- 01 June 2025 (2 messages)
-
Thank you for your reply. I will do my best to debug serial communication as I have two hosts with RS232.
-
Great. Thanks
- 02 June 2025 (8 messages)
-
Joined.
-
How do I open the UI file? I didn't find the corresponding exe.
-
Or do I need to compile it myself?
-
Joined.
-
I'm not aware of the current state of the GUI. You should ask its original author on GitHub.
-
He is also a Chinese guy so you can also contact him directly.
-
Interesting project and blog post, related to hypervisors:
https://secret.club/2025/06/02/hypervisors-for-memory-introspection-and-reverse-engineering.html
-
Good quality material. Invalidating TLB and EPT caches is not really accurate though :P
- 03 June 2025 (27 messages)
-
Are there people here who understand the xHCI controller well? I have a question about the Event Ring and Transfer Ring.
-
[discord] <unrustled.jimmies> [reply]: Hmm, yeah.
```
invept_all_contexts();
This call performs an All Contexts invalidation, instructing the CPU to discard all EPT-derived translations for the current EPT pointer (EPTP).
```
It sounds like they meant to use `Single-context invalidation`, since I don't think they are using multiple EPTPs per LP, which would align with their explanation. (I could be wrong here)
-
Hi! Just hit it here. People who know might not be sure whether they are xHCI experts or not.
-
Good job! You’re a careful reader! The author seems to be missing the dual-tagged (combined) mappings.
-
What I’m saying is that invvpid might also be used to flush the EPT cache.
-
Invept all-contexts is the safest option, but it has a noticeable performance penalty.
-
The difference between invvpid and invept is that invept also flushes the mid-level page-table entry cache.
-
But if the PML4, PDPTE and PDE entries don’t change, invvpid is enough.
-
OK, thanks bro
-
Sure. Send the PR. I'll check once I have access to my laptop.
-
[discord] <unrustled.jimmies> This might just be happening to me, but asking here: when you folks are running HyperDbg or any other HV with EPT hooks on kernel functions (like hvfs with its default EPT hook on ExAllocatePoolWithTag ref impl), do you see high system interrupts in Task Manager? Even with just a hook on ExAllocatePoolWithTag, it goes up to 80% until I kill the HV.
Nothing conclusive from Intel VTune (I can't get to this view https://www.intel.com/content/www/us/en/docs/vtune-profiler/user-guide/2023-0/analyzing-interrupts.html).
Using WPR it looks like it could be iCUE, but I'm guessing other folks have iCUE/RGB stuff on their PC and use the HV, so I want to check if it happens to you as well. (I haven't looked into this deeply yet)
https://imgur.com/a/w8cOj4V
-
Where did you get VTune? :)
-
So what's happening here is that the CPU is spending its time in VMX root mode and the guest has no idea about it.
-
So it just counts the lost time as spent in interrupts
-
[discord] <unrustled.jimmies> [reply]: I downloaded the full oneAPI Base Toolkit, I think.
-
Oh, a public version, I see
-
[discord] <unrustled.jimmies> [reply]: Ah, so it's just expensive VM exits showing up as interrupts.
-
VM exits + VM-exit handling code and everything related to VMX root mode.
-
[discord] <unrustled.jimmies> Got it, I'll take a look into this given that info.
-
To be more precise, it depends on the execution context during the VM exit.
-
So the load might be spread around different applications in the case of breakpoints.
-
But you got the idea
-
[discord] <unrustled.jimmies> [reply]: Yep.
- 04 June 2025 (4 messages)
-
Why was that? I'm trying to install the driver, but it fails. I used a physical PC and connected the debugger by serial port.
-
My computer is Win10.
-
Did you run HyperDbg (on the debuggee side) with administrator (UAC) privilege? Can you first run it in VMI mode (local debugging) to see whether it's working or not? ('.connect local' and then 'load vmm')
-
@zuypt thanks for the PR.
I have a question: do you expect the time in microseconds in the 'microsleep' function of the script engine? Am I getting it correctly?
- 08 June 2025 (1 messages)
-
[discord] <unrustled.jimmies> Has anyone gotten HyperDbg remote debugging to work with a serial USB cable https://www.amazon.com/dp/B0DJF3WR4K, or does it need to be an actual serial cable? My PC detects and sets it up as a COM port. (Ignore the COM5; hdbg only goes up to COM4 and I changed it to COM2 before running.)
https://cdn.discordapp.com/attachments/962350355839066130/1381408560096739438/Screenshot_2025-06-08_114331.png?ex=6847687a&is=684616fa&hm=fddeb3631f372164352377c9fcec4709505a4fdbb5803d9ced9813b1ce989523&
- 09 June 2025 (23 messages)
-
It has to be an actual serial cable with an actual serial port on the target side. Otherwise it is a natively USB device, so HyperDbg would need a USB driver, which is a whole different story.
-
[discord] <unrustled.jimmies> [reply]: Got it; unfortunately my PC is too modern, so I will also need a serial port PCIe card.
-
It won’t help either, sorry. It has to be a built-in one, the good old 3F8 port-based kind.
-
Can you check out the PulseDbg SDK and see if it fits your goals? If so, we can try to debug the multi-core startup issues.
-
[discord] <unrustled.jimmies> [reply]: Yeah, I wouldn't mind trying to get PulseDbg to work, since I can use that as well, plus it would be a good learning experience.
I bought the following for another reason (DCI stuff) but it hasn't arrived yet - https://www.datapro.net/products/usb-3-0-super-speed-a-a-debugging-cable.html - I'm guessing this will work on Pulse as the standard USB 3.0 debugging cable.
Can PulseDbg work with this one as the serial (I already have this one on hand)? If not, I'll just have to wait for the USB debug cable - https://www.amazon.com/dp/B0DJF3WR4K
-
It’s the right cable, yeah! It makes sense to wait for it to arrive, since it would also be easier to collect PulseDbg logs with it.
Were you planning to use DCI? Do you have the SourcePoint debugger or Intel System Studio?
-
[discord] <unrustled.jimmies> I have the Intel one right now (there are no public boards that support Arrow Lake right now, but someone said he can help me enable DCI on my board, we'll see), but I might get SourcePoint as well since I heard about it on a recent security stream (Off By One), and the blogs they're posting are the kind of stuff I want to do https://www.asset-intertech.com/resources/blog/
-
Yeah, you won’t be able to debug Arrow Lake, just the boards supported by SourcePoint. I also experienced odd behaviour from the SourcePoint crew: they refused to sell it to me without explanation. Hopefully you will be able to buy it.
But nevertheless, even if you had the Intel System Debugger NDA, you still would not be able to debug platforms newer than Raptor Lake due to a new debugging protection architecture. Sad, I know.
-
[discord] <unrustled.jimmies> Yeah, at this point I'm willing to change the CPU variable to something that works.
-
[discord] <unrustled.jimmies> I spoke to Alan Sguigna from SourcePoint over email and he mentioned they would have full ARL support by the end of July, so we'll see if that actually ends up happening or not, based on the new debugging protection architecture you just mentioned.
They claim to already have some ARL support now (he said you need a motherboard that works for it - https://www.asset-intertech.com/wp-content/uploads/2025/04/ReadMe-SourcePoint-Intel-7.12.68.pdf - which can only be gotten with an NDA with Intel right now)
```
These will all be complete for ARL in our G17 release, targeted for end of July.
```
-
Also bear in mind that using JTAG is no fun. It is very unstable and slow. It is worth it for debugging very specific small pieces of code. The only advantage I see is that it can trap VMX transitions.
-
I guess it has to be a specific debug platform then
-
[discord] <unrustled.jimmies> Yeah, weird that they wouldn't sell to you, since their new marketing angle seems to be security/malware analysis/Windows internals.
-
It is. I tried contacting them several times, but it looks like they banned me or something; they just don’t reply anymore. No explanation given.
-
It pisses me off a bit since I literally work at Intel lol
-
[discord] <unrustled.jimmies> "Large public company" = it doesn't make sense trying to reason about it, since I'm not sure if they even know why they can't sell to you.
-
[discord] <unrustled.jimmies> Have you tried recently, since that was 3 years ago?
-
I did, a year ago. They just don’t reply.
-
But I don’t need source point that much to beg them :)
-
[discord] <unrustled.jimmies> [reply]: Haha, yeah.
-
Joined.
- 10 June 2025 (18 messages)
-
[discord] <inflearner> Hi guys,
Did anyone manage to load Easy Anti-Cheat with HyperDbg loaded?
Even with !hide (which got improved recently), I get a BSOD.
-
HyperDbg from its very first release supports hooking memory (v0.1). The support for full debugging in VMI mode is on the priority list but not done yet. Next release we will introduce our new platform for improved transparent (hidden) debugging of nested virtualization environments (it's a work in progress).
-
The '!hide' command (and the transparent mode) is completely redesigned. Starting from the next release, you will see a new project added to HyperDbg to support new (improved) anti-anti-debugging and anti-anti-hypervisor techniques.
-
[discord] <inflearner> [reply]: Goated! Thanks man.
I checked out the hyper-evade branch; I guess the features you are talking about are there.
I get a BSOD on !hide.
Is it normal? I can debug if needed.
-
Yes, but the hyperevade branch is not yet merged into the 'dev' branch. So, you need to wait until we finish testing it and creating automatic tests. Right now, it's normal to see a BSOD since it's not tested yet.
-
Actually, for this specific case, the modifications are so extensive that if I keep it in the above-mentioned branch, it might cause a lot of git conflicts for our other contributors. I'm going to merge it into the 'dev' branch, but please don’t use it until we merge it into the 'master' branch and release v0.14.
-
[discord] <unrustled.jimmies> Hugh, do you folks have a Kanban board or something where you are planning next features / deciding what to work on now/next, or do individuals pretty much do their own thing? If so, I wouldn't mind picking up some tasks.
-
I'll have some tasks for you once the USB debug cable arrives ;)
-
Just kidding
-
[discord] <unrustled.jimmies> I just got it today, actually; I can take a look at PulseDbg now as well.
-
[discord] <unrustled.jimmies> Just got off work.
-
Oh wow, nice
-
[discord] <inflearner> [reply]: Make HyperDbg's hiding mode not blue screen when EAC launches X)
-
[discord] <unrustled.jimmies> Yeah, I live like 10 mins away from DataPro, but I selected shipping, so it took 4 days to get here.
-
If I use Debugger mode (serial) instead of VMI, will I see system errors before the BSOD, or the same as in VMI?
-
Generally speaking, HyperDbg should show you something whenever you're using serial (in the debugger mode). So, in most cases, HyperDbg shows a message. If you couldn't see any message, either an unhandled error happened in HyperDbg, which (hopefully) WinDbg catches and could show with !analyze -v, or the overall processor (system) went into a hanging state, which is harder to diagnose.
-
Thanks, I'll try it out.
It's because I get a BSOD when EAC loads. I'm sure the next updates you talked about will fix it.
Probably EAC is trying to detect some HVs with obscure methods.
-
Is it when you use the '!hide' command, or just normally when HyperDbg is running?
- 11 June 2025 (3 messages)
-
Both with and without !hide.
On the master and dev branches.
-
Joined.
-
Without !hide, it seems to be a bug. They definitely do something dirty with HyperDbg that crashes the system. So, if you have more details, like a crash analysis (!analyze -v), please send it to us. We'll fix it, or you can also fix it yourself and create a PR on GitHub.
- 12 June 2025 (4 messages)
-
You can partially get past this by starting HyperDbg after EAC has initialized.
-
The crasher refires after ~5 minutes or so.
-
But you might get some more concrete info after that point.
-
Hey! 👋
Just a friendly reminder, let’s please avoid discussing topics related to anti-cheat bypass with HyperDbg here. Thanks for understanding. 🙂
- 13 June 2025 (1 messages)
-
Joined.
- 14 June 2025 (1 messages)
-
Joined.
- 16 June 2025 (1 messages)
-
- 17 June 2025 (1 messages)
-
[discord] <unrustled.jimmies> Any interesting uses for HLAT for hypervisor-based debugging anyone has taken a look at? (Just started reading up on this, so I could be misunderstanding the use case here.)
One case I can think of is that EPT allows shadow hooks, but we still need an executable PTE visible in the guest. Or if we want to have executable code, but if anything tries to read it, it would see all 0s for example, but the page permissions need to still be executable, which would look a bit weird for anything scanning for this (why is this page executable but all 0s?).
HLAT + EPT seems like it would allow stealth hooks/stealth execution + stealth PTEs as well.
https://static.sched.com/hosted_files/osseu2020/ce/LSSEU20_kernel%20integrity%20enforcement%20with%20HLAT%20in%20a%20virtual%20machine_v3.pdf
https://techcommunity.microsoft.com/blog/windowsosplatform/protecting-linear-address-translations-with-hypervisor-enforced-paging-translati/4399739
- 18 June 2025 (10 messages)
-
On use of the monitor command with a PID for a valid process in the debuggee VM, I am getting the following error:
err, you cannot specify process id while the debugger is paused in the debugger mode. You can use the '.process' or the '.thread' command to switch to the target process's memory layout (c0000040)
-
Joined.
-
Joined.
-
It's not really an error; in the debugger mode, since the system is frozen, you cannot put monitor or EPT hooks on the target process by process ID.
-
Since once you pause the debugger, it's in the memory layout (CR3) of the HyperDbg process (not your target process).
-
As the error message suggests, just use either the '.process' or '.thread' command to switch to your target process memory layout before applying the hook.
-
OK, thank you. So I need to be in that process context before using the !monitor command.
-
Yes (in the debugger mode). In the VMI mode, it's not needed.
- 19 June 2025 (1 messages)
-
Joined.
- 20 June 2025 (5 messages)
-
@HughEverett Congrats! Your channel is big enough for spammers.
-
Why can't HyperDbg's VM-exit handler use DbgPrintEx and these Windows APIs?
-
As @HughEverett explained in the blog post, it's because this function is not compatible with all IRQLs. IRQL might not be a good term to use. A better way of explaining it is that it might cause paging, which couldn't work in VMX root mode. Read this part of the blog post:
https://rayanfam.com/topics/hypervisor-from-scratch-part-8/#challenges
-
Search for DbgPrint
-
In HyperDbg you need to use the custom routine, LogInfo, for this purpose.
- 21 June 2025 (1 messages)
-
Ok, thanks for the answer
- 22 June 2025 (10 messages)
-
[discord] <_1k31> I followed the guide and tried to build in VS 2022; I got a link error and C2220. I had a look at the folder and there is no file "libhyperdbg.lib" in it.
https://cdn.discordapp.com/attachments/962350355839066130/1386162831816130642/image.png?ex=6858b43c&is=685762bc&hm=86397f6f9751bf0a88c47ccedb3b112f761910f1c0852fb49c9bb44068398d1c&
-
Try building each solution (project) separately in Visual Studio.
-
[discord] <_1k31> Nah, I think I found why: script-engine enables "treat warnings as errors".
-
[discord] <_1k31> And the script-engine build is unsuccessful, and the other two builds depend on it.
-
[discord] <_1k31> But why is `Token->Type = UNKNOWN;` a warning message?
-
[discord] <_1k31> The reason why `Token->Type = UNKNOWN;` results in an error message is usually a name conflict.
Your project has two different definitions of TOKEN_TYPE:
1. Your own TOKEN_TYPE enum (in script-engine\header\common.h, which has an UNKNOWN member).
2. The Windows SDK also has a _TOKEN_TYPE enum (in winnt.h/ntifs.h), but it does not have an UNKNOWN member, only TokenPrimary and TokenImpersonation.
If you include <windows.h> or other Windows headers, it can cause a conflict with the TOKEN_TYPE name. The compiler gets confused between your TOKEN_TYPE and the Windows TOKEN_TYPE, so UNKNOWN cannot be found, resulting in an error.
-
[discord] <_1k31> So is my SDK too new?
-
👍
-
Yeah, it might be the reason.
-
- 23 June 2025 (1 messages)
-
- 24 June 2025 (8 messages)
-
The guest is frozen and I'm unable to resume it.
-
Is VMware nested virt not supported with Debugger mode + transparency?
-
Are you on the 'dev' branch?
-
No, this is the latest release from github.
-
Ah, my mistake then. I thought I had removed it.
-
Don't use it for now. The transparent-mode (!hide) command is completely redesigned (it's available as the 'hyperevade' project in the 'dev' branch); however, it's not ready to be used.
-
Hopefully, we could release it together with the user-mode debugger (in the VMI Mode).
-
thank you
- 26 June 2025 (6 messages)
-
[discord] <territory3351> Hello guys~ How do I call EptHokMonitorHook in the HV to make it as simple as EptHokInlineHook?
-
You can check ApplyEventMonitorEvent to see how this function applies the !monitor events:
https://github.com/HyperDbg/HyperDbg/blob/80a434d49d3af9208004eb00295ed06386a2b3d1/hyperdbg/hyperkd/code/debugger/core/Debugger.c#L2825
-
[discord] <territory3351> [reply]: Thanks!
-
Does it support AMD?
-
No, HyperDbg doesn't support AMD for now. Maybe in the future; right now we don't have any plan for that unless someone in the community volunteers to add support for AMD processors.
-
Joined.
- 27 June 2025 (4 messages)
-
[discord] <unrustled.jimmies> [reply]: Supporting AMD for an HV-based debugger would be annoying due to no execute-only NPTs.
-
And no monitor trap flag.
-
👍
-
Ah, that would be really hard then. There are lots of HyperDbg features that depend on MTF.
- 28 June 2025 (5 messages)
-
Hi, how can I prevent propagating #DB to the guest OS with a hypervisor exception hook?
-
Yes, you need to short-circuit the event. Something like:
```
!exception 0x1 script {
    if(whatever condition) {
        event_sc(1);
    }
}
```
https://docs.hyperdbg.org/tips-and-tricks/misc/event-short-circuiting
-
Ah, sorry, this will just ignore the #DB. You can tell HyperDbg not to handle #DBs (inject them into the guest) using this command:
test trap off
https://docs.hyperdbg.org/commands/debugging-commands/test
-
Other than that, you could also inject a #DB using the script engine:
https://docs.hyperdbg.org/commands/scripting-language/functions/events/event_inject
-
Thank you! I'll check it.
- 29 June 2025 (4 messages)
-
Joined.
-
HyperDbg's VT is compatible with most Intel CPUs, and there will be no blue screen or hang? @HughEverett
-
HyperDbg is supported on most Intel processors, but we recommend using a 4th‑generation or newer CPU. Some features, such as the !mode command and the user‑mode debugger (scheduled for the next release), no longer support 6th‑gen (Skylake) or older processors, due to the absence of MBEC (Mode Based Execution Control).
We have observed some issues on Meteor Lake processors with bare‑metal setups (not VMware Workstation’s nested virtualization) that use hybrid Performance and Efficiency cores. These issues are currently under investigation.
Other than these exceptions, HyperDbg should (hopefully) work fine on other processors.
-
Ah, there is also one specific 9th gen processor (i7 9750H) on which some users report that HyperDbg has problems. But, generally, 9th gen processors have been tested several times, and other than this specific processor, other 9th gen processors are fine.
- 30 June 2025 (1 messages)
-
Thank you very much for your answers