- 01 December 2023 (1 messages)
- 04 December 2023 (1 messages)
- 05 December 2023 (1 messages)
- 06 December 2023 (2 messages)
- 07 December 2023 (4 messages)
-
There is actually a project that a community member currently working on it, however, it is still in the early stages of development and far from completion.
https://github.com/HyperDbg/RedDbgGitHub - HyperDbg/RedDbg: Hypervisor-based debugger for AMD processorsHypervisor-based debugger for AMD processors. Contribute to HyperDbg/RedDbg development by creating an account on GitHub.
-
The project that sina threw off is working, but there is no interface, but it is completely ready for tracing and using the type as DBI (denuvo and many other applications are quietly traced). I don't want to make a command interface and I'm making a GUI, and the GUI takes a very long time. - 08 December 2023 (4 messages)
-
What do you need it for? Are there definitely no other solutions to this problem?
-
In theory, you can make a global variable or a bool array that says that you have reached the Thread Suspend condition/situation, and then in another thread that you initialized before entering VM ROOT mode, make a Thread Suspend. I kind of also when I needed to record a trace from a traceable application.
- 09 December 2023 (20 messages)
-
Did you ask about hyperdbg or specifically about hypervisors?
-
This is how the VMEXIT_EXCP_BP handler works
-
Ah, I get it now. I thought you were asking about the hypervisor in general -_-
-
You need to ask sina, since I don't really use hyperdbg, since I have amd -_-
https://github.com/HyperDbg/HyperDbg/blob/fac10fd8309bd40a43c6caa3eac2f33e4e2a1e65/hyperdbg/hprdbgctrl/code/debugger/commands/debugging-commands/lm.cpp#L385
This command is supposed to work in nonvmx root mode. But not exactly.
This command, as I understand it now, requests a list of modules and logically it works in non vmx root, but I don't really understand what you mean by that.
Its direct execution does not seem to depend on vmx root mode...HyperDbg/hyperdbg/hprdbgctrl/code/debugger/commands/debugging-commands/lm.cpp at fac10fd8309bd40a43c6caa3eac2f33e4e2a1e65 · HyperDbg/HyperDbgState-of-the-art native debugging tool. Contribute to HyperDbg/HyperDbg development by creating an account on GitHub.
-
I think it's better to write to Sina or he will answer you here himself a little later. I just thought that you were just asking about hypervisors not about hyperdbg.
- 10 December 2023 (7 messages)
-
Sorry for the late reply, I'm super busy these days! 🤪
Well, for this question, suspending threads in VMX-root mode doesn't make sense. It's because Windows regularly sends NMIs to all the cores to make sure if all other cores are working and running and if you suspend it from VMX-root (even though those NMIs are still delivered) but Windows cannot context switch threads and as the result the entire system will be halted (crashed). -
So, you need an OS-specific approach. For example, changing the RIP of the thread to somewhere else (like an infinite thread). This exactly what we do previously.
-
This video.
-
It's basically a simple infinite loop.
-
Other than that, I agree that we should find a way to avoid continuing debuggee for the 'lm' command. Basically, we need to read kernel-module addresses from somewhere or some APIs that HIGH_IRQL compatible. Because from what I remember, reading user-mode modules doesn't need continuing the debuggee (though it continues the debuggee right now).
-
If you want to start with HyperDbg, you can consider this tutorial as well, might be helpful:
https://ost2.fyi/Dbg3301Debuggers 3301: HyperDbgThis class teaches you how to use HyperDbg, a virtualization-based debugger.
- 11 December 2023 (2 messages)
-
- 12 December 2023 (6 messages)
-
HyperDbg doesn't support breakpoints on VMI Mode. It supports breakpoints on the Debugger Mode (VMware).
-
In future versions, we might find a way to support the 'bp' command in the VMI Mode probably only for user-mode applications but that also should work on non-system applications as pausing critical system applications will result in a halt and BSOD of the system.
- 13 December 2023 (6 messages)
-
Last time that I checked, it wasn't working but I didn't check why. I don't have any idea what's the problem but generally should not be that hard to support virtualbox.
-
Right now it works well on both VMware Workstation pro and VMware Player (free) and other VMware products (e.g., Esxi).
-
HyperDbg has plenty of options for getting code coverage. One option is using the '!monitor' command's execution interception option.
https://docs.hyperdbg.org/commands/extension-commands/monitor!monitor (monitor read/write/execute to a range of memory)Description of the '!monitor' command in HyperDbg.
-
Another option is using undocumented '!mode' command to intercept and measure code coverage in user-mode or kernel-mode.
-
Please also check the instrumentation step-in, and the '!track' command. These commands might also be helpful:
https://docs.hyperdbg.org/commands/debugging-commands/i
https://docs.hyperdbg.org/commands/extension-commands/tracki (instrumentation step-in)Description of the 'i' command in HyperDbg.
-
This instrumentation step-in is also recently exported in script engine as a function which can also be used for measuring code coverage though it's not yet well-tested and not documented.
- 14 December 2023 (1 messages)
-
Joined. - 20 December 2023 (1 messages)
- 22 December 2023 (1 messages)
- 24 December 2023 (1 messages)
- 25 December 2023 (2 messages)
-
Hi, thanks for sharing.
- 26 December 2023 (1 messages)
- 28 December 2023 (1 messages)
