- 01 June 2025 (2 messages)
-
Thank you for your reply. I will do my best to debug serial communication as I have two hosts with RS232.
-
Great. Thanks
- 02 June 2025 (8 messages)
-
Joined.
-
How do I open the UI file? I didn't find the corresponding exe.
-
Or do I need to compile it myself?
-
Joined.
-
I'm not aware of the current state of the GUI. You should ask its original author on GitHub.
-
He is also a Chinese guy so you can also contact him directly.
-
Interesting project and blog post, related to hypervisors:
https://secret.club/2025/06/02/hypervisors-for-memory-introspection-and-reverse-engineering.html
-
Good quality material. Invalidating TLB and EPT caches is not really accurate though :P
- 03 June 2025 (27 messages)
-
Are there people here who understand the xHCI controller well? I have a question about the Event Ring and Transfer Ring.
-
[discord] <unrustled.jimmies> [reply]: hmm, yeah.
```
invept_all_contexts();
This call performs an All Contexts invalidation, instructing the CPU to discard all EPT-derived translations for the current EPT pointer (EPTP).
```
It sounds like they meant to use `Single-context invalidation`, since I don't think they are using multiple EPTPs per LP, which would align with their explanation. (I could be wrong here.)
-
Hi! Just hit it here. People who know might not be sure they are xhci experts or not.
-
Good job! You’re a careful reader! The author seems to be missing the dual-tagged (combined) mappings.
-
What I’m saying is invvpid also might be used to flush EPT cache.
-
Invept all contexts is the safest option, but it has a noticeable performance penalty.
-
The difference between invvpid and invept is that invept also flushes the mid-level page table entry caches.
-
But if the PML4, PDPTEs and PDEs don't change, invvpid is enough.
-
ok, thanks bro
-
Sure. Send the PR. I'll check once I have access to my laptop.
-
[discord] <unrustled.jimmies> This might just be happening to me, but asking here: when you folks are running HyperDbg or any other HV with EPT hooks on kernel functions (like hvfs with its default EPT hook on ExAllocatePoolWithTag in the reference impl), do you see high system interrupts in Task Manager? Even with just a hook on ExAllocatePoolWithTag, it goes up to 80% until I kill the HV.
Nothing conclusive from Intel VTune (I can't get to this view https://www.intel.com/content/www/us/en/docs/vtune-profiler/user-guide/2023-0/analyzing-interrupts.html).
Using WPR it looks like it could be iCUE, but I'm guessing other folks have iCUE/RGB stuff on their PC and use the HV, so I want to check if it happens to you as well. (I haven't looked into this deeply yet.)
https://imgur.com/a/w8cOj4V
-
Where did you get vtune? :)
-
So what's happening here is that the CPU is spending its time in VMX root mode and the guest has no idea about it
-
So it just counts the lost time as spent in interrupts
-
[discord] <unrustled.jimmies> [reply]: I downloaded the full oneAPI Base Toolkit, I think.
-
Oh, a public version, I see
-
[discord] <unrustled.jimmies> [reply]: ah, so it's just expensive VM exits showing up as interrupts
-
VM exits + VM exit handling code and everything related to VMX root mode
-
[discord] <unrustled.jimmies> got it, I'll take a look into this given that info
-
To be more precise, it depends on the execution context during the VM exit
-
so the load might be spread around different applications in the case of breakpoints
-
But you got the idea
-
[discord] <unrustled.jimmies> [reply]: yep.
- 04 June 2025 (4 messages)
-
Why was that? I'm trying to install the driver, but it fails. I used a physical PC and connected the debugger by serial port.
-
My computer is Win10.
-
Did you run HyperDbg (on the debuggee side) with administrator (UAC) privileges? Can you first run it in VMI mode (local debugging) to see whether it's working or not? (.connect local and then load vmm)
-
@zuypt thanks for the PR.
I have a question: do you expect the time in microseconds in the 'microsleep' function of the script engine? Am I getting it correctly?
- 08 June 2025 (1 messages)
-
[discord] <unrustled.jimmies> Has anyone gotten HyperDbg remote debugging to work with a serial USB cable https://www.amazon.com/dp/B0DJF3WR4K or does it need to be an actual serial cable? My PC detects it and sets it up as a COM port. (Ignore the COM5; hdbg only goes up to COM4 and I changed it to COM2 before running.)
https://cdn.discordapp.com/attachments/962350355839066130/1381408560096739438/Screenshot_2025-06-08_114331.png?ex=6847687a&is=684616fa&hm=fddeb3631f372164352377c9fcec4709505a4fdbb5803d9ced9813b1ce989523&
- 09 June 2025 (23 messages)
-
It has to be an actual serial cable with an actual serial port on the target side. Otherwise it is natively a USB device, so HyperDbg would need a USB driver, which is a whole different story.
-
[discord] <unrustled.jimmies> [reply]: got it, unfortunately my PC is too modern, so I will also need a serial port PCIe card.
-
It won’t help either, sorry. It has to be a built-in one, good old 3F8 port-based.
-
Can you check out the pulsedbg SDK and see if it fits your goals? If so, we can try and debug the multi-core startup issues.
-
[discord] <unrustled.jimmies> [reply]: Yeah, I wouldn't mind trying to get pulsedbg to work since I can use that as well, plus it would be a good learning experience.
I bought the following for another reason (DCI stuff) but it hasn't arrived yet - https://www.datapro.net/products/usb-3-0-super-speed-a-a-debugging-cable.html - I'm guessing this will work on pulse as the standard USB 3.0 debugging cable.
Can pulsedbg work with this one as the serial (I already have this one on hand)? If not, I'll just have to wait for the USB debug cable - https://www.amazon.com/dp/B0DJF3WR4K
-
It’s the right cable, yeah! It makes sense to wait for it to arrive since it would also be easier to collect pulsedbg logs with it.
Were you planning to use DCI? Do you have the SourcePoint debugger or Intel System Studio?
-
[discord] <unrustled.jimmies> I have the Intel one right now (there are no public boards that support Arrow Lake rn, so someone said he can help me enable DCI on my board, we'll see) but I might get SourcePoint as well since I heard about it on a recent security stream (Off By One) and the blogs they are posting are the kind of stuff I want to do https://www.asset-intertech.com/resources/blog/
-
Yeah, you won’t be able to debug Arrow Lakes, just the boards supported by SourcePoint. I also experienced odd behaviour from the SourcePoint crew - they refused to sell it to me without explanation. Hopefully you will be able to buy it.
But nevertheless, even if you had the Intel System Debugger NDA, you still would not be able to debug platforms newer than Raptor Lake due to a new debugging protection architecture. Sad, I know.
-
[discord] <unrustled.jimmies> yeah, at this point I'm willing to change the CPU variable to something that works.
-
[discord] <unrustled.jimmies> I spoke to Alan Sguigna from SourcePoint over email and he mentioned they would have full ARL support by the end of July, so we'll see if that actually ends up happening or not, based on the new debugging protection architecture you just mentioned.
They claim to already have some ARL support now (he said you need a motherboard that works for it - https://www.asset-intertech.com/wp-content/uploads/2025/04/ReadMe-SourcePoint-Intel-7.12.68.pdf which can only be gotten with an NDA with Intel rn)
```
These will all be complete for ARL in our G17 release, targeted for end of July.
```
-
Also bear in mind that using JTAG is no fun. It is very unstable and slow. It is worth it for debugging very specific small pieces of code. The only advantage I see is that it can trap VMX transitions.
-
I guess it has to be a specific debug platform then
-
[discord] <unrustled.jimmies> Yeah, weird that they wouldn't sell to you since their new marketing angle seems to be security/malware analysis/windows internals.
-
It is. I tried contacting them several times but looks like they banned me or something, they just don’t reply anymore. No explanation given.
-
It pisses me off a bit since I literally work at Intel lol
-
[discord] <unrustled.jimmies> "large public company" = doesn't make sense trying to reason about it since im not sure if they even know why they can't sell to you.
-
[discord] <unrustled.jimmies> have you tried recently, since that was 3 years ago?
-
I did, a year ago. They just don’t reply
-
But I don’t need source point that much to beg them :)
-
[discord] <unrustled.jimmies> [reply]: haha yeah.
-
Joined.
- 10 June 2025 (5 messages)
-
[discord] <inflearner> Hi guys,
Did anyone manage to load Easy Anti-Cheat with HyperDbg loaded?
Even with !hide (which got improved recently), I get a BSOD.
-
HyperDbg from its very first release (v0.1) supports hooking memory. Support for full debugging in VMI mode is on the priority list but not done yet. In the next release we will introduce our new platform for improved transparent (hidden) debugging of nested virtualization environments (it's a work in progress).
-
The '!hide' command (and the transparent mode) is completely redesigned. Starting from the next release, you will see a new project added to HyperDbg to support new (improved) anti-debugging and anti-hypervisor techniques.
-
[discord] <inflearner> [reply]: Goated! Thanks man.
I checked out the hyper-evade branch; I guess the features you are talking about are there.
I get a BSOD on !hide.
Is it normal? I can debug if needed.
-
Yes, but the hyperevade branch is not yet merged into the 'dev' branch. So you need to wait until we finish testing it and creating automatic tests. Right now it's normal to see a BSOD since it's not tested yet.