I just noticed the version of WDK and SDK updated recently

compiler still outputs the binary files, but ApiValidator returns error code

🤔

Did you update it manually? 🤨
By default, it's up to the latest version in HyperDbg

yes, I had changed

I guess the problem is that my host os version does not update to win 11

It works fine on win 11

https://github.com/HyperDbg/HyperDbg/pull/297

This is an incredibly significant contribution, @xmaple555. Hats off really. 👍👍👌

can we replace string with wstring for the related command functions ? I want to support wstring for script engine, but I noticed there are a lot of functions involved to be changed

Hi,
What do you mean by realted command functions? What kind of functions? 🤨

like HyperDbgCheckMultilineCommand

from https://github.com/HyperDbg/HyperDbg/blob/94dba4945533a9ad2feb78da5734636ebcacecf6/hyperdbg/hyperdbg-cli/hyperdbg-cli.cpp#L82

change string to wstring

Yep, you can change it. That's a good idea. Up until December I have the plan of fixing all warnings (and enable treat warnings as error) in HyperDbg, so probably I need to re-test every functionality, thus, I will re-test script engine as well.

And also, if everything goes well, we will release a new version of HyperDbg in the coming days to support applying events instantly.

Which mean, HyperDbg no longer continues the debuggee for some time to apply events and all the events like !epthook, !monitor, !syscall, etc. will be applied instantly thus preserve the system state (context).

This one would be huge step in the project timeline. Because it's known to be the worst design issue of HyperDbg which will be fixed soon. 😎

how about only support English character for wide string for now?

because it needs to change a lot of code to support other language

🙃

Do you mean that you want to keep it as it is for now? Because right now it supports ASCII characters. Or any special change?

what I meant is if we need to do like this
? {
if(wcscmp(L"中文",$pname) == 0){
printf("the two strings are same");
}else {
printf("the two strings are not same");
}
}

Got it, but is it even possible to support this without supporting the entire wsting? 🤔

yes there is wstring version of memcpy function

You mean that cannot support sth like this right now:
? {
if(strcmp(L"中文",$pname) == 0){
printf("the two strings are same");
}else {
printf("the two strings are not same");
}
}

but if user specifies a buffer that has a wide-char string, then it is supported.

Am I get it correctly?

only supported for English alphabet
? {
if(wcscmp(L"only English",$pname) == 0){
printf("the two strings are same");
}else {
printf("the two strings are not same");
}
}

Yes. That would be okay. 👍

Hello!

https://www.youtube.com/watch?v=idFUiURTUr4
Above are my results for the past week, it remains to finish some things and that's it.

@Nitr0_G Made this initial GUI for HyperDbg, and RedDbg. Here's the very first demo. Let us know, if you have any feedback.

no amd processor to run RedDbg 🥲

Finally, the new instant event mechanism is ready. Right now, HyperDbg applies events instantly without continuing the debugger. This means you won't lose the current context and it guarantees to keep the system state (registers, and memory) untouched while applying events (like !epthook, !monitor, !syscall, etc.).

perfect good move

is included in the last dev?

Yep, actually it was the worst design problem of HyperDbg which is now fixed.

Does hyperdbg work well with Ghidra?

Yes. I also merged it as 'v0.7 RC2' to the master branch.

Is it detectable to any anti-cheats?

👍

broo 💀

it is

//2short

HyperDbg is not integrated with Ghidra as long as I know, but you use them together separately.

WTF

why?

okay thanks

For those who can't build (and test the latest release), you can download github built artifacts here:
https://github.com/HyperDbg/HyperDbg/actions/runs/6796257043

thanks

Probably yes, as we're currently spending our time fixing the fundamental design issues rather than making HyperDbg more transparent. It's generally more transparent than classic debuggers (e.g., windbg) by its nature as it didn't use any OS-made debugging API but still, there are a lot of footprints that advanced anti-hypervisor and and anti-debugging techniques can detect it.

You're welcome. BTW, you don't need to use that 'eb @rip xx xx xx' loop trick anymore! 🙃

😃

None

maybe is easier now to make a script to page in a memory range

maybe only reading a byte in each block

the system will page each block

One new thing came to my mind my right now that I need to test 🤔
I was thinking about using the INTERRUPT_WINDOW_EXITING field of the VMCS. This configuration bit causes the guest (debuggee) to throw a VM-exit once the guest is ready to receive an interrupt (or exception). If we could inject a series of pages while making this bit active to inject all of them, then it could solve our problem.

Not sure if it works, but I try to test it to see if it works this way, or not 🤔

👍

Okay thank you

But do you foresee that there will be one day that there’s absolutely no way for you to get around anti-cheats detections?

That means that it’ll always be detected no matter what you do

If we’re talking about VMX specifically, then it’s kinda hard to work around timing detections

Exactly, but the good (and bad) thing is that Microsoft activated VBS. So, anti-hypervisor methods are no longer able to rely only on microarchitectural side channels.

I don't thing so, this is a never ending cat and mouse fight.

Tbh, I don’t use them coz i prefer not to pose performance

Do games work with VBS?

But we still can make the debugger substantially better in terms of transparency.

Nope, I disable it but I think most of the users won't disable it on their computers and this way anti-cheat makers have to ignore a lot of hypervisor-based detection methods.

When you say timing detections, are you referring to heartbeat?

Not sure what heartbeat is. I’m talking about measuring instructions execution times, specifically the ones which cause vm exits. For instance cpuid causes unconditional exits. You could tweak tsc, sure. But then I’m not sure how to properly synchronise tsc among other cores

A universal solution is less likely to exist. There's many, many different ways you can detect a running hypervisor. What makes this process more bearable is that hypervisors are becoming a more commonly used thing for ensuring computer security (VBS under Hyper-V, etc). Anti-cheats have to take this into account, because frankly, explaining that a user has to turn this feature and this thing off, go into BIOS and whatnot is unreliable. The future is in masking and hijacking "whitelisted" hypervisors (which has been done)

What anti-cheats prioritize is knowing flaws of commonly used hypervisors for illicit purposes, and abusing them to crash the system. This also happens with something like Hyper-V running, they know this specific case is handled, but might not be handled correctly if it's hijacked.

When it comes to timing attacks, there's so many areas you have to take care of, and so many potential cases where it would fail. The most common is measuring the time it takes for cpuid, as said above, you basically wrap a cpuid call with a timer, and check how much time has elapsed.

That's one of the easier ones, but then you have other types as well, like you might try to add a couple of junk instructions to inflate the execution time, and see whether it was actually taken account when you check the elapsed time.

You could also trigger a context switch, do some extended operations and then compare the time it would take to execute when you cause an unconditional exit

there's many ways you can do this

for the crashers, it's mostly just looking at behavior of instructions that cause unconditional exits with different ways, checking if exceptions are injected properly, ...

happy

Thank you so much for this ❤️

does anyone know how to bypass EAC with hyperdbg loaded?

Here's the description of these instant events.

https://docs.hyperdbg.org/tips-and-tricks/misc/instant-events

Generally, it needs lots of considerations (like pre-allocating pools, broadcasting functions to halted cores in VMX root-mode, etc.). I tried to make these considerations as transparent as possible from the users' perspective; however, the user might encounter some limitations in applying instant events. For example, if the user wants to apply tens of events (say 20 or more) instantly and without continuing the debuggee, then it should tell HyperDbg beforehand to prepare the environment and allocate some pools (using the 'prealloc' command), or if the user wants to apply an event with a large script, again HyperDbg should be notified about it. In most of the regular usages, you won't notice these limitations as it tries to handle and replace buffers automatically when the user continues the debuggee but in any case, if you don't have a normal event then the solution is notifying HyperDbg before applying which is described there.

Another new addition to HyperDbg v0.7 is its support for string comparisons (thanks to @xmaple555 for implementing it!).

Here's an example of how you can use this string comparison to pause (halt) the debuggee if a special file name (path) is passed to nt!NtCreateFile.

https://docs.hyperdbg.org/commands/scripting-language/examples/pause-the-debugger-conditionally

That would probably be against the terms of service of EAC

EAC is already detailed in a lot of RE blogs and found to not be malicious, there's no need to reverse it

Lol

it’s really not

the last comprehensive blog or reversal was in 2019

HyperDbg now fully supports the concurrent use of other debuggers such as x64dbg and windbg when HyperDbg is loaded.

https://docs.hyperdbg.org/commands/debugging-commands/test

To use it, you need to disable breakpoint (#BP) and debug break (#DB) interception of HyperDbg by using the following commands:

4: kHyperDbg> test trap off

4: kHyperDbg> test breakpoint off

To test it, you need to either compile the 'master' branch or use GitHub Artifacts of the 'master' branch.

Hi, nice to meet you all

This was actually right. I change the '.pagein' command to support a range of addresses.

The new implementation uses the interrupt-window exiting bit of the VMCS and injects each page once the interrupt-window is open. So, right now you can bring multiple pages (a range of addresses) into the RAM.

https://docs.hyperdbg.org/commands/meta-commands/.pagein

@ricnar please check it once you have free time 🙂
It's on the 'dev' branch.

and also this demo shows how it works.

Thanks i will check

the last compiled version has this feature included?

the dev version has

i think a good step for hyperdbg is to create a plugin for use ret sync

this connects with IDA /GHIDRA and the GUI is syncronixed when you step trace or break

https://github.com/bootleg/ret-sync

it has windbg, x64dbg and ollydbg plugins yet

this is only an idea

Yes

yes that's also a really good feature that should be added.

that could be awesome

can I give you a suggestion to the pagein command?

this is not necessary at all but i think is confortable

I think the pagein command with a range of memories is great, but I think that without much effort this option could be added.

pagein start_address size

by exaple

pagein 401000 8000

to page 0x8000 bytes from 0x401000

We are lazy, hehehe

Sure, that will be added

when I typed the pagein command the target reboots

i will retry

i will retry

after that the last attempt it rebooted, i will try now

now it seems to work

🤔

Does it work as expected?

yes

using the moitor command in that range

it breaks in the OEP

and also, as you probably noticed, the '!monitor' event is applied instantly without continuing the debuggee.

yes

perfect

thanks

the second attemp it gives me this error

0: kHyperDbg> !monitor x 401000 408000
err, the page modification is not applied, make sure that you don't put multiple EPT Hooks or Monitors on a single page (c0000026)

Did you clear the prev events?

it did not let me use the monitor command two times in the second process of the same target

yes

It's disabled, not removed

You should use 'event c all' to clear them

i will try

How ever, clearing events is not applied immediately

Clearing event just disables the event, and after you continue debuggee it will actually be removed from the system

So, basically you don't need to that, just re-enable your previous event

yes

i will retry

i reboot the machine and now the pagein command works

but monitor not

it skips the first instruction executed

i cleared the event

🤔

i will retry

it worked now

Can you also check the process? I mean use the '.process' command to see if you're in the target process

now it works

👍

Did you get what was the last problem?

🤔🤔🤔

i don't know

i retry and worked

maybe i cleared the event with a wrong number

i don't know

sometimes

it reboots the target

without a crash

It only reboots

This is probably caused by the changes we made for MTRRs because of the changes made for 13 gen processors. I will investigate and fix that.

i retry

it skips the monitor command again

sometimes it fail

Does it have any TLS or a separate thread?

nop

sometimes worked

maybe it need to take a time after the monitor command

to press G?

This probably has some technical reasons for this file. 🤔

Pressing 'g' just continues the target thread with a trap flag

Is there any 'pushf' or 'popf' somewhere?

it worked one time the next it did not work

one attempt succesfull. the next attempt not succesfull

the page in command worked always

the monitor x fals sometimes

failed

Can you check the physical address of the target address?

Like '!va2pa 401000' ?

and also the second time again with the '!va2pa 401000'.

Generally, the EPT hooks are applied on physical address.

failed

fails

sorry i dint clear the events

In the second attempt the GPA (Guest Physical Address) is changed? Am I right?

i will retry now

After that you need to press 'g'

to make sure the effects of the EPT are removed.

now it worked

i will retry till fail

If the physical address is changed, then it cannot intercept the 'x' of the '!monitor'

EPT works based on guest physical addresses

it failed

it changed the physical address

So if the physical address is changed then you should remove that event and re-apply the '!monitor' event.

i will try

it didn't let me

because the physical address didn't change. Uses the same physical address.

how?

ah

i will make this only if changes

The process didn't closed. Windows just assigns new physical addresses if the process completely closes.

Honestly, didn't get what you trying to do 🤔
Why do you need clear the event at this stage? Because as long as the process is open, the physical address remains the same.

but the process is not open

i reopened

theprevious process is closed

bot the next attempt failed

in a new process

two consecutive attepts in the same target in different process

one worked the next failed

it one attempt is succesfulle

the next attempt will fail

And also one thing to keep in mind is if two processes are open then the second process uses the same physical address.

the first process is closed

the second attempt is a new process

Windows allocates the same physical address for both of the processes to avoid resource waste.

but this is a problem

monitor didn't work the second time

I mean in the second process, if the first process is closed, you need to apply a new '!monitor' event.

Is it the reason for the error?

i cleared the event of the previous process

and reapply monitor

and then what was the error?

and fails

it skips the monitor range

the second time

if skips the X

the first instruction executed

in the first process it worked

Got it, I have to test it.

the second attempt in a new process with events cleared

it does not work

this is the video

includes the fail

is in spanish but you can see the comands

i sent the program

yes

the video is uploading

in the video you can see the first time worked

the second none

and so on

and after i recieve your suggestion of clear the event

and i apply

and is the same

Thanks, I will check and fix it.

i think monitor have some value hooked to the previous value

Yes, it's also written in the documentation that it's the responsibility of the user to take care of their EPT hooks in the scenarios when Windows wants to re-map (change) the physical address e.g. when process is closed.

Because otherwise HyperDbg doesn't have any clue about Windows memory manager.

What I don't understand is why if Windows changes the physical address, doesn't Hyperdbg also change and use the new one?

Generally, HyperDbg is supposed to be unaware of the operating system. Though, we in some scenarios we didn't follow this rule. Like in the '.process' command where we actually parse everything based on the _EPROCESS.

No, it won't. How could we know that?

I mean how could we know that Windows changes the physical address?
And is it even necessary? Because the physical address remains unaffected in the process lifetime.

If hyperdbg would follow the new physical address, the monitor command should work, I calculate without knowing that if it doesn't work it is because it keeps the previous one and Windows has a new one

I mean there is no way we could understand that Windows creates a new physical address for the target process.

but is a new process

I don't know anything about this but I think maybe there should be one more check to see if it is a process with a new pid to discard the previous events and values.

when hyperdbg executes the start command

maybe

or an option

to clear all

when start

The complexity of implementing it this way is too high. Because as you might know HyperDbg is not able to switch to other processes in vmx-root mode.

but when executes the start command is in the context of the new process

That's possible but what if the process is not actually closed? E.g., it modified the page attributes of the .code segment and instructions? In this scenario if another process uses the same physical address, a new physical address will be allocated for the process that modified the code.

maybe an option

in start

start clear path xxxxxxxxx

maybe it cant tested the pid and checks the old pagein and the new pagein and put and advertise

if the phyisical address is the same or not

if monitor was used previously in the same target and a new pid is detected and advertise can be showed

when monitor is repeated

Maybe I'm just thinking of some way to check the point of failure and warn about it.

I think it's too complex to be handled as a VMX-root based solution. If it was supposed to run in the VMX non-root mode in PASSIVE_LEVEL, it was easy to implement but it's a pain (and not guaranteed to work) if we want to check another process in the VMX root-mode.

That's why HyperDbg even doesn't let the user to specify the 'pid' parameter for the memory READ/WRITE commands while the debugee is halted in the Debugger Mode.

New video from @ricnar:

https://youtu.be/KVxV6epwMPc?si=1QS54Y-bi01U4Q40

This one is added (with an 'l' option), like:
.pagein 0x7fff1234 l 8000

HyperDbg v0.7 is released!

Check out: https://github.com/HyperDbg/HyperDbg/releases/tag/v0.7.0

Starting from HyperDbg v0.7 (this version), events are guaranteed to keep the debuggee in a halt state (in the Debugger Mode); thus, nothing will change during its execution and the context (registers and memory) remain untouched.

Added
- HyperDbg now applies events immediately as implemented in the "instant events" mechanism
- The Event Forwarding mechanism is now supported in the Debugger Mode
- The Event Forwarding mechanism now supports external modules (DLLs)
- event_clear(EventId) function in script engine
- HyperDbg now supports string inputs for strlen and other related functions thanks to @xmaple555
- New semantic tests for the script engine (50 to 59) is added mainly for testing new string and memory comparison functions
- strlen and wcslen functions now support string and wide-character string as the input
- strcmp(Str1, Str2), wcscmp(WStr1, WStr2) and memcmp(Ptr1, Ptr2, Num) functions in script engine thanks to @xmaple555
- The debug break interception (#DB) manipulation option is added to the 'test' command
- The '.pagein' command, now supports address ranges (length in bytes) to bring multiple pages into the RAM

Changed
- Fix the problem with the "less than" and the "greater than" operators for signed numbers thanks to @xmaple555
- Fix the problem checking for alternative names thanks to @xmaple555
- Fix the crash by turning off the breakpoints while a breakpoint is still active thanks to @xmaple555
- Fix the crash on reading symbols on remote debuggee thanks to @xmaple555
- The 'prealloc' command is updated with new instant-event preallocated pools
- Fix wrong removing of EPT Hook (hidden breakpoints)
- The 'event' command, no longer continues debuggee for clearing events, instead just disables the event and removes the effects of the event when debuggee continues
- $id pseudo-register changed to $event_id
- $tag pseudo-register changed to $event_tag
- $stage pseudo-register changed to $event_stage
- Fix adding pseudo-registers with underscore in the script engine
- Fix the boolean expression interpretation in if conditions in the script engine
- HyperDbg now intercepts all debug breaks (#DBs) if it's not explicitly asked not to by using the 'test' command
- Fix '%d' bug in script engine