Yeah, I think the video of both talks will also be published.

Slides and recordings for our @FOSDEM talks are up! Join [Björn Ruytenberg] and [Sina Karvandi] for an in-depth introduction into @HyperDbg 's features and internals, or find out what's the latest in anti-anti-debugging techniques and HV transparency for malware reversing:

- https://fosdem.org/2026/schedule/event/APB9WC-mbec_slat_and_hyperdbg_hypervisor-based_kernel-_and_user-mode_debugging/

- https://fosdem.org/2026/schedule/event/CDPRDX-invisible_hypervisors_debugging_with_hyperdbg/

@oa7331 This is a link both to slides and recordings of two talks. 👆

Hello. I set IA32_LSTAR to the address of my own assembly function in order to hook syscalls, but whatever I put inside it causes a crash.I copied someone's code, but again when the content of the assembly changes, it doesn't work anymore(even nop) . Do you have any idea what is the case? Tnx ❤️❤️

Hi! How exactly does it crash? DO you have any info about the exception?

When I load the driver, it crashes. No minidump. Just accsess violation.

How exactly do you set up your hook? Where does the code reside?

I just put 151 Instead of 36

Where do you see that it was access violation? Any additional info?

No, I didn't find any other information.

Can't figure out what you're trying to execute in your syscall handler. cmp, je? je where? what if not - there seems to be an invalid opcode (as shown in windbg)

Oh, wait, is Kernel Virtual Address Shadowing enabled on your system? It is anti-meltdown mitigation enabled by default. You kernel driver is not mapped when syscall is invoked, that's why it might fail.

What does the stack look like when it throws an access violation?

It worked, thank you. ❤️❤️❤️❤️

You’re welcome!

Has anyone isolated the source code for hyperdbg?

I’d like to ask whether the current version supports VT nested virtualization. If not, is there any plan to add it in the future？

What do you mean by source code isolation? 🤔

HyperDbg could run on nested virtualization environments (VMware nested virtualization) but it doesn't support nested virtualization for another hypervisor.

And right now, it is not on the list but patches are always welcome :)

I wrote my own hyperviter, but why does it run so slowly in a VM

Which vm? Nested virtualization is slow by nature. But it still should be usable. Trave your vmexits and do benchmarking via rdtsc

Yes, I use hvpp

Hvpp?

Hyper-V?

Or using host with VBS and windows filtering platform?

[discord] <jakob944> are there any plans to port HyperDbg to Linux yet?
I'm currently looking at implementing EPT Hooks in Linux and am brainstorming with the architecture.
What I've first thought about was gbd <-> qemu <-> kvm. I've build a qemu monitor which I trigger over gdb. Qemu called a kvm ioctl which then was supposed to set the breakpoint.
I stopped implementing the EPT logic in kvm thought, since I dislike how I'm debuging the whole guest OS instead of the specific programm only.
I now thought about leveraging kvm and try to modify it so it runs as Host Hypervisor, since coding the whole setup from scratch seems like a pretty big pain..

If someone has any experience or ideas what the best way to be, while leveraging existing tools already I'd appreciate input

Yes, there is a plan to port HyperDbg to Linux but it probably needs a lot of time since it is not that easy. @Alish014 is working on it at the moment. You can see the progress here:
https://github.com/HyperDbg/HyperDbg/tree/dev/hyperdbg/linux

But as I said, it won’t be that easy and will probably take a long time.

[discord] <jakob944> Sounds good, I might jump in and help out

yeah sure. you could aslo create a discussion here or on GitHub and coordinate with him regarding what should be done next.

[discord] <jakob944> I wanted to open a discussion on GH, it seems that a new thread/discussion is disabled thought

[discord] <jakob944> anyway, if there's help needed/wanted just let me know Alish. I'm currently looking for new project connected to Linux EPT Hooking

Hey Jakob,
I’ve just recently started working on this project, so I’m still exploring the direction and trying to understand the challenges involved.
At this stage, I don’t yet have a clear picture of whether we’ll need
Feel free to take a look at the Linux project directory and see if there’s anything you think could be improved
we can open a separate discussion to coordinate properly.

[discord] <easyantiheat> [reply]: did you consider supporting SVM or is technically a hassle ?

No, it's not on the to-do list for now. It definitely has its own technical difficulties, but we think that supporting Linux with the same structure would provide more benefits. Maybe SVM will also be supported in the future.

Supporting linux guests or hosts? Or both?

In any case, I think supporting SVM would be easier. API needs a lot of generalization.

Both of them.

Well, I think there are certain features that are not available in AMD virtualization like MTFs (Monitor Trap Flags)

If that's the case, we extensively use MTFs in HyperDbg, so we might even need to redesign certain things.

HyperDbg v0.18 is released! 🎉✨

This version adds support for including external scripts using #include in the script engine, as well as initial refactoring for potential future support for Linux.

Check it out:
https://github.com/HyperDbg/HyperDbg/releases/tag/v0.18

More information:
https://docs.hyperdbg.org/commands/scripting-language/casting-and-inclusion

wow, nice!

Thanks to @Alish014, Hari , and @xmaple555 for their contributions in this release.

[discord] <unrustled.jimmies> the cpu automatically disables LBR recording when a #DB exception is delivered and software needs to re-enable, not sure if this is handled or not but just an fyi.

Also take a look at LOAD/SAVE_DEBUG_CONTROLS entry/exit ctrls so you can only log the LBR of the guest.

[discord] <rayanfam> Do you have experience with LBR/BTS?

[discord] <rayanfam> I have another question, is BTS already deprecated? Or not?

[discord] <unrustled.jimmies> If by experience you mean completely bricking my system because i enabled 128mb IPT buffer in my bios then i guess 🤣

I've used LBR and ITH/PT (Intel Processor Trace + TraceHub (one of the destinations could be a buffer in memory like BTS)).

BTS seems like the pre-cursor (+ records only branches) to PT. Its def legacy but can't say if its deprecated or not tho or if/when it will no longer be in newer cpus.

does hyperdbg support qemu?

Guys, this is an English speaking group. Thanks for understanding. 🙂

Not yet (or at least I didn't check).

👍

Why should hyperdbg support this? KVM has nested virtualization. Guest hypervisors should work fine.

Well, I don't see a problem why it shouldn't be able to run HyperDbg in QEMU. They do have a VMX (VT-x) emulation, but usually things won't work without testing.

But I also don't understand why someone would need HyperDbg in QEMU, since QEMU is a full system emulator and provides a more comprehensive system view than HyperDbg, but at the cost of significantly slower performance.

https://github.com/HyperDbg/HyperDbg/issues/567

This one is an interesting observation. I didn't know there are systems that map regular OS stuff (RAM) above 512 GB in the physical memory.

Curious to know what could be the reason why they made such a design decision. 🤔

Where do you see the address above 512g?

Is this the one? core=0 pa=0x100d74000 - not like above 512g

There should not be physical addresses above 512g, even for MMIO. 512g is 39 bits, which is max phys address bit for ARL

Basically, CPU won't have enough lines to address a system address like this

I see that its in VMware, but it is also unlikely that vmware would mess with virtualized max phys address

yeah you're right. though I think he/she meant that it is tested differently for the physical address since this error message is not within regular HyperDbg log error codes.

I'm not sure I understand what's going on there tbh

@clauvio are you the one creating this issue? could you add more details on it?

yes,i had found the problem.
In EptGetPml1Entry func,
PML1 = (PEPT_PML1_ENTRY)PhysicalAddressToVirtualAddress(PML2Pointer->PageFrameNumber * PAGE_SIZE);
it return null on my laptop with U9-275HX
I don't know why

I tried another way to get it by Recording PML2 entry -> PML1 VA in EptSplitLargePage func,and it works on my pc then.

i have one i7-1165g7 laptop, tested the lastest version hyperdbg and no problem

I tagged that message because I first think that may be one of reason to cause this problem ,but I found that it seems not related to it

[discord] <unrustled.jimmies> Might be an issue with `MmGetVirtualForPhysical` returning junk for the given PA. (it just statically indexes into the PFNDB using bits from the PA).

maybe.So I tried to avoid using this

[discord] <staarblitz.> I was implementing MSR fuzzing for my hypervisor. But I hit a roadblock.
Changing host IDT freaks out WinDbg. After a few instructions, WinDbg hangs for 30 seconds, and then continues. I know WinDbg is so reliant on interrupts, but only thing I did was changing the #GP handler. Somehow in the next few lines of assembly (without me causing a #GP on purpose at all), I get a crash which has no indication of what went wrong:
```
0: kd> k
# Child-SP RetAddr Call Site
...
04 ffffe28e`924ff740 fffff804`cb0aeca8 nt!KiBugCheckDispatch+0x69
05 ffffe28e`924ff880 fffff804`6143e9cb nt!KiPageFault+0x468
06 ffffe28e`924ffa18 ffffffff`80001108 win_hv!run_vmx_guest+0xfb
07 ffffe28e`924ffa20 0000681e`0000681e 0xffffffff`80001108
08 ffffe28e`924ffa28 fffff804`614508f9 0x0000681e`0000681e
09 ffffe28e`924ffa30 fffff804`61440274 win_hv!x86::bits64::vmx::vmread+0x29
0a ffffe28e`924ffab0 fffff804`6144069f win_hv!hv::hypervisor::intel::guest::vmread+0x14 ]
0b ffffe28e`924ffb00 fffff804`6144f1d3 win_hv!hv::hypervisor::intel::guest::impl$0::run+0x15f
0c ffffe28e`924ffcf0 fffff804`6144e209 win_hv!hv::hypervisor::host::virtualize_core<hv::hypervisor::intel::Intel>+0x1c3
0d ffffe28e`924fff70 00000000`00000000 win_hv!hv::hypervisor::host::main+0x99
```

`win_hv!run_vmx_guest+0xfb` points to [.VmExit label](https://github.com/staarblitz/hxposed/blob/e4e5a5068c3b7e7aa00b08e8b9e0e3a3b9bc79b0/src/hvcore/src/hypervisor/intel/run_guest.S#L121C1-L121C9) `mov [r15 + registers_rax], rax`. R15 is `1`.

I tried using a custom host IDT through `vmwrite`, but it resulted in same. So I hijacked the existing IDT's #GP handler for each core. But that also resulted in the same problem. I suspect this might be due KVA/KPTI. But I am not very sure. Any of you guys have an idea?

On my tested Intel Core Ultra processor, MaxPhysAddr (physical address width reported by CPUID) is 42 bits (theoretical max physical address space: 4 TB).
On my tested 14th-gen processor, it is 39 bits (theoretical max: 512 GB).

Interesting, which exact model do you have?

It makes sense then

U9-275HX and i7-14700HX