You're right.

Can this only be started in test mode?

https://docs.hyperdbg.org/getting-started/build-and-install

Test mode? Running HyperDbg in test mode of Windows?

Yes, unless you have a certificate, you must use test mode.

I wonder if I use hyper to monitor only the memory reading and writing of an address, will it take up a lot of cpu? And this address is not frequently read and written by memory, only once every few minutes, but it is frequently executed. I want to do crc3 protection.

You can configure HyperDbg (from visual studio) to sign it with the test sign if it helps.

I mean, HyperDbg's !monitor command is super fast. In almost all cases, you won't even notice the system slowing down. If the page is something special that's accessed hundreds of times each second, it might slow the system down. Otherwise, it should be fine.

hey there, does HyperDbg fix RIP relative instructions for the page where the ept hook is applied? I noticed that if some relative jmp or call is executed inside the copied page, it leads to a garbage address

It doesn't have any visits. But it is frequently executed, so execution and reading and writing are two different things?

If you mean the '!epthook2' command, then no. It doesn't fix RIP relative instructions (and I think it is also mentioned in the documentation) but for the main EPT hook ('!epthook'), this is not a problem.

So, if you just use '!epthook' it should be fine with all relative instructions.

Or am I misunderstanding the question?

Intel supports execute-only page tables, which means that if you monitor for Read/Write but the page is only executed, there’s no performance penalty since no VM-exit occurs. However, on Intel processors, if you monitor only for Write, a Read access will still trigger a VM-exit. HyperDbg silently handles and ignores these events, but they do introduce some overhead.

So I think in your use case, there wouldn't be any performance degradation.

for example I hooked
nt!ExAllocatePool
, which is located at virtual address
0x500A540
, I created a copy of the original page containing bytes from
0x500A000
to
0x500AFFF
, and set my hook on the copy page + 0x540. When an ept violation occurs and the exit qualification is execute access, the ept handler replaces the original PFN with the PFN of my copied page. Now, what if, for example, on the page where
nt!ExAllocatePool
is located, there was some relative jmp or relative call instruction or any other RIP relative instruction, I just blindly copied it, and now, if it is executed, it will lead to a garbage address.

does '!epthook' resolve RIP relative instructions?

HyperDbg uses an identity map memory layout, which means the addresses wouldn't be changed from the perspective of the kernel memory (regular page table).

It might be changes from the EPT page table view but for kernel, it remains the same.

Yes, it fundamentally doesn't have such a issue based on its design.

can the same be said about user pages?

Yes. The main implementation EPT hooks for instructions in HyperDbg is the '!epthook' command which supports both user-mode and kernel-mode pages. The second implementation of EPT hooks (the '!epthook2' command) only supports kernel-mode pages (not user-mode).

Yes, it works well. If it just monitors reading and writing, it doesn't cause vm to quit. Now I'm trying to sign your dll separately so that it doesn't need to use test mode.

[discord] <unrustled.jimmies> [reply]: I wish intel would support write only ept pages.

Also it looks like sub paging permissions of ept is going to be removed in the future

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/sub-page-permission.html

`Intel plans to discontinue SPP entirely on future processors`

Yes indeed, SubEPT is deprecated now

Does anyone know how to change this source code into their own private tool? For example, only for a certain process

Is it convenient to use? Do you need to modify anything else?

It has an SDK that you can use to modify it for your own purposes, but due to the complexities of the hypervisor, I don't think it's very easy to work with it like a regular debugger.

https://github.com/HyperDbg/HyperDbg/blob/9bd5ffc7b9644df4d00aef2e6590d46a55d9837b/examples/user/hyperdbg_app/code/hyperdbg-app.cpp

[discord] <inflearner> Anyone managed to make HyperDbg work in Hyper-V ?

I checked it two years ago and it didn't work. I'm not sure about the current state of HyperDbg on hyper-v.

And the reason for that is Microsoft weird requirements for TLFS.

I only use its monitoring address function, and at the same time return all attempts to access this address to a fake memory address, similar to ce dbvm cloak

It seems that hyper has no function similar to ce dbvm cloak?

Yeah, it's possible you can write a script for the !monitor command using HyperDbg.

Setting it up each time is probably a hassle. Overall, I don't think it's very suitable for making cheats or cracks.