- 02 August 2023 (31 messages)
-
Suspending processes in Windows | j00ru//vx tech blog
https://j00ru.vexillium.org/2009/08/suspending-processes-in-windows/
I have been recently encountering quite a non-typical problem - playing Starcraft was hard due to the amount of active processes running on my operating system - including a few IDA instances, virtual machines and the most disturbing... Firefox web browser. As we all know, it's not only about the memory being used by Firefox
-
-
-
-
-
-
-
-
-
-
I have to decompile it to see how it works, because we have to be sure that NtSuspendProcess won't access a memory address which might be paged out.
-
-
-
-
-
No, we can't just call it and expect the suspension. Once you pause the system (CTRL+C), HyperDbg halts everything in VMX root. The problem is we can't call this function from VMX root-mode.
-
Hyperdbg installation in two VMs and new features.
https://drive.google.com/file/d/1S6Dz2qqYYDD3gMxDwVFf0ihobulhMrRP/view?usp=sharing (packed, password: a)
-
-
-
Yes. My current idea (which needs some time to implement) is changing the RIP.
-
And intercepting page-faults (#PF) in HyperDbg on the target process.
-
-
And instead of re-injecting page-faults, just ignore them (until the Windows thread scheduler decides to context-switch the process).
-
and this way implement this mechanism.
-
-
-
Exactly the same as using the (event_sc()) function in '!monitor x ...'
-
It just blocks the execution in the target page and won't let it run.
-
We could do the same for the '!loop' or whatever command, but we need to be cautious not to block the execution of other threads.
-
I need some time to fix a rare race condition that happens in the 't' stepping; after that, I'll try to get into this mechanism and implement it.
-
- 03 August 2023 (17 messages)
-
-
-
-
Joined.
-
-
-
-
-
-
-
-
Yes, this is really good advice! 👌
I'll add it to the todo list.
-
👌
-
🤨🤨🤨
-
Is it produced just once, or does it keep showing this message? Can it be reproduced? 🤔
-
-
- 04 August 2023 (50 messages)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
You mean the '!monitor' is executed before the trap flag?
-
-
-
-
-
🤔
-
-
oh, got it.
-
that's a nice trick 👌
-
.start path C:\Users\ricnar456\Desktop\PACKED_PRACTICA_1.exe
pagein 401000
!monitor x 401000 401fff pid f60
g
we are at the entry point with the monitor enabled
00000000`00408ec0 60 pushad
0: kHyperDbg> g
debuggee is running...
event 0x2 triggered
00000000`0040146e E8 90 03 00 00 call 0x00401803
-
-
but even though it works, it doesn't necessarily guarantee this behavior. 🤔
or am I wrong? 🧐
-
-
-
-
you're right.
-
it should work in most of the cases.
-
-
-
-
-
-
By the way, you can use another trick as well. I don't know if you noticed it or not, but once you load a process, if you load it again (.start) while the previous process is not yet closed, the page tables that are valid for the target process are also valid for the second process. You can use this trick too.
-
And it comes from the fact that Windows allocates memory for each process (static module code) only once and reuses it in different instances of the same process.
-
-
-
-
Is the target address dynamically allocated?
-
-
-
🤔
-
-
maybe I'm wrong, or it has other conditions that I do not know. 🤔
-
Joined.
- 06 August 2023 (50 messages)
-
Joined.
-
Hi, I'm new to HyperDbg and I'm trying to set it up with two VMware Fusion VMs in debugger mode. I see that adding serial ports to VMware Fusion isn't as straightforward as in VMware Workstation. Could someone guide me on how to turn on the "cpu yield on poll" option and specify which machine is the server and vice versa? Thanks
-
Hi, would you please first verify whether HyperDbg is working in VMI mode (local debugging) or not?
-
Besides that, I'm not sure if VMware Fusion has some configuration similar to VMware Workstation, but in case it's similar, you need something like this:
-
-
Windows Kernel Debugging & Exploitation Part1 – Setting up the lab - VoidSec
How-to set up a VMware lab with Windows Kernel mode debugging enabled via Serial Port (or UART), a step by step guide.
-
Please note the third line in the configuration.
-
thanks a lot @HughEverett , i will give it a go. I haven't tried it in VMI first
-
could you also share the config for server/debugger side
-
Both of them are available in the above link.
-
-
I am getting BSOD after running ".debug prepare serial 115200 com2"
-
Did you connect to serial?
-
because in VMI mode, the 'debug' command should not be used.
-
yes i connected in serial after adding the pipe config to .vmx
-
i now tried vmi mode and that is working fine with .connect command
-
just having BSOD with serial connection using .debug commands
-
Are you testing with the 'master' branch? or the 'dev' branch?
-
i took the latest compiled release
-
because there was a problem recently reported and fixed in the 'dev' branch, but it is not yet merged into 'master'.
-
Can you compile the 'dev' branch
-
?
-
I can try yes
-
okay, test with the 'dev' branch and let me know about the results.
-
-
-
I think we have enough commits to release HyperDbg v0.5.
-
Let me fix a small issue I noticed in the showing context message
-
-
and after that, will release the new version.
-
optional recheck? 🤨
-
-
-
-
-
We can release it, but this needs some tests before release. So, I think it's better to release v0.5 now to at least fix the problem with the VMware Workstation checksum error, and after that we'll get to this optional recheck. Is it okay?
-
-
👍
-
i compiled the dev branch and I am not facing the BSOD, so thanks a lot. But now i keep getting "is the debugger listening? retry handshaking with the debugger... (timeout: 5 seconds)"
-
debugger .vmx:
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileName = "\\.\pipe\KernelDbg"
serial0.present = "True"
serial0.tryNoRxLoss = "True"
debuggee .vmx:
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileName = "\\.\pipe\KernelDbg"
serial0.present = "True"
serial0.tryNoRxLoss = "True"
serial0.pipe.endPoint = "client"
HyperDbg> .debug remote serial 115200 com2
HyperDbg> .debug prepare serial 115200 com2
I have tried different combinations of comX but no use
-
Joined.
-
-
i am doing that, ran .debug remote on debugger end
-
.debug prepare on debuggee side
-
-
-
The issue is with the way I am setting up serial ports in VMware Fusion, as it is quite different from the Windows counterpart (VMware Workstation).
-
Hi there, does anyone know if I can somehow load the HyperDbg driver by manual mapping? I'm trying to debug a protected game, but it doesn't allow me to run it with test signing enabled.
-
Guys, if anyone can guide me on how I can debug the serial ports issue. This is how I am creating them on VMware Fusion:
https://communities.vmware.com/t5/VMware-Fusion-Discussions/Add-Network-Serial-Port-in-Fusion/td-p/480346
Add Network Serial Port in Fusion
Took awhile but I figured out how to connect to a network serial port in Fusion on my Mac. PITA. Step 1: Don't boot the VM Step 2: Add a serial port and chose a bogus file for it Step 3: Go into the VMX file. For me, I had to right click the VM file, select "Show Package Contents" then open vmN...
-
I keep getting "is the debugger listening? retry handshaking with the debugger... (timeout: 5 seconds)"
- 07 August 2023 (123 messages)
-
Btw does the !monitor command work for memory ranges in kernel space?
-
No this simply means that the handshake mechanism which was added recently won't work. And the reason for that is the connection problem. HyperDbg cannot send data over serial.
-
Yes, it works on both user-mode and kernel-mode.
-
So, the serial configuration that I previously sent to you is problematic here, as nothing is received. You can verify it with a simple serial port monitor/send program like PuTTY or XCTU.
-
BTW, what are you trying to find out? I mean, if you just want to observe the locations where RWX happens, you can create a log in VMI mode without a serial connection.
-
What do you mean by manual mapping?
-
I think he meant allocating a pool, manually relocating image/fixing imports, overwriting the allocated pool using the vuln driver
-
-
🤔
-
GitHub - TheCruZ/kdmapper: KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory
-
-
-
-
Does supporting it need any special consideration on the HyperDbg driver?
-
I mean it would probably be a pain to support this and only gamehackers are going to use it like that
-
Oh. I'm not sure honestly, probably not. You can treat it like a normal driver but you don't have the driver object(the one that gets passed to the DriverEntry)
-
you also can't use SEH loading a driver this way
-
I mean. You can, but it requires a lil bit of modifications to the kdmapper project driver that you are "manually mapping"
-
interesting, I thought supporting it for manually mapped drivers is such an esoteric knowledge only known to true windows kernel wizards lol
-
Not really. You can just google it, the thing is that it won't be pg-compatible, but as for the hyperdbg driver, it is using some pg detected stuff anyways so it won't be an issue lol
-
anyways, I think adding support for this would be awesome because I don't really see any real practical use for hyperdbg except for debugging anti-cheats and also rootkits maybe? But technically speaking, anti-cheats are also rootkits lol. Please correct me if I am wrong here.
-
hey
-
anyone know why I get CLOCK_WATCHDOG_TIMEOUT
-
with my HYPERVISOR
-
-
This can have thousands of reasons, what did you change that leads to this?
-
I need to break the kernel to figure out the location of the buffers i want to monitor for RWX
-
In VMI mode, you can view (create logs) from the changed buffers, but, you can pause the kernel.
-
Can you verify the serial connection? Is it working properly?
-
I will work on serial connection
-
Can or can't?
-
Can't halt (pause) the system in VMI mode. But you can create logs.
-
Basically, you need something like this in VMI mode:
!monitor rw 0xfff1234 0xfff1234+100 script {
printf("The address: %llx is modified from: %llx\n", $context, @rip);
}
-
This script works perfectly in VMI mode.
-
HyperDbg v0.5 is released.
https://github.com/HyperDbg/HyperDbg/releases
Added
The event calling stage mechanism
New pseudo-registers ($stage) in the script engine
Changed
The disassembler now warns if you mistakenly used the 'u' command over a 32-bit program
The debuggee won't load the VMM module if the debugger is not listening
The debugger and the debuggee now perform a version/build check to prevent version mismatch
Fix the 'eb' command's parsing issue with '0xeb' hex bytes
Fix the connection problem with serial (checksum error) over two VMs
Fix the 't' command's indicator of trap flags and simultaneous stepping of multiple threads
Fix the problem with the '.kill' and '.restart' commands
Show the stage of event once the debugger is paused
Fix sending context, tag, and registers once '!epthook2' wants to halt the debugger
-
And also, this is the description of the new 'calling stage' mechanism:
https://docs.hyperdbg.org/tips-and-tricks/misc/event-calling-stage
Event calling stage
The event calling stage in HyperDbg
-
-
-
-
Do you have any idea why? Does it have something in TLS?
-
-
-
-
Weird, how can it find a chance to run code? 🤔
I don't know if there is anything other than TLS that is executed before the entrypoint. 🤨
-
-
Yeah. Send it please.
-
-
@sina still getting BSOD with the .debug prepare command with the dev branch binary and the 0.5 release. What could I be doing wrong?
-
listen/.connect work fine
-
-
-
both VMs win10, debugger and debuggee
-
-
same issue with BSOD?
-
-
-
-
Windows 10 Home 22H2
-
-
-
19045.2965
-
yup
-
-
-
-
it's a 2019 intel mac
-
2.6 GHz 6-Core Intel Core i7
-
-
-
-
-
-
i7-9750H
-
damn
-
bad luck
-
-
that's extremely unlucky on my part
-
I am in dire need of !monitor functionality, as hardware breakpoints can't help me
-
you know of some other tool or technique that i could use?
-
need to monitor a buffer for reads
-
-
-
-
-
I don't but I could set one up. The research that i am conducting has been with win 10 so far so switching OS won't be an option for me
-
-
did you have the same issue? .connect works but not .debug
-
-
-
-
-
got it
-
thanks
-
@HughEverett could anything be done to fix this issue for this specific processor+win10?
-
-
: kd> g
Break instruction exception - code 80000003 (first chance)
hprdbghv+0x8cf9:
fffff801`24958cf9 cc int 3
2: kd> g
Break instruction exception - code 80000003 (first chance)
hprdbghv+0x8cf9:
fffff801`24958cf9 cc int 3
0: kd> g
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x0000003b
(0x00000000C000001D,0xFFFFF80124958D52,0xFFFFF9072196F840,0x0000000000000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
nt!DbgBreakPointWithStatus:
fffff807`3d5cbc90 cc int 3
0: kd> g
-
-
-
-
-
-
-
As VMLAUNCH has failed, the entire virtualization routine will fail.
-
-
-
-
-
-
-
-
VCpu->HasLaunched = TRUE;
__vmx_vmlaunch();
//
// ******** if Vmlaunch succeed will never be here ! ********
//
//
// If failed, then indicate that current core is not currently virtualized
//
VCpu->HasLaunched = FALSE;
//
// Read error code firstly
//
__vmx_vmread(VMCS_VM_INSTRUCTION_ERROR, &ErrorCode);
LogError("Err, unable to execute VMLAUNCH, status : 0x%llx", ErrorCode);
-
-
-
-
-
-
-
-
-
-
-
No, it's an Intel-ish issue with the layout of the hypervisor.
https://rayanfam.com/topics/hypervisor-from-scratch-part-5/#checking-vmcs-layout
Hypervisor From Scratch – Part 5: Setting up VMCS & Running Guest Code
We write about Windows Internals, Hypervisors, Linux, and Networks.
-
- 08 August 2023 (21 messages)
-
Probably no, as long as I don't have physical access to such a computer. But as @ricnar mentioned, the problem with this version is really weird; I don't know what's happening there that makes VMLAUNCH fail to execute.
But, one thing that was interesting for me was the fact that you said '.connect' works; basically there is no difference between '.debug' and '.connect'. Are you loading the driver successfully ('load vmm')? Or just connecting without loading the driver?
-
I just run .debug commands on both sides and get a BSOD. In the case of .connect I do the same: I start the listen command on the debuggee and then run .connect on the other.
-
and the '.connect' bsod the debuggee too? or not?
-
Nope
-
😳
-
Just .debug BSODs the debuggee
-
I am exporting the VMs to a different laptop for now
-
So, this is not same as the problem @ricnar mentioned.
-
I'm not sure what processor that one has
-
This problem could be fixed, if you can setup a WinDbg (kdnet) to test it.
-
Ahan
-
Do you have visual studio (+WDK)? If you can allocate some time for it, we could debug HyperDbg together step-by-step here to find the problem and fix it.
-
I do have it setup. VS+wdk. But it's on my debugger VM. Which is also win 10
-
I can confirm first if that VM gets BSOD or not
-
Windows 10 is pretty okay. Once HyperDbg crashes the system, WinDbg will detect it. After that, we can investigate through the '!analyze -v' results.
-
Hey, I'm trying to make a python script in which I load the HyperDbg DLLs and use them to send commands and receive their outputs. Specifically, I want this to work with scripts.
Ex:
HyperDbgInterpreter('? printf(@rax); ')
---> Callback:
read() -> "123"
Sadly, neither HPRDBGCTRL.HyperDbgInterpreter(), nor script-engine.ScriptEngineSetTextMessageCallback() are triggered for PRINTF() or PRINT().
Any help?
-
here's my current script:
import ctypes

def test_callback(txt: ctypes.c_char_p) -> int:
    print("AAAAAAAAAAAAAAAAAAAAA")
    return 0

if __name__ == "__main__":
    # Load HyperDbgCTRL into memory
    hdbg_script_dll = ctypes.cdll.LoadLibrary("./script-engine.dll")
    proto_callback = ctypes.WINFUNCTYPE(
        ctypes.c_int,     # Return type
        ctypes.c_char_p   # Param 1
    )
    cb = proto_callback(test_callback)
    hdbg_script_dll.ScriptEngineSetTextMessageCallback(cb)
    hdbg_dll = ctypes.cdll.LoadLibrary("./HPRDBGCTRL.dll")
    # hdbg_dll.HyperDbgSetTextMessageCallback(cb) <-- also doesn't work
    hdbg_dll.HyperDbgInterpreter(ctypes.c_char_p(b"!? printf(\"asdasdyasd\");"))
-
Looked into it further and
ScriptEngineFunctionPrint(UINT64 Tag, BOOLEAN ImmediateMessagePassing, UINT64 Value)
{
#ifdef SCRIPT_ENGINE_USER_MODE
    ShowMessages("%llx\n", Value);
#endif // SCRIPT_ENGINE_USER_MODE

#ifdef SCRIPT_ENGINE_KERNEL_MODE
    //
    // Prepare a buffer to bypass allocating a huge stack space for logging
    //
    char   TempBuffer[20] = {0};
    UINT32 TempBufferLen  = sprintf(TempBuffer, "%llx", Value);
    LogSimpleWithTag(Tag, ImmediateMessagePassing, TempBuffer, TempBufferLen + 1);
#endif // SCRIPT_ENGINE_KERNEL_MODE
}
should internally be calling g_MessageHandler() in ShowMessages()??
-
-
-
Would it work if we analyze the crash on the debuggee VM that doesn't have VS? I can attach WinDbg to it over the network as I already do.
Or do I need VS+WDK on the machine being analyzed for the crash?
- 09 August 2023 (186 messages)
-
Hi, you need to register your custom 'printf-like' function there. You used ScriptEngineSetTextMessageCallback, but that's wrong, this function should be called instead: HyperDbgSetTextMessageCallback.
-
-
And ShowMessages() will eventually call it.
-
VS+WDK lets us test and fix code with more flexibility, but it's not necessary. Just having the WinDbg '!analyze -v' results works most of the time as well.
-
I'll send you the output of the command
-
Setup info: Win10 debugger VM running WinDbg and the HyperDbg .debug remote command.
Debuggee VM being debugged by the first VM, and I launch .debug prepare.
Output:
HyperDbg> .debug prepare serial 115200 com1
current processor vendor is : GenuineIntel
virtualization technology is vt-x
vmx operation is supported by your processor
err, a device attached to the system is not functioning
vmx feature might be disabled from BIOS or VBS/HVCI is active
failed to install or load the driver
-
VT-x is enabled in VMware
-
i don't see an option for vmx in vmware bios
-
Driver signature enforcement is disabled?
-
Yes
-
How did you disable it?
-
I did once during startup and once through cmd bcdedit + restart
-
Can you verify it in the "System Information"?
-
-
This one.
-
I checked in the task manager under processor and it didn't show up there. Just said virtual processor: 1
-
Let me check
-
-
You run the Windows with Test Mode?
-
Am I right?
-
i don't think so. in this case to debug using windbg i run in debug mode
-
when i was getting BSOD i was not running in debug mode
-
WinDbg is connected to the VM?
-
yes right now
-
and no BSOD since windbg is connected
-
And you cannot load HyperDbg driver?
-
🤨🤨🤨
-
How do I do that manually? I am just running .debug prepare and getting that error.
-
I didn't get the point. WinDbg is connected to the guest, but you get this error?
-
yes
-
this one.
-
yes
-
It's super weird 🙂
-
-
The right picture is in the VMware?
-
VBS is disabled in both sides?
-
yes, two separate VMs
-
VBS might be on on debugger side let me confirm
-
it is disabled on both ends
-
and also can you confirm that the debugger VM (WinDbg) is able to pause the debuggee VM?
-
it is
-
This is weird, maybe a previously loaded HyperDbg driver which is not yet unloaded?
-
could be
-
Can you delete the HyperDbg files (including drivers) without annotations (like "it's used by another process")?
-
I'm gonna see whether the driver files are previously loaded or not.
-
i have 3 different release folder on this system
-
i should delete all 3?
-
yes
-
0.4 and 0.5 and dev
-
ok
-
because we don't know which one is still loaded in the system.
-
aha, latest release folder not being deleted
-
files in use
-
Go on the same file (that won't be deleted), then use 'connect local' and 'load vmm'
-
after that, run 'unload remove vmm'
-
to delete the drivers.
-
cli exe deleted
-
just left with drivers in that folder
-
no worries, copy the cli from whatever version you have
-
ok
-
HyperDbg> connect local
local debugging (vmi-mode)
HyperDbg> load vmm
loading the vmm driver
current processor vendor is : GenuineIntel
virtualization technology is vt-x
vmx operation is supported by your processor
err, a device attached to the system is not functioning
vmx feature might be disabled from BIOS or VBS/HVCI is active
failed to install or load the driver
HyperDbg> unload remove vmm
there is nothing to unload
the driver is removed
HyperDbg>
-
deleted the folder and now it is deleted
-
should i try .debug prepare now
-
or just load vmm first
-
yes
-
I think it's better to first run it locally 'connect local' 'load vmm'
-
to make sure that it works in VMI Mode.
-
After that 'unload remove vmm'
-
Once we confirm that it works in VMI Mode, we will get to the '.debug' problem.
-
one more question
-
Should I do this with WinDbg connected?
-
yes
-
ok
-
HyperDbg> connect local
local debugging (vmi-mode)
HyperDbg> load vmm
loading the vmm driver
current processor vendor is : GenuineIntel
virtualization technology is vt-x
vmx operation is supported by your processor
err, a device attached to the system is not functioning
vmx feature might be disabled from BIOS or VBS/HVCI is active
failed to install or load the driver
-
😕
-
with windbg connected driver sig option shouldn't be an issue right?
-
yes
-
that's why I say it's weird
-
Generally, HyperDbg shows this message only if the error message of driver loading indicates an integrity error.
-
I don't have any idea which component is preventing it from running
-
debuggee vm has an AV installed, debugger vm doesn't. will try load vmm on debugger vm
-
Same issue sadly; testsigning is on and still this. No AV here either.
HyperDbg> .connect local
local debugging (vmi-mode)
HyperDbg> load vmm
loading the vmm driver
err, failed loading driver
it's because either the driver signature enforcement is enabled or HVCI prevents the driver from loading
you should disable the driver signature enforcement by attaching WinDbg or from the boot menu
if the driver signature enforcement is disabled, HVCI might prevent the driver from loading
HyperDbg is not compatible with Virtualization Based Security (VBS)
please follow the instructions from: https://docs.hyperdbg.org/getting-started/build-and-install
unable to install VMM driver
failed to install or load the driver
Build & Install
This document helps you to build and install HyperDbg
-
is there a way to confirm driver sig enforcement being off?
-
🤔
-
any way to confirm this "Driver signature enforcement is disabled?"
-
Did you also test this method?
https://www.tenforums.com/tutorials/156602-how-enable-disable-driver-signature-enforcement-windows-10-a.html
How to Enable or Disable Driver Signature Enforcement in Windows 10 - Windows 10 Help Forums
How to Enable or Disable Driver Signature Enforcement and Test Mode in Windows 10
-
bcdedit /set testsigning on
-
No, I mean pressing shift and restarting
-
this method is in there
-
i can try that
-
lemme see
-
-
This one
-
yes let me try on this VM
-
i did try this before
-
i tried this method and now i have BSOD
-
means driver probably got loaded but i got BSOD
-
yes, it means that HyperDbg's driver is loaded
-
yes
-
yes
-
i now need to recreate with windbg connected
-
Did you run '.connect' or '.debug'?
-
i did load vmm after .connect local
-
.
-
Are you experiencing this BSOD on '.connect' for the first time?
-
only on load vmm
-
I thought the problem is only for the '.debug'.
-
i guess it is with driver being loaded
-
when i did .connect in past
-
i did not do local VMI
-
i did remote
-
and no BSOD occurred
-
i did not load driver manually with "load vmm" either
-
Okay, I hope that we don't conclude that the error is because of 'error number 7', with 'Guest Invalid State' of the VMLAUNCH instruction.
-
Because this is something that the processor doesn't give more information about (what exactly happened), and it can have thousands of reasons.
-
!analyze -v won't help debug this?
-
If this is a CPU error, then no. It won't help. It's not a software error, CPU throws it without further information. WinDbg can tell us that the reason for error is because CPU gave this error, but it doesn't have further information why this error happens.
-
i see
-
maybe i should try importing my VMs to a separate PC them
-
then*
-
can't believe my luck 🙁 both my laptops have the exact same CPU, macbook pro i7-9750H and XPS 7590 with i7-9750H
-
-
-
-
-
maybe i could try that yes
-
thanks for the suggestion
-
-
-
-
🤨🤨🤨
-
Really? It works on Win 11 with a 9 gen Intel processor?
-
What could be wrong 🤔
-
@HughEverett just attached windbg to the crashed VM, will share crash logs
-
I don't know
-
This shows that, something is changed in Windows that we didn't notice. 🤔🤔🤔
-
-
i really hope this can be fixed for windows 10 plus same cpu :p
-
-
not for the past 3 4 months
-
but i can't update it now
-
-
can't change the research setup
-
-
But it's kinda weird, because the first release of HyperDbg was developed on a Skylake 6 gen Intel CPU. After that, I moved to a 12 gen Alder Lake processor. But, I didn't change anything special since then. That's why it should be compatible with older processors as well.
-
-
say something that gives hope now :p
-
Can you load the pdb file of the hprdbghv and get the result of '!analyze -v' again?
-
Could you share the PDB files for release 0.5?
-
Yes
-
more than happy to
-
Of course, use the pdb file of the version that you used in VM
-
Why? 😅
-
i mean i am happy to load pdbs to debug the issue :p
-
It doesn't necessarily lead to solving the issue 😁😅
-
i hope it does :p
-
Debugging HyperDbg is really hard. I can't count the number of times, HyperDbg crashed random processes in the system without a clue of what's happening there. 🤪
-
Understandable, it isn't a small program.
-
There are some facilities there like 'LogInfo' macro function designed to debug HyperDbg by sending the information out in the serial port before crashing the entire system.
-
failed to reproduce the crash, but running load vmm produced this in WinDbg:
kd> g
Break instruction exception - code 80000003 (first chance)
hprdbghv!AsmVmxSaveState+0x29:
fffff800`22388cf9 cc int 3
-
i think i haven't been able to produce the crash with windbg attached
-
-
Bad news, this is the same error @ricnar encountered.
-
-
-
i see
-
-
-
i did
-
no bsod
-
failed to load driver
-
does anyone know of a technique or tool that can produce results like !monitor
-
my usecase is to find the address of a buffer when it is being written to (achieved with windbg) then put basically a hardware bp on whole buffer to see where it is accessed again
-
-
yup. so anything like !monitor
-
that can be done without hyperdbg
-
-
-
kernel
-
and i think i can't change page protection in my case as it is kernel
-
@HughEverett any ideas?
-
As it's in kernel, probably the only option is HyperDbg.
-
Also, DdiMon has this functionality, but I didn't test it:
https://github.com/tandasat/DdiMon
GitHub - tandasat/DdiMon: Monitoring and controlling kernel API calls with stealth hook using EPT
-
-
-
- 10 August 2023 (1 messages)
-
Joined.
- 12 August 2023 (3 messages)
-
Joined.
-
How can I do step-by-step tracing on AMD-V (SVM)?
-
Hi,
If you mean simple tracing (like WinDbg's "t" command), then you can use WinDbg, or if it's a user-mode application, both WinDbg and x64dbg. I'm sure x64dbg has some tracing facilities. But, if you are looking for something like the instrumentation step-in in HyperDbg (user-mode to kernel-mode), I can't think of any alternative way other than HyperDbg on Intel processors. Maybe 'dtrace' can help, but I'm not even sure if it works on AMD processors or not.
- 13 August 2023 (4 messages)
-
Joined.
-
Joined.
-
Hello,
What is HyperDbg and what can I do with HyperDbg?
-
I thought it's common sense to check the manual/guide before asking "what does my computer do" kind of questions 😓
- 15 August 2023 (1 messages)
-
Joined.
- 18 August 2023 (1 messages)
-
Joined.
- 21 August 2023 (165 messages)
-
Joined.
-
-
-
-
header value?
-
-
-
-
what kind of value?
-
-
Would you please send me the file?
-
I'm gonna test it now