• 01 June 2025 (2 messages)
  • @ma_jiajue #9963 10:27 AM, 01 Jun 2025
    Thank you for your reply. I will do my best to debug serial communication as I have two hosts with RS232.
  • Great. Thanks
  • 02 June 2025 (8 messages)
  • @Callingme98 #9965 12:07 PM, 02 Jun 2025
    Joined.
  • @6595241063 #9966 04:27 PM, 02 Jun 2025
    How to open the ui file, I didn't find the corresponding exe
  • @6595241063 #9967 04:30 PM, 02 Jun 2025
    Or do I need to compile it myself
  • @Heart_Sender #9968 05:11 PM, 02 Jun 2025
    Joined.
  • I'm not aware of the current state of the GUI. You should ask its original author in the GitHub.
  • He is also a Chinese guy so you can also contact him directly.
  • @HughEverett #9971 10:00 PM, 02 Jun 2025
    Interesting project and blog post, related to hypervisors:

    https://secret.club/2025/06/02/hypervisors-for-memory-introspection-and-reverse-engineering.html
  • @honorary_bot #9972 10:07 PM, 02 Jun 2025
    Good quality material. Invalidating TLB and EPT caches is not really accurate though :P
  • 03 June 2025 (27 messages)
  • @zuypt #9973 04:12 AM, 03 Jun 2025
    @HughEverett I cannot figure out how to edit grammar.txt for 1 function call with zeroop func and a return value
  • @zuypt #9974 04:13 AM, 03 Jun 2025
    I tried something like this
  • @zuypt #9975 04:13 AM, 03 Jun 2025
    ~~~
    CALL_FUNC_STATEMENT->.ZeroOpFunc2 ( @.ZeroOpFunc2 ) @IGNORE_LVALUE
    .ZeroOpFunc2->rdtsc rdtscp
    ~~~
  • @m3xTa1nes #9976 05:01 AM, 03 Jun 2025
    Are there people here who understand the xHCI controller well? I have a question about the Event Ring and Transfer Ring.
  • @HyperDbgBot #9977 b o t 05:35 AM, 03 Jun 2025
    [discord] <unrustled.jimmies> [reply]: hmm, yeah.

    ```
    invept_all_contexts();
    ```

    > This call performs an All Contexts invalidation, instructing the CPU to discard all EPT-derived translations for the current EPT pointer (EPTP).

    It sounds like they meant to use `Single-context invalidation` since i don't think they are using multiple EPTPs per LP which would align with their explanation. (i could be wrong here)
  • Hi! Just hit it here. People who know might not be sure they are xhci experts or not.
  • Good job! You’re a careful reader! The author seems to be missing the dual-tagged (combined) mappings.
  • @honorary_bot #9980 06:08 AM, 03 Jun 2025
    What I’m saying is invvpid also might be used to flush EPT cache.
  • @honorary_bot #9981 06:08 AM, 03 Jun 2025
    Invept all contexts is a safest option, but it has a noticeable performance penalty.
  • @honorary_bot #9982 06:09 AM, 03 Jun 2025
    The difference between invvpid and invept is invept also flushes mid level page table entries cache
  • @honorary_bot #9983 06:10 AM, 03 Jun 2025
    But if pml4, pdpte and pdes don’t change, invvpid is enough
  • @6595241063 ↶ Reply to #9970 #9984 07:59 AM, 03 Jun 2025
    ok, thanks bro
  • @zuypt #9985 08:15 AM, 03 Jun 2025
    @HughEverett I figured it out. Can you help me check the pull request I just made?
  • Sure. Send the PR. I'll check once I have access to my laptop.
  • @HyperDbgBot #9987 b o t 07:29 PM, 03 Jun 2025
    [discord] <unrustled.jimmies> this might just be happening to me but asking here, when you folks are running hyperdbg or any other hv with ept hooks on kernel functions (like hvfs with its default ept hook on exallocatepoolwithtag ref impl), do you see high system interrupts in Task Manager? even with just a hook on exallocatepoolwithtag, it goes up to 80% until i kill the hv.

    nothing conclusive from intel vtune (i cant get to this view https://www.intel.com/content/www/us/en/docs/vtune-profiler/user-guide/2023-0/analyzing-interrupts.html).

    using wpr it looks like it could be icue but im guessing other folks have icue/rgb stuff on their pc and use the hv so want to check if it happens to you as well. (i havent looked into this deeply yet)

    https://imgur.com/a/w8cOj4V
  • @honorary_bot #9988 07:30 PM, 03 Jun 2025
    Where did you get vtune? :)
  • @honorary_bot #9989 07:30 PM, 03 Jun 2025
    So what's happening here is that CPU is spending its time in a VMX root mode and the guest has no idea about it
  • @honorary_bot #9990 07:31 PM, 03 Jun 2025
    So it just counts the lost time as spent in interrupts
  • @HyperDbgBot #9991 b o t 07:31 PM, 03 Jun 2025
    [discord] <unrustled.jimmies> [reply]: i downloaded the full oneApi base toolkit i think.
  • @honorary_bot #9992 07:32 PM, 03 Jun 2025
    Oh, a public version, I see
  • @HyperDbgBot #9993 b o t 07:32 PM, 03 Jun 2025
    [discord] <unrustled.jimmies> [reply]: ah so its just expensive vmexits showing up as interrupts
  • @honorary_bot #9994 07:32 PM, 03 Jun 2025
    vmexits + vm exit handling code and everything related to vmx root mode
  • @HyperDbgBot #9995 b o t 07:34 PM, 03 Jun 2025
    [discord] <unrustled.jimmies> got it, ill take a look into this given that info
  • To be more precise, it depends on the execution context during the vmexit
  • @honorary_bot #9997 07:35 PM, 03 Jun 2025
    so the load might be spread around different applications in the case of breakpoints
  • @honorary_bot #9998 07:35 PM, 03 Jun 2025
    But you got the idea
  • @HyperDbgBot #9999 b o t 07:35 PM, 03 Jun 2025
    [discord] <unrustled.jimmies> [reply]: yep.
  • 04 June 2025 (4 messages)
  • @ma_jiajue #10000 03:05 PM, 04 Jun 2025
    Why was that? I'm trying to install the driver, but it fails. I used a physical PC, and connected the debugger by serial port.
  • @ma_jiajue #10001 03:06 PM, 04 Jun 2025
    my computer is win10
  • Did you run HyperDbg (on the debuggee side) with the administrator (UAC) privilege? Can you first run it on the VMI mode (local debugging) to see if it's working or not? (.connect local and then load vmm)
  • @HughEverett #10003 05:08 PM, 04 Jun 2025
    @zuypt thanks for PR.
    I have a question, do you expect time in microseconds on the 'microsleep' function on the script engine? Am I getting it correctly?
  • 08 June 2025 (1 message)
  • @HyperDbgBot #10004 b o t 11:04 PM, 08 Jun 2025
    [discord] <unrustled.jimmies> Has anyone gotten hyperdbg remote debugging to work with a serial usb cable https://www.amazon.com/dp/B0DJF3WR4K or does it need to be an actual serial cable? my pc detects and sets it up as a com port. (ignore the com5, hdbg only goes up to com4 and i changed it to com2) before running.
    https://cdn.discordapp.com/attachments/962350355839066130/1381408560096739438/Screenshot_2025-06-08_114331.png?ex=6847687a&is=684616fa&hm=fddeb3631f372164352377c9fcec4709505a4fdbb5803d9ced9813b1ce989523&
  • 09 June 2025 (23 messages)
  • It has to be an actual serial cable with an actual serial port on the target side. Otherwise it is a natively USB device, so hyperdbg would need a usb driver which is a whole different story.
  • @HyperDbgBot #10006 b o t 02:20 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> [reply]: got it, unfortunately my pc is too modern so i will also need a serial port pcie card.
  • It won’t help either, sorry. It has to be a built in one, good old 3F8 port based.
  • @honorary_bot #10008 02:51 AM, 09 Jun 2025
    Can you check out pulsedbg sdk and see it fits your goals? If so, we can try and debug the multi core startup issues.
  • @HyperDbgBot #10009 b o t 04:53 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> [reply]: Yeah, i wouldn't mind trying to get pulsedbg to work since i can use that as well plus it would be a good learning experience.

    I bought the following for another reason (DCI stuff) but it hasn't arrived yet - https://www.datapro.net/products/usb-3-0-super-speed-a-a-debugging-cable.html - I'm guessing this will work on pulse as the standard USB 3.0 debugging cable.

    Can pulsedbg work with this one as the serial (I already have this one on hand)? If not I'll just have to wait for the USB debug cable - https://www.amazon.com/dp/B0DJF3WR4K
  • It’s the right cable, yeah! It makes sense to wait for it to arrive since it would be also easier to collect pulsedbg logs with it.
    Were you planning to use DCI? Do you have sourcepoint debugger or intel system studio?
  • @HyperDbgBot #10011 b o t 06:08 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> I have the Intel one right now (there are no public boards that support Arrow Lake rn, so someone said he can help me enable DCI on my board, we'll see) but I might get SourcePoint as well since I heard about it on a recent security stream (off by one) and the blogs they are posting are the kind of stuff I want to do https://www.asset-intertech.com/resources/blog/
  • @honorary_bot #10012 06:13 AM, 09 Jun 2025
    Yeah, you won’t be able to debug Arrow Lakes, just the boards supported by source point. I also experienced odd behaviour from source point crew - they refused to sell it to me without explanation. Hopefully you will be able to buy it.
    But nevertheless, even if you had intel system debugger NDA, you still would not be able to debug platforms newer than Raptor Lake due to a new debugging protection architecture. Sad, I know.
  • @HyperDbgBot #10013 b o t 06:17 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> yeah at this point im willing to change the cpu variable to something that works.
  • @HyperDbgBot #10014 b o t 06:21 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> I spoke to Alan Sguigna from sourcepoint over email and he mentioned they would have full ARL support by end of July so we'll see if that actually ends up happening or not based on the new debugging protection architecture you just mentioned.

    They claim to already have some ARL support now (he said you need a motherboard that works for it - https://www.asset-intertech.com/wp-content/uploads/2025/04/ReadMe-SourcePoint-Intel-7.12.68.pdf which can only be gotten with an NDA with Intel rn)

    ```
    These will all be complete for ARL in our G17 release, targeted for end of July.
    ```
  • @honorary_bot #10015 06:21 AM, 09 Jun 2025
    Also bear in mind that using jtag is no fun. It is very unstable and slow. It is worth for debugging very specific small pieces of code. The only advantage I see is that it can trap VMX transitions
  • @honorary_bot #10016 06:23 AM, 09 Jun 2025
    I guess it has to be a specific debug platform then
  • @HyperDbgBot #10017 b o t 06:27 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> Yeah, weird that they wouldn't sell to you since their new marketing angle seems to be security/malware analysis/windows internals.
  • It is. I tried contacting them several times but looks like they banned me or something, they just don’t reply anymore. No explanation given.
  • @honorary_bot #10020 06:33 AM, 09 Jun 2025
    It pisses me off a bit since I literally work at Intel lol
  • @HyperDbgBot #10021 b o t 06:35 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> "large public company" = doesn't make sense trying to reason about it since im not sure if they even know why they can't sell to you.
  • @HyperDbgBot #10022 b o t 06:36 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> have you tried recently since that was 3 years ago.
  • @honorary_bot #10023 06:37 AM, 09 Jun 2025
    I did, a year ago. They just don’t reply
  • @honorary_bot #10024 06:37 AM, 09 Jun 2025
    But I don’t need source point that much to beg them :)
  • @HyperDbgBot #10025 b o t 06:38 AM, 09 Jun 2025
    [discord] <unrustled.jimmies> [reply]: haha yeah.
  • @instw0 #10026 07:23 AM, 09 Jun 2025
    Guys! Can the latest version of the debugger hook memory in VMI (physical computer) mode, and is it planned to add full remote debugging?
  • @infearner #10027 04:17 PM, 09 Jun 2025
    Joined.
  • 10 June 2025 (5 messages)
  • @HyperDbgBot #10028 b o t 12:18 PM, 10 Jun 2025
    [discord] <inflearner> Hi guys,

    Did anyone manage to load Easy Anti-Cheat with HyperDbg loaded?

    Even with !hide (which got improved recently), I get a BSOD.
  • HyperDbg from its very first release supports hooking memory (v0.1). The support for full debugging in VMI mode is on the priority list but not done yet. Next release we will introduce our new platform for improved transparent (hidden) debugging of nested virtualization environments (it's a work in progress).
  • The '!hide' command (and the transparent mode) is completely redesigned. Starting from the next release, you see a new project that will be added to HyperDbg to support new (improved) anti-debugging and anti-hypervisor techniques.
  • @HyperDbgBot #10031 b o t 06:33 PM, 10 Jun 2025
    [discord] <inflearner> [reply]: Goated! Thanks man.

    I checked out the hyper-evade branch, I guess the features you are talking about are there.

    I get a BSOD on !hide.

    Is it normal? I can debug if needed.
  • Yes, but the hyperevade branch is not yet merged in the 'dev' branch. So, you need to wait until we finish testing it and creating automatic tests. Right now, it's normal to see BSOD since it's not tested yet.