@HughEverett ↶ Reply to #659 #664 11:48 AM, 08 May 2023

You don't need to use the user-debugger for that, whenever you have access to the kernel debugger (in debugger mode), you can easily debug all the user-mode applications by simply switch to them. Or simply putting breakpoint on them. Then everything is just like a normal debugger, you can step through the instructions, blah blah

@1906828983 ↶ Reply to #664 #665 11:50 AM, 08 May 2023

how to switch it

@1906828983 ↶ Reply to #663 #666 11:51 AM, 08 May 2023

i tried to enter the process space to test !track but no luck

@HughEverett ↶ Reply to #663 #667 11:52 AM, 08 May 2023

There might be two reasons for that. First, the process might never get executed! HyperDbg is different from Windbg in switching into the processes. WinDbg is compiled with Windows, so they can easily hook the process context switching, but we can't. Instead, we use two methods to intercept processes. One by intercepting accesses to gs:[188] and other one is by using the clock interrupts. Please visit:

https://docs.hyperdbg.org/tips-and-tricks/considerations/difference-between-process-and-thread-switching-commands

Difference between process and thread switching commands

When to use '.process', '.process2', '.thread', and '.thread2' commands

@1906828983 #668 11:54 AM, 08 May 2023

😂

photo_2023-05-08_11-54-27.jpg

@HughEverett ↶ Reply to #666 #669 11:54 AM, 08 May 2023

Okay, the reason for that is because of recent changes in Windows context switching mechanism in Windows (https://twitter.com/Intel80x86/status/1655461171280105472?s=20). I have to update the code, to make it work again, but there is a simple way to switch to the target process. Use the following script:

!interrupt d1 pid 0x27A4 script {

if (@rip & 0xff000000`00000000) {

printf("clk interrupt received at : %llx\n", @rip);
}
else{
pause();
}
}

@HughEverett #670 11:56 AM, 08 May 2023

0xd1 is the interrupt vector for nt!HalpTimerClockInterrupt. and please also change the process id: pid 0x27A4

@1906828983 #671 11:56 AM, 08 May 2023

photo_2023-05-08_11-56-40.jpg

@HughEverett ↶ Reply to #671 #672 11:57 AM, 08 May 2023

can you give me the results for this command :
!interrupt d1 script { printf("core: %x, process id: %x, interrupt: %llx\n", $core, $pid, $context); }

@1906828983 ↶ Reply to #671 #673 11:57 AM, 08 May 2023

Only change the pid, just try a quick test

@HughEverett ↶ Reply to #672 #674 11:58 AM, 08 May 2023

I wanna make sure that the clock interrupt reaches to all cores. Not just core 0.

@1906828983 #675 11:58 AM, 08 May 2023

photo_2023-05-08_11-58-22.jpg

@HughEverett ↶ Reply to #675 #676 11:58 AM, 08 May 2023

is there any cores other than core 1? like core 0? or core 2?

@1906828983 #677 12:01 PM, 08 May 2023

vmware :
number of processors: 2
number of cores per processor: 1

@HughEverett ↶ Reply to #677 #678 12:01 PM, 08 May 2023

Use 1 processor, with 1, or two or whatever cores.

@HughEverett #679 12:01 PM, 08 May 2023

Just one processor.

@HughEverett ↶ Reply to #677 #680 12:05 PM, 08 May 2023

photo_2023-05-08_12-05-13.jpg

@HughEverett ↶ Reply to #675 #681 12:06 PM, 08 May 2023

photo_2023-05-08_12-06-03.jpg

@HughEverett #682 12:06 PM, 08 May 2023

Works for me, both .process command and !interrupt command. Just make sure to interact with the process, so the Windows puts it in the context switching queue.

@HughEverett #683 12:08 PM, 08 May 2023

and also .process2 is working.

photo_2023-05-08_12-08-28.jpg

@1906828983 #684 12:08 PM, 08 May 2023

okay, I need to leave my computer for a while and test it later.

@HughEverett ↶ Reply to #683 #685 12:09 PM, 08 May 2023

But the problem with .process2 is that it intercepts the execution in the kernel-mode (not user-mode) but the .process and the !interrupt commands should be fine.

@HughEverett ↶ Reply to #684 #686 12:09 PM, 08 May 2023

Sure 👍

@HughEverett ↶ Reply to #684 #687 12:18 PM, 08 May 2023

Btw, I made an update to the 'dev' branch to check for other cores (other than 0th core) in the .process command, please 'git pull' the dev branch before testing:
https://github.com/HyperDbg/HyperDbg/commit/d5fdc3a39d2efb0d6e0063bbf01111706cec0343

checking for cores other the 0th core in process switching · HyperDbg/HyperDbg@d5fdc3a

State-of-the-art native debugging tool. Contribute to HyperDbg/HyperDbg development by creating an account on GitHub.

@HughEverett ↶ Reply to #683 #688 12:21 PM, 08 May 2023

The key technique to work with this command is to interact with the process, so a clock interrupt is arrived and HyperDbg can intercept it. If the process finishes the execution faster than the clock interrupt interval, HyperDbg won't have a chance to intercept the process execution.

@HughEverett ↶ Reply to #669 #689 12:22 PM, 08 May 2023

Personally, I prefer to use this script rather than the '.process' command. Because it guarantees that you'll intercept the execution in the user-mode (while the .process might intercept the execution in the kernel mode).

@l14ck3r0x01 #690 01:36 PM, 08 May 2023

Joined.

@Nitr0_G #691 03:06 PM, 08 May 2023

Joined.

@1906828983 #692 04:12 PM, 08 May 2023

still doesn't seem to work, I've used the latest dev branch and set the processor to 1 core set to 1

@1906828983 ↶ Reply to #692 #693 04:14 PM, 08 May 2023

photo_2023-05-08_16-14-09.jpg

@1906828983 #694 04:21 PM, 08 May 2023

cmd_mLSAWTaHzN.gif.mp4

@1906828983 #695 04:26 PM, 08 May 2023

cmd_w9sTqNNHbj.gif.mp4

@HughEverett #696 04:26 PM, 08 May 2023

Why VMCALL happens here? There is something wrong, probably an error in code that you see VMCALL after running this command.

@HughEverett #697 04:28 PM, 08 May 2023

I have to investigate why you see a VMCALL in this command.

@HughEverett ↶ Reply to #695 #698 04:29 PM, 08 May 2023

The gif quality is low btw. Probably telegram compressed it.

@1906828983 #699 04:29 PM, 08 May 2023

I don't know why, I don't understand the principle behinds😂

@1906828983 #700 04:31 PM, 08 May 2023

Do you need any more logs from me, I can provide them to you now, I happen to be at the computer at the moment

@HughEverett ↶ Reply to #699 #701 04:33 PM, 08 May 2023

The principle behind the .process command is to intercept the clock interrupt. Whenever the processor (configured by OS) wants to switch to a new process, it throws a clock interrupt. HyperDbg will be noticied in this case and intercept the execution. That's how .process works.

@HughEverett ↶ Reply to #700 #702 04:36 PM, 08 May 2023

Can you investigate from where the VMCALL is invoked? It might be a little bit hard but in any case please tell me the commands that cause this VMCALLs. What process did you open? cmd.exe? Can you upload the gif videos with a better quality? Maybe in .zip format.

@1906828983 #703 04:39 PM, 08 May 2023

test.mp4

@HughEverett ↶ Reply to #703 #704 04:45 PM, 08 May 2023

Thanks. I'll try to reproduce the error and will notify you. Did you open CMD.exe?

@1906828983 #705 04:45 PM, 08 May 2023

yes, start cmd.exe by the administrator in the virtual machine and hyperdbg-cli.exe by cmd.exe

@E_nia #706 08:38 PM, 08 May 2023

Joined.

@1906828983 #707 09:27 AM, 09 May 2023

Infinite hardware breakpoints: https://bbs.kanxue.com/thread-277124.htm

[原创] 无限硬件中断的代码实现-软件逆向-看雪-安全社区|安全招聘|kanxue.com

@Ubuntu64x #708 09:53 AM, 09 May 2023

Joined.

@Mr_WangFan #709 10:38 AM, 09 May 2023

Joined.

@fly55555 #710 10:39 AM, 09 May 2023

Joined.

@PlaneJun #711 10:57 AM, 09 May 2023

Joined.

@erg0t ↶ Reply to #707 #712 11:40 AM, 09 May 2023

Ollybone-like trick?

@1906828983 #713 12:38 PM, 09 May 2023

What

@1066756071 ↶ Reply to #713 #714 12:59 PM, 09 May 2023

Do you speak Chinese?

@erg0t ↶ Reply to #713 #715 01:05 PM, 09 May 2023

A very old ollydbg plugin that was used to implement hardware breakpoints” by removing pages execute permissions. It actually leveraged a TLB desync trick (similar to PaX’s pagexec) to do it, because at that time processors didn’t have NX bit so you had to toggle the P bit.

@erg0t #716 01:06 PM, 09 May 2023

Now you can just use the NX bit, so it is much easier. Would be interesting to see some Vt-based solution that leverages sub-pages instead of working with full pages, I could see some speed improvements there…

@1906828983 ↶ Reply to #714 #717 01:08 PM, 09 May 2023

Yeah

@raccoonmagic #718 02:47 PM, 09 May 2023

Joined.

@HughEverett ↶ Reply to #715 #719 03:32 PM, 09 May 2023

The same feature for read/write is also available in Hdbg.

https://docs.hyperdbg.org/commands/extension-commands/monitor

https://docs.hyperdbg.org/design/features/vmm-module/design-of-monitor

!monitor (monitor read/write/execute to a range of memory)

Description of the '!monitor' command in HyperDbg.

@HughEverett #720 03:34 PM, 09 May 2023

But I still couldn't still convince myself why we need the same functionality for executable pages. Isn't breakpoints (hidden ept breakpoints) just enough?

@erg0t ↶ Reply to #720 #723 03:44 PM, 09 May 2023

How do hidden ept breakpoints work?

@erg0t #724 03:49 PM, 09 May 2023

Setting NX in ept? You will need to keep track of the guest doing potential changes to GVA->GPA to avoid issues mostly with paged memory (where the guest OS could change the GPA that is using)

@HughEverett ↶ Reply to #724 #725 03:57 PM, 09 May 2023

Somehow

@HughEverett ↶ Reply to #723 #726 03:57 PM, 09 May 2023

https://docs.hyperdbg.org/design/features/vmm-module/design-of-epthook

Design of !epthook

Design of !epthook command

@erg0t ↶ Reply to #726 #727 04:08 PM, 09 May 2023

Ah cool, kinda de opposite (handle potential read/writes)

@erg0t #728 04:09 PM, 09 May 2023

Yes I think that solution is better than NX because you can expect less read/writes than exec accesses

@Ali_Moradi_2017 #729 05:02 PM, 09 May 2023

Joined.

@Kaiser335 #730 07:28 PM, 09 May 2023

Joined.

@mydvdf #731 10:57 PM, 09 May 2023

Joined.

@M0_R3 #734 01:36 PM, 11 May 2023

Joined.

@1218261953 #735 04:12 AM, 12 May 2023

Joined.

@ByGary #736 11:37 AM, 12 May 2023

Joined.

@NEERAJBINDAST #737 01:29 PM, 12 May 2023

Joined.

@SS25DFIR #738 05:01 PM, 12 May 2023

Joined.

@sajjadgolpa #739 06:32 PM, 13 May 2023

Joined.

@am_ket #740 01:46 PM, 15 May 2023

Joined.

@t13ash #741 11:44 AM, 17 May 2023

Joined.

@709238683 #742 03:44 PM, 18 May 2023

Joined.

@amewtk #743 05:32 AM, 19 May 2023

Joined.

@5614340608 #744 06:55 AM, 20 May 2023

Joined.

@Compstud #745 02:07 PM, 20 May 2023

Joined.

@Crackingmaster_84 #746 11:22 AM, 22 May 2023

Joined.

@ab4z4r #747 05:20 PM, 23 May 2023

Joined.

@HughEverett #748 11:38 AM, 24 May 2023

HyperDbg is updated to v0.2.1, some bugs relating to EPT hooks (!monitor and !epthook) are fixed. Please consider updating it: https://github.com/HyperDbg/HyperDbg/releases/tag/v0.2.1

Release v0.2.1 · HyperDbg/HyperDbg

HyperDbg v0.2.1 is released! If you’re enjoying HyperDbg, don’t forget to give a star 🌟 on GitHub! Please visit Build & Install to configure the environment for running HyperDbg. Check out the ...

@shellstorm #749 05:00 AM, 25 May 2023

Joined.

@x13368 #750 06:20 AM, 25 May 2023

Nice

@1464907787 #753 10:42 AM, 25 May 2023

Joined.

@talii_th #754 07:11 PM, 25 May 2023

Joined.

@Merfin93 #755 12:04 AM, 26 May 2023

Joined.

@arashmodarrespour #756 05:04 PM, 26 May 2023

Joined.

@dh0017 #757 08:08 PM, 26 May 2023

Joined.

@TokyoXIII #758 06:44 PM, 27 May 2023

Joined.

@mrexodia #759 03:29 PM, 28 May 2023

Joined.

@mrexodia #760 03:29 PM, 28 May 2023

o/

@mrexodia #761 03:30 PM, 28 May 2023

Still waiting for that next Intel generation before I can try HyperDbg 🥲

@Sh4DoVV ↶ Reply to #761 #762 03:32 PM, 28 May 2023

Hi and welcome

@HughEverett ↶ Reply to #761 #763 04:07 PM, 28 May 2023

Hello! 😊☺️
Welcomeeeeeeeeeeeee 👌👌👍
Thanks for joining here.

@x13368 #764 04:12 PM, 28 May 2023

Nice, WWWWWWelcome Duncan. 🎉🎉👍

@SoroushMe ↶ Reply to #761 #765 04:18 PM, 28 May 2023

Welcome, we're glad to have you here!

@AleeAmini ↶ Reply to #760 #766 05:00 PM, 28 May 2023

Welcome 👍

@217491537 ↶ Reply to #761 #767 05:00 PM, 28 May 2023

Welcome Duncan! 🌹🙏

@Aiobfatholahi #768 05:43 PM, 28 May 2023

Joined.

@XCyber ↶ Reply to #760 #769 05:43 PM, 28 May 2023

x32/64dbg surprise everyone 😄

@VahidMohsseni ↶ Reply to #761 #770 08:40 AM, 29 May 2023

WelcoOoOme🙌

@Al_rex0 #771 03:42 PM, 29 May 2023

Joined.

@495881835 #772 05:39 PM, 29 May 2023

Joined.

@h05gh #774 11:02 AM, 31 May 2023

Joined.

2024

2023

2022

2021

2020