HyperDbg : The Source Code Of HyperDbg Debugger

HyperDbg is designed with a focus on using modern hardware technologies to provide new features to the reverse engineering world. It operates on top of Windows by virtualizing an already running system using Intel VT-x and Intel PT.

This debugger aims not to use any APIs and software debugging mechanisms, but instead, it uses Second Layer Page Table (a.k.a. Extended Page Table or EPT) extensively to monitor both kernel and user executions.

HyperDbg comes with features like hidden hooks, which is as fast as old inline hooks, but also stealth. It mimics hardware debug registers for (read & write) to a specific location, but this time entirely invisible for both Windows kernel and the programs, and of course without any limitation in size or count!

Using TLB-splitting, and having features such as measuring code coverage and monitoring all mov(s) to/from memory by a function, makes HyperDbg a unique debugger.

Although it has novel features, HyperDbg tries to be as stealth as possible. It doesn’t use any debugging APIs to debug Windows or any application, so classic anti-debugging methods won’t detect it. Also, it resists the exploitation of time delta methods (e.g., RDTSC/RDTSCP) to detect the presence of hypervisors, therefore making it much harder for applications, packers, protectors, malware, anti-cheat engines, etc. to discover the debugger.

Unique Features

  • First Release (v0.1.0.0)
    • Classic EPT Hook (Hidden Breakpoint) [link][link]
    • Inline EPT Hook (Inline Hook) [link][link]
    • Monitor Memory For R/W (Emulating Hardware Debug Registers Without Limitation) [link][link]
    • SYSCALL Hook (Disable EFER & Handle #UD) [link][link]
    • SYSRET Hook (Disable EFER & Handle #UD) [link][link]
    • CPUID Hook & Monitor [link]
    • RDMSR Hook & Monitor [link]
    • WRMSR Hook & Monitor [link]
    • RDTSC/RDTSCP Hook & Monitor [link]
    • RDPMC Hook & Monitor [link]
    • VMCALL Hook & Monitor [link]
    • Debug Registers Hook & Monitor [link]
    • I/O Port (In Instruction) Hook & Monitor [link]
    • I/O Port (Out Instruction) Hook & Monitor [link]
    • MMIO Monitor
    • Exception (IDT < 32) Monitor [link][link]
    • External-Interrupt (IDT > 32) Monitor [link][link]
    • Running Automated Scripts [link]
    • Transparent-mode (Anti-debugging and Anti-hypervisor Resistance) [link]
    • Running Custom Assembly In Both VMX-root, VMX non-root (Kernel & User) [link]
    • Checking For Custom Conditions [link][link]
    • Script Engine [link][link][link]
    • VMX-root Compatible Message Tracing [link]
    • Powerful Kernel Side Scripting Engine [link][link]
    • Event Forwarding (#DFIR) [link][link]
    • Transparent Breakpoint Handler
    • Various Custom Scripts [link]

Installation

Please visit Build & Install and Quick Start for a detailed explanation of how to start with HyperDbg. You can also see FAQ for more information.

How does it work?

We explained about how HyperDbg internally works and how we designed its features in details, take a look at :

(https://docs.hyperdbg.com/design)

Here’s a diagram that shows how HyperDbg works !

Plugins

The plugin framework is not ready for the current version of HyperDbg. Future versions will support plugins.

Donations to charity

We spent thousands of hours on HyperDbg and it’s free and open-source for you, If you want to help to develop HyperDbg, please donate to children in Africa and send a picture of your donation to us, this makes all HyperDbg developers, super happy! Don’t hesitate to send us the pictures, this way we know that we’re doing something useful.

(https://www.compassion.com/donate/donate-to-children-in-africa.htm)

R K

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

6 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

6 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

6 days ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

6 days ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

6 days ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

1 week ago