Page 1 - Dec 2024 @hyperdbg Telegram message archive.

@HyperDbgChannel #8383 04:28 PM, 03 Dec 2024

HyperDbg v0.11 is released! ✨

This version comes with bug fixes, improvements, and two new commands for viewing Local APIC (XAPIC/X2APIC) and IO APIC.

Big shoutout to Björn Ruytenberg for joining the team for bringing PCIe support to HyperDbg!

https://github.com/HyperDbg/HyperDbg/releases/tag/v0.11.0

Check it out:
https://docs.hyperdbg.org/commands/extension-commands/apic

https://docs.hyperdbg.org/commands/extension-commands/ioapic

photo_2024-12-03_16-28-49.jpg

@HyperDbgChannel #8384 04:28 PM, 03 Dec 2024

photo_2024-12-03_16-28-49.jpg

@DoubleFetch #8385 05:55 AM, 06 Dec 2024

Joined.

@282877022 #8386 06:40 AM, 06 Dec 2024

Joined.

@7806029674 #8387 04:10 PM, 06 Dec 2024

Joined.

@Fly_Dragon_Fly #8388 05:28 AM, 07 Dec 2024

Joined.

@xssaint ↶ Reply to #8049 #8390 10:04 PM, 08 Dec 2024

sticker.webm

@HughEverett #8393 03:10 PM, 11 Dec 2024

Starting from the next version (v0.12), HyperDbg will support the '!pcitree' command. You can use it from the 'dev' branch now.

https://docs.hyperdbg.org/commands/extension-commands/pcitree

photo_2024-12-11_15-10-04.jpg

@HughEverett #8394 03:10 PM, 11 Dec 2024

photo_2024-12-11_15-10-04.jpg

@HyperDbgBot #8395 b o t 04:59 PM, 11 Dec 2024

[discord] <jamlee7879> @HyperDbgBridge
Is Rayanfam in the group? Things aren't working properly here. The registry entries for DbgView aren't working properly either. It took me about an hour to figure out the correct way to do it. Here's what you should do:
Save the following content as dgbview.reg.
Double-click on dgbview.reg.

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter]
"DEFAULT"=dword:0000000f
```
https://cdn.discordapp.com/attachments/962350355839066130/1316449218633928724/image.png?ex=675b1660&is=6759c4e0&hm=828c61954ef4c4123a50b78220337f9999819a81292ad551763e8655a98fcedb&

None

@HyperDbgBot #8397 b o t 05:03 PM, 11 Dec 2024

[discord] <jamlee7879> it works for me. my win version is 10.0.16299
https://cdn.discordapp.com/attachments/962350355839066130/1316450184007385099/image.png?ex=675b1746&is=6759c5c6&hm=519cbc2fcbf829fa164e17084e0366b7e0c0e5074fb3be8a911d086e4e590392&

None

@HyperDbgBot #8398 b o t 05:09 PM, 11 Dec 2024

[discord] <jamlee7879> you could consider patching the article. 😄
https://rayanfam.com/topics/hypervisor-from-scratch-part-2/#viewing-debugging-messages-in-dbgview

Hypervisor From Scratch – Part 2: Entering VMX Operation

We write about Windows Internals, Hypervisors, Linux, and Networks.

@LG_Preset #8399 04:27 PM, 12 Dec 2024

Joined.

@HughEverett ↶ Reply to #8398 #8400 04:57 PM, 12 Dec 2024

Nice catch. You can send your patch to the blog using this repo:
https://github.com/rayanfam/rayanfam.github.io/tree/main/_posts

rayanfam.github.io/_posts at main · rayanfam/rayanfam.github.io

You can visit the website at: https://rayanfam.com - rayanfam/rayanfam.github.io

@HyperDbgBot #8401 b o t 02:25 PM, 13 Dec 2024

[discord] <jamlee7879> @HyperDbgBridge https://github.com/rayanfam/rayanfam.github.io/pull/2 Do you have time to review it?

fix: set Debug Print Filter to dword:0000000f by Jamlee · Pull Request #2 · rayanfam/rayanfam.github.io

my windows is 10.0.16299, the registry entries for DbgView aren't working. It took me about an hour to figure out the correct way to do it. Save the following content as dgbview.reg. Doub...

@HyperDbgBot #8402 b o t 05:31 PM, 13 Dec 2024

[discord] <jamlee7879> Checked in successfully for 'hypervisor-from-scratch-part-2'
https://cdn.discordapp.com/attachments/962350355839066130/1317182006190280714/image.png?ex=675dc0d6&is=675c6f56&hm=91e6ccffd96bea431c7a7874768e590b9379d3dcdb86319ac7097608203ae61b&

None

@HughEverett ↶ Reply to #8401 #8403 10:13 PM, 13 Dec 2024

Merged! 👍

@HughEverett ↶ Reply to #8402 #8404 10:13 PM, 13 Dec 2024

Great. Thanks for fixing it.

@afkuvzrkar #8405 03:23 AM, 14 Dec 2024

document_2024-12-14_03-23-56.mp4

@zzzzzzzzzzw111 #8406 11:45 AM, 15 Dec 2024

Joined.

@HyperDbgBot #8407 b o t 05:54 PM, 15 Dec 2024

[discord] <jamlee7879> In Linux, each process has its own page table. However, according to the concept of shadow page tables, it seems that there is only one page table for the guest. This seems very strange.
https://cdn.discordapp.com/attachments/962350355839066130/1317912800395399219/shadow-page-tables-1.png?ex=67606971&is=675f17f1&hm=1a24bfdbcdcae67675e731575ebe01ef151b97f61fd90ba7a7f6eb7c27301627&

None

@HyperDbgBot #8408 b o t 05:58 PM, 15 Dec 2024

[discord] <jamlee7879> Many diagrams are drawn in this way, but I don't understand why only one page table is drawn for the guest. Clearly, there should be multiple page tables (one for each process).
https://cdn.discordapp.com/attachments/962350355839066130/1317913591650713721/703cb802dfdf67ea4295e3fdd8d6d9fe.png?ex=67606a2d&is=675f18ad&hm=eca03a1625753c826ceccd0c301c338ab31ceb44e9db6e09fac291f1a87e4e46&

None

@honorary_bot ↶ Reply to #8408 #8409 06:03 PM, 15 Dec 2024

I don't know which material you're researching, but it looks like a description of a hypervisor for a pre-EPT era. Hypervisor would trap page faults and mask CR3 register, so that it would replace needed pages for the guest OS on the fly. Indeed, you would have to mask all related page tables (for every related process). However, it's more like an implementation detail, that's why it's probably out of scope for your material.

@HyperDbgBot #8410 b o t 06:10 PM, 15 Dec 2024

[discord] <jamlee7879> I'm currently reading "hypervisor-from-scratch-part-4". The architecture diagram of the shadow page table in it doesn't quite match the Linux memory management logic that I knew before, so I'm a bit confused.

My understanding is the same as that shown in this diagram.
https://www.ryanstan.com/mmu-virtualization-shadow-page-tables.html
https://cdn.discordapp.com/attachments/962350355839066130/1317916799718785165/shadow-page-tables-diagram.png?ex=67606d2a&is=675f1baa&hm=2465f1cf56627b2a46e465caf83e28c81d27045ecfaa3609840c7d26023dabf0&

@honorary_bot ↶ Reply to #8410 #8411 06:15 PM, 15 Dec 2024

Oh, that's a question for the author then, hehe

@honorary_bot #8412 06:17 PM, 15 Dec 2024

But my take is hypervisor doesn't know anything about the guest, whether it is linux, dos or etc. Hypervisor's purpose is to virtualize the execution environment.

@honorary_bot #8413 06:18 PM, 15 Dec 2024

There are indeed separate page tables on Linux and Windows, and that's the reason you trap CR3 writes in the hypervisor as well

@pzwcsndm #8414 03:22 PM, 16 Dec 2024

Joined.

@qsPfIg873371717 #8415 07:54 AM, 17 Dec 2024

Joined.

@7811530886 #8417 02:25 PM, 17 Dec 2024

Joined.

@anna_junet #8418 02:27 AM, 18 Dec 2024

Joined.

@anna_junet #8419 02:47 AM, 18 Dec 2024

hi.everybody. i use debug model to debug process. i use the .pagein command will trigger blue screen. and it will 100% trigger. I'm not sure it's a bug. Can anyone answer my questions? Thank you very much.😊

@anna_junet ↶ Reply to #8419 #8420 02:55 AM, 18 Dec 2024

when i use monitor command monitor address 00007ffb6bee0000. the hyperdbg will show (err, invalid address). then i use the .pagein w 00007ffb6bee0000 command. and 100% trigger windows blue screen. i use vm as guest. intel i3 cpu.

@HughEverett ↶ Reply to #8419 #8421 09:58 AM, 18 Dec 2024

Hi,
I actually respond it in the github (https://github.com/HyperDbg/HyperDbg/issues/488) but will send it here for further discussion:

There might be two issues in this scenario.
First, the address might be actually invalid. Are you 100% sure that the address is valid?
If the address is invalid in the OS, HyperDbg will just inject a #PF and it will crash the system since Windows assumes it as a not-expected error.
Second, it's kinda weird that you used .pagein w which means injecting a 'write'. Change it to the default behavior (without 'w') might fix the issue, so the command should be:

.pagein 00007ffb6bee0000

Let me know whether the above command fixes the problem or not.

Use .pagein will 100% trigger windows blue screen. · Issue #488 · HyperDbg/HyperDbg

Describe the bug I use debugger mode to debug process. And i want to debug dll running condition. i use "!monitor rw 00007ffb6bee0000 l 500" command to monitor memory. but kHyperDbg show ...

@anna_junet ↶ Reply to #8421 #8422 10:25 AM, 18 Dec 2024

thank your for your replay.I will try the above respond and contact you immediately if there is any result.thank your

@anna_junet ↶ Reply to #8421 #8423 02:35 AM, 20 Dec 2024

hi,
First. i sure the address is actually valid. I use the command 'lm um pid xxx' to get the address. As in the screenshot below.
Second, i run command ".pagein 00007ff9dd850000" in host computer. but the guest computer still blue screen.

@anna_junet #8424 02:35 AM, 20 Dec 2024

photo_2024-12-20_02-35-50.jpg

@HughEverett ↶ Reply to #8424 #8426 09:52 AM, 20 Dec 2024

Are you sure that you're delivering the #PF to the correct process layout? You can check it by using the '.process' command.

@HughEverett ↶ Reply to #8424 #8427 09:56 AM, 20 Dec 2024

Running the 'lm' command as mentioned in the documentation, runs the debuggee for some times, thus, you'll loose the context (memory, registers, and process). So, you might end up injecting page fault to a different process and as HyperDbg is operating at the kernel, the page fault injection will be delivered to the Windows kernel and it's not a surprise to see BSOD.

@HughEverett ↶ Reply to #8423 #8428 09:58 AM, 20 Dec 2024

When do you execute this command? I mean at what stage of a process and after which command?
Did you see this video for the reference?

https://youtu.be/MjDW2gS3lBg?si=jBLvS0C458Erw7A2

Dbg3301: HyperDbg 10 09 Bringing Pages Into RAM

View the full free MOOC at https://ost2.fyi/Dbg3301. This course is an introductory guide to HyperDbg debugger, guiding you through the initial steps of using HyperDbg, covering essential concepts, principles, debugging functionalities, along with practical examples and numerous reverse engineering methods that are unique to HyperDbg. Whether you have an interest in reverse engineering or seek to elevate your reverse engineering skills with hypervisor-assisted approaches, this course provides a solid foundation for starting your journey.

@anna_junet ↶ Reply to #8427 #8430 10:46 AM, 20 Dec 2024

got it. thank you for your reply. i didn't watch the video. I think that's the problem. I will try the above respond and i will reply this post if have any process. thank your.

@anna_junet ↶ Reply to #8427 #8432 02:57 AM, 23 Dec 2024

hi,I'm pretty sure the address is valid.The end result the guess computs is still a blue screen.

@anna_junet #8433 02:59 AM, 23 Dec 2024

photo_2024-12-23_02-59-16.jpg

@anna_junet #8434 02:59 AM, 23 Dec 2024

photo_2024-12-23_02-59-34.jpg

@HughEverett ↶ Reply to #8434 #8435 11:04 AM, 23 Dec 2024

I see the issue now. Check the RIP address where you paused and examine the execution of the target process. It appears to be in the page-fault handler, which operates in the kernel rather than user mode. If you inject a page fault while the page-fault handler is already active, it can trigger multiple page faults (or a double fault, if I’m not mistaken), ultimately leading to a Blue Screen of Death (BSoD).

@HughEverett ↶ Reply to #8433 #8436 11:05 AM, 23 Dec 2024

You need to intercept the process while it's in the user-mode (not kernel mode) and then inject the page-fault.

@HughEverett #8437 11:10 AM, 23 Dec 2024

You should not use the '.pagein' after the '.process'. Since in the implementation, both of the use the same mechanism (even injection in VMCS). So, now that I'm thinking about it, it couldn't work since we're not buffering multiple interrupts/faults/exceptions.

@HughEverett #8438 11:13 AM, 23 Dec 2024

You have plenty of other options, you can start the process using the '.start' command (which intercepts the first instruction of the entry point in the user mode) or you could put !epthook on known user-mode functions that you know it will called or maybe putting a !monitor on a buffer or piece of code, all of them work. Just make sure that your RIP register is in the user-mode and the process is your target process.

@anna_junet #8439 01:13 AM, 24 Dec 2024

got it. thank your very much.😊

@HughEverett ↶ Reply to #8439 #8440 01:24 AM, 24 Dec 2024

Did you test it? Is the problem solved? I see you also closed the GitHub issue.

@anna_junet ↶ Reply to #8436 #8441 01:30 AM, 24 Dec 2024

No. Haven't been tested yet. Isn't that the solution?

@HughEverett ↶ Reply to #8441 #8442 01:35 AM, 24 Dec 2024

Yeah, but there could be a lot of unexpected conditions we didn’t think of (which might cause new errors 🙂). Typically as HyperDbg runs at the hypervisor level, the user needs to consider a ton of factors plus have a solid understanding of CPU internals to figure out what’s going on and how to handle it.

@HughEverett ↶ Reply to #8441 #8443 01:36 AM, 24 Dec 2024

BTW, if you encounter any further error, please don't hesitate to post them here and we would be glad to help.

@anna_junet #8444 01:39 AM, 24 Dec 2024

got it.thank your very much.

@5593422848 #8445 07:03 AM, 24 Dec 2024

Joined.

@anna_junet #8446 02:58 AM, 25 Dec 2024

hi.sina. Merry Christmas. Can you answer my question? How to debug application user-mode on hyperdbg?

@HughEverett ↶ Reply to #8446 #8451 03:29 AM, 25 Dec 2024

Hi,
Merry Christmas. 🎄
Actually in HyperDbg, there is no difference between debugging a user mode application or a kernel mode code (by design) since it operates at the hypervisor-level. Though, there are plenty of command and functions that facilitate the user mode debugging like the '.start' command or the other commands for switching into a target process.

@HughEverett ↶ Reply to #8446 #8452 03:31 AM, 25 Dec 2024

So, it's basically about the process memory layout. You can do whatever you want as long as you're in the memory layout of your target process (CR3).

@HughEverett ↶ Reply to #8446 #8453 03:33 AM, 25 Dec 2024

I recommend going through the OpenSecurityTrainings' course for HyperDbg, since there are plenty of examples where we used HyperDbg for debugging user mode applications:

https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Dbg3301_HyperDbg+2023_v1/about

Debuggers 3301: HyperDbg

This class teaches you how to use HyperDbg, a virtualization-based debugger.

@anna_junet #8454 04:02 AM, 25 Dec 2024

got it.Thank your very much.I'm sorry to bother you in Christmas.

@Mhe1402 #8455 10:54 AM, 25 Dec 2024

Joined.

@7865201591 #8456 10:37 PM, 25 Dec 2024

Joined.

@Alesice #8458 09:32 AM, 28 Dec 2024

Joined.

@HughEverett #8459 05:10 AM, 30 Dec 2024

Starting from the next version (v0.12), the new command for dump IDT entries will be added to HyperDbg. You can test it on the 'dev' branch now.

https://docs.hyperdbg.org/commands/extension-commands/idt

photo_2024-12-30_05-10-39.jpg

@HughEverett ↶ Reply to #8459 #8460 05:13 AM, 30 Dec 2024

At this point, we have most of the commands related to handling interrupts, exceptions, and faults. These include !idt for dumping IDT entries, !apic and !ioapic for viewing the state of the Local APIC and I/O APIC in both XAPIC and X2APIC modes, and commands like !exception and !interrupt for intercepting (hooking) interrupts and exceptions.

@HughEverett ↶ Reply to #8460 #8461 05:14 AM, 30 Dec 2024

There are also commands for interrupt redirection of Intel VT-d that will be added in the future versions.

@hyper_dbg #8462 08:31 PM, 30 Dec 2024

Joined.

@IsNerverMore #8463 06:08 PM, 31 Dec 2024

Joined.

@HughEverett #8464 07:38 PM, 31 Dec 2024

Happy New Year, everyone! 🎉🎊

Wishing you an amazing 2025 ahead!

This year, we’re excited to work on adding new features to HyperDbg, including support for PCI Express, UEFI, and firmware debugging. As always, your contributions are greatly appreciated!

@HughEverett ↶ Reply to #8464 #8465 07:38 PM, 31 Dec 2024

None

@S4l3H #8466 07:58 PM, 31 Dec 2024

Happy new year HyperDbg Family! 🤝
Hope we all learn more stuff👉, level up 🌡, and do amazing projects in 2025! 👍

@AleeAmini #8467 09:15 PM, 31 Dec 2024

Happy new year guys🎄🎄😘

2025

2024

2023

2022

2021

2020