- 04 March 2024 (3 messages)
-
In the EptSetupPML2Entry function, the PageFrameNumber parameter represents a 2MB PageFrameNumber. Next, pass PageFrameNumber*PAGE_SIZE to the PhysicalAddress of the EptSplitLargePage function. Is this an error? The PhysicalAddress should be PageFrameNumber*SIZE_2_MB
-
Right now, I don't have access to my computer, I'll check and notify you tomorrow. - 06 March 2024 (4 messages)
-
You're right, something is going wrong here. 🤔
-
As the result, we're missing some page-tables but it seems that those page-tables (edge-sideded) page tables are never accessed during HyperDbg tests. That's why I didn't notify that. Only a small portion of them are in this category.
-
yes, go on and submit a PR. Please submit it to the 'dev' branch.
- 07 March 2024 (25 messages)
-
Joined. -
i actually noticed this a lot -
I had to sometimes jump 2mb+ to epthook
-
otherwise the address would show up as invalid
-
I don't think that this problem can cause an address invalid error. 🤔
-
Can you give me some cases where HyperDbg fails to hook?
-
BTW, this problem is now fixed in the 'dev' branch. You can easily test it to see if it was because of this error.
-
Find a large enough binary and set monitors in it's executable section. Try every page.
-
l 8
-
I mean usermode apps
-
not kernel
-
and I used VA
-
sometimes it would fail until i skipped a large enough chunk (usually tried 0x100000 increments if 0x1000 didnt work)
-
sometimes it'd work no problem
-
not sure what caused the issue exactly
-
there's also an issue when usermode applications crash
-
you can't reallt disable EPT hooks, even if the process launches again and module is at same VA (not COW)
-
you can disable the event though
-
if you don't, you will bsod eventually
-
I assume if you translate the va to pa, and don't use a pid it probably works fine
-
That's most likely because the page is not available in the memory (either it's paged-out or not used as a result demand paging).
-
You need to use the '.pagein' command to that missing range.
https://docs.hyperdbg.org/commands/meta-commands/.pagein.pagein (bring the page into the RAM) | HyperDbg DocumentationDescription of the '.pagein' command in HyperDbg.
-
This will force the operating system to make this page available in the memory and after that, you can use the '!monitor' normally.
-
The reason why this happens is simply because EPT hooks are working based on physical addresses (not virtual addresses), and while there is no page (no pfn), HyperDbg cannot make a hook.
- 10 March 2024 (45 messages)
-
are you Chinese? -
英语都说不明白
-
What kind of slows down? How many EPT hooks? Either !monitor or !epthook?
Generally, you shouldn't be noticed the system slowing down, unless you're hooking a high-rate system functionality (e.g., a syscall/interrupt routine) -
epthookinline is !epthook2? Did you use HyperDbg as a library? or directly from the cli?
-
Is the same with !epthook?
-
can you send me the command (script) you used?
-
This is not a script, you've used it to pause HyperDbg.
-
How to create an action?
This document helps you to create an action for events
-
I mean the way you used it is like you wanted to pause (halt) the debuggee.
-
Do you want to create a log from the debugger? like printf?
-
HyperDbg has three types of actions :
https://docs.hyperdbg.org/using-hyperdbg/prerequisites/how-to-create-an-actionHow to create an action?This document helps you to create an action for events
-
You can either pause the debugger, or run custom code or execute an script.
-
Let me send you a youtube video for reference.
-
No
-
Actually, I think you're applying it incorrectly.
-
Please see: https://www.youtube.com/watch?v=tjsFRBFGis4&list=PLUFkSN0XLZ-kF1f143wlw8ujlH2A45nZY&index=32Dbg3301: HyperDbg 05 01 Intro and Classic Hidden Hooks
View the full free MOOC at https://ost2.fyi/Dbg3301. This course is an introductory guide to HyperDbg debugger, guiding you through the initial steps of using HyperDbg, covering essential concepts, principles, debugging functionalities, along with practical examples and numerous reverse engineering methods that are unique to HyperDbg. Whether you have an interest in reverse engineering or seek to elevate your reverse engineering skills with hypervisor-assisted approaches, this course provides a solid foundation for starting your journey.
-
yep, let me know if you couldn't make it work.
-
-
Hypervisor From Scratch is not updated for years as I wanted to make it untouched to avoid confusion. You should use 'hprdbghv' instead which is actively maintained/updated.
-
Yes, that's probable as you trying to hook a syscall routine.
-
But, again use HyperDbg instead which is a stable/maintained version of Hypervisor From Scratch.
- 19 March 2024 (5 messages)
-
HyperDbg v0.8.2 is now released! 🔥
This update brings support for functions in the script engine.
Read more:
https://docs.hyperdbg.org/commands/scripting-language/constants-and-functionsConstants & FunctionsDescription of constants and functions
-
## [0.8.2.0] - 2024-03-19
New release of the HyperDbg Debugger.
### Added
- Add user-defined functions and variable types in script engine
### Changed
- Fix debuggee crash after running the '.debug close' command on the debugger
- The problem with adding edge MTRR pages is fixed
- All compiler/linker warnings of kernel-mode modules are fixed
- User/Kernel modules of HyperDbg now compiled with "treat warning as error"
- After downloading new symbols it is automatically loaded
- Fix error messages/comments spelling typos -
and with special thanks to @xmaple555 for implementing "functions" in the script engine.
-
Other than that, all the compile warnings are fixed and now HyperDbg compiles with "treat warnings as errors." Lots of warnings maybe 4 or 5 thousands of warnings fixed.
-
Joined. - 22 March 2024 (2 messages)
-
Joined. - 25 March 2024 (1 messages)
- 29 March 2024 (2 messages)
-
Joined. -
Joined. - 30 March 2024 (2 messages)
-
Joined. - 31 March 2024 (1 messages)
