- 01 September 2025 (8 messages)
-
You're right.
-
Can this only be started in test mode?
-
Build & Install | HyperDbg Documentation: This document helps you to build and install HyperDbg
-
Test mode? Running HyperDbg in test mode of Windows? -
Yes, unless you have a certificate, you must use test mode.
-
I wonder if I use hyper to monitor only the memory reading and writing of an address, will it take up a lot of cpu? And this address is not frequently read and written by memory, only once every few minutes, but it is frequently executed. I want to do crc3 protection.
-
You can configure HyperDbg (from visual studio) to sign it with the test sign if it helps. -
I mean, HyperDbg's !monitor command is super fast. In almost all cases, you won't even notice the system slowing down. If the page is something special that's accessed hundreds of times each second, it might slow the system down. Otherwise, it should be fine. - 02 September 2025 (21 messages)
-
hey there, does HyperDbg fix RIP relative instructions for the page where the ept hook is applied? I noticed that if some relative jmp or call is executed inside the copied page, it leads to a garbage address -
It doesn't have any visits. But it is frequently executed, so execution and reading and writing are two different things?
-
If you mean the '!epthook2' command, then no. It doesn't fix RIP relative instructions (and I think it is also mentioned in the documentation) but for the main EPT hook ('!epthook'), this is not a problem. -
So, if you just use '!epthook' it should be fine with all relative instructions. -
Or am I misunderstanding the question? -
Intel supports execute-only page tables, which means that if you monitor for Read/Write but the page is only executed, there’s no performance penalty since no VM-exit occurs. However, on Intel processors, if you monitor only for Write, a Read access will still trigger a VM-exit. HyperDbg silently handles and ignores these events, but they do introduce some overhead. -
So I think in your use case, there wouldn't be any performance degradation. -
for example I hooked `nt!ExAllocatePool`, which is located at virtual address `0x500A540`, I created a copy of the original page containing bytes from `0x500A000` to `0x500AFFF`, and set my hook on the copy page + 0x540. When an ept violation occurs and the exit qualification is execute access, the ept handler replaces the original PFN with the PFN of my copied page. Now, what if, for example, on the page where `nt!ExAllocatePool` is located, there was some relative jmp or relative call instruction or any other RIP relative instruction, I just blindly copied it, and now, if it is executed, it will lead to a garbage address. -
does '!epthook' resolve RIP relative instructions? -
HyperDbg uses an identity map memory layout, which means the addresses wouldn't be changed from the perspective of the kernel memory (regular page table). -
It might be changed from the EPT page table view but for the kernel, it remains the same. -
Yes, it fundamentally doesn't have such an issue based on its design. -
can the same be said about user pages? -
Yes. The main implementation of EPT hooks for instructions in HyperDbg is the '!epthook' command which supports both user-mode and kernel-mode pages. The second implementation of EPT hooks (the '!epthook2' command) only supports kernel-mode pages (not user-mode). -
Yes, it works well. If it just monitors reading and writing, it doesn't cause vm to quit. Now I'm trying to sign your dll separately so that it doesn't need to use test mode.
-
[discord] <unrustled.jimmies> [reply]: I wish intel would support write only ept pages.
Also it looks like sub paging permissions of ept is going to be removed in the future
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/sub-page-permission.html
`Intel plans to discontinue SPP entirely on future processors`
Sub-page Permission: Intel researchers have discovered potential issues with the Sub-page Permission (SPP) feature. Although these issues pose no security risk, Intel recommends discontinuing SPP support in all cases.
-
Yes indeed, SubEPT is deprecated now -
Does anyone know how to change this source code into their own private tool? For example, only for a certain process
-
Is it convenient to use? Do you need to modify anything else?
-
It has an SDK that you can use to modify it for your own purposes, but due to the complexities of the hypervisor, I don't think it's very easy to work with it like a regular debugger. -
HyperDbg/examples/user/hyperdbg_app/code/hyperdbg-app.cpp at 9bd5ffc7b9644df4d00aef2e6590d46a55d9837b · HyperDbg/HyperDbg: State-of-the-art native debugging tools.
- 04 September 2025 (1 messages)
-
Joined.
- 06 September 2025 (3 messages)
-
[discord] <inflearner> Anyone managed to make HyperDbg work in Hyper-V ? -
I checked it two years ago and it didn't work. I'm not sure about the current state of HyperDbg on hyper-v. -
And the reason for that is Microsoft's weird requirements for TLFS. - 07 September 2025 (8 messages)
-
I only use its monitoring address function, and at the same time return all attempts to access this address to a fake memory address, similar to ce dbvm cloak
-
It seems that hyper has no function similar to ce dbvm cloak?
-
Yeah, it's possible you can write a script for the !monitor command using HyperDbg. -
Setting it up each time is probably a hassle. Overall, I don't think it's very suitable for making cheats or cracks. -
HyperDbg v0.16 is released! 🐞💫✨
This version adds a new event command '!xsetbv', along with bug fixes, performance improvements, and progress on the user-mode debugger in VMI mode.
Check it out:
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.16
For more information, check the documentation:
https://docs.hyperdbg.org/commands/extension-commands/xsetbv
Release v0.16 · HyperDbg/HyperDbg: HyperDbg v0.16 is released! If you’re enjoying HyperDbg, don’t forget to give a star 🌟 on GitHub! Please visit Build & Install to configure the environment for running HyperDbg. Check out the Q...
-
If the source code. I think I can change it.
-
[discord] <rayanfam> [reply]: Thanks to @unrustled.jimmies for helping with this release. 💙 💜 -
Interesting talk, apparently he used HyperDbg for a part of his demo:
https://github.com/0x4ndr3/Presentations/tree/main/Sikkerhetsfestivalen%202025
Presentations/Sikkerhetsfestivalen 2025 at main · 0x4ndr3/Presentations
- 08 September 2025 (1 messages)
-
- 09 September 2025 (4 messages)
-
Joined.
-
-
[discord] <btylor0> [reply]: Is there a recording of the talk or just the slides -
I don't know if they recorded it or not, you need to reach out to the original author for that. - 10 September 2025 (3 messages)
-
Joined.
-
Joined.
-
- 11 September 2025 (3 messages)
-
-
-
Joined. - 13 September 2025 (2 messages)
-
Joined.
-
- 14 September 2025 (1 messages)
-
Joined. - 15 September 2025 (19 messages)
-
@sina I just downloaded hyperdbg-v0.16.zip (win10 22h2) and MS Defender falsely detected and deleted hyperdbg-cli.exe (Program:Win32/Wacapew.C!ml) :(
-
Are you sure? I just checked it over VirusTotal and only 1 unknown AV detects it 🤔
https://www.virustotal.com/gui/file/846ce97893413ba4daeb50176f4ebd73bb4ce3de1fcab66f64585f91323e5e77?nocache=1 -
If you check only hyperdbg-cli.exe? Nothing?
-
-
-
-
I sent a report to MS about the false detection
-
I don't really know what to do with it, hyperdbg-cli.exe is only a ~150-line CLI that imports libhyperdbg.dll. -
Great. How do you send the report? -
-
Great. Thanks. -
>Great. How do you send the report?
The mechanism to send a report exists in the options page of MS Defender -
👍 -
Where you can turn real-time protection on/off, there is a link to send an example manually.
-
-
-
HyperDbg News & Updates: HyperDbg notifications and updates (Group: @HyperDbg)
-
is this an official channel? -
why not?
- 17 September 2025 (3 messages)
-
Joined.
-
@Sina MS removed the false detection of hyperdbg-cli.exe
-
Great. Thanks for reporting the false positive. - 19 September 2025 (2 messages)
-
Who is trying to run HyperDbg independently? Let me know if you are interested. I'm doing it recently.
-
I mean setting it as an independent dll to perform some of its functions, such as making a cloak similar to ce dbvm.
- 20 September 2025 (1 messages)
-
- 21 September 2025 (1 messages)
-
Joined.
- 22 September 2025 (23 messages)
-
[discord] <territory3351> Does HyperDbg support Intel ultra series CPU? -
[discord] <territory3351> After I entered vmx, the system became very slow -
[discord] <territory3351> Then the write msr event occurs and the system crashes -
[discord] <territory3351> Can anyone help me? Thanks -
Yes, of course. It supports the Intel Core Ultra series and has been pretty stable in my tests on different machines, especially on Meteor Lake. I haven't tested it on Lunar Lake. -
What is this processor? -
And can you explain how you used it? Because MSRs by default don't create VM-exits on HyperDbg if they are not out of range. -
[discord] <territory3351> [reply]: Thanks for your reply. My processor is an Intel(R) Core(TM) 5 220H. I haven't done anything special and am using the EPT feature. When I virtualize a third or fourth CPU, the system starts to slow down, throws a "write msr 0x400000xx" error, and then crashes. -
[discord] <territory3351>
https://cdn.discordapp.com/attachments/962350355839066130/1419575278900084796/image.png?ex=68d24200&is=68d0f080&hm=4e54ca4ade9d69c7bfcd77946dceae42a5e651b9aa0c8a403a1fd389aea1a1a5& -
Is it a HyperDbg code? Are you using hyperhv as a library? -
What about HyperDbg itself? If you run HyperDbg, does it still crash? -
Something tells me that hyper-v is involved since 0x40000000 is its synthetic msr region. As a related question, does hyperdbg disable vtx for the guest? -
Not really. We usually just pass the hyper-v TLFS VMCALLs to the top level hypervisor if the VMCALL is not invoked by HyperDbg. -
Oh cool -
Just curious to know, what do you mean by disabling VT-x? Something like not letting it enable the VMX from CRs? -
Yeah, what I do is report vtx disabled in bios through the relevant msr (don’t remember which one) -
So the guest system is like “okay, no VMX enabled” and I don’t have to deal with hyperv related stuff -
well, since HyperDbg runs after the system is already booted, could we also implement this? I mean, Windows already thinks that it has VT-x enabled. In that case, should we still disable it for Windows? -
I guess it’s too late for that at that moment.. -
On a bright side, you support hyperv tlfs, which is cool -
[discord] <territory3351> [reply]: yes! -
Do you have the same problem with HyperDbg (hyperdbg-cli.exe) then? -
Joined. - 23 September 2025 (2 messages)
-
[discord] <territory3351> [reply]: There is no problem using hyperdbg-cli.exe. It seems that the problem is with my code. Thank you! -
ok. Let me know if you find the problem. You could copy the code that is related to initializing HyperDbg from hyperkd.sys. - 24 September 2025 (1 messages)
-
[discord] <territory3351> [reply]: In order to support AntiCheatEngine, I modified the processing of read msr 0x40000000 ~ 0x400000F0, which caused a crash in ultra. Hahahahaha😅 - 25 September 2025 (25 messages)
-
Is this channel only about HyperDbg or can we talk about hypervisor development in general? -
Feel free to talk about hypervisors in general -
I was following the Hypervisor from Scratch tutorial and set up my VMCS. After vmlaunch, I don't get any error codes (execution does not continue after vmlaunch) but neither any VMEXITS. WinDbg's !running -i -t does not show anything related to my driver either. I tried setting breakpoints to my VMEXIT handler and the guest memory (using ba). But didn't hit anything.
What could be wrong? -
Are you using hyperdbg code as a reference? -
No. Only the tutorial (or guide) itself and its source code. -
Can you check the return value of the __vmx_vmlaunch intrinsic? (assuming you're using it) -
Well I cannot as the execution does not continue after vmlaunch. Which is the intended behavior for a successful vmlaunch -
It starts executing in vmx guest mode, jumping to the code that was set up in the VMCS -
Which is a bunch of HLT instructions. But I do not get any VMEXITs to my handler, as said. -
Have you set up HLT exiting in IA32_VMX_PROCBASED_CTLS? -
Yep. -
It's hard to tell without the code reference -
Does the core keep running after that? -
What is it executing then? -
Yeah, pretty much idle as shown in WinDbg. The system continues as usual. -
Idle? Is it in the system idle thread? -
If you break into it in windbg, where does it stop? -
Most of the time on "running -i -t" command. I meant that system runs as if (and most likely) nothing happened -
Can you point vmcs to start on int 3 instruction? -
So you would at least know if execution was transferred to the right place -
Let me see. -
I managed to get a result from vmlaunch and read the VM_INSTRUCTION_ERROR field. It's 0x7. -
WinDbg was kicking me out after execution of vmlaunch. A "step over" results in the whole rest of the driver code being skipped. -
VM entry with invalid control field -
Yeah. Just checked the Intel's book. - 27 September 2025 (1 messages)
-
André Lima: In this video, I showcase the power of a VMM (HyperDBG) manipulating instructions (cpuid) and memory visibility of a process. In the first demo, I set up a vm exit handler to manipulate the response to the CPUID instruction seen by any process in the Guest OS to "Sikkerhets25" (presented this at Sikkerhetsfestivalen) - which is relevant for malware checking on where are they being executed - and in the second demo I track a specific memory position (first have to context switch into the process using its PID), and I ignore "writes" ++i on that variable having the process think the writing worked while actually not, shown by the reading of that same variable after a ++, having the same value. This type of tech (Intel VT-X in this case) can be used by EDRs, since it is completely "invisible" to the Guest OS (and any malware/process running in it), as opposed to software and hardware breakpoints which are easily detected with anti-RE techniques. The ignoring of "writes" is very useful for an EDR to avoid malicious…
- 28 September 2025 (24 messages)
-
Any ideas why I am getting a 0x21 right after vmlaunch in my vmexit handler?
I set up everything according to the Hypervisor from scratch tutorial, yet, I am still getting Invalid VMCS structure. -
SDM has a complete description of the checks performed on the vmcs fields before vmentry. You can implement them in your code to find out the exact reason for the failure -
I tried to do these checks. Even compared the segment bases, access rights, selectors to the ones in host GDT table with WinDbg. No luck. -
*They matched 1:1 -
You've missed some checks, did a typo in the code, it could be literally anything. There are dozens of reasons for vmcs to be misconfigured and it's not clear what you're trying to achieve, how you debug your stuff or where your code is. It is guesswork without extra information. -
So shall I send out entire VMCS initialization? -
As an option, I could take a look. But the best way to solve this is to implement a vmcs checker according to SDM vol 3 chapter 28.3 entirely. If CPU says it is a "VM-entry failure due to invalid guest state" then it is "VM-entry failure due to invalid guest state" and nothing else. -
So the VMCS check should be performed after the vmlaunch, not before? -
I think the fastest and the easiest way is to copy the initial VMCS fields from already working hypervisors like HyperDbg and then extend them based on your requirements. -
That is what I did as a last resort -
Spending time on finding whats wrong in this problem is just a waste of time IMO. -
Yeah. With the error of "VMCS is invalid" being not descriptive at all. -
Before -
You don't have any means of getting the exact error from the ucode unfortunately -
Tried using VMCS auditor. But quickly realized it would be too inefficient to fill all those fields one by one -
It is better than guesswork, right? -
I think that might be the stupidest type of bug thing I've ever seen -
pushfq is kicking me out of my VMCS initialization function right into vmlaunch -
Joined.
-
Sorry, this code doesn't help -
In what sense? -
It's out of context -
In sense that sending my code does no good, or that this part of the code is not enough? -
It's not enough - 29 September 2025 (19 messages)
-
That's all VMCS initialization code I've got. -
Could you kindly share the code somewhere else, like pastebin (if this code is not on github)?
It is still out of context, like for example, what does adjust_controls do? -
Sure.
Take a look:
https://privatebin.net/?b72a02bc702a01ee#ATnyoRxjJB43WkHAUAwTt7HdjcoXbBnazkcCHjJ2kQwS
Encrypted note on PrivateBin
-
What CPU do you have? -
An i5 core, 11th gen -
tiger lake? -
I don't remember the exact code -
I've made hypervisors in C before, they worked. It should not be a CPU issue. -
Did you fill the vmcs in the same way? Because if it is some rust issue, then I'm not a rust expert -
Do you start in the OS or in UEFI? -
Nvm, I see Windows kernel -
No. It was a direct copy paste of Hypervisor from Scratch tutorial. But I tried that too in Rust, didn't work. -
I don't see anything suspicious in the code logic. Probably someone with better rust knowledge could spot a problem. I'm a C programmer. -
It's something around // VMCS GUEST FIELDS area, since it's code 0x21 -
I am doubting there is something wrong in segmentation. Did you see anything? -
Not sure tbh. As I mentioned I don't have experience with rust, so not sure if I'm reading that right. Guest state could be anything wrong with cr3, cr0, cr4, segmentation, msrs debugctl, pat, efer and optional {perf global ctl, bnd cfgs, rtit ctrl, pkrs, cet (if those are enabled already)}, guest activity state, interruptibility state and pending debug exceptions -
Well, does Sina have an idea? -
Of course, @honorary_bot is more knowledgeable and experienced than me in anything related to Intel processors, and generally hypervisors. If he couldn't find the problem, I'm even less likely to. My suggestion for this problem is: do not waste your time trying to find the error. Just copy all of the configuration from a working hypervisor, use it, and extend it. There is really no benefit in understanding what goes wrong with VMCS checks inside a CPU. Understanding it also doesn't give you any benefit or technical experience, as these are simply CPU checks. -
There are a couple of good hypervisor projects in rust, you could copy the VMCS configurations from them. - 30 September 2025 (5 messages)
-
I did try to copy from memN0ps, if you try to inspect the source code, you would see it's almost 1:1 -
Since I ran out of ideas, but no, no luck. -
Maybe it's something related to segmentation? Maybe my VMWare config? -
[discord] <jakob944> You could try asking in OS Dev discord, maybe they can help out -
It might be because of segmentation. You could also check your hypervisor VMCS field with checks that are done in Qemu. That might also help.