HyperDbg : The Source Code Of HyperDbg Debugger

HyperDbg is designed with a focus on using modern hardware technologies to provide new features to the reverse engineering world. It operates on top of Windows by virtualizing an already running system using Intel VT-x and Intel PT.

This debugger aims not to use any APIs and software debugging mechanisms, but instead, it uses Second Layer Page Table (a.k.a. Extended Page Table or EPT) extensively to monitor both kernel and user executions.

HyperDbg comes with features like hidden hooks, which is as fast as old inline hooks, but also stealth. It mimics hardware debug registers for (read & write) to a specific location, but this time entirely invisible for both Windows kernel and the programs, and of course without any limitation in size or count!

Using TLB-splitting, and having features such as measuring code coverage and monitoring all mov(s) to/from memory by a function, makes HyperDbg a unique debugger.

Although it has novel features, HyperDbg tries to be as stealth as possible. It doesn’t use any debugging APIs to debug Windows or any application, so classic anti-debugging methods won’t detect it. Also, it resists the exploitation of time delta methods (e.g., RDTSC/RDTSCP) to detect the presence of hypervisors, therefore making it much harder for applications, packers, protectors, malware, anti-cheat engines, etc. to discover the debugger.

Unique Features

  • First Release (v0.1.0.0)
    • Classic EPT Hook (Hidden Breakpoint) [link][link]
    • Inline EPT Hook (Inline Hook) [link][link]
    • Monitor Memory For R/W (Emulating Hardware Debug Registers Without Limitation) [link][link]
    • SYSCALL Hook (Disable EFER & Handle #UD) [link][link]
    • SYSRET Hook (Disable EFER & Handle #UD) [link][link]
    • CPUID Hook & Monitor [link]
    • RDMSR Hook & Monitor [link]
    • WRMSR Hook & Monitor [link]
    • RDTSC/RDTSCP Hook & Monitor [link]
    • RDPMC Hook & Monitor [link]
    • VMCALL Hook & Monitor [link]
    • Debug Registers Hook & Monitor [link]
    • I/O Port (In Instruction) Hook & Monitor [link]
    • I/O Port (Out Instruction) Hook & Monitor [link]
    • MMIO Monitor
    • Exception (IDT < 32) Monitor [link][link]
    • External-Interrupt (IDT > 32) Monitor [link][link]
    • Running Automated Scripts [link]
    • Transparent-mode (Anti-debugging and Anti-hypervisor Resistance) [link]
    • Running Custom Assembly In Both VMX-root, VMX non-root (Kernel & User) [link]
    • Checking For Custom Conditions [link][link]
    • Script Engine [link][link][link]
    • VMX-root Compatible Message Tracing [link]
    • Powerful Kernel Side Scripting Engine [link][link]
    • Event Forwarding (#DFIR) [link][link]
    • Transparent Breakpoint Handler
    • Various Custom Scripts [link]

Installation

Please visit Build & Install and Quick Start for a detailed explanation of how to start with HyperDbg. You can also see FAQ for more information.

How does it work?

We explained about how HyperDbg internally works and how we designed its features in details, take a look at :

(https://docs.hyperdbg.com/design)

Here’s a diagram that shows how HyperDbg works !

Plugins

The plugin framework is not ready for the current version of HyperDbg. Future versions will support plugins.

Donations to charity

We spent thousands of hours on HyperDbg and it’s free and open-source for you, If you want to help to develop HyperDbg, please donate to children in Africa and send a picture of your donation to us, this makes all HyperDbg developers, super happy! Don’t hesitate to send us the pictures, this way we know that we’re doing something useful.

(https://www.compassion.com/donate/donate-to-children-in-africa.htm)

R K

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

1 day ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

1 day ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

1 day ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

1 day ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

1 day ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

1 day ago