- 01 October 2025 (1 messages)
-
Joined. - 04 October 2025 (8 messages)
-
After the vmlaunch, the guest continues right before my "virtualized" check. But after a few instructions of assembly or so (like call, sub rsp), I end up in this trap frame with a bunch of MSR reads and MSR writes on my VM exit. Playing with the bugcheck parameters, I saw this: mov cr8, rcx. So, what could be the problem? Should I add CR8_STORE_EXITING and CR8_LOAD_EXITING controls or something? -
```
.cxr fffff806`0f94bbd0
rax=0000000000001000 rbx=fffff80609764101 rcx=00000000000000c6
rdx=fffff8060976c930 rsi=fffff8067c610bb0 rdi=0000000000000001
rip=fffff8067bea23b8 rsp=fffff8060f94c620 rbp=fffff8060f94c6a0
r8=0000000000000064 r9=0000000000000028 r10=ffffaf0f0ef3b040
r11=0000000000563d71 r12=0000000000000001 r13=ffffd4828fc1d238
r14=ffffd4828fc1d201 r15=ffffd4828fc1d201
iopl=0 nv up di pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010046
nt!KiInterruptDispatchNoLockNoEtw+0x78:
fffff806`7bea23b8 440f22c1 mov cr8,rcx
``` -
Well, now at iretq of KiInterruptDispatchNoLockNoEtw.
And the original bugcheck is an EXCEPTION_ON_INVALID_STACK with a stack value of fffffffffffffff8 -
I set an exception bitmap on my VMCS control fields, and it looks like I am getting an exception 0x10 on iretq. With interruption type 3. -
Yup, it's a general protection fault. -
[discord] <oninaig> Racking my brain trying to figure out why I cannot get bitwise operators to work in monitor scripts:
```
Line 7:
b_0 = (q ) & 0xff;
^
Syntax Error: Invalid Syntax
``` -
[discord] <oninaig> I cannot for the life of me set up a monitor that monitors all writes from a specific PID, it never likes whatever I try:
```
HyperDbg> !monitor w 0 7ffffffffffffff va pid 0x2620 stage post output {Writes3} script { printf("{\"time\":\"%s\",\"pid\":\"0x%llx\",\"tid\":\"0x%llx\",\"rip\":\"%p\",\"addr\":\"%p\",\"qwords\":[", $time, $pid, $tid, $ip, $context); i = 0; first = 1; while (i < 32) { pa = virtual_to_physical($context + i); if (pa != 0) { if (first == 0) { printf(","); } printf("\"%llx\"", dq_pa(pa)); first = 0; } i = i + 8; } printf("]}\n");}
err, invalid address (c0000005)
address may be paged-out or unavailable on the page table due to 'demand paging'
please refer to https://docs.hyperdbg.org/tips-and-tricks/considerations/accessing-invalid-address for further information
```
-
Joined. - 05 October 2025 (8 messages)
-
It might happen that after VMLAUNCH, a context switch happens and you end up in a new routine, so other instructions might get a chance to be executed. -
Not sure if I understand the problem. Are you still having the same problem with this issue?
https://github.com/HyperDbg/HyperDbg/issues/552 (Scripts reporting invalid syntax · Issue #552 · HyperDbg/HyperDbg)
-
You know what, it reminds me of this meme: 😅
https://x.com/HyperDbg/status/1856294527373353192
HyperDbg (@HyperDbg) on X: "Guys, just because HyperDbg's '!monitor' command can technically monitor unlimited address ranges doesn't mean you can monitor any memory range you want. So let's not go wild, alright? 😅"
-
You cannot monitor the entire address range from 0x0 to 0x7ffffffffffffff!
HyperDbg (and all EPT hooks) operate based on physical addresses, which means the target address should be valid and available (the Windows memory manager must have previously allocated and assigned it) so that there is a physical address that HyperDbg can monitor. -
It is almost impossible for this address range to be entirely valid for a single process. -
Well, the context is fine, I made that sure. But an iretq results in a GPA, and a crash. -
This is the stack of KiInterruptDispatchNoLockNoEtw on VMCS when the VMEXIT happens due to the exception -
Meanwhile, before I init my VM this is how it looks - 06 October 2025 (1 messages)
-
Still being flooded with HvlLogGuestCrashInformation, EXCEPTION_ON_INVALID_STACK, with my vm_exit_dispatcher on the "faulty code".
Does anyone have an idea?
https://privatebin.net/?584a609a3f038bb4#6WmsAfRNRNw931E4BkQpYk39jh4C1nEjYCpKGuVkiBZxEncrypted
- 07 October 2025 (4 messages)
-
[discord] <unrustled.jimmies> Can you upload the full code somewhere and I can take a look? I'm already seeing issues with the stack, I can confirm. -
Well, the full code is so big and I think these are the only relevant fields. Which issues do you see? -
Joined.
-
Well, there were a lot of problems, indeed. - 09 October 2025 (1 messages)
-
https://github.com/staarblitz/HyperRing
Can any of you give it a look and help me figure out why it's crashing? Here is the full source code of my hypervisor.
- 12 October 2025 (3 messages)
-
[discord] <paimon001_> [reply]: hmm.......... I don't know if it's my problem, the built product is a DLL
[attachment: 19C895C9-D9A1-46C1-A43F-40B92534DB55.png] -
Joined. -
You need to use "cargo make" - 13 October 2025 (11 messages)
-
Hi guys, I just came back to HyperDbg. Does anyone know this problem?
-
when I copy and paste text
-
I think this is the problem with the Clang interpreter of Visual Studio. -
-
You could disable it like this. -
From the :
Tools > Options... -
So we don't use clang-format to auto-format for HyperDbg?
-
Wait, I just found that Ctrl+K, D is still able to auto-format after disabling it.
-
I usually use Clang Power Tools:
https://clangpowertools.com/
-
It's a Visual Studio extension. -
And they are nice people developing it, they always fix issues as we report them. - 16 October 2025 (1 messages)
-
Joined.
- 17 October 2025 (1 messages)
-
[discord] <unrustled.jimmies> [reply]: Hey man, I haven't had the spare CPU cycles to take a look at this yet. For now this is all I have (disable exception exiting to avoid the VM-exit storm and it will triple fault, so the cause of this should be the thing to root cause). Double check you're saving the guest regs/state, including all of the VMCS guest fields, properly for vmlaunch and vmexit/entry. Should this be rax? (Issue still seems to be stack corruption.) Just take a look at how HyperDbg does it, or barevisor on GitHub, which is in Rust. https://github.com/staarblitz/HyperRing/blob/9298cccc2a3569c9d35764ca13427c1cfcdc8a22/src/hyper_ring/src/intel/vm/exit_handler.rs#L279 - 18 October 2025 (5 messages)
-
Yes. It should be rax. But is that the entire problem? And thank you very much for sparing the time to look at my issue. -
DEF CON 33 - Playing Dirty w/o Cheating - Getting Banned for Fun - S Collins, M Muench, T Chothia
-
Yep. I looked at barevisor, matrix-rs and a lot of hypervisors made in Rust. If you check my code, my VMCS initialization matches 1:1 with barevisor. But still, why am I getting a stack corruption? The stack after the "vmlaunch" is still fine. But after an interrupt, it's trashed. Could it be due to an invalid kernel-mode GS? -
Are you building in Debug mode or Release mode?
Try switching it; sometimes it affects the stack. -
It shouldn't affect the stack. That is the problem. And it's not my stack, it's the OS stack that gets corrupted. - 19 October 2025 (7 messages)
-
[discord] <unrustled.jimmies> [reply]: Guest RBP is getting overwritten, then the overwritten value is saved and restored, if I'm reading that right.
https://github.com/staarblitz/HyperRing/blob/9298cccc2a3569c9d35764ca13427c1cfcdc8a22/src/hyper_ring/src/intel/vm/exit_handler.rs#L277
matrix-rs looks like it does it correctly using the xchg instruction. https://github.com/memN0ps/matrix-rs/blob/309ac2a0322be5320c80c34f2a631e21a05fcb74/hypervisor/src/intel/vmlaunch.rs#L151
Also, XMMx is assuredly getting trashed as well even if you don't call into the Windows ABI, because LLVM uses these vector registers aggressively (e.g. even for a 2-element array move in a release build): https://godbolt.org/z/EoseoKoTP
(Not sure this is even the main issue.)
---
As an aside, I was hoping Rust would support completely disabling `target-feature=-sse,-sse2,-mmx` because floats can already be emulated if SSE is disabled, but it seems like they will go in the opposite direction and mandate SSE2 in the future for x86-64 targets: `warning: target feature `sse2` must be enabled to ensure that the ABI of the current target can be implemented correctly, = note: this was previously accepted by the compiler but is being phased out; it will become a hard error in a future release!` Which sucks, since it would have been a simple command line flag that would be needed to avoid saving and restoring XMM registers on VM exits (as long as you didn't call into or link with other people's code). -
Correct. Missed that. -
Would FXSAVE do the job? -
[discord] <unrustled.jimmies> Eliminate variables, don't add. -
What do you mean? Shouldn't I save floating point registers? -
I updated the code as you have suggested. Check it now. -
But still, iretq and crash. - 20 October 2025 (1 messages)
-
Joined. - 22 October 2025 (1 messages)
-
Joined. - 23 October 2025 (1 messages)
-
- 25 October 2025 (2 messages)
-
[discord] <unrustled.jimmies> [reply]: I recently wrote an Intel TraceHub STH driver to use in a no_std env to add logging to my "hv" project (hv in quotes because I haven't even started the hv part yet) and saw this comment about PT trace data regions being USWC (I think this is just Intel talk for WC).
It got me thinking about how this can be handled in a generic way as opposed to handling every random device. I don't see "IgnorePat" being set in HyperDbg EPT (to true or false) on purpose, so it's defaulting to False. So it looks like (just in the case of UC vs WC), as long as a driver in the guest appropriately maps its MMIO using the type of cache it needs (which is where the burden should fall anyway), address translation should correctly calculate the effective cache to be UC or WC (since WC is the only memory type that survives when EPT=UC and IgnorePAT = False).
I do plan on using 4 KB pages for MMIO regions as honorary_bot suggested, but for HyperDbg the EPT being 1 GB pages should work as well (assuming no other issues), since the SDM uses the phrase `For the last EPT paging-structure entry used to translate a guest-physical address`.
(In my case it ended up being moot because a dev should have no need to map or do anything with this PT region, but it did lead me to looking into this a bit more.)
[attachment: sth_log.png]
[attachment: sth_logged.png]
[attachment: mmio_uswc.png] -
I'm not sure if I understand it thoroughly. Could you please add a context and a bit of background of what you are trying to do? - 26 October 2025 (2 messages)
-
[discord] <unrustled.jimmies> Following up on the earlier discussion we had about the memory type for MMIO regions and how to handle the cases where they are remapped by the OS / not described by the MTRR and the MMIO page needs something other than UC.
Based on 30.3.7.2 and the fact that HyperDbg's EPT has IgnorePAT = False, we get WC memory type support, at least, if it's needed for that page in the guest.
[attachment: Screenshot_2025-10-26_104603.png] -
[discord] <unrustled.jimmies> Also, I ran into a heisenbug (happened only once and never again) yesterday where HyperDbg got an EPT violation on `HalpPciMmConfigWriteHandlers`. I will debug and let you know what I find.
[attachment: Screenshot_2025-10-26_110152.png] - 28 October 2025 (11 messages)
-
-
-
Sorry for the late response. Yes, I also noticed that there is a problem with our current implementation. -
Even though it works, from my experience on a Meteor Lake machine that uses MMIO above 512 GB, after some time (let's say 5 minutes) it will eventually crash (BSOD). -
Before mapping the above 512 GB, the device crashed immediately, but right now I confirmed that it works and the functionality is correct (since I was able to play music using the HD Audio device that we mapped above 512 GB), but again, at random places, it crashes the system. -
I tried to find the problem, but I couldn't find a definite pattern for the BSOD from which I could draw a conclusion, but I expect it to be because of this way of mapping it. -
-
Hi, thanks for your kind words. Yes, you can disable or remove (and re-enable) commands using the 'event' command:
https://docs.hyperdbg.org/commands/debugging-commands/events
-
Also you can disable/enable events directly from the script engine:
https://docs.hyperdbg.org/commands/scripting-language/functions/events
-
-
🙏 - 29 October 2025 (4 messages)
-
Cannot do vmlaunch in Hyper-V? I enabled the nested virtualization via Set-Processor but after vmlaunch, it just hangs. -
For supporting Hyper-V, you need to implement all the requirements Microsoft specifies in the TLFS. Even HyperDbg is not fully compatible with the TLFS. -
-
Hell. - 30 October 2025 (1 messages)
-
Hey,
The '!hide' command is disabled for now because if we compile the hyperevade project along with HyperDbg, anti-viruses flag it, since it contains anti-debugging and anti-VM strings. For now, we disabled it to find a solution for it, but you can manually enable it and compile HyperDbg to use it. You just need to change this macro and re-compile HyperDbg:
https://github.com/HyperDbg/HyperDbg/blob/22096da60ed954172b9ebaf020754755231fdfd8/hyperdbg/hyperevade/header/pch.h#L31
- 31 October 2025 (1 messages)
-
Joined.