- 01 April 2026 (4 messages)
-
-
Joined. -
Ah, sorry I missed this message. It's on the todo list, I'm not personally working on it but there are other developers currently working on it. In Discord there is a channel for this, you could see conversations there. -
It's the matter of implementing an Intel e1000 driver for it, we tried it several times, but still not fully going through it. It's on the todo list but no one actively works on it as far as I know. - 02 April 2026 (2 messages)
-
[discord] <hydra_dragon_antivirus> hello -
Joined.
- 03 April 2026 (19 messages)
-
Joined. -
Hi -
[discord] <hydra_dragon_antivirus> I realized there's no AMD support, which maybe I should work on -
[discord] <hydra_dragon_antivirus> edit: typo -
Yes, feel free to work on it or if you have any proposal of how you can do it, you can discuss it here. -
Of course the best way of implementing it is using the debugger codes of HyperDbg and only add the AMD hypervisor part on top of it. -
But as we had a discussion earlier (I believe Artem told us) that it seems some hypervisor functionalities are different or they don't have some functionalities like MTF (Monitor Trap Flag) which HyperDbg uses a lot. So, maybe some of the functionalities need to be changed. -
[discord] <hydra_dragon_antivirus> yeah it's pretty hard to add -
👍 -
So the vmi mode is now also not available?
-
What do you mean by VMI mode? If you mean running HyperDbg in VMI mode over network, yes it has been supported for years. -
[discord] <learath2> On a scale of there is no way to it should be fine, how likely is hyperdbg to work with a com device provided by a usb serial interface on the debuggee? -
Well, a USB serial needs a driver to convert from usb to serial. HyperDbg right now only uses I/O instruction (IN/OUT) for serial communication, so it is not likely to work. -
[discord] <learath2> Another quick question, I had a bit of an issue with having to kill hyperdbg while it was connecting, now I can't start it again because it says "previous instance of service is not fully deleted". How can I fix that? -
Well, it is weird, because once you load HyperDbg (if you restart your computer), it should remove the previous VMM driver and reload it, so it might be a bug. Could you provide more information? -
[discord] <learath2> I guess restarting did fix it, maybe I accidentally woke it up from hibernation or something. Overall bizarre experience with the usb serial thing, it kinda sorta works but also doesn't work 😄 -
[discord] <learath2> The debugee thinks it managed to connect, it even thinks that synchronizing modules worked, but the debugger never really attaches, guess it's that the driver part just can't communicate through this fake serial connection, so it just never connects up -
[discord] <unrustled.jimmies> [reply]: someone posted this earlier, https://www.amazon.com/dp/B07SVV6DV6?ref=ppx_yo2ov_dt_b_fed_asin_title exposes an IO interface which can work with hyperdbg if your motherboard doesn't have a real port or even a header for one. you just need to change the port from 3f8 to whichever one it resolves to and recompile hyperdbg. -
Keep in mind that those require manual initialization though. So some code has to be written before going straight to io ports. I.e. it won’t work out of the box. - 04 April 2026 (11 messages)
-
Joined.
-
-
-
We disabled it due to antivirus detection for now. You can enable it and recompile it if you wish. -
I think you shouldn't disable any feature due to antiviruses. They will always flag things. Trying to make such a project obey them just returns diminishing results -
Well, I don’t really agree with this. Not having HyperDbg blocked or blacklisted by antivirus programs is a major advantage, and it generally makes it much more convenient for users to work with. -
jmp dword ptr [eax*4+On the same page]
-
ept hook How to handle reading and navigating to addresses on the same page?
-
@HughEverett
-
I wrote my own command recognizer but it sucks - it keeps failing all the time.
-
Can't seem to get the correct physical address
- 05 April 2026 (10 messages)
-
I'm not sure if I understand the question 🤔 -
Could you explain more? -
It's just the EPT causing the ping-pong effect
-
Because it read the entire 4kb page incorrectly, which caused the page to keep crashing when trying to read itself
-
But I've already added instruction recognition, and I'll manually modify the registers and then exit the exception, but I don't know why I keep getting errors when trying to get the physical address
-
I've perfectly fixed the jmp instruction, but movzx keeps failing to get the physical address and causing an exception because it does movzx first and then jmp
-
```asm
; --- Logic Start ---
; Location: Base + 0x1FB22D
; Opcode: 0F B6 04 03
MOVZX EAX, BYTE PTR [EBX+EAX]
; [!] Conflict Point 1:
; The instruction resides on this page. Execution requires reading
; data from page offset 0x260. Under an X-Only view, this read
; operation immediately triggers an EPT Read Violation.
; Location: Base + 0x1FB234
; Opcode: FF 24 85 58 B2 XX XX
JMP DWORD PTR [Base + 0x1FB258 + EAX*4]
; [!] Conflict Point 2:
; This is an indirect jump. The Jump Table is located at page
; offset 0x258. Similarly, in an X-Only view, reading the jump
; table address triggers an EPT Read Violation.
; --- Your Hook Point ---
; Location: Base + 0x1FB323 (Within the same 4KB page)
; Opcode: EB 0C
JMP Base + 0x1FB331
``` -
Technical Summary for Experts
Phenomenon: Installing an EPT Hook (Execute-Only) on this page results in extreme Ping-Ponging (millions of Exec and Read violation switches per second).
Core Issue: When MOVZX and JMP [mem] instructions are executed in an Execute-Only view, they attempt to read the Byte Table and Jump Table located within the same 4KB page. This forces the CPU to constantly toggle between the "Execution View" and the "Read/Write View" via VM-Exits.
Driver Bottleneck: The driver-level Instruction Emulator fails to successfully emulate these instructions—specifically the MOVZX with complex SIB addressing—making it impossible to complete the instruction without a permission-based view switch. -
@HyperDbgBot
-
The robot died?
- 06 April 2026 (2 messages)
-
If you mean HyperDbg trying to read the memory after putting EPT hook, it's not the case. HyperDbg accesses the memory from the VMX root-mode (not non-root). So, it doesn't create EPT Violations (and doesn't trigger event within the debugger). -
No worries. I've already taken care of it. We'll need to create specific instructions for recognition
- 08 April 2026 (6 messages)
-
Joined. -
-
Joined. -
?
-
Who has a good AMD Hyper framework
-
noirvisor - 09 April 2026 (3 messages)
-
Do you know that the mitigation flags in dwm.exe can't be modified from ring3?
-
U need ring 0 access to modify them, if of course you asked about it -
The dwm.exe in Windows 11 is a bit special, so you're right.
- 10 April 2026 (2 messages)
-
The user-mode debugger is still in the beta version and not stable. We decided to exclude it from this release and release it in future versions. If you want to test the user-mode debugger in VMI Mode, you should build HyperDbg with special instructions. Please follow the instruction here.
In contrast with the kernel debugger, the user debugger is still very basic and needs a lot of tests and improvements. We highly recommend not to run the user debugger in your bare metal system. Instead, run it on a supported virtual machine to won't end up with a Blue Screen of Death (BSOD) in your primary device. Please keep reporting the issues to improve the user debugger.
Is VMI mode no longer available on your local computer?
-
Why have some Windows 11 systems turned off VBS, but it turns back on automatically when I restart my computer?
- 11 April 2026 (5 messages)
-
It is available. VMI Mode was active from the very first start of HyperDbg and it is still active. -
Is it a new thing? I noticed that on Windows 11 25h2 the way that we need to disable VBS is different (HyperDbg docs are now updated with that), but I didn't see that it enables itself after restart. -
Maybe they added this new re-enabling mechanism (just like Windows Defender that automatically re-enables itself). I don't have any idea. -
@HughEverett Is there anything we can do right now?
-
I don't have any solution for this. There might be some registry keys to help but that I'm not aware of. - 12 April 2026 (6 messages)
-
-
And remote debugging of a physical machine via uart/ethernet is not yet available?
-
No, not yet. It supports debugging a remote machine in VMI mode (not Debugger Mode) over ethernet. -
Did I understand correctly that it is possible to work with vmi mode via Ethernet(remote physical machine)?
-
yes it works. you need to use the '.connect' command with an IP address. -
But again, it works as VMI Mode (not Debugger Mode). - 13 April 2026 (2 messages)
-
Are there any recent issues with HyperDbg? I’m planning to study it, so I’d appreciate it if you could share any information. -
Hi,
What kind of issue? - 14 April 2026 (17 messages)
-
0: kHyperDbg> .start path C:\Windows\notepad.exe
debuggee is running...
(13:27:43.880 - core : 0 - vmx-root? no) [+] Information (ExecTrapInitialize:388) | Your processor doesn't support Mode-Based Execution Controls (MBEC), which is a needed feature for this functionality :(
MBEC is available on processors starting from the 7th generation (Kaby Lake) and onwards
err, the user debugger cannot be initialized (c0000055)
Are there any other ways to track the launch of a specific process/driver? ) -
[discord] <fexsped> are MSRs different for each core on a cpu? -
It depends on the msr. Volume 4 of Intel sdm explicitly mentions which msr is shared at thread, core or package level. -
[discord] <fexsped> [reply]: I didnt know this, thanks a ton -
[discord] <fexsped> do other vendors like amd and even arm have a 5k page manual? -
Yes, it is normal :) -
50+ years of technology is packed into a document -
[discord] <fexsped> is the intel manual relevant? why do they keep calling it IA-32/64? Isn't that their failed old architecture? -
Of course it is. And it’s being constantly updated. There are many names for the architecture and I can’t remember which exact term Intel uses in the manual. The only catch is IA64 - this is actually Itanium. -
[discord] <fexsped> so ia-32 is x86_64? -
I’d say x86 (32 bit) is sometimes referred as IA32. -
x64 may be x86_64, AMD64, IA32e -
[discord] <fexsped> confusing asl ngl -
Couldn't you use '.process pid <XXX>' to switch to the memory layout of the process instead? -
Of course, I just want to track the process from the very launch. And while the process is not running, I don't know its pid. Someone seemed to suggest a solution through epthook...
-
something similar to this might help:
!syscall script {
if (strcmp($pname, "Test.exe") == 0) {
//
// Some scripts
//
pause();
}
} -
or with the !epthook, you can check it this way - 15 April 2026 (6 messages)
-
[discord] <janlittle> I'd like to ask if it's normal that after I remotely connect to a VMware virtual machine, my terminal gets stuck and unresponsive, and I can't type anything, even `CTRL+C` doesn't work? here is some information from the two terminals
host:
```
HyperDbg> .debug remote namedpipe \\.\pipe\HyperDbgDebug
waiting for debuggee to connect...
connected to debuggee Windows 10 Home - Client 24H2 (OS Build 26100)
getting symbol details...
fffff805`b8a86140 0F 01 F8 swapgs
```
client:
```
HyperDbg> .debug prepare serial 115200 com1
the service (driver) already exists
trying to remove the old instance of the driver first
warning, failed to stop the driver. Possible reasons include the driver not currently running or an unsuccessful unload from a previous run. This is not an error, HyperDbg tries to remove the previous driver and load it again (426)
the old instance of the driver is removed successfully
installing the driver again
current processor vendor is : GenuineIntel
virtualization technology is vt-x
vmx operation is supported by your processor
vmm module is running...
synchronizing modules' symbol details
``` -
[discord] <janlittle> well, it looks like it will work fine after just one rerun😂 -
Arm has the conveniently named ARM (Architecture Reference Manual). 15k pages, impossible to read -
Ia64 refers to itanium, not x86_64. X86_64 is amd64 -
Ia32-e refers to x86_64 as well -
Joined. - 16 April 2026 (11 messages)
-
Are you guys using DR or EPT with AMD CPUs right now, or is there something new?
-
Because AMD doesn't allow setting read-only exceptions
-
[discord] <fexsped> Is AMD less open than Intel? -
[discord] <fexsped> why is hyperdbg only on Intel? -
[discord] <hydra_dragon_antivirus> [reply]: look at reddbg -
[discord] <hydra_dragon_antivirus> also I forked reddbg -
They both have their quirks -
Depends on "what" you mean by open -
Amd svm and intel vtx are fundamentally different -
And I heard Sina saying about lack of monitor trap flag -
However it can be emulated with other trickery i guess - 17 April 2026 (11 messages)
-
[discord] <fexsped> [reply]: By open I mean which one has more documentation I guess -
[discord] <fexsped> is it a lot harder to do whats being done on intel but on amd? -
Amd has more i guess. I like their manuals -
No. They both support same things one way or another. Implementation may change though -
It releases BIOS and kernel developer's guides for its processors, which provide nice reads -
[discord] <fexsped> [reply]: then why was intel chosen? are there any advantages? -
There are more sources and projects around VT-x -
Also monitor trap flag -
Even though intel is more annoying than amd at first -
You get used to it -
[discord] <hydra_dragon_antivirus> [reply]: reactos, linux etc. have already intel related codes - 18 April 2026 (4 messages)
-
[discord] <fexsped> what is this monitor trap flag? -
[discord] <fexsped> > The MTF is a bit in the VMCS that triggers Monitor Trap Flag VMEXITs on certain instruction boundaries while in a guest. -
[discord] <fexsped> so the mtf is a vmcs bit that triggers mtf -
Yes, the behavior of it is similar to rflags' trap flag but in VMCS. - 19 April 2026 (4 messages)
-
Hi guys
-
I've just started learning about VMX and I'd like to eventually contribute to hyperdbg
-
Can you give me any advice or resources ?
-
I'm currently going through this tutorial series https://rayanfam.com/topics/hypervisor-from-scratch-part-1/
- 20 April 2026 (18 messages)
-
Joined.
-
Hey, I think the best resource for learning HyperDbg is reading "Hypervisor From Scratch," since HyperDbg is the extended project of "Hypervisor From Scratch." -
Thank you. Already reached the 3rd part. Good stuff.
-
and then you can also see the HyperDbg tutorial from OpenSecurityTraining to see how you can use HyperDbg and how it is being used. -
sure thing. -
Hopefully, I'll be able to contribute to the project in the next few months
-
Thanks
-
👍 -
Does anyone know why installing the EPT hook on Win11 causes the computer to freeze, but doesn't crash it - just freezes everything up?
-
This issue only happens on my Win11 system. Intel CPU
-
There was a small error with EPT hooks in HyperDbg v0.18 which is fixed in v0.18.1. Are you using the latest version? -
Could you explain how you fixed it? I'm making my own hyper
-
Did updating solve the problem? -
I think someone from the group fixed it, it was about a problem they were encountering on a specific type of CPU, which later I noticed that I had the same problem and that update fixed the problem. -
Let me see if I could find his/her message. -
Yes, I think the PR from @clauvio fixed this problem. -
fix by change to tracking VA when split pages · HyperDbg/HyperDbg@bff7f7b
-
[discord] <hydra_dragon_antivirus> [reply]: https://github.com/tandasat/SimpleSvm also you can look at this if you don't like reddbg
- 21 April 2026 (12 messages)
-
Why mine! Can't use the hide command? Do you want to compile it yourself??
-
😭
-
HyperDbg seems to have been detected. Is there any working version of !hide available?
-
[discord] <fexsped> [reply]: isnt reddbg dead? -
Yes, it's not continued AFAIK. -
You need to build HyperDbg with custom flags (pragmas) to enable the '!hide' command. -
[discord] <fexsped> [reply]: why was it even a separate project? cant you establish a common base and then have most of the code work for both? -
So, the idea was to first make a separate project with the same capabilities and then merge it with HyperDbg (e.g., using the same routines for the script engine or anything that is within the hyperkd project). -
[discord] <fexsped> yeah and I can see it failed, thats why I was wondering if amd really is less open -
[discord] <fexsped> or was it just no maintainer support -
In the end, for an AMD based debugger, we just need to manipulate hyperhv project and the hyperkd project should remain untouched or with least modifications. -
Well, I think we need to spend more time on it. At least for me, I have never had an AMD CPU to work with it. Right now, there are plans to support Linux in the future (hopefully), and AMD support has lower priority. - 22 April 2026 (17 messages)
-
Joined. -
Joined.
-
[discord] <hydra_dragon_antivirus> [reply]: Yeah -
I used:
```
!epthook 00007FFC7ADDE8C0 script{
if (strcmp($pname, "Wubx64.exe") == 0) {
printf("Process name: %s\n", $pname);
printf("PID process: %d\n", $pid);
printf("TID process: %d\n", $tid);
pause();
}
}
```
then I tried to catch all the cpuid process events:
!cpuid pid 7648 <-- $pid
but nothing came... 😔 pause is it working too long? -
[discord] <hanzohattori91> guys one question about https://rayanfam.com/topics/hypervisor-from-scratch-part-3/ since I guess hyperdbg was built on it so I think it's related
-
[discord] <hanzohattori91> in the article, the number of logical cores was calculated through this
```c
KAFFINITY AffinityMask;
for (size_t i = 0; i < KeQueryActiveProcessors(); i++)
{
AffinityMask = MathPower(2, i);
KeSetSystemAffinityThread(AffinityMask);
DbgPrint("=====================================================");
DbgPrint("Current thread is executing in %d th logical processor.", i);
// run code here
}
``` -
[discord] <hanzohattori91> but KeQueryActiveProcessors() returns a bitmask not a counter -
There was a small problem with the '!cpuid' command which is now fixed in the 'dev' branch. You can 'git pull' and use it but in general if the hook is not triggered, it means that it is basically never called/executed. For CPUID, as long as there is no CPUID instruction in the target process, there won't be any triggering event. -
If I use !cpuid stage post script (@rax=0..
will it have time to replace the register value? -
Yes, actually it is not a very efficient way of handling the core affinity as it's a 32-bit mask. So, technically it couldn't handle more than 32 cores. But if you look at HyperDbg's code there are broadcasting functions (just search for functions that start with 'Broadcast') and that is the correct way of handling core broadcasting (with the help of DPCs). -
I think it is even fixed (and explained in the later parts of hypervisor from scratch, maybe part 7 or 8) but i'm not sure -
Well, just a few hours ago I updated the docs.hyperdbg.org for the '!cpuid' command for the exact same reason. It is interesting that you also came across this problem just now. 😅 -
And the answer is 'Yes'. At the !cpuid post stage, the 'RAX' is already modified by HyperDbg's emulation and it is changed as the result of the emulation, so it couldn't be used as EAX index since it is changed. -
Instead you need to use the '$context' pseudo-register which remains the same regardless of any change in the EAX register. -
This was a note that I added to the docs: -
Very obfuscated code repeatedly calls rdtsc. The hypervisor starts to catch it and hangs on it ... can it be fixed somehow? ;)
-
[discord] <hanzohattori91> [reply]: What confuses me even more is that it worked on my vm 😅 I gave it two cores so the affinity should be 11 and thus that loop should run 3 times but it runs only two times i.e. dbgPrint doesn't print more than twice. - 26 April 2026 (9 messages)
-
This type of VM-exit is really hard to handle. In my experience, handling rdtsc/p vm-exits makes the system super unstable. -
😅😅 -
Hi everyone,
Right now, we are working on adding support for the Intel Last Branch Record (LBR) to HyperDbg, but I came across something I'm not sure about. If anyone knows the answer to this question, I would appreciate it.
There are bits in IA32_DEBUGCTL to configure the LBR (first picture), and there is also IA32_LBR_SELECT, which we could use to filter LBR branches. -
-
Now, there is IA32_LBR_CTL that is described in Intel SDM for limiting LBRs to VMX non-root mode. -
IA32_LBR_CTL has an LBREn bit which enables the LBR. -
and it also has a set of filtering bits similar to IA32_LBR_SELECT. -
Now the question is, what is the difference between (IA32_DEBUGCTL + IA32_LBR_SELECT) with (IA32_LBR_CTL)? 🤔 -
To me, they just seem the same (AI also said one is legacy while the other is the newer version). This article also seems to have a quote about it, but I'm not sure if that is the case, nor which one is better to use. - 27 April 2026 (3 messages)
-
[discord] <unrustled.jimmies> IA32_LBR_CTL is the architectural LBR meaning its support is stabilized/guaranteed by the arch. The older one is kind of a model specific lbr (although it didn't vary per model that much but it could if intel wanted to change something).
VT-x also supports IA32_LBR_CTL virtualization so its managed for the guest automatically without a vmexit as you saw. Not sure the older one has that.
I guess the question is what is the min cpu hyperdbg supports. If you want to support the older version you might need to implement both and switch impl via cpuid. -
I think the older one (legacy) also works on newer processors, doesn't it? Also, the legacy one has the same effects as the architectural one when it comes to limiting LBR samples from VMX root-mode. -
[discord] <fexsped> how the hell does this discord bot work? - 28 April 2026 (6 messages)
-
Joined. -
you are right, it seems newer processors (I checked on an Intel core ultra 2xx) don't support the legacy LBR configuration. -
[discord] <hanzo in vmxon region> guys when populating the guest registers in vmcs ( https://rayanfam.com/topics/hypervisor-from-scratch-part-5/#configuring-vmcs ) why did we ignore LDT selectors?
```c
if (Selector & 0x4)
{
return FALSE;
}
```
-
[discord] <hanzo in vmxon region> is it something specific to windows ? -
LDT is largely unused. No major OS makes use of it -
[discord] <hanzo in vmxon region> thanks - 29 April 2026 (6 messages)
-
Joined.
-
Joined.
-
Major milestone forward for HyperDbg supporting #Linux.
We've made major progress on porting HyperDbg to Linux (still a long road ahead). Now the HyperDbg SDK can be compiled with GCC for both user/kernel modes on Linux.
More updates coming soon...👀
https://github.com/HyperDbg/HyperDbg/tree/dev/hyperdbg/linux
-
-
[discord] <unrustled.jimmies> [reply]: I'll have to check my CPUs (285k and 265h) to see what they support but only ArchLBR support def seems like the goal going forward. -
Joined. - 30 April 2026 (9 messages)
-
Joined. -
Can we talk about ways to bypass the detection here?
-
Because I found out the game checks for hyperdbg installation ept hook
-
what game is that -
👍 -
Please feel free to discuss the technical details of detection mechanisms and potential features we could add to HyperDbg to make it more transparent, especially for the HyperEvade project. However, please do not discuss specific game or vendor anti-cheats. It's not that we generally dislike anti-cheats, but talking about bypassing specific things usually creates legal problems. Even when it's not a legal issue, it often causes headaches based on past experiences. So, if we just discuss methods without mentioning a specific product, we all should be safe. -
+ -
hello guys I'm new to reverse engineering I don't know if I should be asking this here but I would appreciate some tips and links to some resources and such and just some help in general thank you all -
Joined.