All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
New release of the HyperDbg Debugger.
- Script engine now supports writing libraries using the '#include' keyword thanks to @xmaple555 (link)(link)(link)
- Initial codes for the hypertrace project by using Intel Last Branch Record (LBR) and Branch Trace Store (BTS) thanks to @harimishal1 (link)
- The hypertrace project is now linked to the hyperkd
- Initial efforts to port HyperDbg to Linux have started thanks to @Alish14 (link)
- Fix bugs for interpreting 'db_pa', 'dd_pa', 'eb_pa', and 'ed_pa' keywords in the script engine (link)(link)
- Fix variable types in the script engine (link)
- Fix and update array index for boolean expressions in the script engine (link)
- Fix compilation error in Zydis with the new Windows WDK (link)
New release of the HyperDbg Debugger. All credit for this release goes to @xmaple555.
- Added 1D and 2D arrays (multidimensional arrays) in the script engine (link)(link)
- Added compound assignments in the script engine (link)(link)
- Added multiple assignments in the script engine (link)(link)
- Fix bugs for interpreting 'db_pa', 'dd_pa', 'eb_pa', and 'ed_pa' keywords in the script engine (link)(link)
- Fix variable types in the script engine (link)
- Fix and update array index for boolean expressions in the script engine (link)
New release of the HyperDbg Debugger.
- The !xsetbv event command was added for handling the execution of the XSETBV instruction, thanks to HyperDbg group members (link)
- Display of the number of blocked context switches in the '.switch' command (link)
- Added support for step-in (the 't' command) in the user debugger (link)
- Added support for step-over (the 'p' command) in the user debugger (link)
- Added support to show all registers or a specific register in the user debugger (link)
- Exported SDK API for running scripts in either the kernel debugger or the user debugger
- Added support to modify registers or a specific register in the user debugger (link)
- Added support to evaluate (run) scripts on the target thread in the user debugger (link)
- Added an indication of a thread's running or paused state to the HyperDbg signature in the user debugger (link)
- Added support for the '.formats' command in the user debugger (link)
- Added support for interpreting parameters based on script engine expressions in the user debugger
- Exported SDK API for evaluating expressions based on the context of the kernel debugger or the user debugger
- Added a new mechanism for showing the 'printf' and the 'print' function messages in the user debugger (link)(link)
- Non-volatile XMM registers are no longer saved/restored in the VM-exit handler (link)
- Fix grammar and spelling errors throughout HyperDbg codebase (link)
- Relocate extension command files into their corresponding VS directory
- Fix infinite VM-exit bug for the '!monitor x' command thanks to @unlockable (link)
New release of the HyperDbg Debugger.
- Added the '!smi' command for performing operations related to System Management Interrupt (SMI) (link)
- Export the SDK functions for SMI operations (link)
- Check for Intel CET IBT (indirect branch tracking) support
- Check for Intel CET shadow stack support
- Added support to Intel CET for SYSCALL/SYSRET emulation (link)(link)
- The 'hyperhv' project now has build optimizations enabled
- Reformat VMXOFF restoring routines to restore general-purpose and XMM registers correctly before moving to the previous stack
- Fix unloading (VMXOFF) crash when restoring XMM registers
- Fix the problem with restoring XMM registers (#468) (link)
- Enhanced the '.pe' command to support PE Rich Headers thanks to @Alish14 (link)
- Updated ia32-doc to fix VMCS PL3 SSP fields (link)
- Fix the process termination issue of the '!syscall/!sysret' commands on 11th generation (Rocket Lake/Tiger Lake) and newer Intel processors (link)
- Reenable the support for the '.start' command in the Debugger mode (link)
- The '!mode' event command is now compatible with different EPT hook commands (e.g., !epthook, !epthook2, !monitor, .start, and .restart) (link)
- The '!mode' command no longer requires allocating extra EPTPs (link)
New release of the HyperDbg Debugger.
- Restored the previous optimization on the release builds
- Fixed the issue of not properly restoring registers after the 'CPUID' instruction
- Fixed the building issues of the user debugger with the 'bp' and the '.start' commands
New release of the HyperDbg Debugger.
- microsleep(microseconds) function in the script engine (link)
- rdtsc() and rdtscp() functions in the script engine (link)(link)
- Added functions to get system-call number from the running system (link)
- Added the support for the '.start' command in the VMI mode (link)
- Added a new mechanism for finding the system-call number based on the running system (link)
- Added hyperevade transparency project (link)
- Added support for the '.attach' and '.detach' commands in the Debugger Mode (link)(link)
- Added support for the '.start' command in the VMI mode for the user debugger (link)
- Added support for setting breakpoints using the 'bp' command in the VMI mode (link)
- Added EPT page table support for MMIO addresses above 512 GB
- Redesigned the '!mode' extension command without extra EPTP (link)
- The user mode debugger now uses MBEC for preventing user-mode code execution (link)
- Apply transparent-mode based on dynamic system-calls (link)
- Breakpoint initialization is changed from kernel debugger to the regular debugger (link)
- Fixed the build issue on new Windows SDK for Token structures (link)
- Fixed retrieving valid watching process IDs for the execution trap and user-mode execution prevention
- Fixed a driver crash when the hyperlog memory was not properly allocated
- The target runner image for deploying HyperDbg (CI/CD) changed from Windows Server 2019 to 2022
- Restored the pid and the process name parameters of the '!hide' command (link)
- Fixed a Windows crash when using the 'TPAUSE' instruction on bare-metal Windows 11 24H2
- Check to avoid putting EPT hooks on physical addresses greater than 512 GB
New release of the HyperDbg Debugger.
- Intercepting system-call return results using the TRAP flag for the transparent-mode
- Added optional parameters and context for the transparent-mode system-call return interceptions
- Set variable length (stack frames) for showing the callstack (link)
- Fixed VMCS layout corruption due to NMI injection (VMRESUME 0x7 error) in nested-virtualization on Meteor Lake processors
- Restore RDMSR handler for VM-exits
New release of the HyperDbg Debugger.
- Added new transparency methods for hiding nested virtualization environments thanks to @CokeTree3 (link)
- Fix '.thread' command crash (link)
- Update .clang-format format file based on the new version of LLVM
- Update the list of required contributions
New release of the HyperDbg Debugger.
- Added mitigation for the anti-hypervisor method in handling the trap flag for emulated instructions (link)
- Export the SDK functions for enabling and disabling transparent mode (link)(link)
- New description of changing script engine constants (link)
- Added the command for interpreting PCI CAM (PCI configuration space) fields (link)
- Added the command for dumping PCI CAM (PCI configuration space) memory (link)
- Checking for and unloading the older version of the driver (if it exists) (link)
- memcpy_pa() function in the script engine (link)
- poi_pa, hi_pa, low_pa, db_pa, dd_pa, dw_pa, and dq_pa keywords in the script engine (link)
- eb_pa, ed_pa, and eq_pa functions in the script engine (link)
- Fix the 'lm' command issue of not showing kernel module addresses (KASLR leak mitigation) introduced in Windows 11 24h2 (link)
- Deprecated TSC mitigation for the transparent mode (link)
- Changed the parameters of the '!hide' command (link)
- Changed the parameters of the '!unhide' command (link)
- Fix handling of the backslash escape character in script strings (link)
- Fix reading/writing into devices' physical memory (MMIO region) in VMI Mode (link)
- All test cases for command parsing now pass (link)
- The '.sympath' command now expects the symbol server path to be within quotes, although quoting is not mandatory (link)
New release of the HyperDbg Debugger.
- Added the PCI tree command (link)
- Added the proper handling for the xsetbv VM exits thanks to @Shtan7 (link)
- Added the IDT command for interpreting Interrupt Descriptor Table (IDT) (link)
- Export SDK APIs for getting Interrupt Descriptor Table (IDT) entries
- Fix buffer overflow in the symbols path converter thanks to @binophism (link)
- Fix script engine's "printf" function to improve safety thanks to @Reodus (link)
New release of the HyperDbg Debugger.
- Added the local APIC command (xAPIC and x2APIC modes) (link)
- Added the I/O APIC command (link)
- The new link is added to help increase the number of EPT hook breakpoints in a single page (link)
- Export SDK APIs for Local APIC and X2APIC
- The link for changing the communication buffer size is updated (link)
- Update Microsoft's DIA SDK and symsrv
New release of the HyperDbg Debugger.
- Automated test case parsing and test case compilation (generation) for the hwdbg debugger
- Export hwdbg testing functions
- Automated test case interpretation and emulation of hwdbg hardware scripts
- Create JSON representation of hwdbg configs
- Fix main command parser bugs according to test cases
- Improvements in symbol structure, token structure, and stack buffer in the script engine
- Fix compatibility mode program crash when terminating 32-bit process (#479) (link)
- Extensive refactor of chip instance info interpretation codes of hwdbg debugger
- Separating functions of hwdbg interpreter and script manager
- Fix synthesis inconsistencies between Icarus iVerilog and Xilinx ISim
- Fix runtime error for deallocating memory from separate DLLs
- Exporting standard functions (import/export) for the script engine
- Exporting standard functions (import/export) for the symbol parser
- Avoid passing signals once the stage is not configured
New release of the HyperDbg Debugger.
- Added feature to pause the debuggee immediately upon connection
- The '.debug' command now supports pausing the debuggee at startup (link)
- Export SDK API for assembling instructions
- The 'struct' command now supports a path as output (link)
- Export SDK API closing connection to the remote debuggee
- Automated tests for the main command parser
- Export SDK APIs for stepping and tracing instructions
- Export SDK APIs for tracking execution
- HyperDbg command-line comment sign is changed from '#' to C-like comments ('//' and '/**/')
- Integrating a new command parser for the regular HyperDbg commands
- Fix showing a list of active outputs using the 'output' command (link)
- Fix the issue of passing arguments to the '.start' command (link)
- Fix the problem with parsing multiple spaces within the events (#420) (link)
- Fix the problem with escaping '{' in the command parser (#421) (link)
- Fix nested brackets issues in the main command parser
- Fix script engine bugs on order of passing arguments to functions (#453) (link)
- Fix the script test case for factorial computation (link)
- Fix the script test case for iterative Fibonacci computation (link)
- Fix miscomputation of physical address width for physical address validity checks (#469) (link)
New release of the HyperDbg Debugger.
- Support using assembly conditions and codes in all events (link)(link)
- Added support for forwarding events to binary (DLL) modules (link)(link)(link)
- Added the assembler command 'a' for virtual memory (link)
- Added the assembler command '!a' for physical memory (link)
- Providing a unified SDK API for reading memory in the VMI Mode and the Debugger Mode
- Export SDK APIs for reading/writing into registers in the Debugger Mode
- Export SDK API for writing memory in the VMI Mode and the Debugger Mode
- Export SDK API for getting kernel base address
- Export SDK API for connecting to the debugger and from debuggee in the Debugger Mode
- Export SDK API for starting a new process
- Add and export SDK API for unsetting message callback
- Event commands now come with more examples regarding scripts and assembly code
- Add message callback using shared memory
- Add maximum execution limitation to the script IRs (#435) (link)
- Fix clearing '!monitor' hooks on a different process or if the process is closed (#409) (link)
- Fix triggering multiple '!monitor' hooks with different contexts (#415) (link)
- Fix the problem of repeating commands once kHyperDbg is disconnected
- Fix step-over hanging if the process terminates or raises an exception within a call instruction (#406) (link)
- Fix crash on editing invalid physical addresses (#424) (link)
- Fix exporting VMM module load and install it in the SDK
- Fix function interpretation issues and update the parser and the code execution (#435) (link)
New release of the HyperDbg Debugger.
- Regular port/pin value read and modification in hwdbg
- Conditional statement evaluation in hwdbg
- Added automatic script buffer packet generator for hwdbg
- Added support for @hw_pinX and @hw_portX registers
- Added hwdbg instance information interpreter
- Added stack buffer in vmx-root (link)
- Exporting functions to support loading drivers with different names
- Exporting function to connect and load HyperDbg drivers
- $date and $time pseudo-registers are added (link)(link)
- Fix using constant WSTRINGs in the wcsncmp function (link)
- Fix phnt build error with 24H2 SDK
- hprdbgctrl.dll changed to libhyperdbg.dll
- hprdbgkd.sys changed to hyperkd.sys
- hprdbghv.dll changed to hyperhv.dll
- Dividing user/kernel exported headers in the SDK
New release of the HyperDbg Debugger.
- The !monitor command now supports physical address hooking (link)
- hwdbg is merged into the HyperDbg codebase (link)
- strncmp(Str1, Str2, Num), and wcsncmp(WStr1, WStr2, Num) functions in script engine (link)(link)
- Using a separate host IDT in the VMCS (not the OS IDT) (fix for VM escape issues)
- Using a dedicated HOST GDT and TSS Stack
- Checking for the race condition of unlocked cores before applying instant events and switching cores
- The error message for invalid addresses now provides more information
- Fix the problem of not locking all cores after running the '.pagein' command
New release of the HyperDbg Debugger.
- Fixed the signedness overflow of the command parser
New release of the HyperDbg Debugger.
- Added hwdbg headers (link)
- Added support for NUMA configurations with multiple CPU sockets (link)
- Added citation to TRM paper (link)
- Change release flag of hyperdbg-cli to Multi-threaded Debug (/MTd)
- Fix bitwise extended type, fix memory leaks, remove an excess else, and compare int with EOF (link)
New release of the HyperDbg Debugger.
- Add user-defined functions and variable types in script engine thanks to @xmaple555 (link)(link)
- Fix debuggee crash after running the '.debug close' command on the debugger
- The problem with adding edge MTRR pages is fixed thanks to @Maladiy (link)
- All compiler/linker warnings of kernel-mode modules are fixed
- User/Kernel modules of HyperDbg are now compiled with "treat warnings as errors"
- Newly downloaded symbols are now loaded automatically
- Fix spelling typos in error messages and comments
New release of the HyperDbg Debugger.
- The !monitor command now supports length in parameters (link)
- Fix the issue of not intercepting memory monitoring on non-contiguous physical memory allocations
- The speed of memory read/write/execution interception is enhanced by avoiding triggering out-of-range events
New release of the HyperDbg Debugger thanks to @mattiwatti.
- The !mode event command is added to detect kernel-to-user and user-to-kernel transitions (link)
- The 'preactivate' command is added to support initializing special functionalities in the Debugger Mode (link)
- Fix miscalculating MTRRs in 13th gen processors
New release of the HyperDbg Debugger thanks to @mattiwatti and @cutecatsandvirtualmachines.
New release of the HyperDbg Debugger.
- Fix the single core broadcasting events issue (link)
- Evaluate the '.pagein' ranges as expressions (link)
- Add hexadecimal escape sequence as string parameter for string functions (link)
- Add hexadecimal escape sequence as wstring parameter for wstring functions (link)
- Fix breakpoint and the '!epthook' problems in the same address (link)
New release of the HyperDbg Debugger.
- HyperDbg now applies events immediately as implemented in the "instant events" mechanism (link)
- The Event Forwarding mechanism is now supported in the Debugger Mode (link)
- The Event Forwarding mechanism now supports external modules (DLLs) (link)
- event_clear(EventId) function in script engine (link)
- HyperDbg now supports string inputs for strlen and other related functions thanks to @xmaple555 (link)
- New semantic tests for the script engine (50 to 59) are added, mainly for testing the new string and memory comparison functions (link)
- strlen and wcslen functions now support string and wide-character string as the input (link)(link)
- strcmp(Str1, Str2), wcscmp(WStr1, WStr2) and memcmp(Ptr1, Ptr2, Num) functions in script engine thanks to @xmaple555 (link)(link)(link)
- The debug break interception (#DB) manipulation option is added to the 'test' command (link)
- The '.pagein' command now supports address ranges (length in bytes) to bring multiple pages into RAM (link)
- Fix the problem with the "less than" and the "greater than" operators for signed numbers thanks to @xmaple555 (link)
- Fix the problem checking for alternative names thanks to @xmaple555 (link)
- Fix the crash by turning off the breakpoints while a breakpoint is still active thanks to @xmaple555 (link)
- Fix the crash on reading symbols on remote debuggee thanks to @xmaple555 (link)
- The 'prealloc' command is updated with new instant-event preallocated pools (link)
- Fix incorrect removal of EPT hooks (hidden breakpoints)
- The 'event' command no longer continues the debuggee to clear events; instead it just disables the event and removes its effects once the debuggee continues (link)
- $id pseudo-register changed to $event_id (link)
- $tag pseudo-register changed to $event_tag (link)
- $stage pseudo-register changed to $event_stage (link)
- Fix adding pseudo-registers with underscore in the script engine (link)
- Fix the boolean expression interpretation in if conditions in the script engine (link)
- HyperDbg now intercepts all debug breaks (#DBs) if it's not explicitly asked not to by using the 'test' command (link)
- Fix '%d' bug in script engine (link)
New release of the HyperDbg Debugger.
- event_inject(InterruptionType, Vector) function in script engine (link)
- event_inject_error_code(InterruptionType, Vector, ErrorCode) function in script engine (link)
- .dump - command is added to the debugger to dump the virtual memory into a file (link)
- !dump - command is added to the debugger to dump the physical memory into a file (link)
- gu - command is added to the debugger to step-out or go up instructions thanks to @xmaple555 (link)
- HyperDbg has switched to a multiple-EPTP memory model, and each core now has its own EPT table (link)
- Building the MTRR map by adding SMRR, fixed ranges, and the default memory type is fixed (#255) thanks to @Air14
- The problem of removing multiple EPT hooks on a single address is fixed
- The problem of not intercepting the step-over command 'p' when executed in different cores is fixed
- HyperDbg now checks for the validity of physical addresses based on CPUID.80000008H:EAX[7:0]'s physical address width
New release of the HyperDbg Debugger.
- The disassembler now warns if you mistakenly used the 'u' command over a 32-bit program (link)
- The debuggee won't load the VMM module if the debugger is not listening
- The debugger and the debuggee now perform a version/build check to prevent version mismatch
- Fix the 'eb' command's parsing issue with '0xeb' hex bytes (link)
- Fix the connection problem with serial (checksum error) over two VMs
- Fix the 't' command's indicator of trap flags and simultaneous stepping of multiple threads (link)
- Fix the problem with the '.kill' and '.restart' commands
- Show the stage of the event once the debugger is paused
- Fix sending context, tag, and registers once '!epthook2' wants to halt the debugger
New release of the HyperDbg Debugger.
- The !monitor command now supports 'execution' interception (link)
- .pagein - command is added to the debugger to bring pages in (link)
- The '.start' command's mechanism for finding the entrypoint is changed to address issues (link)
- The buffer overlap error in hyperlog in multi-core systems is fixed (link)
- The implementation of 'dd' (define dword, 32-bit), and 'dw' (define word, 16-bit) is changed (link)
- The problem with unloading driver (#238) is fixed (link)
- The symbol files for 32-bit modules are now loaded based on SysWOW64, and the issue (#243) is fixed (link)
- New alias names for u, !u as u64, !u64 and for u2, !u2 as u32, !u32 (link)(link)
New release of the HyperDbg Debugger.
- The event short-circuiting mechanism (link)
- New pseudo-registers ($tag, $id) in the script engine (link)
- The breakpoint interception manipulation (#BP) option is added to the 'test' command (link)
- The '!track' command to create the tracking records of function CALLs and RETs along with registers (link)
- disassemble_len(Address) function in script engine (link)
- disassemble_len32(Address) function in script engine (link)
- event_sc(DisableOrEnable) function in script engine (link)
- The old Length Disassembler Engine is replaced by Zydis (link)
The patch for fixing bugs of HyperDbg Debugger.
- The problem with the callstack command (k) is fixed (link)
The patch for fixing bugs of the second (2nd) release of HyperDbg Debugger.
- Fixing bugs!
- The parameters of the '!cpuid' extension command are changed, and a new EAX index parameter is added (link)
- The problem with removing EPT hooks (!monitor and !epthook) is fixed (link)
The second (2nd) release of the HyperDbg Debugger.
- HyperDbg Software Development Kit (SDK) is now available
- flush() function in script engine (link)
- memcpy() function in script engine (link)
- Global code refactoring and fixing bugs!
- Compiling HyperDbg by using the latest Windows 11 WDK
- enable_event function name changed to event_enable (link)
- disable_event function name changed to event_disable (link)
- The "settings" command now preserves the configurations in the config file
- The communication buffer is now separated from the hyperlogger buffer chunks, and the buffer size is increased tenfold (10x) (link)
- Zydis submodule is updated to version 4 (link)
- enable_event script engine function
- disable_event script engine function
This is the first (1st) release of HyperDbg Debugger.
- # (comment in batch scripts)
- ? (evaluate and execute expressions and scripts in debuggee)
- ~ (display and change the current operating core)
- load (load the kernel modules)
- unload (unload the kernel modules)
- status (show the debuggee status)
- events (show and modify active/disabled events)
- p (step-over)
- t (step-in)
- i (instrumentation step-in)
- r (read or modify registers)
- bp (set breakpoint)
- bl (list breakpoints)
- be (enable breakpoints)
- bd (disable breakpoints)
- bc (clear and remove breakpoints)
- g (continue debuggee or processing kernel packets)
- x (examine symbols and find functions and variables address)
- db, dc, dd, dq (read virtual memory)
- eb, ed, eq (edit virtual memory)
- sb, sd, sq (search virtual memory)
- u, u2 (disassemble virtual address)
- k, kd, kq (display stack backtrace)
- dt (display and map virtual memory to structures)
- struct (make structures, enums, data types from symbols)
- sleep (wait for specific time in the .script command)
- pause (break to the debugger and pause processing kernel packets)
- print (evaluate and print expression in debuggee)
- lm (view loaded modules)
- cpu (check cpu supported technologies)
- rdmsr (read model-specific register)
- wrmsr (write model-specific register)
- flush (remove pending kernel buffers and messages)
- prealloc (reserve pre-allocated pools)
- output (create output source for event forwarding)
- test (test functionalities)
- settings (configures different options and preferences)
- exit (exit from the debugger)
- .help (show the help of commands)
- .debug (prepare and connect to debugger)
- .connect (connect to a session)
- .disconnect (disconnect from a session)
- .listen (listen on a port and wait for the debugger to connect)
- .status (show the debugger status)
- .start (start a new process)
- .restart (restart the process)
- .attach (attach to a process)
- .detach (detach from the process)
- .switch (show the list and switch between active debugging processes)
- .kill (terminate the process)
- .process, .process2 (show the current process and switch to another process)
- .thread, .thread2 (show the current thread and switch to another thread)
- .formats (show number formats)
- .script (run batch script commands)
- .sympath (set the symbol server)
- .sym (load pdb symbols)
- .pe (parse PE file)
- .logopen (open log file)
- .logclose (close log file)
- .cls (clear the screen)
- !pte (display page-level address and entries)
- !db, !dc, !dd, !dq (read physical memory)
- !eb, !ed, !eq (edit physical memory)
- !sb, !sd, !sq (search physical memory)
- !u, !u2 (disassemble physical address)
- !dt (display and map physical memory to structures)
- !epthook (hidden hook with EPT - stealth breakpoints)
- !epthook2 (hidden hook with EPT - detours)
- !monitor (monitor read/write to a page)
- !syscall, !syscall2 (hook system-calls)
- !sysret, !sysret2 (hook SYSRET instruction execution)
- !cpuid (hook CPUID instruction execution)
- !msrread (hook RDMSR instruction execution)
- !msrwrite (hook WRMSR instruction execution)
- !tsc (hook RDTSC/RDTSCP instruction execution)
- !pmc (hook RDPMC instruction execution)
- !vmcall (hook hypercalls)
- !exception (hook first 32 entries of IDT)
- !interrupt (hook external device interrupts)
- !dr (hook access to debug registers)
- !ioin (hook IN instruction execution)
- !ioout (hook OUT instruction execution)
- !hide (enable transparent-mode)
- !unhide (disable transparent-mode)
- !measure (measuring and providing details for transparent-mode)
- !va2pa (convert a virtual address to physical address)
- !pa2va (convert physical address to virtual address)