This will be awesome for unpacking

I will try, maybe I will share a video with my experiences using it in some time

Thanks

When running the command.

I tried to patch vmcall on a pid with 90 90 90

i.e, the custom code thingy

I tried to use it with conditions as well, nope.

Tried a script to log at least, also not allowed

Didn't get the point. You gonna patch a VMCALL like change the memory (editing memory)?

Yes.

I guess I could’ve searched for bytes and added an ept hook

it’s just hard to do because I need to clone an entire driver, ept hook the complete binary (due to access timings)

forward read to the clone

or ept hook only the instructions but its a pita to automate with a script

maybe the sdk will be easier to use

(and I also can’t load hyperdbg until after the driver’s loaded, because it freezes my system)

anyways; got myself a laptop and new mobo with com port, so I can find where the freeze happens and patch that..

Just waiting for the cable to come, I didn’t have it in any of my 6 pcs, some had ports but not the correct cable :/

Still didn't get the point but anyway, if you want to edit memory then you can use 'e*' commands like:
https://docs.hyperdbg.org/commands/debugging-commands/e

If you want to intercept VMCALLs then it's a completely different thing. In this case, you can use the '!vmcall' event command:
https://docs.hyperdbg.org/commands/extension-commands/vmcall

But in case if you want to modify (patch) the memory once you encounter a VMCALL, then you could write an script for the '!vmcall' event, in which it modifies the memory using script functions:
https://docs.hyperdbg.org/commands/scripting-language/functions/memory/eb-ed-eq

Yes, but !vmcall interception seems to not work under VMI.

At least from when I tried.

Are you sure that the target machine execute VMCALL? Because, it's not really common. The only virtual machine that I encounter to execute VMCALL is hyper-v. In nested virtualization environments like VMware, no VMCALLs will be executed. HyperDbg executes VMCALL for its internal usage but those VMCALLs are supposed to be transparent from the 'events'.

I mean it's kinda weird for me why your target environment wants execute VMCALL? If it a hypervisor itself, then how HyperDbg can even debug it?

🤔

The anti-hv aspects call it.

Of the driver

Wrapped in SEH

along with other things

hello

i changed the context to this process

how is the equivalent of windbg !process 0 -1

to check the actual process

Hi, what does "!process 0 -1" do ? Does it show the information of the running processes? or the current process?

current process context

i this is !process -1 0 sorry

.process (without any parameter) showes the current context and '.process list' shows all processes.

https://docs.hyperdbg.org/commands/meta-commands/.process#examples

thanks

👍🏻

anyway, there is a command map (between debuggers), might be useful. Sure it doesn't cover everything but might be helpful:

https://hyperdbg.github.io/commands-map/

thanks

another question the lm command in windbg shows the pdb file downloaded

and you can know if the symbol is downloaded or not

here the lm command does not show if the file has the symbol downloaded or not

Not exactly the same but '.sym table' works somehow in the same way.

perfect thanks

why this happem?

1: kHyperDbg> .sym download
loading symbol 'c:\Symbols\ntdll.pdb\75f14e124f6f8595b922d69f10c037891\ntdll.pdb'... could not be loaded
loading symbol 'c:\Symbols\kernel32.pdb\d40085df05d6d9e38611c48f717c20521\kernel32.pdb'... could not be loaded
loading symbol 'c:\Symbols\kernelbase.pdb\b5bee0e5d00b2fc77c9d4568aa7cb0aa1\kernelbase.pdb'... could not be loaded
loading symbol 'c:\Symbols\advapi32.pdb\cd5ba18dc9d5b08b75f2a08f368012e01\advapi32.pdb'... loaded
loading symbol 'c:\Symbols\msvcrt.pdb\8f2b808e7da36eb90342fdd8bca575db1\msvcrt.pdb'... could not be loaded
loading symbol 'c:\Symbols\sechost.pdb\f0ccaf8276ce8711a7e0e92ad742f0701\sechost.pdb'... could not be loaded
loading symbol 'c:\Symbols\rpcrt4.pdb\af37c920e612b73650237fa1e0be85261\rpcrt4.pdb'... could not be loaded
loading symbol 'c:\Symbols\shlwapi.pdb\755b230288bf549eb86d22f54afa45f71\shlwapi.pdb'... could not be loaded
loading symbol 'c:\Symbols\ws2_32.pdb\5c73fc6f5404081459a8538913657c761\ws2_32.pdb'... loaded
loading symbol 'c:\Symbols\psapi.pdb\ee2878ac2a70fe7d5febbfc5e9b124a01\psapi.pdb'... could not be loaded

not loaded

sorry so many questions

i made a reload

Probably it's already loaded?

Sure thing.

Sorry

Is it solved? Was it already loaded?

yes but i have another problem

from remote kernel debugging a process cannot start

0: kHyperDbg> .start path C:\Users\ricnar456\Desktop\caffeine64.exe
debuggee is running...

does not start in the target

and does not return to the host debugger

yes; this is a problem that recently occurs. Probably something is changed in Windows that our process starting mechanism is not working anymore. I have to find it and solve it.

thanks

I'll let you know once it's fixed.

thanks

hello

i have this error

Hi,
For which command? How can I reproduce it?

Triple fault error typically occurs during guest execution when the CPU encounters three consecutive faults without successfully recovering from any of them.

i don't know, yesterday i let the target debbugging, running with G command and today appears in this state

nothing can be made only restart

cannot be paused or break with ctrl c

or return to the execution of the target

you mean, you can't use HyperDbg anymore? even restarting guest doesn't help ?

restarting was the only way

cannot break in the host console

with ctrl C

Yes; this is bad fault that can't be recovered.

but the thing is, how can I reproduce it to handle this situation?

maybe a bsod tonigth

Can you reproduce it ?

i don't know the target was running tonigth

maybe some bsod happen

oh, you mean after some (probably) hours, HyperDbg starts showing triple fault errors?

i don't know

Did you just run hyperdbg's hypervisor without any event (e.g., !syscall, or !epthook)?

this is a laboratory target maybe some fault can occurr

only connect hyperdbg to target and type G

At the very start point, HyperDbg starts showing triple faults?

or after some times?

if this happens again i will give more attention

👌👍

this happened while i was sleeping

i found the cmd looping in this state

i don't know was happen in the night

if this happen again i give it more attention

I have to create a guide for debugging HyperDbg itself. Because these errors are really hard to investigate and reproduce.

Specially when it comes to multi core systems

🤪

😘

👍

which is the command similar to .reload /user

to load the user mode symbols

in a context

it loads the kernel symbols only

do you mean only user-mode symbols? because generally, '.sym reload' should load symbols for both user-mode and kernel-mode.

I mean all the symbols user and kernel, in the list only kernel symbols are listed, user mode symbols are omitted

I am in the context of an executable not listed, ntdll.dll, kernel 32.dll etc are not listed too

In windbg reload /f only load kernel symbols when remote kernel debugging are performed

Only using reload / user loads user symbols

Look the addresses user mode addresses are not displayed

It also loads user-mode symbols as well.

It's the result of '.sym table'

i see

the command lm is incomplete

it does not list all the modules

only kernel modules

This is the result of 'lm' command. Do you want to see the user-mode modules? or load symbols for user-mode modules?

i use lm in windbg to see the pdbs, but is used to list all the modules

lm not list all the modules here

No, lm command also shows user-mode modules. (but it won't load symbols for them, loading symbols are only available on '.sym' command).

lm list only kernel modules

lm does not list the user modules here

look the table

look the lm command

the user modules are not displayed

what's the result of 'lm um' command ?

display only kernel modules

ahh

i see

lm um

should only display user-mode modules. not kernel mode.

the list is parted in two parts

yes yes

i think in one only list like windbg

but here there are two list

user mode and kernel mode

sorry

👍

I'm used to working with windbg for years sorry

That's pretty okay. Don't be sorry.

other question

is normal the context change when using some command?

i changed the context to me process

yes; some commands change the context.

thanks

Some commands change the context, some commands won't . It's mentioned on 'Remarks' section of each command in the documentation. For example for 'lm' command:
https://docs.hyperdbg.org/commands/debugging-commands/lm#remarks

by example if i change the context to my process and use lm, the list is the hyperdbg modules

ah i see

the pid need to be used

Some commands won't. E.g., bp command.

thanks

yes, it gets a 'pid' in parameters.
https://docs.hyperdbg.org/commands/debugging-commands/lm#parameters

This one is one of the fundamental changes that should be fixed in the future versions.

For example, one of the users also mentioned some scenarios that are not possible to handle in HyperDbg :

https://github.com/HyperDbg/HyperDbg/issues/231#issuecomment-1560746770

maybe the tonight error was produced for the target entering in sleep mode and hyperdbg loose conection or so

this is probable. I never test it in sleep mode.

hehe

This one was new 😄.

😂😂

it happened again the bug

when i returned from eating

Did it go to sleep mode?

If you can build HyperDbg again, please add the following code in the 'Vmexit.c' file.

LogError("Err, triple fault error occurred");

LogInfo("Target RIP: %llx\n", VCpu->LastVmexitRip);
CHAR Instruction[MAXIMUM_INSTR_SIZE] = {0};

MemoryMapperReadMemorySafeOnTargetProcess(VCpu->LastVmexitRip, Instruction, MAXIMUM_INSTR_SIZE);

for (size_t i = 0; i < MAXIMUM_INSTR_SIZE; i++)
{
Log("%x ", Instruction[i]);
}

DbgBreakPoint();

It will help investigate the problem, but in any case, if you can find a deterministic way of reproducing the error, it would be even better.

@ricnar The good news is that I found the reason why the '.start' command behaves abnormally. One of the assumptions (that works previously) was setting Hardware Debug Breakpoints (#DB) on the entrypoint when the module was loaded. For some reason, one raise condition happens there and it eventually fails the starting process. I changed the mechanism and instead of using #DBs, I manipulate the EPT page-level attributes to prevent instruction fetch once the target entrypoint page is loaded and it works like a charm! However, I have to find a way of invalidating EPT entries on all the cores after reaching the target entrypoint. I think it would be completely fixed (hopefully) tomorrow and a new version of HDbg (v3.1) will be ready with a working '.start' command.

Nope

Thanks

Tomorrow I will rebuild the driver to get the error

Thanks

Thanks for sharing it here. I was frequently looking it up while trying to learn hyperdbg. I was searching if there is anything equivalent to 'dx' commands

no, HyperDbg doesn't have anything like dx command, unfortunately.

hello

where i put this code?

replacing something?

or at the end?

there?

yes

Exactly

But, I'm not really optimistic about finding the exact reason for this error this way. There might be some clues but bugs that are not deterministically reproducible are really hard to investigate.

It does not compile

A lot of errors

VS 2022? Did you clone it with '--recurisve' git flag?

Yes

git clone --recursive https://github.com/HyperDbg/HyperDbg.git

Severity Code Description Project File Line Suppression State
Error LNK1181 cannot open input file 'C:\Users\ricnar\Desktop\NEW HYPRDBG\HyperDbg\hyperdbg\build\bin\release\HPRDBGCTRL.lib' hyperdbg-cli C:\Users\ricnar\Desktop\NEW HYPRDBG\HyperDbg\hyperdbg\hyperdbg-cli\LINK 1

this file is not locate there

can you compile 'hprdbgctrl' just this project?

i openned the sln and complie

What are other errors? There are 7 errors there.

Severity Code Description Project File Line Suppression State
Error MSB3073 The command "msbuild C:\Users\ricnar\Desktop\NEW HYPRDBG\HyperDbg\hyperdbg\\dependencies\zydis\msvc\Zydis.sln /m /p:Configuration="Release MT" /p:Platform=x64 /target:zydis /target:zycore /p:OutDir=C:\Users\ricnar\Desktop\NEW HYPRDBG\HyperDbg\hyperdbg\/libraries/zydis/user/
:VCEnd" exited with code 1. hprdbgctrl C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppCommon.targets 150

Severity Code Description Project File Line Suppression State
Error MSB1008 Only one project can be specified. hprdbgctrl C:\Users\ricnar\Desktop\NEW HYPRDBG\HyperDbg\hyperdbg\hprdbgctrl\MSBUILD 1

Severity Code Description Project File Line Suppression State
Error LNK1181 cannot open input file 'C:\Users\ricnar\Desktop\NEW HYPRDBG\HyperDbg\hyperdbg\build\bin\release\hprdbghv.lib' hprdbgkd C:\Users\ricnar\Desktop\NEW HYPRDBG\HyperDbg\hyperdbg\hprdbgkd\LINK 1

maybe removing the space ' ' between "NEW HYPRDBG" folder?

11>Driver is 'Universal'.
11>Inf2Cat task was skipped as there were no inf files to process
11>Done building project "hprdbgkd.vcxproj".
========== Rebuild All: 12 succeeded, 0 failed, 0 skipped ==========
========== Rebuild started at 7:56 AM and took 26.093 seconds ==========

I have to also fix this issue. Probably it needs some quotations there.

i will copy to the another machine when i have the problem

in this machine i let hyperdbg running since saturday and continues working

i wll try and let you know

thanks

The current mechanism for '.start' is not good right now. Sometimes it might not break on the entrypoint, specially in the newer version of Windows.

But, the newest version is also available which addresses all of these issues. It's currently available (and working) in the 'dev' branch. But right now, I'm testing it.

at least it started

I'll let you know, when the new mechanism for process interception is ready.

It might sometimes work, sometimes not work.

0: kHyperDbg> u rip
00000001`4002601c 48 83 EC 28 sub rsp, 0x28
00000001`40026020 E8 33 3C 00 00 call 0x0000000140029C58
00000001`40026025 48 83 C4 28 add rsp, 0x28
00000001`40026029 E9 1A FE FF FF jmp 0x0000000140025E48
00000001`4002602e CC int3
00000001`4002602f CC int3
00000001`40026030 48 89 5C 24 08 mov qword ptr ss:[rsp+0x08], rbx
00000001`40026035 57 push rdi
00000001`40026036 48 83 EC 20 sub rsp, 0x20
00000001`4002603a 48 8D 05 5F 15 02 00 lea rax, ds:[0x00000001400475A0]
00000001`40026041 8B DA mov ebx, edx
00000001`40026043 48 8B F9 mov rdi, rcx
00000001`40026046 48 89 01 mov qword ptr ds:[rcx], rax
00000001`40026049 E8 BE 3C 00 00 call 0x0000000140029D0C
00000001`4002604e F6 C3 01 test bl, 0x01
00000001`40026051 74 08 jz 0x000000014002605B
00000001`40026053 48 8B CF mov rcx, rdi
00000001`40026056 E8 99 4D FE FF call 0x000000014000ADF4

perfect

i let the target running

trying to reproduce the other bug

The current state of detecting and intercepting the entrypoint in HyperDbg is really complicated. We didn't use any Windows API or any debug flag to start the process. That's why it's not stable right now. But, I'll tell you to test once I conclude the new patch is working.

perfect

i am working now but i let the target running to catch the triple bug

sexy

it does not crash now

when i restart the machine i change two things

the memory was too low (2g) i changed to 8g

i changed 2 processors to 1 processor

maybe the memory was too low or the 2 processors affects

2GB might be the reason.

Yeah, agree.

tomorrow i let the 8g and will return to 2 processors

if does not crash again it was the low memory

Yes.