- 03 June 2023 (1 messages)
- 04 June 2023 (1 messages)
- 05 June 2023 (1 messages)
- 06 June 2023 (18 messages)
-
Starting from the next version of the HyperDbg, a new feature is added to the debugger called "event short-circuiting". By using this feature, you can ignore the execution of any events in the debugger. -
For example: Based on a special condition, you can ignore a SYSCALL instruction. Or for example, you can ignore an RDMSR or IN, OUT instructions. Another juicy scenario that this mechanism is also applied to is for the "!monitor" command. It's like you can ignore (or mask or change) the read and write to a specific address of the memory.
-
For example, assume the following C code:
#include <iostream>
#include <Windows.h>
volatile int test = 0;
int main()
{
printf("Address of test variable: %llx | pid: %x\n", &test, GetCurrentProcessId());
for (;;)
{
test++;
printf("test value is : %d\n", test);
Sleep(2000);
}
} -
It's possible to ignore this write (test++) by using the following script:
!monitor w 7ff7a3198210 7ff7a3198210+4 pid 1178 script {
printf("writng into memory address: %llx is ignored\n", $context);
event_sc(1);
} -
-
Here's the demo. You can also test it on your system by compiling the 'Dev' branch of HyperDbg. Let me know if you have any feedbacks regarding this new short-circuiting feature.
-
Yes; It's a 12-part long tutorial (around 18 hours). Lots of use cases, along with several RE techniques that are based on HyperDbg are there.
-
Does HyperDbg work on a kvm with nested virtualization btw? -
I never test it on KVM but there shouldn't be any problem. (I'm not sure)
Currently, it works best on a physical machine and VMware Workstation and all other VMware products. Btw, the worst hypervisor that I've ever work on it is Hyper-v. We still have problem with Hyper-V. -
Yeah I don’t have an Intel machine except for my proxmox server which uses kvm
-
But guess I’ll try ^^
-
I spent hundreds of hours on hyper-v and it still not working. 🫠
-
Sure, it's available for everyone. Currently, the video editors of Open Security Training are working on it, it's not yet completed but sure you can request to test (beta) it.
https://twitter.com/XenoKovah/status/1664583342572949506?s=20Link📣Call for #OST2 beta testers: “Debuggers 3001: Introductory HyperDbg” (a virtualization-based debugger)📣 Sign up here https://t.co/oLA9wNSxXx I was pleasantly surprised yesterday when @Intel80x86 sent all the videos for this class! Which means it’s time to start beta testing!
-
I'll be taking the classes, hope I get to learn something cool
- 08 June 2023 (6 messages)
-
Here's another scenario which we can use the event-short circuiting by blocking network connection for port 443:
-
-
It generally blocks the connections to network from (syscall 0x7). Here's the actual script that is used in this video:
!syscall script {
if (@rax == 0x7) {
if (dw(@rsp + 30) == 0x12007) {
//
// Get the port address
//
port_num_high_bit = db(poi(@rsp + 38) + 1a);
port_num_low_bit = db(poi(@rsp + 38) + 1b);
port_num = 0;
port_num = port_num_high_bit << 8 | port_num_low_bit;
//
// Get the IP address
//
part0 = db(poi(@rsp + 38) + 1c);
part1 = db(poi(@rsp + 38) + 1d);
part2 = db(poi(@rsp + 38) + 1e);
part3 = db(poi(@rsp + 38) + 1f);
part0 = part0 << 0n24;
part1 = part1 << 0n16;
part2 = part2 << 0n8;
part3 = part3 << 0n0;
ip_addr = part0 | part1 | part2 | part3;
printf("Process Id: %x, name: %s connects to ====> Address: %d.%d.%d.%d:%d\n",
$pid,
$pname,
(ip_addr & 0xFF000000) >> 0n24,
(ip_addr & 0x00FF0000) >> 0n16,
(ip_addr & 0x0000FF00) >> 0n8,
ip_addr & 0x000000FF,
port_num);
if (port_num == 0n443) {
//
// Block the connection to port 443
//
printf("Connection to port 443 is blocked!\n");
event_sc(1);
}
}
}
} -
And finally it's also documented: https://docs.hyperdbg.org/tips-and-tricks/misc/event-short-circuitingEvent short-circuiting
The event short-circuiting and ignoring mechanism in HyperDbg
-
Joined. - 09 June 2023 (1 messages)
-
Joined. - 10 June 2023 (1 messages)
-
Joined. - 12 June 2023 (1 messages)
-
Joined. - 13 June 2023 (2 messages)
-
Joined. - 16 June 2023 (6 messages)
-
Joined. -
Joined. -
Hi, as long as I know, the editing of the 12th part is not yet finished and the video editor is still working on that. But, I'm not sure how Xeno wants to release it.
- 17 June 2023 (3 messages)
-
Beta testers have access to the course in ost2-beta dashboard. -
Did you see the videos? All of them (12 part) are available there?
-
Yes, each section has a video and it seems the videos are complete. Check your DM.
- 20 June 2023 (330 messages)
-
Joined. -
-
-
-
Hi,
Can you provide the !analyze -v result of the WinDbg for this crash? -
So, there is problem with Hypervisor. Please send the result of !analyze -v.
-
Yeah, just load the HyperDbg (e.g., by connecting to serial port), and when the WinDbg crashes, run '!analyze -v' and send the output of WinDbg.
-
And also, what's your processor model (generation)?
-
-
HyperDbg package has symbol (.pdb) files. Would you please set a symbol server and load the symbols, so I'll know the name of the guilty function.
-
And also, do you have the same problem in your physical machine?
-
The driver symbols are loaded on the (host) windbg. If it fails, you can reload the symbols. By reloading (.reload) command in WinDbg, the symbols for the failed driver will also be loaded.
-
Okay, it seems that something is preventing the execution of VMLAUNCH in your machine.
-
-
Don't worry, we could fix together.
-
Basically, one of these checks and loads are failed :
-
-
We have to trace this function and find where is the problem. Do you have a Visual Studio+WDK?
-
Build & Install
This document helps you to build and install HyperDbg
-
-
No, we don't need VS on target but I'm not sure if we could build HyperDbg with a VS2019. We use VS2022. As the newest version of Windows SDK broke the compatibility with the previous SDK and we were forced to make everything compatible with the newest SDK.
-
But, you could try it. If it's not built successfully on your VS2019, you need to update it to VS2022 + newest version of SDK
-
That's great 👍
-
-
Thank you for putting time helping us fixing these problems. 🙏
-
-
-
Just to double check with you. Are you sure that the VBS/HVCI is disabled in the target VM?
https://docs.hyperdbg.org/getting-started/build-and-install#disable-vbs-hvci-and-device-guardBuild & InstallThis document helps you to build and install HyperDbg
-
No, you should disable it in the guest.
-
HyperDbg won't load anything (like drivers, hypervisor) in the host. When you run hyperdbg in the host, it works as a simple user-mode application that connects to the serial port and control the debugee.
-
-
And also, are you sure that the nested-virtualization is properly enabled?
-
-
-
-
-
And also please set the number of processors (not number of cores) to 1. Generally, it shouldn't be a problem but as we gonna debug it, it's better to debug it in a single processor (with many cores).
-
-
Great.
-
Yes.
-
-
Okay, now clone the 'master' branch with --recursive flag and compile it. Compiling it is as easy as pressing the build button in VS.
-
git clone --recursive https://github.com/HyperDbg/HyperDbg.gitGitHub - HyperDbg/HyperDbg: State-of-the-art native debugging tool
State-of-the-art native debugging tool. Contribute to HyperDbg/HyperDbg development by creating an account on GitHub.
-
-
Did you build it successfully?
-
Build it in VS2022.
-
Yes
-
Debug
-
-
Okay, now please find this function and put a 'DbgBreakPoint();' on the top of function.
-
Yes.
-
-
-
After that, move the newly built files to the VM. Run HyperDbg and wait until the breakpoint is triggered in HyperDbg.
-
Where is the breakpoint? 🤔
-
I couldn't see it in this picture.
-
This.
-
-
No, this is not how it will be triggered. As I mentioned, please add 'DbgBreakPoint();' one the very first line of function.
-
-
Yes, it's correct. Now, rebuild it and move the binary files to the VM. Once you load HyperDbg, the breakpoint will be triggered and you can trace the code line by line in WinDbg.
-
No, you can load it in whatever form you want.
-
-
Actually, not important here. In whatever form that it triggers the breakpoint is okay
-
-
Is the breakpoint triggered?
-
-
Yes 😇☺️
-
Are you sure you run the newly compiled code?
-
-
Give me a minute to double check with source code.
-
-
Would you please double check it.
The breakpoint that we expected to be executed should be triggered before this breakpoint. Please rebuild HyperDbg and make sure you're currently rebuilding the correct solution 'debug' in this case. -
That's also correct, I usually prefer to debug it like this. In any case, all of them are correct.
-
-
-
Would you please step one instruction "p" in WinDbg.
-
Okay, Still, something is going wrong here. We shouldn't trigger this breakpoint before our target breakpoint. Maybe one core is raising other core, but in any case we have an alternative solution.
-
Yes that's okay. We could even solve it tomorrow. No worries.
-
Let me know when you return, if I was not available we could fix it tomorrow.
-
Thanks to you for putting time on this.
-
-
Hi again,
Let's continue our debugging step by step. We have to get the execution before VmxVirtualizeCurrentSystem is made. -
It's weird why our 'int 3' is not called.
-
Yes, but why the int 3 is not called in the newly compiled driver?
-
You mean the running dll is different from the compiled driver DLL? Maybe the previous driver is not removed?
-
By the way, we have another option here. We could also modify the code here, and add int3 assembly code
-
But you have to find a way to load the newly compiled driver. Maybe an snapshot to the previous VM state?
-
-
Yes, 'int3' without space is also better but no difference here. But, this only works if the newly compiled driver is loaded in the guest.
-
HyperDbg has a command for unloading and removing its driver "unload remove vmm", but it only works if the driver is loaded in the current instance which may not work in this case.
-
We have to manually unload these drivers. It's possible by using OSR driver loader but there should be some 'sc' command for that as well. Let me search.
-
Oh, yes.
-
Now, please step through the source code, change windbg mode from binary mode to source code and go through the VmxVirtualizeCurrentSystem function and see what stops it from running (what returns false).
-
Please also note that as you have two cores, probably two cores hit the breakpoint simultaneously. But that's not a problem just step through the source code.
-
That's okay, you can also understand what was wrong by only using disassembly. Just go to the VmxVirtualizeCurrentSystem function and step "p" though the instructions to see what was the guilty check.
This is source code of this function:
https://github.com/HyperDbg/HyperDbg/blob/a571781e8651998b982a9f53edf8f3d3501a6b2e/hyperdbg/hprdbghv/code/vmm/vmx/Vmx.c#L411HyperDbg/hyperdbg/hprdbghv/code/vmm/vmx/Vmx.c at a571781e8651998b982a9f53edf8f3d3501a6b2e · HyperDbg/HyperDbgState-of-the-art native debugging tool. Contribute to HyperDbg/HyperDbg development by creating an account on GitHub.
-
Which of these functions return FALSE?
-
-
Or maybe this:
-
-
Which one?
-
I think the other core hit the breakpoint. Maybe if it's complicated to debug two cores simultaneously, you can configure your VM to have only one core.
-
Can you send the above WinDbg tracing in a txt file format? It's a little bit hard to follow it from the text message.
-
Okay, I'll get it, the VMLAUNCH is failed.
-
-
As VMLAUNCH is failed, the entire virtualization routine will be failed.
-
Now, the question is why this VMLAUNCH is failed? After running it gives an error code. Which CPU-ish error code.
-
The next step is putting removing all the currently breakpoint that we insert into the HyperDbg and put a breakpoint right after running the VMLAUNCH intrinsic function to read the CPU error code
-
I hope we won't conclude error code 7. 😄
Because it's the worst CPU error code. -
Here:
-
-
We need to read the result of this:
LogError("Err, unable to execute VMLAUNCH, status : 0x%llx", ErrorCode); -
Use DbgPrint instead of LogError. And before running hyperdbg, run the following command in windbg:
eb nt!Kd_DEFAULT_Mask ff ff ff ff -
-
-
🤦♂
-
I hate this error. It generally means one or more field of hypervisor is configured incorrectly. But it won't say, what component is configured incorrectly. Which kinda weird. Because some hypervisor layout that work on older systems and newer systems shouldn't behave differently.
-
I didn't expect that to happen after it works in one computer. 😕
-
Disabled hypervisor in host machine? How it's even possible? 🤨
-
Do you mean you disabled hyper-v?
-
In the host machine?
-
No, it shouldn't be because of that.
-
-
No, it's an Intel-ish issue with the layout of hypervisor.
https://rayanfam.com/topics/hypervisor-from-scratch-part-5/#checking-vmcs-layoutHypervisor From Scratch – Part 5: Setting up VMCS & Running Guest CodeWe write about Windows Internals, Hypervisors, Linux, and Networks.
-
These problems are really hard to find/solve. Because generally once a hypervisor works on an older/newer machine, it should also work on mid-range generations of Intel processors too. Which is kinda weird.
-
I'll try to read the Intel manual again, to see if anything comes to my mind and will reach you again if I find anything. Meanwhile, you can try testing it on other machines.
-
Okay, let me know how it goes and sorry for that 🙏
-
Hi just out of curiosity, are you the Ricardo Narvaja from crack-latinos? -
I really want to thank you for your reversing tutorials. though i wish there had been more proper English translations.
-
I am currently trying to complete your IDa tutorials through some translation. Please accept my sincere thanks for all your effort.
-
Yeah i saw that but difficult to translate.
-
But your ida and olly tutorials are masterpiece. Really love it.
- 21 June 2023 (47 messages)
-
@ricnar The persian community is much less familiar with you and your tutorials / activities . I'm glad to see you here Ricardo.
Enjoy HyperDbg. -
As I didn't test the current version of HyperDbg (v0.3), on a Win 10 machine and everything was tested only on Win 11, I thought maybe I made some wrong configurations that leads to this error. I couldn't find a Win 10 19h1 iso (like in your case @ricnar) but HyperDbg was pretty okay on a VMware Win 10 22h2 on my 12 Gen i5-12400 machine.
-
Doesn't seem to work for me.
-
That's great, let me know what's the result when your tests finished.
-
-
Joined. -
-
-
I test it before, it only contains the newest 22h2.
-
It doesn't work either
-
-
-
This one is okay.
-
I try to download it now.
-
Hi everyone,
Considering that this is a public group, we have taken the initiative to create an online version of the group at tg-archive.hyperdbg.org. This will ensure that the valuable contributions made by the community are preserved and easily accessible online.
If any of you have privacy concerns regarding this online archive, please kindly inform me so that we can address them appropriately.
Thank you -
None
-
@ricnar I tested HyperDbg on Win 10 1909 at it works perfectly.
-
Seems that the issue might be related to 9 gen processors, but it's kinda weird why you encountered error.
-
Did you test it in any other systems?
-
Joined. - 22 June 2023 (1 messages)
-
Joined. - 24 June 2023 (55 messages)
-
Joined. -
@HughEverett Hey, would you mind if I shared a the signed kernel driver here?
-
Signed it with my EV cert and perhaps could be of use to some people
-
I'm pretty okay with sharing anything but I think it would be problematic for you. Because, as long as I know Microsoft is not interested in modifying its kernel memory by a thrid party driver and as a debugger, HyperDbg has the ability to do this. So, they will blacklist your signature and probably next time, they won't let you sign anything again.
-
ah, that's a fair point
-
I know some people who signed HyperDbg but they use their signed version of HyperDbg privately.
-
Also, while looking through hyperdbg's documentation, I've stumbled upon one area that kind of interests me, although executed in a different manner. https://docs.hyperdbg.org/using-hyperdbg/kernel-mode-debugging/examples/events/monitoring-accesses-to-structures
I'm analyzing a kernel-mode driver that does a lot of changes within the operating system, and I'd like to try and see what kind of memory accesses and writes to, be it in ntoskrnl or other system drivers. What would be the best way to go about this? I've considered placed an EPT-Hook on some specific functions, but it's virtualized to a certain degree. They abuse a couple stuff for hijacking exception handling of the system, etc, and wanted to see if there's perhaps more things they touch that I'm not aware ofMonitoring Accesses To StructuresFinding the writers and reader of memory
-
The only viable idea that came to mind would be hooking the entire driver, and checking registers for a specific list of address ranges..
-
considering disabling r/w protections on system drivers would not be such a good idea..
-
This is exactly the topic of a new feature we're working on right now. We want to add a lot of memory-controlling events to the HyperDbg. But, it's not in a working state yet and probably takes several months to finish. But, one idea is to memory allocation of the target driver maybe that would be helpful.
-
When running in VMI mode, do you think the consequences of disabling r/w protection on a large .data section chunk of a driver would be a huge hinder on performance?
-
I understand the overhead is already huge..
-
You can disable it directly by modifying the source code using this function:
https://github.com/HyperDbg/HyperDbg/blob/a571781e8651998b982a9f53edf8f3d3501a6b2e/hyperdbg/hprdbghv/code/vmm/ept/Ept.c#L299
But, keep in mind that you need to handle #EPT Violations by your own as HyperDbg doesn't expect these EPT Violations.HyperDbg/hyperdbg/hprdbghv/code/vmm/ept/Ept.c at a571781e8651998b982a9f53edf8f3d3501a6b2e · HyperDbg/HyperDbgState-of-the-art native debugging tool. Contribute to HyperDbg/HyperDbg development by creating an account on GitHub.
-
I don't think so,
I did the exact same thing in this branch by using MBEC for user-mode codes, but as I said, it's not in a working state yet but the code might be helpful:
https://github.com/HyperDbg/HyperDbg/tree/memory-introspectionGitHub - HyperDbg/HyperDbg at memory-introspectionState-of-the-art native debugging tool. Contribute to HyperDbg/HyperDbg development by creating an account on GitHub.
-
Thanks! I'll take a look once I get a bit more comfy with the tool :)
-
Hopefully HyperDbg won't start crashing my system randomly like Hyper-V (literally a bsod in every 3 minutes, not using VMs, just having the feature enabled)
-
If you want to develop anything in HyperDbg, it's better to test HyperDbg in a VMware Workstation machine with nested-virtualization.
-
After that, you can use it in your physical machine.
-
At the moment just trying to observe its capabilities, I followed some of the development throughout the years but never actually got to using it (since I only recently switched to latest Intel from AMD)
-
Also mainly for research purposes, been lurking around some virtualization related resources in the past weeks, to see how everything actually works
-
The articles on rayanfam were really great :)
-
Saw the last one on hyperdbg and thought i'd take a look
-
Interesting, Windows doesn't want to load it even though I just signed it..
-
-
Are you sure that you signed it correctly? I mean as long as I know the process of signing drivers for Windows 11 and probably Windows 10 22H2 is changed. After signing it, you have to upload it to the Microsoft portal, so they'll sign it and give a signed version of it for download. Did you upload it there?
-
Yep, otherwise it'd show my certificate instead of microsoft's.
-
It's odd, my other driver works fine.
-
I'll try resubmitting it I guess.
-
You have to submit three drivers. One for Serial Kd, one for hyperdbg HV, and one for HyperDbg Kd.
-
+ One for Hyperlog and hprdbgrev.
-
-
All of them are DLLs and drivers imported by hyperdbg.
-
Oh.
-
I only submitted the kd driver
-
That's probably why, thanks.
-
👍
-
Signed all of them and still the issue persists.. weird
-
oh.. forgot to sign the last one
-
😂
-
However I'm still pretty conflicted about this, sure, it's a hyper-visor assisted debugging tool, but that's not inherently bad. WinDbg runs in kernel-mode, but I assume it's because they expect the user to have test-signing and disabled PG as to not be potentially abused by malware...?
-
Probably, yes. BTW, this is the main reason of a conflict on Twitter.
They even blacklist the Driver signature for ProcessHacker which doesn't have an arbitrary READ/WRITE. Now, you expect they let HyperDbg which has several arbitrary READ/WRITE to be signed? 😅😁
https://twitter.com/processhacker/status/1442439527235153920?s=20 -
True enough..
-
Not like they sign drivers that expose arbitrary r/w and sometimes even kernel execute functionality (from um request) daily..
-
signed every image, now it works fine :)
-
thanks for the help, Sina
-
🤝
-
Are there any scripting functions for retrieving a module base from lm?
-
i.e. I want to retrieve a driver's base address in a script
-
Also, can we combine code & script actions?
-
What is the reason VMI mode is incompatible with !vmcall (etc) on script/custom code modes?
-
Under debugger mode, is there support for Transparency towards kernel-mode drivers?
-
Are there any alternatives at all for Debugger mode to use anything but COM? My motherboard literally doesn't have any serial ports.. (for remote debugging)
-
apparently COM via pcie won't work
-
nevermind, ordered a motherboard with one.. (and a laptop to use as the debugger)
- 25 June 2023 (57 messages)
-
-
-
for anyone not working with legacy hardware and interested in remote debugging:
-
No, 'lm' is a command, not the script function. But, if there is some Windows functions (that are HIGH_IRQL compatible), can be used as a new script function.
-
Yes. It can be combined. You can also create several events with same conditions.
-
No, it's compatible. Where did you see that? 🤨
-
Unfortunately, no.
-
Can't you use a VMware nested virtualization?
It's been a long time that I didn't test the physical COM capability of the HyperDbg, there might be some problems but sure, should be easily solvable once you have the facility to debug it. -
Wow, that's great. 👍
-
Yes, the breakpoint on READ/WRITE is done by using the '!monitor' command.
The documentation:
https://docs.hyperdbg.org/commands/extension-commands/monitor
Example:
https://docs.hyperdbg.org/using-hyperdbg/kernel-mode-debugging/examples/events/monitoring-accesses-to-structures!monitor (monitor read/write/execute to a range of memory)Description of the '!monitor' command in HyperDbg.
-
The exact address is available at $context pseudo-register in script and in debugger:
https://docs.hyperdbg.org/commands/extension-commands/monitor#context!monitor (monitor read/write/execute to a range of memory)Description of the '!monitor' command in HyperDbg.
-
The difference here with WinDbg is that break on READ/WRITE is implemented in EPT level; thus, we won't use Hardware Debug Registers for this purpose and as the result, there is no limitation on quantity or size. You can set as many monitors as you want with unlimited size.
-
Not yet. We didn't write it, but that should be hard as we released HyperDbg SDK.
-
Agree. That should be added to the to-do list.
-
Yes, of course.
@hyperdbg / Public archive of HyperDbg Telegram messages.
- 03 Jun 2023 (1)
- 04 Jun 2023 (1)
- 05 Jun 2023 (1)
- 06 Jun 2023 (18)
- 08 Jun 2023 (6)
- 09 Jun 2023 (1)
- 10 Jun 2023 (1)
- 12 Jun 2023 (1)
- 13 Jun 2023 (2)
- 16 Jun 2023 (6)
- 17 Jun 2023 (3)
- 20 Jun 2023 (330)
- 21 Jun 2023 (47)
- 22 Jun 2023 (1)
- 24 Jun 2023 (55)
- 25 Jun 2023 (57)
- 26 Jun 2023 (42)
- 27 Jun 2023 (131)
- 28 Jun 2023 (70)
- 29 Jun 2023 (1)
- 30 Jun 2023 (3)