• 01 April 2026 (4 messages)
  • @instw0 #11496 07:18 AM, 01 Apr 2026
    Hi! Is there support for remote debugging through Ethernet?)
  • @lastnameradeon #11497 07:31 AM, 01 Apr 2026
    Joined.
  • Ah, sorry I missed this message. It's on the todo list, I'm not personally working on it but there are other developers currently working on it. In Discord there is a channel for this, you could see conversations there.
  • It's the matter of implanting an Intel e1000 driver for it, we tried it several times, but still not fully going through it. It's on the todo list but no one actively works on it as far as I know.
  • 02 April 2026 (2 messages)
  • @HyperDbgBot #11500 b o t 08:37 PM, 02 Apr 2026
    [discord] <hydra_dragon_antivirus> hello
  • @hydradragonantivirus #11501 08:38 PM, 02 Apr 2026
    Joined.
  • 03 April 2026 (19 messages)
  • @8113253884 #11502 01:45 AM, 03 Apr 2026
    Joined.
  • @HyperDbgBot #11504 b o t 11:06 AM, 03 Apr 2026
    [discord] <hydra_dragon_antivirus> I realized there is no AMD support, which maybe I should work on
  • @HyperDbgBot #11505 b o t 11:33 AM, 03 Apr 2026
    [discord] <hydra_dragon_antivirus> edit: typo
  • Yes, feel free to work on it or if you have any proposal of how you can do it, you can discuss it here.
  • @HughEverett #11507 11:40 AM, 03 Apr 2026
    Of course the best way of implementing it is using the debugger code of HyperDbg and only adding the AMD hypervisor part on top of it.
  • @HughEverett #11508 11:42 AM, 03 Apr 2026
    But as we had a discussion earlier (I believe Artem told us), it seems some hypervisor functionalities are different or they don't have some functionalities like MTF (Monitor Trap Flag), which HyperDbg uses a lot. So, maybe some of the functionalities need to be changed.
  • @HyperDbgBot #11509 b o t 11:43 AM, 03 Apr 2026
    [discord] <hydra_dragon_antivirus> yeah it's pretty hard to add
  • 👍
  • @instw0 ↶ Reply to #11499 #11511 12:02 PM, 03 Apr 2026
    So the vmi mode is now also not available?
  • What do you mean by VMI mode? If you mean running HyperDbg in VMI mode over network, yes it is being supported for year.
  • @HyperDbgBot #11513 b o t 04:50 PM, 03 Apr 2026
    [discord] <learath2> On a scale of there is no way to it should be fine, how likely is hyperdbg to work with a com device provided by a usb serial interface on the debuggee?
  • Well, a USB serial needs a driver to convert from usb to serial. HyperDbg right now only uses I/O instruction (IN/OUT) for serial communication, so it is not likely to work.
  • @HyperDbgBot #11515 b o t 04:57 PM, 03 Apr 2026
    [discord] <learath2> Another quick question, I had a bit of an issue with having to kill hyperdbg while it was connecting, now I can't start it again because it says "previous instance of service is not fully deleted". How can I fix that?
  • Well, it is weird, because once you load HyperDbg (if you restart your computer), it should remove the previous VMM driver and reload it, so it might be a bug. Could you provide more information?
  • @HyperDbgBot #11517 b o t 05:08 PM, 03 Apr 2026
    [discord] <learath2> I guess restarting did fix it, maybe I accidentally woke it up from hibernation or something. Overall bizarre experience with the usb serial thing, it kinda sorta works but also doesn't work 😄
  • @HyperDbgBot #11518 b o t 05:10 PM, 03 Apr 2026
    [discord] <learath2> The debuggee thinks it managed to connect, it even thinks that synchronizing modules worked, but the debugger never really attaches, guess it's that the driver part just can't communicate through this fake serial connection, so it just never connects up
  • @HyperDbgBot #11519 b o t 05:28 PM, 03 Apr 2026
    [discord] <unrustled.jimmies> [reply]: someone posted this earlier, https://www.amazon.com/dp/B07SVV6DV6?ref=ppx_yo2ov_dt_b_fed_asin_title exposes an IO interface which can work with hyperdbg if your motherboard doesn't have a real port or even a header for one. you just need to change the port from 3f8 to whichever one it resolves to and recompile hyperdbg.
  • Keep in mind that those require manual initialization though. So some code has to be written before going straight to io ports. I.e. it won’t work out of the box.
  • 04 April 2026 (11 messages)
  • @8543932790 #11521 03:49 PM, 04 Apr 2026
    Joined.
  • @mariocy1 #11522 05:19 PM, 04 Apr 2026
    Joined.
  • @mariocy1 #11523 06:19 PM, 04 Apr 2026
    !hide is not working
  • We disabled it due to antivirus detection for now. You can enable it and recompile it if you wish.
  • @staarblitz #11525 06:27 PM, 04 Apr 2026
    I think you shouldn't disable any feature due to antiviruses. They will always flag things. Trying to make such a project obey them just returns diminishing results
  • Well, I don’t really agree with this. Not having HyperDbg blocked or blacklisted by antivirus programs is a major advantage, and it generally makes it much more convenient for users to work with.
  • @getting458 #11527 08:36 PM, 04 Apr 2026
    jmp dword ptr [eax*4+On the same page]
  • @getting458 #11528 08:36 PM, 04 Apr 2026
    ept hook How to handle reading and navigating to addresses on the same page?
  • @getting458 #11529 08:36 PM, 04 Apr 2026
    @HughEverett
  • @getting458 #11530 08:37 PM, 04 Apr 2026
    I wrote my own command recognizer but it sucks - it keeps failing all the time.
  • @getting458 #11531 08:37 PM, 04 Apr 2026
    Can't seem to get the correct physical address
  • 05 April 2026 (10 messages)
  • I'm not sure if I understand the question 🤔
  • @HughEverett #11533 08:21 AM, 05 Apr 2026
    Could you explain more?
  • @getting458 #11534 10:52 AM, 05 Apr 2026
    It's just the EPT causing the ping-pong effect
  • @getting458 #11535 10:53 AM, 05 Apr 2026
    Because it read the entire 4kb page incorrectly, which caused the page to keep crashing when trying to read itself
  • @getting458 #11536 10:53 AM, 05 Apr 2026
    But I've already added instruction recognition, and I'll manually modify the registers and then exit the exception, but I don't know why I keep getting errors when trying to get the physical address
  • @getting458 #11537 10:55 AM, 05 Apr 2026
    I've perfectly fixed the jmp instruction, but movzx keeps failing to get the physical address and causing an exception because it does movzx first and then jmp
  • @getting458 #11538 10:58 AM, 05 Apr 2026
    ```
    ; --- Logic Start ---
    ; Location: Base + 0x1FB22D
    ; Opcode: 0F B6 04 03
    MOVZX EAX, BYTE PTR [EBX+EAX]
    ; [!] Conflict Point 1:
    ; The instruction resides on this page. Execution requires reading
    ; data from page offset 0x260. Under an X-Only view, this read
    ; operation immediately triggers an EPT Read Violation.

    ; Location: Base + 0x1FB234
    ; Opcode: FF 24 85 58 B2 XX XX
    JMP DWORD PTR [Base + 0x1FB258 + EAX*4]
    ; [!] Conflict Point 2:
    ; This is an indirect jump. The Jump Table is located at page
    ; offset 0x258. Similarly, in an X-Only view, reading the jump
    ; table address triggers an EPT Read Violation.

    ; --- Your Hook Point ---
    ; Location: Base + 0x1FB323 (Within the same 4KB page)
    ; Opcode: EB 0C
    JMP Base + 0x1FB331
    ```
  • @getting458 #11539 10:58 AM, 05 Apr 2026
    Technical Summary for Experts
    Phenomenon: Installing an EPT Hook (Execute-Only) on this page results in extreme Ping-Ponging (millions of Exec and Read violation switches per second).
    Core Issue: When MOVZX and JMP [mem] instructions are executed in an Execute-Only view, they attempt to read the Byte Table and Jump Table located within the same 4KB page. This forces the CPU to constantly toggle between the "Execution View" and the "Read/Write View" via VM-Exits.
    Driver Bottleneck: The driver-level Instruction Emulator fails to successfully emulate these instructions, specifically the MOVZX with complex SIB addressing, making it impossible to complete the instruction without a permission-based view switch.
  • @getting458 #11540 01:39 PM, 05 Apr 2026
    @HyperDbgBot
  • @getting458 #11541 01:39 PM, 05 Apr 2026
    The robot died?
  • 06 April 2026 (2 messages)
  • If you mean HyperDbg trying to read the memory after putting EPT hook, it's not the case. HyperDbg accesses the memory from the VMX root-mode (not non-root). So, it doesn't create EPT Violations (and doesn't trigger event within the debugger).
  • No worries. I've already taken care of it. We'll need to create specific instructions for recognition
  • 08 April 2026 (6 messages)
  • @7242493127 #11546 01:24 PM, 08 Apr 2026
    Joined.
  • @stbleet #11547 03:27 PM, 08 Apr 2026
    Joined.
  • @will_fix_it #11548 03:38 PM, 08 Apr 2026
    Joined.
  • @getting458 #11551 04:58 PM, 08 Apr 2026
  • @getting458 #11552 04:58 PM, 08 Apr 2026
    Who has a good AMD Hyper framework
  • noirvisor
  • 09 April 2026 (3 messages)
  • @getting458 #11554 07:34 PM, 09 Apr 2026
    Do you know that the mitigation flags in dwm.exe can't be modified from ring3?
  • U need 0 ring access to modify them, If of course you asked about it
  • The dwm.exe in Windows 11 is a bit special, so you're right.
  • 10 April 2026 (2 messages)
  • @instw0 ↶ Reply to #11512 #11558 12:22 PM, 10 Apr 2026
    The user-mode debugger is still in the beta version and not stable. We decided to exclude it from this release and release it in future versions. If you want to test the user-mode debugger in VMI Mode, you should build HyperDbg with special instructions. Please follow the instruction here.

    In contrast with the kernel debugger, the user debugger is still very basic and needs a lot of tests and improvements. We highly recommend not to run the user debugger in your bare metal system. Instead, run it on a supported virtual machine to won't end up with a Blue Screen of Death (BSOD) in your primary device. Please keep reporting the issues to improve the user debugger.
    Is VMI mode no longer available on your local computer?
    Build & Install | HyperDbg Documentation

  • @getting458 #11559 03:36 PM, 10 Apr 2026
    Why have some Windows 11 systems turned off VBS, but it turns back on automatically when I restart my computer?
  • 11 April 2026 (5 messages)
  • It is available. VMI Mode was active from the very first start of HyperDbg and it is still active.
  • Is it a new thing? I noticed that on Windows 11 25h2 the way that we need to disable VBS is different (HyperDbg docs is now updated with that), but I didn't see that it enables itself after restart.
  • @HughEverett #11562 09:13 AM, 11 Apr 2026
    Maybe they added this new re-enabling mechanism (just like Windows Defender that automatically re-enables itself). I don't have any idea.
  • @getting458 #11563 04:24 PM, 11 Apr 2026
    @HughEverett Is there anything we can do right now?
  • I don't have any solution for this. There might be some registry keys to help but I'm not aware of them.
  • 12 April 2026 (6 messages)
  • @NioraSo #11565 04:07 AM, 12 Apr 2026
    Joined.
  • @instw0 ↶ Reply to #11560 #11566 04:08 AM, 12 Apr 2026
    And remote debugging of a physical machine via uart/ethernet is not yet available?
  • no not yet. It supports debugging a remote machine in VMI mode (not Debugger Mode) over ethernet.
  • @instw0 ↶ Reply to #11567 #11568 12:18 PM, 12 Apr 2026
    Did I understand correctly that it is possible to work with vmi mode via Ethernet(remote physical machine)?
  • yes it works. you need to use the '.connect' command with an IP address.
  • @HughEverett #11570 12:22 PM, 12 Apr 2026
    But again, it works as VMI Mode (not Debugger Mode).
  • 13 April 2026 (2 messages)
  • @7242493127 #11571 04:24 PM, 13 Apr 2026
    Are there any recent issues with HyperDbg? I’m planning to study it, so I’d appreciate it if you could share any information.
  • Hi,
    What kind of issue?
  • 14 April 2026 (17 messages)
  • @instw0 ↶ Reply to #11569 #11573 10:32 AM, 14 Apr 2026
    ```
    0: kHyperDbg> .start path C:\Windows\notepad.exe
    debuggee is running...
    (13:27:43.880 - core : 0 - vmx-root? no) [+] Information (ExecTrapInitialize:388) | Your processor doesn't support Mode-Based Execution Controls (MBEC), which is a needed feature for this functionality :(
    MBEC is available on processors starting from the 7th generation (Kaby Lake) and onwards
    err, the user debugger cannot be initialized (c0000055)
    ```

    Are there any other ways to track the launch of a specific process/driver? )
  • @HyperDbgBot #11574 b o t 12:32 PM, 14 Apr 2026
    [discord] <fexsped> are MSRs different for each core on a cpu?
  • It depends on the msr. Volume 4 of Intel sdm explicitly mentions which msr is shared at thread, core or package level.
  • @HyperDbgBot #11576 b o t 12:36 PM, 14 Apr 2026
    [discord] <fexsped> [reply]: I didnt know this, thanks a ton
  • @HyperDbgBot #11577 b o t 12:36 PM, 14 Apr 2026
    [discord] <fexsped> do other vendors like amd and even arm have a 5k page manual?
  • @honorary_bot #11578 12:37 PM, 14 Apr 2026
    Yes, it is normal :)
  • @honorary_bot #11579 12:37 PM, 14 Apr 2026
    50+ years of technology is packed into a document
  • @HyperDbgBot #11580 b o t 12:42 PM, 14 Apr 2026
    [discord] <fexsped> is the intel manual relevant? why do they keep calling it IA-32/64? Isnt that their failed old architecture?
  • @honorary_bot #11581 12:45 PM, 14 Apr 2026
    Of course it is. And it’s being constantly updated. There are many names for the architecture and I can’t remember which exact term Intel uses in the manual. The only catch is IA64 - this is actually Itanium.
  • @HyperDbgBot #11582 b o t 12:48 PM, 14 Apr 2026
    [discord] <fexsped> so ia-32 is x86_64?
  • @honorary_bot #11583 12:52 PM, 14 Apr 2026
    I’d say x86 (32 bit) is sometimes referred as IA32.
  • @honorary_bot #11584 12:52 PM, 14 Apr 2026
    x64 may be x86_64, AMD64, IA32e
  • @HyperDbgBot #11585 b o t 01:26 PM, 14 Apr 2026
    [discord] <fexsped> confusing asl ngl
  • Couldn't you use '.process pid <XXX>' to switch to the memory layout of the process instead?
  • @instw0 ↶ Reply to #11586 #11587 02:28 PM, 14 Apr 2026
    Of course, I just want to track the process from the very launch. And while the process is not running, I don't know its pid. Someone seemed to suggest a solution through epthook...
  • something similar to this might help:

    ```
    !syscall script {
        if (strcmp($pname, "Test.exe") == 0) {
            //
            // Some scripts
            //
            pause();
        }
    }
    ```
  • @HughEverett #11589 02:31 PM, 14 Apr 2026
    or with the !epthook, you can check it this way
  • 15 April 2026 (6 messages)
  • @HyperDbgBot #11590 b o t 08:44 AM, 15 Apr 2026
    [discord] <janlittle> I'd like to ask if it's normal that after I remotely connect to a VMware virtual machine, my terminal gets stuck and unresponsive, and I can't type anything, even `CTRL+C` doesn't work? here is some information in two terminal
    host:
    ```
    HyperDbg> .debug remote namedpipe \\.\pipe\HyperDbgDebug
    waiting for debuggee to connect...
    connected to debuggee Windows 10 Home - Client 24H2 (OS Build 26100)
    getting symbol details...
    fffff805`b8a86140 0F 01 F8 swapgs

    ```
    client:
    ```
    HyperDbg> .debug prepare serial 115200 com1
    the service (driver) already exists
    trying to remove the old instance of the driver first
    warning, failed to stop the driver. Possible reasons include the driver not currently running or an unsuccessful unload from a previous run. This is not an error, HyperDbg tries to remove the previous driver and load it again (426)
    the old instance of the driver is removed successfully
    installing the driver again
    current processor vendor is : GenuineIntel
    virtualization technology is vt-x
    vmx operation is supported by your processor
    vmm module is running...
    synchronizing modules' symbol details
    ```
  • @HyperDbgBot #11591 b o t 09:57 AM, 15 Apr 2026
    [discord] <janlittle> well, it looks like it will work fine after just one rerun😂
  • Arm has conveniently named arm (architecture reference manual). 15k pages, impossible to read
  • Ia64 refers to itanium, not x86_64. X86_64 is amd64
  • @staarblitz #11594 11:55 AM, 15 Apr 2026
    Ia32-e refers to x86_64 as well
  • @Peter_LongX #11595 07:47 PM, 15 Apr 2026
    Joined.
  • 16 April 2026 (11 messages)
  • @getting458 #11596 12:24 PM, 16 Apr 2026
    Are you guys using DR or EPT with AMD CPUs right now, or is there something new?
  • @getting458 #11597 12:25 PM, 16 Apr 2026
    Because AMD doesn't allow setting read-only exceptions
  • @HyperDbgBot #11598 b o t 07:45 PM, 16 Apr 2026
    [discord] <fexsped> Is AMD less open than Intel?
  • @HyperDbgBot #11599 b o t 07:47 PM, 16 Apr 2026
    [discord] <fexsped> why is hyperdbg only on Intel?
  • @HyperDbgBot #11600 b o t 10:59 PM, 16 Apr 2026
    [discord] <hydra_dragon_antivirus> [reply]: look reddbg
  • @HyperDbgBot #11601 b o t 10:59 PM, 16 Apr 2026
    [discord] <hydra_dragon_antivirus> also I forked reddbg
  • They both have their quirks
  • @staarblitz #11603 11:08 PM, 16 Apr 2026
    Depends on "what" you mean by open
  • Amd svm and intel vtx are fundamentally different
  • @staarblitz #11605 11:08 PM, 16 Apr 2026
    And I heard Sina saying about lack of monitor trap flag
  • @staarblitz #11606 11:09 PM, 16 Apr 2026
    However it can be emulated with other trickery i guess
  • 17 April 2026 (11 messages)
  • @HyperDbgBot #11607 b o t 09:09 AM, 17 Apr 2026
    [discord] <fexsped> [reply]: By open I mean which one has more documentation I guess
  • @HyperDbgBot #11608 b o t 09:10 AM, 17 Apr 2026
    [discord] <fexsped> is it a lot harder to do whats being done on intel but on amd?
  • Amd has more i guess. I like their manuals
  • No. They both support same things one way or another. Implementation may change though
  • It releases bios and kernel developer's guides for its processors, which provides nice reads
  • @HyperDbgBot #11612 b o t 09:36 AM, 17 Apr 2026
    [discord] <fexsped> [reply]: then why was intel chosen? are there any advantages?
  • @staarblitz #11613 11:54 AM, 17 Apr 2026
    There are more sources and projects around VT-x
  • @staarblitz #11614 11:54 AM, 17 Apr 2026
    Also monitor trap flag
  • @staarblitz #11615 11:54 AM, 17 Apr 2026
    Even though intel is more annoying than amd at first
  • @staarblitz #11616 11:54 AM, 17 Apr 2026
    You get used to it
  • @HyperDbgBot #11617 b o t 01:25 PM, 17 Apr 2026
    [discord] <hydra_dragon_antivirus> [reply]: reactos, linux etc. have already intel related codes
  • 18 April 2026 (4 messages)
  • @HyperDbgBot #11618 b o t 07:23 AM, 18 Apr 2026
    [discord] <fexsped> what is this monitor trap flag?
  • @HyperDbgBot #11619 b o t 07:27 AM, 18 Apr 2026
    [discord] <fexsped> > The MTF is a bit in the VMCS that triggers Monitor Trap Flag VMEXITs on certain instruction boundaries while in a guest.
  • @HyperDbgBot #11620 b o t 07:27 AM, 18 Apr 2026
    [discord] <fexsped> so the mtf is a vmcs bit that triggers mtf
  • Yes, the behavior of it is similar to rflags' trap flag but in VMCS.
  • 19 April 2026 (4 messages)
  • @el_chiringuito1 #11622 11:39 PM, 19 Apr 2026
    Hi guys
  • @el_chiringuito1 #11623 11:40 PM, 19 Apr 2026
    I've just started learning about VMX and I'd like to eventually contribute to hyperdbg
  • @el_chiringuito1 #11624 11:40 PM, 19 Apr 2026
    Can you give me any advice or resources ?
  • @el_chiringuito1 #11625 11:41 PM, 19 Apr 2026
    I'm currently going through this tutorial series https://rayanfam.com/topics/hypervisor-from-scratch-part-1/
    Hypervisor From Scratch - Part 1: Basic Concepts & Configure Testing Environment

  • 20 April 2026 (18 messages)
  • @8734829868 #11626 01:36 PM, 20 Apr 2026
    Joined.
  • Hey, I think the best resource for learning HyperDbg is reading "Hypervisor From Scratch," since HyperDbg is the extended project of "Hypervisor From Scratch."
  • @el_chiringuito1 #11628 02:35 PM, 20 Apr 2026
    Thank you. Already reached the 3rd part. Good stuff.
  • and then you can also see HyperDbg tutorial from OpenSecurityTrainings to see how you can use HyperDbg and how it is being used.
  • sure thing.
  • @el_chiringuito1 #11631 02:35 PM, 20 Apr 2026
    Hopefully, I'll be able to contribute to the project in the next few months
  • @el_chiringuito1 #11632 02:35 PM, 20 Apr 2026
    Thanks
  • 👍
  • @getting458 #11634 03:57 PM, 20 Apr 2026
    Does anyone know why installing the EPT hook on Win11 causes the computer to freeze, but doesn't crash it - just freezes everything up?
  • @getting458 #11635 03:57 PM, 20 Apr 2026
    This issue only happens on my Win11 system. Intel CPU
  • There was a small error with EPT hooks in HyperDbg v0.18 which is fixed in v0.18.1. Are you using the latest version?
  • @getting458 #11637 06:54 PM, 20 Apr 2026
    Could you explain how you fixed it? I'm making my own hyper
  • Did updating solve the problem?
  • @HughEverett #11639 07:58 PM, 20 Apr 2026
    I think someone from the group fixed it, it was about a problem they were encountering on a specific type of CPU, which later I noticed that I had the same problem and that update fixed the problem.
  • @HughEverett #11640 07:59 PM, 20 Apr 2026
    Let me see if I could find his/her message.
  • Yes, I think the PR from @clauvio fixed this problem.
  • fix by change to tracking VA when split pages · HyperDbg/HyperDbg@bff7f7b

  • @HyperDbgBot #11643 b o t 10:17 PM, 20 Apr 2026
    [discord] <hydra_dragon_antivirus> [reply]: https://github.com/tandasat/SimpleSvm also you can look this if you don't like reddbg
    GitHub - tandasat/SimpleSvm: A minimalistic educational hypervisor for Windows on AMD processors.

  • 21 April 2026 (12 messages)
  • @8734829868 #11644 10:09 AM, 21 Apr 2026
    Why mine! Can't use the hide command? Do you want to compile it yourself??
  • @8734829868 #11645 10:54 AM, 21 Apr 2026
    😭
  • @8734829868 #11646 10:56 AM, 21 Apr 2026
    HyperDbg seems to have been detected. Is there any working version of !hide available?
  • @HyperDbgBot #11647 b o t 03:41 PM, 21 Apr 2026
    [discord] <fexsped> [reply]: isnt reddbg dead?
  • Yes, it's not continued AFAIK.
  • You need to build HyperDbg with custom flags (pragmas) to enable the '!hide' command.
  • @HyperDbgBot #11651 b o t 06:48 PM, 21 Apr 2026
    [discord] <fexsped> [reply]: why was it even a separate project? cant you establish a common base and then have most of the code work for both?
  • So, the idea was to first make a separate project with same capabilities and then merge it with HyperDbg (e.g., using the same routines for the script engine or anything that is within the hyperkd project).
  • @HyperDbgBot #11653 b o t 06:50 PM, 21 Apr 2026
    [discord] <fexsped> yeah and I can see it failed, thats why I was wondering if amd really is less open
  • @HyperDbgBot #11654 b o t 06:51 PM, 21 Apr 2026
    [discord] <fexsped> or was it just no maintainer support
  • @HughEverett #11655 06:51 PM, 21 Apr 2026
    In the end, for an AMD based debugger, we just need to manipulate hyperhv project and the hyperkd project should remain untouched or with least modifications.
  • Well, I think we need to spend more time on it. At least for me, I have never had an AMD CPU to work with it. Right now, there are plans to support Linux in the future (hopefully), and AMD support has lower priority.
  • 22 April 2026 (17 messages)
  • @8022459998 #11657 03:10 AM, 22 Apr 2026
    Joined.
  • @huixing678 #11658 09:23 AM, 22 Apr 2026
    Joined.
  • @HyperDbgBot #11659 b o t 10:28 AM, 22 Apr 2026
    [discord] <hydra_dragon_antivirus> [reply]: Yeah
  • @instw0 ↶ Reply to #11588 #11660 10:36 AM, 22 Apr 2026
    I used:
    ```
    !epthook 00007FFC7ADDE8C0 script{
        if (strcmp($pname, "Wubx64.exe") == 0) {
            printf("Process name: %s\n", $pname);
            printf("PID proccess: %d\n", $pid);
            printf("TID proccess: %d\n", $tid);
            pause();
        }
    }
    ```

    then I tried to catch all the cpuid process events:
    !cpuid pid 7648 <-- $pid

    but nothing came... 😔 pause is it working too long?
  • @HyperDbgBot #11661 b o t 01:33 PM, 22 Apr 2026
    [discord] <hanzohattori91> guys one question about https://rayanfam.com/topics/hypervisor-from-scratch-part-3/ since I guess hyperdbg was built on it so I think it's related
    Hypervisor From Scratch – Part 3: Setting up Our First Virtual Machine

  • @HyperDbgBot #11662 b o t 01:34 PM, 22 Apr 2026
    [discord] <hanzohattori91> in the article, the number of logical cores was calculated through this
    ```c
    KAFFINITY AffinityMask;
    for (size_t i = 0; i < KeQueryActiveProcessors(); i++)
    {
        AffinityMask = MathPower(2, i);
        KeSetSystemAffinityThread(AffinityMask);

        DbgPrint("=====================================================");
        DbgPrint("Current thread is executing in %d th logical processor.", i);

        // run code here
    }
    ```
  • @HyperDbgBot #11663 b o t 01:34 PM, 22 Apr 2026
    [discord] <hanzohattori91> but KeQueryActiveProcessors() returns a bitmask not a counter
  • There was a small problem with the '!cpuid' command which is now fixed in the 'dev' branch. You can 'git pull' and use it but in general if the hook is not triggered, it means that it is basically never called/executed. For CPUID, as long as there is no CPUID instruction in the target process, there won't be any triggering event.
  • @instw0 ↶ Reply to #11664 #11665 04:31 PM, 22 Apr 2026
    If I use !cpuid stage post script (@rax=0..
    will it have time to replace the register value?
  • Yes, actually it is not a very efficient way of handling the core affinity as it's a 32-bit mask. So, technically it couldn't handle more than 32 cores. But if you look at HyperDbg's code there are broadcasting functions (just search for functions that start with 'Broadcast') and that is the correct way of handling core broadcasting (with the help of DPCs).
  • I think it is even fixed (and explained in the later parts of hypervisor from scratch, maybe part 7 or 8) but i'm not sure
  • Well, just a few hours ago I updated the docs.hyperdbg.org for the '!cpuid' command for the exact same reason. It is interesting that you also came across this problem just now. 😅
  • And the answer is 'Yes'. At the !cpuid post stage, the 'RAX' is already modified by HyperDbg's emulation and it is changed as the result of the emulation, so it couldn't be used as EAX index since it is changed.
  • @HughEverett #11670 04:35 PM, 22 Apr 2026
    Instead you need to use the '$context' pseudo-register which remains the same regardless of any change in the EAX register.
  • This was a note that I added to the docs:
  • @instw0 ↶ Reply to #11668 #11672 05:44 PM, 22 Apr 2026
    Very obfuscated code repeatedly calls rdtsc. The hypervisor starts to catch it and hangs on it ... can it be fixed somehow? ;)
  • @HyperDbgBot #11673 b o t 05:48 PM, 22 Apr 2026
    [discord] <hanzohattori91> [reply]: What confuses me even more is that it worked on my vm 😅 I gave it two cores so the affinity should be 11 and thus that loop should run 3 times but it runs only two times i.e. dbgPrint doesn't print more than twice.
  • 26 April 2026 (9 messages)
  • This type of VM-exit is really hard to handle. In my experience, handling rdtsc/p vm-exits makes the system super unstable.
  • 😅😅
  • @HughEverett #11676 08:10 PM, 26 Apr 2026
    Hi everyone,

    Right now, we are working on adding support for the Intel Last Branch Record (LBR) to HyperDbg, but I came across something I'm not sure about. If anyone knows the answer to this question, I would appreciate it.

    There are bits in IA32_DEBUGCTL to configure the LBR (first picture), and there is also IA32_LBR_SELECT, which we could use to filter LBR branches.
  • @HughEverett #11678 08:10 PM, 26 Apr 2026
    Now, there is IA32_LBR_CTL that is described in Intel SDM for limiting LBRs to VMX non-root mode.
  • @HughEverett #11679 08:11 PM, 26 Apr 2026
    IA32_LBR_CTL has an LBREn bit which enables the LBR.
  • and it also has a set of filtering bits similar to IA32_LBR_SELECT.
  • @HughEverett #11681 08:13 PM, 26 Apr 2026
    Now the question is, what is the difference between (IA32_DEBUGCTL + IA32_LBR_SELECT) with (IA32_LBR_CTL)? 🤔
  • To me, they just seem the same (AI also said one is legacy while the other is the newer version). This article also seems to have a quote about it, but I'm not sure if that is the case, nor which one is better to use.
  • 27 April 2026 (3 messages)
  • @HyperDbgBot #11683 b o t 01:50 AM, 27 Apr 2026
    [discord] <unrustled.jimmies> IA32_LBR_CTL is the architectural LBR meaning its support is stabilized/guaranteed by the arch. The older one is kind of a model specific lbr (although it didn't vary per model that much but it could if intel wanted to change something).

    VT-x also supports IA32_LBR_CTL virtualization so its managed for the guest automatically without a vmexit as you saw. Not sure the older one has that.

    I guess the question is what is the min cpu hyperdbg supports. If you want to support the older version you might need to implement both and switch impl via cpuid.
  • I think the older one (legacy) also works on newer processors, doesn't it? Also, the legacy one has the same effects as the architectural one when it comes to limiting LBR samples from VMX root-mode.
  • @HyperDbgBot #11686 b o t 11:29 AM, 27 Apr 2026
    [discord] <fexsped> how the hell does this discord bot work?
  • 28 April 2026 (6 messages)
  • @baojianguo #11687 06:52 AM, 28 Apr 2026
    Joined.
  • you are right, it seems newer processors (I checked on an Intel core ultra 2xx) don't support the legacy LBR configuration.
  • @HyperDbgBot #11689 b o t 10:40 PM, 28 Apr 2026
    [discord] <hanzo in vmxon region> guys when populating the guest registers in vmcs ( https://rayanfam.com/topics/hypervisor-from-scratch-part-5/#configuring-vmcs ) why did we ignore LDT selectors

    ```c
    if (Selector & 0x4)
    {
        return FALSE;
    }
    ```
    Hypervisor From Scratch – Part 5: Setting up VMCS & Running Guest Code

  • @HyperDbgBot #11690 b o t 10:41 PM, 28 Apr 2026
    [discord] <hanzo in vmxon region> is it something specific to windows ?
  • @staarblitz #11691 11:11 PM, 28 Apr 2026
    LDT is largely unused. No major OS makes use of it
  • @HyperDbgBot #11692 b o t 11:44 PM, 28 Apr 2026
    [discord] <hanzo in vmxon region> thanks
  • 29 April 2026 (6 messages)
  • @panghu_boss #11693 01:19 AM, 29 Apr 2026
    Joined.
  • @2017003655 #11694 10:12 AM, 29 Apr 2026
    Joined.
  • @hyperdbg_io #11695 02:35 PM, 29 Apr 2026
    Major milestone forward for HyperDbg supporting #Linux.

    We've made a major progress on porting HyperDbg to Linux (still a long road ahead). Now the HyperDbg SDK can be compiled with GCC for both user/kernel modes on Linux.

    More updates coming soon...👀

    https://github.com/HyperDbg/HyperDbg/tree/dev/hyperdbg/linux
    HyperDbg/hyperdbg/linux at dev · HyperDbg/HyperDbg

  • @sshi1337 #11696 05:29 PM, 29 Apr 2026
    Nice
  • @HyperDbgBot #11697 b o t 06:51 PM, 29 Apr 2026
    [discord] <unrustled.jimmies> [reply]: I'll have to check my CPUs (285k and 265h) to see what they support but only ArchLBR support def seems like the goal going forward.
  • @QuantumChips #11698 11:13 PM, 29 Apr 2026
    Joined.
  • 30 April 2026 (9 messages)
  • @Chan_Kongsang #11699 03:45 AM, 30 Apr 2026
    Joined.
  • @getting458 #11700 04:55 PM, 30 Apr 2026
    Can we talk about ways to bypass the detection here?
  • @getting458 #11701 04:55 PM, 30 Apr 2026
    Because I found out the game checks for hyperdbg installation ept hook
  • what game is that
  • 👍
  • Please feel free to discuss the technical details of detection mechanisms and potential features we could add to HyperDbg to make it more transparent, especially for the HyperEvade project. However, please do not discuss specific game or vendor anti-cheats. It's not that we generally dislike anti-cheats, but talking about bypassing specific things usually creates legal problems. Even when it's not a legal issue, it often causes headaches based on past experiences. So, if we just discuss methods without mentioning a specific product, we all should be safe.
  • @QuantumChips #11706 08:10 PM, 30 Apr 2026
    hello guys I'm new to reverse engineering I don't know if I should be asking this here but I would appreciate some tips and links to some resources and such and just some help in general thank you all
  • Joined.