Hi guys , hope your year will be great with a lot of success 🙌 😊 I have a question 😊 I want to increase the number of pre allocated buffers because after some testing I figured out that the maximum is 20 approximate and thanks in advance

Hi,
You can use the 'prealloc' command to preallocate buffers:

https://docs.hyperdbg.org/commands/debugging-commands/prealloc

You can also increase the default number of preallocations using macros in the source code and recompile hyperdbg, but using the 'prealloc' command, you can allocate it without the need to modify the source code. Just remember that this command will run the debuggee for some times, so, you'll lose the context (memory and registers), thus you need to run it before any other commands (maybe once you just start hyperdbg).

Got your point, so it will be more safe to keep track of the whole context change it from the source code probably

Thanks sina for the great explanation

No, I mean by running this command, you'll lose the context (register and memory). You don't need to modify the source code.

HyperDbg has two types of commands. Some commands will lose the context (like the 'prealloc' command) and most of the commands won't lose the context.

Like this one, you can check the 'Remarks' section of the command.

For example this command won't lose the context.

The reason for this is that some commands need interaction with VMX non-root. For example, allocating memory is not possible in the VMX root-mode since paging is disabled (from the OS perspective), so this command will run the debuggee and tries to allocate memory from VMX non-root mode. So, once you run it, the debugger is paused again, and all the registers and memory have been modified.

Ok 👌 got it now! So the hyoerdbg design tried to pre allocated buffers before entring vmx root mode since in this mode memory allocation is not possible or at least safe to request

Yes, and that's why you need to run the 'prealloc' command once you're not using the context (register and memory) when the state of the system is not important for you. For example if you want to use the breakpoint command ('bp'), you probably need to apply your commands immediately while you're expecting HyperDbg to preserve the context (register and memory). In this scenario, if you want to run 'prealloc', HyperDbg will run the debuggee (continue the execution) to allocate buffer for you. So, it's obvious that the registers are changed and you're no longer in the target instruction where you previously put the breakpoint.

So, the easiest way to solve this problem is to preallocate memory before applying any command that the context is meaningful to you. For example, you know that during you debugging journey, you need 1000 more preallocated buffers. So, you preallocate it, then start using other commands like 'bp', etc.

The first HyperDbg release of 2025 is out! 🎉

This version (v0.12) introduces commands for PCI/PCI-e device tree enumeration and IDT dumping, plus many bug fixes.

🔗 Check it out:
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.12

More information:
- https://docs.hyperdbg.org/commands/extension-commands/pcitree

- https://docs.hyperdbg.org/commands/extension-commands/idt

Thanks to Bjorn (he is not in the group), @AMJahangirzad, @binophism, and another contributor whose Telegram account I don’t know.

Great job guys , really appreciate your amazing work

heyy

? .t1 = 0;
? .v = 0;
!monitor x 00D9708D l 2 script {
if ($context == 00D9708D ){
ptr = dd(esp+4);
v0 = db(ptr);
v2 = db(ptr+2);
if (v0 == c1 && v2 == e8){
for (i = 0; i < 20; i++){
ptr = dd(esp+4);
printf("%x ",db(ptr+i));
}
printf("\n");
v4 = db(ptr + 4);
printf("v4 = %x \n", v4);
if (.v < 5) {
.v = .v + 1;
while (.t1 < 90000000){
.t1 = .t1 + 1;
}
printf("after timeout\n");
.t1 = 0;
eip = 00D96EC0;

} else {
.v = 0;
}
}

}
}

always ends with
(19:09:53.695 - core : 0 - vmx-root? yes) [+] Information (DebuggerPerformRunScript:1661) | err, exceeding the max execution count

any clue ?

output:

debuggee is running...
c1 7 e8 16 11 f6 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
v4 = 11
(19:09:53.695 - core : 0 - vmx-root? yes) [+] Information (DebuggerPerformRunScript:1661) | err, exceeding the max execution count

so it does not reach printf("after timeout\n");

if i take out while loop, its just fine

Sorry for the late response. Actually this limitation was added previously based on your suggestions. I think @xmaple555 adds it after you report, you have problem getting out of script.

In order to fix it, you can change this value in the source code and recompile HyperDbg:
https://github.com/HyperDbg/HyperDbg/blob/136ba94c293558410cce8994f24460d3760d50b8/hyperdbg/include/SDK/headers/Constants.h#L568

Basically, it only indicates the maximum number of operations allowed for each script.

Hello to everyone

hm, ok.. sounds a bit weird way to get out of script :D

my problem tha ctrl c does not break loop..

if im not mistaken

Yes, but the script engine is running completely independent to the debugger. There is not communication between the script engine and the script engine (other than when the script engine wants to send a message e.g., using printf).

So, it's basically not possible doing that based on the current design.

It's been a while since we passed 3,000 stars on GitHub, but we couldn’t let it go uncelebrated! 🌟🎉

We raise our glass to the awesomest community and those who supported and contributed to HyperDbg. 🍾🥂

https://github.com/HyperDbg/HyperDbg

im in love with that, thanks @Intel80x86

are there any templates for writing and reading memory via ept?

What do you mean by template? What kind of template?

I have a student. He has a diploma on code deobfuscation. I took the hypervisor project from scratch part 8 and would like to add functions for reading and writing to memory via the ept table (this seems to be how hidden hooks work in hyperdbg).

The implementation of monitor hooks in hypervisor from scratch does not work in many scenarios. Over the time, we redesigned it several times to fit for a proper use.

You need to use HyperDbg's implementation for a real world scenario, hypervisor from scratch is just for educational purposes.

I can definitely confirm that

I was working on a real world scenario

With hypervisor from scratch

And i figure out that hyperdbg is much more optimized

Example, if you compare the caching policy in the page table level 2 you will see that hypervisor from scratch put some hypothesis about the nature of memory and that hurt the performance...

Not like hyperdbg

I wanted to try to write\read stealthily into the user mode process memory.

[discord] <fredfredmail4gpt_24979> Issue: The debugging environment is not working stably.
Sometimes, it works fine for tens of commands, but at other times, it crashes or gets stuck after running a simple command like 'process list.' In worse cases, it freezes completely and becomes unresponsive even without any operation. When these issues occur, I have to restart the debuggee OS.
These problems happen frequently, making it very difficult for me to use the debugging environment. I’d like to know if anyone else has experienced similar issues and how I can identify the root cause of these problems.
Any help or advice would be greatly appreciated! Thanks!

Enviroments
Debugger:
CPU: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz 2.70 GHz
OS: Windows 10 Professional 22H2
Netcard adapter: Realtek VEN_10EC&DEV_8168
Debuggee:
VMWare Workstation 15.5.1 build-15018445
VMOS：Windows 10 Professional 22H2
Hyperdbg Version: v0.11.0
Disable Driver Signature Enforcement method: windbg with KDNET setting up manually.

Hi,
I think it should be related to the version of the VMware. You're using a really old version of VMware Workstation. I remember we also had similar issues with VMware Workstation v16, but all of them are fixed with VMware Workstation v17. Please update your VMware Workstation (VMware Workstation is free).

Other than that, your processor is also a little bit old (which is not an issue of course), but there might be some unexpected behaviors since this is a processor that has the original spectre/meltdown patch and honestly, we didn't test any of the newer versions of HyperDbg on these processors for almost 4 years. So, I suggest to use HyperDbg in a newer processor (if you have access) otherwise it's fine.

[discord] <fredfredmail4gpt_24979> [reply]: in fact, I have built another enviroment ,but met the same issue.
it's CPU is I5-10400, and vmware is v17. OS is win11

What kind of command did you use? Is it on the debugger mode or the VMI mode?

[discord] <fredfredmail4gpt_24979> [reply]: The system is in debugger mode, and the debuggee unexpectedly gets stuck. This doesn't occur due to any specific command; sometimes, it freezes completely and becomes unresponsive even without any user interaction. For example, when I first start the debugging environment, everything works fine. However, after a short period, the hyperdbg-cli.exe debugger becomes unresponsive and cannot be operated, even after repeatedly pressing "Ctrl + C." Additionally, the hyperdbg-cli.exe debuggee cannot be terminated via the OS Task Manager.

Hello, how can I compile HyperHV into a .sys file?

@HyperDbgBot Hello, how can I include the Hook.h file in hyperdbg_driver?

[discord] <fredfredmail4gpt_24979> issue: why the events be disabled automatically?
the target process is running and invoke "syscall" repeatly. But the "syscall" hook be triggered for just a few times, then it's doesn't work. after "Ctrl+C", the "events" command shows that the "syscall" event become disabled. please view the detail in the attached log file. I'm not sure if there are something wrong for me? any advice would be greatly appreciated! Thanks!
https://cdn.discordapp.com/attachments/962350355839066130/1329800035185201152/syscall_log.txt?ex=678ba84a&is=678a56ca&hm=37c5a5ad89aec8441bcd7f401a0520db824c21a5f1a28bd9b3563601e4078238&

You shouldn't close the HyperDbg's process using Task Manager. HyperDbg has a driver that needs to be unloaded properly, otherwise, the hypervisor is still operating on your system (a restart of course will fix the problem).

And it's also super weird, none of us have the similar issue. You need to provide me with more low-level details (like a crash log from WinDbg), so I could better find the problem. More information is needed.

Did you see a BSoD at some points?

You can change the configuration type, but it's not recommended. This driver is a DLL (library) not a kernel driver. It does not have IOCTL handler. You can import hyperhv in your project as DLL.

What is Hook.h? Is it your header file or a HyperDbg header file (possibly from SDK)?

I have two guesses for this:

1) You might be using an older driver version along with a newer cli version.
Unfortunately, HyperDbg does not check the driver version with the user-mode application (this is on the to-do list; I have to implement it). So, you might be using HyperDbg that was not unloaded properly from the old versions (e.g., if you restart or close HyperDbg from the task manager). To solve this, run HyperDbg, connect to it in the VMI Mode, then unload and remove the driver.

.connect local
load vmm
unload remove vmm
.disconnect
.exit

And then load HyperDbg again.

—————————————

2) My second guess is that there is any anti-debugging, or hypervisor method running in your system.

—————————————-

3) The !syscall command is not supported in your system (as we mentioned in the documentation). To fix it, you might start using the '!epthook' instead as described here:

https://docs.hyperdbg.org/commands/extension-commands/syscall#alternative-method-for-syscall-interception

—————————————

Please check these solutions and let me know if you still have errors.

Thank

Ask a question. When using SyscallHook, is it more efficient to have an EPT table for each core or to use one EPT table for all cores?

Having a single EPTP is not guaranteed to intercept all hooks since there might be race conditions specially if the rate of execution is high. You need use a multiple EPTP approach (which by default HyperDbg uses multiple EPTPs)

@HughEverett Thank you for your answer. How can I modify Hypervisor-From-Scratch to use multiple EPTPs?

There is not a single line to change, tons of modifications and redesigning EPT hooks have been made. You should not use Hypervisor From Scratch for a real-life scenario. You need to use HyperDbg for that.

@HughEverett The Chinese New Year is approaching, happy New Year.

[discord] <halbgefressen> Hi guys! I am trying to debug an application in VMI mode with the user mode debugger. When I'm trying to attach to an app, the system starts to spinlock and becomes extremely unresponsive. I do not need to break the user mode program, I only need a monitor on an address.

I'm running the debuggee system on an Intel laptop with EFIGuard. Vanguard Anticheat is installed, but I kill it manually before starting HyperDbg. HVCI is disabled according to System Information. Did I oversee something?

[discord] <halbgefressen> ahh, and one time I got this error message from Windows.
https://cdn.discordapp.com/attachments/962350355839066130/1331562088631373876/PXL_20250120_112719416.jpg?ex=67921155&is=6790bfd5&hm=c60b537a8c5d2f82f53c225e1eaa4c65fb60d52ccf6159af0d71417e6f97cea8&

Happy Chinese New Year to you and all Chinese members of the group as well! May this year bring everyone happiness and success. 🎉🎊❤️

And also happy new year to my friend Tony. 😉

This feature is by default disabled and not yet completed. You need to debug your application in the Debugger Mode. Not VMI mode.

[discord] <halbgefressen> [reply]: What is missing for the feature to be completed? I'd be willing to contribute, but haven't found a roadmap or anything of that kind.

Well, at first we decided to implement it using the execute disable bit of the regular OS page-tables because skylake and older processors don't support MBEC. But the result was not satisfying and the implementation wasn't stable. Later we implement the support of '!mode' command with MBEC and it was okay but never really port it to the user debugger in VMI Mode.

Other than that, the approach that we used at that point was not good. We allocate a buffer into the target process which was not a good idea at all. The only solution at that point was using different EPTPs (EPT page tables) for each core to avoid allocating memory on the target process but at that time, HyperDbg only supports a single EPTP. Now, HyperDbg runs on a multiple EPTP environment but again, didn't find time to port it to the user debugger in the VMI mode.

I think this is something that I need to implement since it's a little bit complicated (not the hypervisor part of course), the thing is you probably need to spend a lot of time understanding how I implement it which might be tedious. So, I recommend using the full feature Debugger Mode for now. Or if you want to contribute anything, there are tons of remaining tasks available here:
https://github.com/HyperDbg/HyperDbg/blob/master/CONTRIBUTING.md

[discord] <halbgefressen> Thanks, it seems like I'll have to use the full feature debugger mode then. Gotta figure out how to attach via serial on a machine without a serial port :P

the user-mode debugger in VMI Mode is still in the beta version and not stable. we decided to exclude it from this release and release it in future versions. if you want to test the user-mode debugger in VMI Mode, you should build HyperDbg with special instructions. But starting processes is fully supported in the Debugger Mode.
(it's not recommended to use it in VMI Mode yet!)

I can't get over this error

[discord] <halbgefressen> [reply]: did you read the error message?

I can't get out of vmi mode. I can't start as userdbug.

What are good resources to learn modern hypervisor details? Sina s articles are out of date, it seems

Hypervisor from scratch

Intel Software Developers Manual, vol 3, chapters 25-32. There can't be any better documentation.

It needs modifying and recompiling source code.

Hypervisor From Scratch is out of date? 🤨

It's still valid and works.

Compiled Should I delete it and recompile it?

Yes, but as the command message implied, it's better not to use it.

If you want to use HyperDbg and all of its features, it's better to use it in the Debugger Mode.

Not VMI mode.

My device is UEFI patched, if I install the EFI loader, there won't be any problems with my UEFI settings, right?

I am using both Kali and Windows on my device with Linux Grub boot, Grub won't affect it, right? Also, is there a problem if I use hyperdbg with NT authorization?

Does hyperdbg bypass protection software like enigma and vmprotect?

I ask a lot of questions The result of my learning effort. Can we analyze USB transfers with Hyperdbg?

Is it possible to make a USB monitor?

Nope. HyperDbg doesn't use anything from your UEFI firmware.

HyperDbg doesn't do anything with your bootloader (Grub)

You might be able to do that, we didn't test it recently. Or maybe some modifications in the source code could work on these packers.

Yes, HyperDbg could be used for monitoring both port mapped I/O devices using (!ioin and !ioout) command and you can monitor memory mapped devices using the !monitor command.

Also, for your information, one of my friends made a new command (not yet pushed into the github but will be available in the coming week), that enumerates PCI/PCI-e bars.

So, you can use it to find external devices (PCIe).

Very good

USB itself is not a PCIe device (it could be but it's not the case most of times), but USB xHCI uses the PCIe interface for the configuration (if I remember correctly). So, you could use the new command for getting further information or modify USB controller.

Based on your videos about Hyperdbg, it looks like we're going to see the software packaged and free of obfuscated code. Am I misunderstanding?

software packaged and free of obfuscated? 🤨

Yes

Is it my slide?

I don't remember this one and it's not meaningful for me. Where did you see it?

The software opens in memory, there was information that you went down to the bottom layer in the video, shouldn't this be free of packers and mixers?

Video da ki dökümanlarda...

again, don't have any idea about this one. You probably talking about a video from another person.

The video is mine, but this figure is different

It seems to be an OS-specific figure rather than Intel layers.

Is the plugin in Xdbg yours too?

Hyperhide

Air14 (Air) · GitHub
https://github.com/Air14

No, not mine.

Read what I said

@instw0 I think this PR will fix your long standing demand for fixing the anti-hypervisor method of executing trap flags after VM-exit (e.g., CPUID+Trap Flag). Can you please check it?

https://github.com/HyperDbg/HyperDbg/pull/497

yes, of course

I forgot to say that by default this feature, and other anti-anti-hypervisor and anti-anti-debugging are not activated once you load HyperDbg.

In order to activate them, you need to use the '!hide' command.

https://docs.hyperdbg.org/commands/extension-commands/hide

So, it basically means that, run the '!hide' command before testing it to enter the transparent mode.

[discord] <dfs9096> Hi! Has anyone tried using Hyperdbg to debug anti-cheats? (Specifically EAC)
Did they detect you?

[discord] <._carter> [reply]: I don't believe EAC is as easily fooled by hvs as it was a few years ago.

[discord] <._carter> Is there written documentation that is "Here is what to do, here is how to do it, here is an example of doing it on a dummy application"?

I appreciate the YouTube videos being made, but there's quite a many of them and they aren't as digestible as written text.

You can follow HyperDbg tutorial on OST2 website:

https://ost2.fyi/Dbg3301

There you could find videos + exercises + source code of examples and other resources.

[discord] <t0int> I think this should be added to documentation:
If you have virtualization enabled in your bios and it still shows VT-x is disabled, you should check the "Turn Windows features on or off" for disabling virtualization

I occured this issue myself, i had VT-d and virtualization enabled in my BIOS but it gave an error that VT-x was disabled.
I checked system information and it showed this: "A hypervisor has been detected. Features required for Hyper-V will not be displayed."
after disabling virtualization stuff in "Turn Windows features on or off" the system information showed Hyper-V stuff and it showed VT-x is on.

That's a good suggestion, I'll try to add it to the documentation.

This also breaks WSL2 btw

[discord] <t0int> yes it does

[discord] <t0int> i didnt check disabling what makes it work, i just disabled everything about virtualization

HyperDbg is not compatible with WSL.

Basically it's not compatible with whatever relates to hyper-v, since HyperDbg needs to use VMX instructions on the target system and hyper-v/VBS does not allow it.