hyperdbg / hyperdbg
State-of-the-art native debugging tool
Home Page: https://hyperdbg.org
License: GNU General Public License v3.0
Expect Hyperdbg to support nested virtualization^_^
I just took a look at the stepping process and might have found an alternative to spamming the step packet.
My idea would be to do a system similar to the EPT hook one, where messages can be stored in a buffer and be sent afterwards. (This might fix the VMware issue related to speed and unexpected slowdown.) I brainstormed an alternative as well that would add a new feature to the debugger, also known as tracing, that would be able to record instructions way faster, keeping them in a buffer and finally saving them to a file. I think this should be a priority for this project, as its main goal is debugging and tracing is an important part of it. So whenever possible, implement those features; I might start looking into it personally as well. Forgot to mention: all data saved must not cross the UM CLI application (causing big slowdowns), but must be directly written from KM to a file on the guest machine (similar to x64dbg tracing).
In the documentation, I have not found that HyperDbg supports kernel
Hello all, I added a method to the code to ensure that the CR0 and CR4 registers are not changed during VMX operation. The idea is derived from the Intel manual here:
And the code is from https://revers.engineering/day-2-entering-vmx-operation/; however, I made some changes to it so I can follow the project coding style:
```c
// CR_FIXED, CONTROL_REGISTER_0/4 and the MSR_IA32_VMX_CR*_FIXED* indices come
// from the project's headers and the gist linked below.
VOID
FixCr4AndCr0Bits(VOID)
{
    CR_FIXED           Cr_Fixed = {0};
    CONTROL_REGISTER_4 Cr4      = {0};
    CONTROL_REGISTER_0 Cr0      = {0};

    // CR0: every bit that is 1 in IA32_VMX_CR0_FIXED0 must be 1 in CR0 ...
    Cr_Fixed.All = __readmsr(MSR_IA32_VMX_CR0_FIXED0);
    Cr0.Flags    = __readcr0();
    Cr0.Flags |= Cr_Fixed.Split.Low;
    // ... and every bit that is 0 in IA32_VMX_CR0_FIXED1 must be 0 in CR0
    Cr_Fixed.All = __readmsr(MSR_IA32_VMX_CR0_FIXED1);
    Cr0.Flags &= Cr_Fixed.Split.Low;
    __writecr0(Cr0.Flags);

    // CR4: same rule with IA32_VMX_CR4_FIXED0 / IA32_VMX_CR4_FIXED1
    Cr_Fixed.All = __readmsr(MSR_IA32_VMX_CR4_FIXED0);
    Cr4.Flags    = __readcr4();
    Cr4.Flags |= Cr_Fixed.Split.Low;
    Cr_Fixed.All = __readmsr(MSR_IA32_VMX_CR4_FIXED1);
    Cr4.Flags &= Cr_Fixed.Split.Low;
    __writecr4(Cr4.Flags);
}
```
The function can be added after enabling VMX operation here =>
HyperDbg/hyperdbg/hprdbghv/VmxRegions.c
Line 35 in 37a58fc
Structures can be found here: https://gist.github.com/0xastr0/64446c135cddda13cb26d1dd7d0f4502
Thanks, I hope I can contribute more. I really fell in love with the project; keep up the good work ❤
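As an added example (not HyperDbg's or revers.engineering's code), the fixed-bit rule the function above applies, written as pure functions over MSR values so the invariant can be checked without kernel access; the FIXED0/FIXED1 and control-register values used are constructed, representative samples, not readings from any machine.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not HyperDbg code. Intel SDM rule: a bit that is 1 in
 * IA32_VMX_CRx_FIXED0 must be 1 in CRx during VMX operation; a bit that is 0
 * in IA32_VMX_CRx_FIXED1 must be 0. The issue's code applies only the low 32
 * bits (Split.Low); here the full 64-bit MSR values are used. */

/* MSR indices from the SDM (for reference; nothing is read here). */
#define MSR_IA32_VMX_CR0_FIXED0 0x486
#define MSR_IA32_VMX_CR0_FIXED1 0x487
#define MSR_IA32_VMX_CR4_FIXED0 0x488
#define MSR_IA32_VMX_CR4_FIXED1 0x489

/* Constructed, representative values: CR0 must have PE (bit 0), NE (bit 5)
 * and PG (bit 31) set; CR4 must have VMXE (bit 13) set and may use only the
 * bits present in FIXED1. */
const uint64_t SAMPLE_CR0_FIXED0 = 0x0000000080000021ULL;
const uint64_t SAMPLE_CR0_FIXED1 = 0x00000000FFFFFFFFULL;
const uint64_t SAMPLE_CR4_FIXED0 = 0x0000000000002000ULL;
const uint64_t SAMPLE_CR4_FIXED1 = 0x00000000003767FFULL;

/* A FIXED pair is only consistent if no bit is required to be both 1 and 0. */
bool vmx_fixed_pair_consistent(uint64_t fixed0, uint64_t fixed1)
{
    return (fixed0 & ~fixed1) == 0;
}

/* Force a control-register value into the range VMX operation allows
 * (the OR/AND sequence of FixCr4AndCr0Bits above). */
uint64_t vmx_adjust_cr(uint64_t cr, uint64_t fixed0, uint64_t fixed1)
{
    cr |= fixed0;   /* set every must-be-1 bit   */
    cr &= fixed1;   /* clear every must-be-0 bit */
    return cr;
}

/* True if cr already satisfies the constraint. A VMM also needs this check
 * on guest writes to CR0/CR4, which must not leave the allowed range. */
bool vmx_cr_is_valid(uint64_t cr, uint64_t fixed0, uint64_t fixed1)
{
    return (cr & fixed0) == fixed0 && (cr & ~fixed1) == 0;
}

int main(void)
{
    uint64_t cr4 = 0x00000000000006F0ULL;   /* constructed: VMXE still clear */
    uint64_t cr0 = 0x0000000080050033ULL;   /* constructed: typical Windows CR0 */
    uint64_t fixed_cr4 = vmx_adjust_cr(cr4, SAMPLE_CR4_FIXED0, SAMPLE_CR4_FIXED1);

    printf("CR4 %#llx -> %#llx (valid=%d)\n", (unsigned long long)cr4,
           (unsigned long long)fixed_cr4,
           vmx_cr_is_valid(fixed_cr4, SAMPLE_CR4_FIXED0, SAMPLE_CR4_FIXED1));
    printf("CR0 %#llx valid=%d, with PE cleared valid=%d\n",
           (unsigned long long)cr0,
           vmx_cr_is_valid(cr0, SAMPLE_CR0_FIXED0, SAMPLE_CR0_FIXED1),
           vmx_cr_is_valid(cr0 & ~1ULL, SAMPLE_CR0_FIXED0, SAMPLE_CR0_FIXED1));
    return 0;
}
```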
Is your feature request related to a problem? Please describe.
Any plans to support kdnet? The serial port requirement for physical host kernel-mode debugging is a legacy port that newer machines don't have. VirtualBox nested VT-x doesn't appear to work (unable to load VMM). I'm not paying for a VMware Workstation license. Supporting kdnet would broaden usability.
Describe the solution you'd like
Kdnet :)
Describe alternatives you've considered
No luck getting debugging to work with either VirtualBox or Hyper-V (Windows 10).
Additional context
Hello, I implemented my "EmulateSyscall/EmulateSysret" functions by referring to your "SyscallHookEmulateSYSCALL/SyscallHookEmulateSYSRET" functions. My EmulateSysret worked well, but
EmulateSyscall caused a double fault when the guest jumped to KiSystemCall64Shadow. I don't know how to solve this issue. Have you encountered this problem? Thank you very much.
```c
// Unused in this version; kept from the original posting
#define X86_FLAGS_RF (1 << 16)

BOOLEAN EferHookEmulateSyscall(GuestContext* pGuestContext)
{
    ULONG_PTR    guestRip    = 0;
    ULONG_PTR    insnLen     = 0;   // __vmx_vmread stores 64 bits; a 32-bit ULONG would be overrun
    FlagRegister guestRflags = { 0 };

    __vmx_vmread(GuestRip, &guestRip);
    __vmx_vmread(VmExitInstructionLength, &insnLen);

    // SYSCALL semantics: RCX <- address of the next instruction, RIP <- IA32_LSTAR
    ULONG_PTR lstar = __readmsr(MsrLstar);
    pGuestContext->pGuestRegisters->cx = guestRip + insnLen;
    UtilVmxWrite(GuestRip, lstar);

    // R11 <- RFLAGS, RFLAGS <- RFLAGS & ~IA32_FMASK
    __vmx_vmread(GuestRflags, &guestRflags.all);
    ULONG_PTR fmask = __readmsr(MsrFmask);
    pGuestContext->pGuestRegisters->r11 = guestRflags.all;
    //VirtualCpu->Context->Rflags &= ~(MsrValue | X86_FLAGS_RF);
    guestRflags.all &= ~fmask;
    //guestRflags.fields.rf = FALSE;
    UtilVmxWrite(GuestRflags, guestRflags.all);

    // CS <- IA32_STAR[47:32] & ~3: flat 64-bit code segment, DPL 0
    ULONG_PTR star = __readmsr(MsrStar);
    UtilVmxWrite(GuestCsSelector, (USHORT)((star >> 32) & (~3)));
    UtilVmxWrite(GuestCsBase, 0);
    UtilVmxWrite(GuestCsLimit, 0xffffffff);
    UtilVmxWrite(GuestCsAccessRight, 0xa09b); // 1010000010011011: G=1 L=1 P=1 S=1, type = code, read/execute, accessed

    // SS <- CS selector + 8: flat data segment, DPL 0
    UtilVmxWrite(GuestSsSelector, (USHORT)(((star >> 32) & (~3)) + 8));
    UtilVmxWrite(GuestSsBase, 0);
    UtilVmxWrite(GuestSsLimit, 0xffffffff);
    UtilVmxWrite(GuestSsAccessRight, 0xC093); // G=1 D/B=1 P=1 S=1, type = data, read/write, accessed
    return TRUE;
}

BOOLEAN EferHookUDExceptionHandler(GuestContext* pGuestContext)
{
    Cr3 orgCr3 = { 0 };
    orgCr3.all = __readcr3();

    // Page-table base stored in the current KPROCESS (layout assumed by the
    // original code: DirectoryTableBase follows Header and ProfileListHead)
    ULONG_PTR pEprocess = (ULONG_PTR)PsGetCurrentProcess();
    Cr3 *dir_base = (Cr3 *)(pEprocess + sizeof(DISPATCHER_HEADER) + sizeof(LIST_ENTRY));
    char insnBytes[3] = { 0 };

    if (!pGuestContext->rip)
    {
        DbgBreakPoint();
        return FALSE;
    }

    // Clear CR4.SMAP so the guest's user-mode code bytes can be read from here
    Cr4 cr4 = { __readcr4() };
    cr4.fields.smap = FALSE;
    __writecr4(cr4.all);

    // Read the opcode bytes at the faulting RIP, switching to the process's
    // stored CR3 first when its low bits are set
    if ((dir_base->all & 3) != 0)
    {
        __writecr3(dir_base->all);
        memcpy(insnBytes, (const void *)pGuestContext->rip, sizeof(insnBytes));
        __writecr3(orgCr3.all);
    }
    else
    {
        memcpy(insnBytes, (const void *)pGuestContext->rip, sizeof(insnBytes));
    }

    cr4.fields.smap = TRUE;
    __writecr4(cr4.all);

    if (IS_SYSRET_INSTRUCTION(insnBytes))
    {
        kprintf("%s sysret %p", PsGetProcessImageFileName((PEPROCESS)pEprocess), pGuestContext->pGuestRegisters->cx);
        return EferHookEmulateSysret(pGuestContext);
    }
    else if (IS_SYSCALL_INSTRUCTION(insnBytes))
    {
        DbgBreakPoint();
        kprintf("%s call %d", PsGetProcessImageFileName((PEPROCESS)pEprocess), pGuestContext->pGuestRegisters->ax);
        return EferHookEmulateSyscall(pGuestContext);
    }
    else
    {
        return FALSE;
    }
}
```
NtWriteFile/NtCreateFile hook causes a VM Exit for EPT Misconfiguration
Windows version : 2004
Processor: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (12 CPUs), ~2.6GHz
I found that IS_SYSCALL_INSTRUCTION in SyscallHookHandleUD did not check the instruction length, which would cause a blue screen in some cases due to access to invalid memory.
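As an added example covering the #UD handler posted above and the length problem noted in this comment (not HyperDbg's code): a bounds-checked classifier for the SYSCALL/SYSRET opcodes, plus the page-boundary cap the byte copy should respect; all function names and sample byte sequences are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not HyperDbg code. The #UD handler above copies 3 bytes at
 * the faulting RIP and tests them with IS_SYSCALL_INSTRUCTION /
 * IS_SYSRET_INSTRUCTION. Encodings from the Intel SDM:
 *   0F 05      SYSCALL
 *   0F 07      SYSRET   (48 0F 07, with REX.W, is the 64-bit return)
 * The matcher takes the number of bytes actually available, so it never
 * reads past what the handler managed to copy. */

typedef enum { INSN_NONE = 0, INSN_SYSCALL, INSN_SYSRET } insn_kind_t;

typedef struct {
    insn_kind_t kind;
    size_t      len;    /* instruction length in bytes, 0 when no match */
} insn_match_t;

#define PAGE_SIZE_4K 0x1000ULL

/* Bytes that can be fetched from rip without crossing into the next page.
 * A handler should cap its copy at this (or confirm the next page is mapped)
 * instead of unconditionally reading 3 bytes. */
size_t bytes_before_page_end(uint64_t rip)
{
    return (size_t)(PAGE_SIZE_4K - (rip & (PAGE_SIZE_4K - 1)));
}

/* Length to fetch for classification: at most 3 bytes, fewer if the page ends first. */
size_t safe_fetch_len(uint64_t rip)
{
    size_t room = bytes_before_page_end(rip);
    return room < 3 ? room : 3;
}

insn_match_t classify_syscall_insn(const uint8_t *buf, size_t avail)
{
    insn_match_t m = { INSN_NONE, 0 };
    size_t i = 0;

    if (buf == NULL || avail < 2)
        return m;                       /* cannot even hold 0F xx */

    /* One optional REX prefix (40h-4Fh). REX.W selects the 64-bit SYSRET;
     * the other REX bits are ignored by both instructions. */
    if ((buf[0] & 0xF0) == 0x40) {
        i = 1;
        if (avail < 3)
            return m;                   /* REX present but opcode incomplete */
    }

    if (buf[i] != 0x0F)
        return m;

    if (buf[i + 1] == 0x05) {
        m.kind = INSN_SYSCALL;
        m.len  = i + 2;
    } else if (buf[i + 1] == 0x07) {
        m.kind = INSN_SYSRET;
        m.len  = i + 2;
    }
    return m;
}

/* Constructed sample byte sequences. */
const uint8_t SAMPLE_SYSCALL[]   = { 0x0F, 0x05, 0xC3 };   /* syscall; ret          */
const uint8_t SAMPLE_SYSRET64[]  = { 0x48, 0x0F, 0x07 };   /* rex.w sysret          */
const uint8_t SAMPLE_SYSRET32[]  = { 0x0F, 0x07 };         /* sysret (32-bit form)  */
const uint8_t SAMPLE_TRUNCATED[] = { 0x48, 0x0F };         /* rex.w 0F, page ends   */
const uint8_t SAMPLE_OTHER[]     = { 0x0F, 0x01, 0xF9 };   /* rdtscp: 0F-prefixed, no match */

int main(void)
{
    insn_match_t m = classify_syscall_insn(SAMPLE_SYSRET64, sizeof SAMPLE_SYSRET64);
    printf("kind=%d len=%zu\n", (int)m.kind, m.len);
    printf("fetch len two bytes before a page end: %zu\n", safe_fetch_len(0x7FF600001FFEULL));
    return 0;
}
```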
The system is BSODing on certain code parts when stepping instructions. Any fix for this?
Bugcheck: DRIVER_IRQL_NOT_LESS_OR_EQUAL
On the latest release: hprdbghv.sys+1b27a
There appears to be a bug: the value obtained from this function is often significantly more than expected in TransparentRandn, which can cause a lot of problems.
Can the debugger run on an AMD platform?
WIN SDK version: 10.0.22000.194
WDK version: 10.0.22000.194
Hello all, I found something in the method checking for VMX support, HvIsVmxSupported(). It checks CPUID.ECX[5], which is totally fine. The problem is when writing to the IA32_FEATURE_CONTROL MSR: the lock bit of this MSR is not set to 0 on most computers; for example, it's not available on my PC. Also see this Stack Overflow question, which has the same problem:
Modifying the ia32 feature control register on Asus Z170 board with buggy BIOS
If the user enabled VT-x from the BIOS, the VMXON bit will already be set, so checking the lock bit and then writing to EnableVmxon again is not meaningful since it's already there. For example, I made a simple driver to test that, and then disabled VT-x from the BIOS and tested again:
VT-X Enabled:
VT-X Disabled:
Also I Asked My Friend _xeroxz about writing to this msr He told me That He Removed It From His Hypervisor bluepill Since Its Not Available on All Computers.
The Function Can Be Refactored To :
```c
BOOLEAN HvIsVmxSupported()
{
    CPUID                    cpu               = {0};
    IA32_FEATURE_CONTROL_MSR FeatureControlMsr = {0};

    // Gets Processor Info and Feature Bits
    __cpuid((int *)&cpu, 1);

    // Check For VMX Bit CPUID.ECX[5]
    if (!_bittest((const LONG *)&cpu.ecx, 5))
        return FALSE; // return false if vmx is not supported

    FeatureControlMsr.All = __readmsr(MSR_IA32_FEATURE_CONTROL);

    if (FeatureControlMsr.Fields.EnableVmxon == FALSE)
    {
        LogError("Please Enable VT-X From Your BIOS");
        return FALSE;
    }

    return TRUE;
}
```
Thank you 😊
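What the lock bit means for the driver, as an added example (not HyperDbg's HvIsVmxSupported and not the refactor above): the decision is written as pure functions over the raw CPUID.1:ECX and IA32_FEATURE_CONTROL values so it can be exercised without the hardware; the macro, enum and function names are this example's own.

```c
#include <stdint.h>

/* Added example (not HyperDbg's code): the decision a VMX driver has to make
 * from CPUID.1:ECX[5] and IA32_FEATURE_CONTROL before it executes VMXON. Bit
 * positions follow the Intel SDM; the names below are this example's own. */
#define CPUID_1_ECX_VMX                   (1u << 5)
#define FEATURE_CONTROL_LOCK              (1ull << 0) /* once set, WRMSR to this MSR #GPs until reset */
#define FEATURE_CONTROL_VMXON_IN_SMX      (1ull << 1)
#define FEATURE_CONTROL_VMXON_OUTSIDE_SMX (1ull << 2) /* the bit a normal driver needs */

typedef enum
{
    VMX_NOT_SUPPORTED,    /* CPUID reports no VMX: nothing to do */
    VMX_DISABLED_BY_BIOS, /* locked with the outside-SMX bit clear: only firmware can change it */
    VMX_UNLOCKED,         /* lock bit clear (the case in the issue above): the driver may program it */
    VMX_READY             /* locked with the outside-SMX bit set: VMXON will not fault on this MSR */
} VMX_STATE;

VMX_STATE HvClassifyVmxState(uint32_t CpuidEcx, uint64_t FeatureControl)
{
    if (!(CpuidEcx & CPUID_1_ECX_VMX))
        return VMX_NOT_SUPPORTED;
    if (!(FeatureControl & FEATURE_CONTROL_LOCK))
        return VMX_UNLOCKED;
    if (FeatureControl & FEATURE_CONTROL_VMXON_OUTSIDE_SMX)
        return VMX_READY;
    return VMX_DISABLED_BY_BIOS;
}

/* Value to write back with WRMSR while the MSR is still unlocked: set the
 * outside-SMX enable and the lock bit together and leave every other bit alone.
 * If the MSR is already locked the value comes back unchanged, so a caller that
 * writes only when the result differs never issues a WRMSR that would #GP. */
uint64_t HvFeatureControlForVmxon(uint64_t FeatureControl)
{
    if (FeatureControl & FEATURE_CONTROL_LOCK)
        return FeatureControl;
    return FeatureControl | FEATURE_CONTROL_VMXON_OUTSIDE_SMX | FEATURE_CONTROL_LOCK;
}
```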
I can set a trap on CPUID and on RDTSC, but how do I read the registers immediately after calling these commands?
I have debugged and passed the XMM code in AsmVmexitHandler.asm; it no longer blue screens. The code is as follows:
```asm
;------------------------------------------------------------------------
AsmVmexitHandler PROC
    push 0
    pushfq                                  ; 8 Byte
    ; ------------ Save XMM Registers ------------
    ;
    ; 16 registers * 16 Byte = 256, plus 4 Byte for MXCSR = 260 (0x104);
    ; rounded up to 0x110 so rsp stays 16-Byte aligned (movaps needs an aligned operand)
    sub rsp, 0110h
    ;
    movaps xmmword ptr [rsp+000h], xmm0     ; each xmm register 128 bit (16 Byte)
    movaps xmmword ptr [rsp+010h], xmm1
    movaps xmmword ptr [rsp+020h], xmm2
    movaps xmmword ptr [rsp+030h], xmm3
    movaps xmmword ptr [rsp+040h], xmm4
    movaps xmmword ptr [rsp+050h], xmm5
    movaps xmmword ptr [rsp+060h], xmm6
    movaps xmmword ptr [rsp+070h], xmm7
    movaps xmmword ptr [rsp+080h], xmm8
    movaps xmmword ptr [rsp+090h], xmm9
    movaps xmmword ptr [rsp+0a0h], xmm10
    movaps xmmword ptr [rsp+0b0h], xmm11
    movaps xmmword ptr [rsp+0c0h], xmm12
    movaps xmmword ptr [rsp+0d0h], xmm13
    movaps xmmword ptr [rsp+0e0h], xmm14
    movaps xmmword ptr [rsp+0f0h], xmm15
    stmxcsr dword ptr [rsp+0100h]           ; MxCsr is 4 Byte
    ;
    ;---------------------------------------------
    ; 16 * 8 Byte = 128 = 0x80
    push r15
    push r14
    push r13
    push r12
    push r11
    push r10
    push r9
    push r8
    push rdi
    push rsi
    push rbp
    push rbp                                ; rsp
    push rbx
    push rdx
    push rcx
    push rax
    mov rcx, rsp                            ; Fast call argument to PGUEST_REGS
    sub rsp, 28h                            ; Free some space for Shadow Section
    call VmxVmexitHandler
    add rsp, 28h                            ; Restore the state
    cmp al, 1
    je AsmVmxoffHandler
RestoreState:
    pop rax
    pop rcx
    pop rdx
    pop rbx
    pop rbp                                 ; rsp
    pop rbp
    pop rsi
    pop rdi
    pop r8
    pop r9
    pop r10
    pop r11
    pop r12
    pop r13
    pop r14
    pop r15
    ; ------------ Restore XMM Registers ------------
    ;
    movaps xmm0, xmmword ptr [rsp+000h]
    movaps xmm1, xmmword ptr [rsp+010h]
    movaps xmm2, xmmword ptr [rsp+020h]
    movaps xmm3, xmmword ptr [rsp+030h]
    movaps xmm4, xmmword ptr [rsp+040h]
    movaps xmm5, xmmword ptr [rsp+050h]
    movaps xmm6, xmmword ptr [rsp+060h]
    movaps xmm7, xmmword ptr [rsp+070h]
    movaps xmm8, xmmword ptr [rsp+080h]
    movaps xmm9, xmmword ptr [rsp+090h]
    movaps xmm10, xmmword ptr [rsp+0a0h]
    movaps xmm11, xmmword ptr [rsp+0b0h]
    movaps xmm12, xmmword ptr [rsp+0c0h]
    movaps xmm13, xmmword ptr [rsp+0d0h]
    movaps xmm14, xmmword ptr [rsp+0e0h]
    movaps xmm15, xmmword ptr [rsp+0f0h]
    ldmxcsr dword ptr [rsp+0100h]
    add rsp, 0110h
    ; ----------------------------------------------
    popfq
    sub rsp, 0100h
    jmp VmxVmresume
AsmVmexitHandler ENDP
;------------------------------------------------------------------------
AsmVmxoffHandler PROC
    sub rsp, 020h                           ; shadow space
    call HvReturnStackPointerForVmxoff
    add rsp, 020h                           ; remove for shadow space
    mov [rsp+198h], rax
    sub rsp, 020h                           ; shadow space
    call HvReturnInstructionPointerForVmxoff
    add rsp, 020h                           ; remove for shadow space
    mov rdx, rsp                            ; save current rsp
    mov rbx, [rsp+198h]                     ; read rsp again
    mov rsp, rbx
    push rax
    mov rsp, rdx
    sub rbx, 08h
    mov [rsp+198h], rbx
RestoreState:
    pop rax
    pop rcx
    pop rdx
    pop rbx
    pop rbp                                 ; rsp
    pop rbp
    pop rsi
    pop rdi
    pop r8
    pop r9
    pop r10
    pop r11
    pop r12
    pop r13
    pop r14
    pop r15
    ; ------------ Restore XMM Registers ------------
    ;
    movaps xmm0, xmmword ptr [rsp+000h]
    movaps xmm1, xmmword ptr [rsp+010h]
    movaps xmm2, xmmword ptr [rsp+020h]
    movaps xmm3, xmmword ptr [rsp+030h]
    movaps xmm4, xmmword ptr [rsp+040h]
    movaps xmm5, xmmword ptr [rsp+050h]
    movaps xmm6, xmmword ptr [rsp+060h]
    movaps xmm7, xmmword ptr [rsp+070h]
    movaps xmm8, xmmword ptr [rsp+080h]
    movaps xmm9, xmmword ptr [rsp+090h]
    movaps xmm10, xmmword ptr [rsp+0a0h]
    movaps xmm11, xmmword ptr [rsp+0b0h]
    movaps xmm12, xmmword ptr [rsp+0c0h]
    movaps xmm13, xmmword ptr [rsp+0d0h]
    movaps xmm14, xmmword ptr [rsp+0e0h]
    movaps xmm15, xmmword ptr [rsp+0f0h]
    ldmxcsr dword ptr [rsp+0100h]
    ;
    add rsp, 0110h
    ; ----------------------------------------------
    popfq
    pop rsp                                 ;
    ret                                     ; jump back to where we called Vmcall
AsmVmxoffHandler ENDP
;------------------------------------------------------------------------
END
```
Actually, I just read part of the code, and I think if I set the whole kernel space to unreadable and unwritable, the software may get stuck.
Am I right?
I am getting "Failed to install or load the driver" when running .debug prepare serial or .debug local (load vmm).
Tested on 1909 and 2004.
Tested on local and VMware.
Is this supposed to work? Or is it because it hasn't been released yet?
How many !epthooks and !epthook2s can I have? Can I add one to all addresses and generate a trace log?
[edit] I browsed the code some and it seems 40 !epthooks and infinite !epthook2s?
How many bytes can I have in the !epthook (code/condition)? !epthook fffff801deadbeef code {90 90 90} condition {90 90 90}
Where does the code in !epthook fffff801deadbeef code {90 90 90} run? Will it be able to modify/update the thread's context, heap etc.?
[edit] Does !epthook work for x86 processes?
When will it be released? I can't figure out how to build it due to hprdbghv.inf -- it says Sample class already exists, but you already know that (TODO: edit Class), so I guess it's to block compilation until it's ready for release? 📦
[edit] Perhaps it means to use Visual Studio 2015 instead :P
Thanks xD
You should add ring0 thread stalking, so you can do stuff without writing in the binary to supplement the EPT hooks!
```
33:     PageEntry = MemoryMapperGetPteVaByCr3(Va, PT, TargetCr3);
34:
35:     if (PageEntry->Present)          <this
36:     {
37:         return TRUE;
38:     }
39:     else
40:     {
0: kd> DT PageEntry
Local var @ 0xffffdf80fdabed58 Type _PAGE_ENTRY*
0xffffdb000032f490
   +0x000 Flags                 : 0x22000001`13d6a125
   +0x000 Pml4                  : _PAGE_MAP_LEVEL_4_ENTRY
   +0x000 PdptLarge             : _LARGE_PAGE_DIRECTORY_POINTER_TABLE_ENTRY
   +0x000 Pdpt                  : _PAGE_DIRECTORY_POINTER_TABLE_ENTRY
   +0x000 PdLarge               : _LARGE_PAGE_DIRECTORY_ENTRY
   +0x000 Pd                    : _PAGE_DIRECTORY_ENTRY
   +0x000 Pt                    : _PAGE_TABLE_ENTRY
   +0x000 Present               : 0y1
   +0x000 Write                 : 0y0
   +0x000 Supervisor            : 0y1
   +0x000 PageLevelWriteThrough : 0y0
   +0x000 PageLevelCacheDisable : 0y0
   +0x000 Accessed              : 0y1
   +0x000 Dirty                 : 0y0
   +0x000 LargePage             : 0y0
   +0x000 Global                : 0y1
   +0x000 Ignored1              : 0y000
   +0x000 PageFrameNumber       : 0y000000000000000100010011110101101010 (0x113d6a)
   +0x000 Reserved1             : 0y0000
   +0x000 Ignored2              : 0y0100000 (0x20)
   +0x000 ProtectionKey         : 0y0100
   +0x000 ExecuteDisable        : 0y0
```
Windows 10 Version 1607
It seems that (GuestCr3.Flags & PCID_MASK) == PCID_NONE has a very strange problem~
严重性 代码 说明 项目 文件 行 禁止显示状态
错误 LNK2019 无法解析的外部符号 __stdio_common_vsprintf,函数 _vsnprintf_l 中引用了该符号 hprdbghv D:\code\HyperDbg\hyperdbg\hprdbghv\Debugger.obj 1
严重性 代码 说明 项目 文件 行 禁止显示状态
错误 LNK2019 无法解析的外部符号 __stdio_common_vsprintf_s,函数 _vsprintf_s_l 中引用了该符号 hprdbghv D:\code\HyperDbg\hyperdbg\hprdbghv\Logging.obj 1
Many functions are not available. Failed to load the kernel module locally. It prompts that the entry point cannot be found. There is no tutorial.
Hello, this debugger is a great thing! This is really a huge work... There is a question about debugging the kernel on a physical machine... Is it possible to debug kernel functions from VMI-mode, maybe through scripts...? I did not find information in the help...
```c
if (GuestRegs->r10 == 0x48564653 && GuestRegs->r11 == 0x564d43414c4c && GuestRegs->r12 == 0x4e4f485950455256)
```
Where do these constants come from in this code? I did not find these constants in SYS.
EptHookInstructionMemory BUG
```c
InsertHeadList(&g_EptHook2sDetourListHead, &(DetourHookDetails->OtherHooksList));

//
// Write the absolute jump to our shadow page memory to jump to our hook
//
EptHookWriteAbsoluteJump(&Hook->FakePageContents[OffsetIntoPage], (SIZE_T)HookFunction);

return TRUE;
```
fix
```c
InsertHeadList(&g_EptHook2sDetourListHead, &(DetourHookDetails->OtherHooksList));

//
// Write the absolute jump to our shadow page memory to jump to our hook
//
EptHookWriteAbsoluteJump2(&Hook->FakePageContents[OffsetIntoPage], (SIZE_T)HookFunction);

return TRUE;
```
SyscallHookTest() bug
```c
if (EptHook2(ApiLocationFromSSDTOfNtCreateFile, NtCreateFileHook, PsGetCurrentProcessId(), (PVOID *)&NtCreateFileOrig, FALSE, FALSE, TRUE))
{
    LogInfo("Hook appkied to address of API Number : 0x%x at %llx\n", ApiNumberOfNtCreateFile, ApiLocationFromSSDTOfNtCreateFile);
}
```
fix
```c
if (EptHook2(ApiLocationFromSSDTOfNtCreateFile, NtCreateFileHook, PsGetCurrentProcessId(), FALSE, FALSE, TRUE))
```
There are many calls with too many parameters in your code. After fixing these calls, the blue screen problem appears here. I hope you can fix it.
```asm
    movaps xmm0, xmmword ptr [rsp+000h]
    movaps xmm1, xmmword ptr [rsp+010h]
    movaps xmm2, xmmword ptr [rsp+020h]
    movaps xmm3, xmmword ptr [rsp+030h]
    movaps xmm4, xmmword ptr [rsp+040h]
    movaps xmm5, xmmword ptr [rsp+050h]
    movaps xmm6, xmmword ptr [rsp+060h]
    movaps xmm7, xmmword ptr [rsp+070h]
    movaps xmm8, xmmword ptr [rsp+080h]
    movaps xmm9, xmmword ptr [rsp+090h]
    movaps xmm10, xmmword ptr [rsp+0a0h]
    movaps xmm11, xmmword ptr [rsp+0b0h]
    movaps xmm12, xmmword ptr [rsp+0c0h]
    movaps xmm13, xmmword ptr [rsp+0d0h]
    movaps xmm14, xmmword ptr [rsp+0e0h]
    movaps xmm15, xmmword ptr [rsp+0f0h]
    ldmxcsr dword ptr [rsp+0100h]           ; <- This
    add rsp, 0110h
    ; ----------------------------------------------
    popfq
    pop rsp                                 ; restore rsp
    ret                                     ; jump back to where we called Vmcall
AsmVmxoffHandler ENDP
```
Describe the bug
Debug assertion failed when running command db 3BFAD05C l 10 pid 2624.
To Reproduce
Steps to reproduce the behavior:
Desktop:
Additional context
If I click abort or retry, the console freezes and I can't close it.
Also I get invalid address when I run !monitor on a usermode address.
Hi. Using MyHypervisorApp from part 3, I tried to intercept the CPUID command using !cpuid pid 9484 script{ printf("return register is : %llx\n", @Rax);} in VMI-mode, but the "hook" didn't work. What am I doing wrong? Thank you
Your EPT code is copied from my project gbhv directly and modified without respecting gbhv's license: CC 4.0 Attribution License. In addition, your maintainer's name is marked at the top as the author of the code, but the code can be easily matched up 1-to-1 with the original code, with comment styles rewritten or changed.
Here is the code in question:
https://github.com/HyperDbg/HyperDbg/blob/master/hyperdbg/hprdbghv/Ept.c
https://github.com/Gbps/gbhv/blob/master/gbhv/ept.c
In addition, your EPT code is missing a patch that will cause issues on physical systems.
At line 414:
https://github.com/Gbps/gbhv/blob/master/gbhv/ept.c#L414
The memory type parameters must be copied over in the newly split entries or they will be left uninitialized.
Please put proper attribution to any code used from my project under the CC 4.0 AL terms, and please retain the attribution license for any code re-used in this project.
Thank you.
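What "copying the memory type into the split entries" looks like in code, as an added example written for this page (not code from gbhv or HyperDbg, and not the patch referenced above): a 2 MB EPT PDE is split into 512 4 KB PTEs with the permission bits, IgnorePat and memory type carried across, followed by a checker that flags any entry where the copy was skipped. The bit layouts follow the Intel SDM EPT entry formats; the type and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example written for this page, not code from gbhv or HyperDbg: split a
 * 2 MB EPT PDE into 512 4 KB PTEs, carrying the memory type across. Layouts
 * follow the Intel SDM EPT entry formats; the names are this example's own. */
#define EPT_PTES_PER_PAGE_TABLE 512
#define EPT_MEMORY_TYPE_WB      6 /* write-back; a field left at 0 means UC */

typedef union /* EPT PDE mapping a 2 MB page (LargePage set) */
{
    struct
    {
        uint64_t ReadAccess      : 1;  /* bit 0 */
        uint64_t WriteAccess     : 1;  /* bit 1 */
        uint64_t ExecuteAccess   : 1;  /* bit 2 */
        uint64_t MemoryType      : 3;  /* bits 5:3 */
        uint64_t IgnorePat       : 1;  /* bit 6 */
        uint64_t LargePage       : 1;  /* bit 7 */
        uint64_t Accessed        : 1;  /* bit 8 */
        uint64_t Dirty           : 1;  /* bit 9 */
        uint64_t UserExecute     : 1;  /* bit 10 */
        uint64_t Reserved1       : 10; /* bits 20:11 */
        uint64_t PageFrameNumber : 31; /* bits 51:21 = physical address >> 21 */
        uint64_t Reserved2       : 11; /* bits 62:52 */
        uint64_t SuppressVe      : 1;  /* bit 63 */
    } Fields;
    uint64_t All;
} EPT_PDE_2MB;
typedef union /* EPT PTE mapping a 4 KB page: same bits 6:0, bit 7 is ignored */
{
    struct
    {
        uint64_t ReadAccess      : 1;
        uint64_t WriteAccess     : 1;
        uint64_t ExecuteAccess   : 1;
        uint64_t MemoryType      : 3;
        uint64_t IgnorePat       : 1;
        uint64_t Ignored1        : 1;
        uint64_t Accessed        : 1;
        uint64_t Dirty           : 1;
        uint64_t UserExecute     : 1;
        uint64_t Ignored2        : 1;
        uint64_t PageFrameNumber : 40; /* bits 51:12 = physical address >> 12 */
        uint64_t Ignored3        : 11;
        uint64_t SuppressVe      : 1;
    } Fields;
    uint64_t All;
} EPT_PTE;

/* Map the same 2 MB range 4 KB at a time. R/W/X, IgnorePat and MemoryType come
 * from the parent: a MemoryType left at 0 would turn the whole range UC. */
void EptSplitLargePage(const EPT_PDE_2MB *Large, EPT_PTE Ptes[EPT_PTES_PER_PAGE_TABLE])
{
    for (size_t i = 0; i < EPT_PTES_PER_PAGE_TABLE; i++)
    {
        Ptes[i].All                    = 0;
        Ptes[i].Fields.ReadAccess      = Large->Fields.ReadAccess;
        Ptes[i].Fields.WriteAccess     = Large->Fields.WriteAccess;
        Ptes[i].Fields.ExecuteAccess   = Large->Fields.ExecuteAccess;
        Ptes[i].Fields.MemoryType      = Large->Fields.MemoryType; /* the missing copy */
        Ptes[i].Fields.IgnorePat       = Large->Fields.IgnorePat;
        /* 2 MB frame -> first 4 KB frame (x512), plus the index inside the page */
        Ptes[i].Fields.PageFrameNumber = ((uint64_t)Large->Fields.PageFrameNumber << 9) + i;
    }
}

/* Post-split check: count PTEs that disagree with their parent on bits 6:0
 * (R/W/X, MemoryType, IgnorePat) or on the frame number. A correct split gives 0. */
size_t EptCountSplitMismatches(const EPT_PDE_2MB *Large, const EPT_PTE Ptes[EPT_PTES_PER_PAGE_TABLE])
{
    size_t Mismatches = 0;
    for (size_t i = 0; i < EPT_PTES_PER_PAGE_TABLE; i++)
        if ((Ptes[i].All & 0x7F) != (Large->All & 0x7F) ||
            Ptes[i].Fields.PageFrameNumber != ((uint64_t)Large->Fields.PageFrameNumber << 9) + i)
            Mismatches++;
    return Mismatches;
}

/* Constructed sample (not a real machine's EPT): an RWX, write-back 2 MB page at
 * physical 0x20000000. With Dropped == 0 returns the raw PTE at Index; otherwise
 * zeroes MemoryType on the first Dropped PTEs (the omission) and returns how
 * many entries the checker flags. */
uint64_t EptDemoSplit(size_t Index, size_t Dropped)
{
    static EPT_PTE Ptes[EPT_PTES_PER_PAGE_TABLE];
    EPT_PDE_2MB    Large = { .All = 0 };
    Large.Fields.ReadAccess = Large.Fields.WriteAccess = Large.Fields.ExecuteAccess = 1;
    Large.Fields.LargePage       = 1;
    Large.Fields.MemoryType      = EPT_MEMORY_TYPE_WB;
    Large.Fields.PageFrameNumber = 0x20000000ULL >> 21; /* 2 MB frame 0x100 */
    EptSplitLargePage(&Large, Ptes);
    for (size_t i = 0; i < Dropped && i < EPT_PTES_PER_PAGE_TABLE; i++)
        Ptes[i].Fields.MemoryType = 0;
    return Dropped ? EptCountSplitMismatches(&Large, Ptes) : Ptes[Index].All;
}
```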
Whenever possible, add nt! resolution in the scripting language, and likewise avoid crashes when some command is unrecognized by showing an error message instead. That would be the best :)
os version:Win10 x64 1903,
Driver signature has been turned off
HyperDbg-cli tip:
err,startservice failure
unable to install driver
failed to install or load the driver
```asm
AsmVmxoffHandler PROC
    sub rsp, 020h                           ; shadow space
    call HvReturnStackPointerForVmxoff
    add rsp, 020h                           ; remove for shadow space
    mov [rsp+198h], rax                     ; now, rax contains rsp <- this!
```
calls:
nt!KeBugCheckEx
nt!setjmpex+0x6dc9
nt!setjmpex+0x3f06
hprdbghv!AsmVmxoffHandler+0xd
The error occurs when it stops. For the complete dump, please contact [email protected]. Thank you!
Error C1083 Unable to open include file: Zycore/Format.h: No such file or directory, hprdbgctrl C:\Users\Alexander\Desktop\HyperDbg-master\hyperdbg\hprdbgctrl\disassembler.cpp 34
"!epthook 7FF6C81C21A1 pid 37F4 script { @zf = 1; }" won't work
While the Log To State feature is being worked on, I was wondering if there's currently a way to log the state of the processor when an event is triggered; perhaps custom code could be executed to create the same effect?
Currently I'm trying to find the state of the CPU when certain code writes to a page of memory (using !monitor). Is it possible to log this at all with a local debug session?
We can run 32-bit applications on our x64 Windows systems, but 32-bit applications use sysenter to do system calls. Is there any way to hook or monitor sysenter/sysexit in your hypervisor?
Hello, I found a problem about closing the EferHook blue screen. The problem is that the system continues to generate #UD exceptions when SyscallEnable is set to True.
HyperDbg> .connect local
local debuging current system...
HyperDbg> load vmm
try to install and load the VMM driver...
The CPU Vendor is : GenuineIntel
The Processor virtualization technology is VT-x.
VMX Operation is supported by your processor .
Thread Created successfully !!!
Failed to install or load the driver
HyperDbg> (07:04:24.042 - core : 0 - vmx-root? no) [+] Information (DriverEntry:88) | Hyperdbg is Loaded :)
(07:04:24.042 - core : 0 - vmx-root? no) [+] Information (DriverEntry:103) | Setting device major functions
(07:04:24.042 - core : 3 - vmx-root? no) [+] Information (DrvCreate:218) | Hyperdbg's hypervisor Started...
(07:04:24.042 - core : 3 - vmx-root? no) [+] Information (EptCheckFeatures:54) | *** All EPT features are present ***
(07:04:24.042 - core : 3 - vmx-root? no) [+] Information (VmxInitializer:66) | Your processor supports all EPT features
(07:04:24.042 - core : 3 - vmx-root? no) [+] Information (EptBuildMtrrMap:124) | MTRR Range: Base=0x0 End=0x3fffffffff Type=0x6
(07:04:24.042 - core : 3 - vmx-root? no) [+] Information (EptBuildMtrrMap:124) | MTRR Range: Base=0xc0000000 End=0xffffffff Type=0x0
(07:04:24.042 - core : 3 - vmx-root? no) [+] Information (EptBuildMtrrMap:128) | Total MTRR Ranges Committed: 1
(07:04:24.042 - core : 3 - vmx-root? no) [+] Information (VmxInitializer:76) | Mtrr memory map built successfully
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:28) | Allocating Vmx Regions for logical core 1
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:28) | Allocating Vmx Regions for logical core 0
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:28) | Allocating Vmx Regions for logical core 2
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:35) | VMX-Operation Enabled Successfully
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:35) | VMX-Operation Enabled Successfully
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:28) | Allocating Vmx Regions for logical core 3
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:35) | VMX-Operation Enabled Successfully
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxDpcBroadcastAllocateVmxonRegions:35) | VMX-Operation Enabled Successfully
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:109) | VMXON Region Address : ffffdd81088f6000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:115) | VMXON Region Physical Address : 238ecd000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:121) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:109) | VMXON Region Address : ffffdd8108948000
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:115) | VMXON Region Physical Address : 238eca000
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:121) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:109) | VMXON Region Address : ffffdd810890a000
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:115) | VMXON Region Physical Address : 238ec7000
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:121) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:109) | VMXON Region Address : ffffdd810844c000
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:115) | VMXON Region Physical Address : 238ec4000
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxAllocateVmxonRegion:121) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:187) | VMCS Region Address : ffffdd81089b1000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:190) | VMCS Region Physical Address : 238ec1000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:196) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:187) | VMCS Region Address : ffffdd8108951000
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:190) | VMCS Region Physical Address : 238e9f000
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:196) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:187) | VMCS Region Address : ffffdd8108913000
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:190) | VMCS Region Physical Address : 238e8f000
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:196) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:187) | VMCS Region Address : ffffdd8108455000
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:190) | VMCS Region Physical Address : 238e8c000
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxAllocateVmcsRegion:196) | Revision Identifier (MSR_IA32_VMX_BASIC - MSR 0x480) : 0x1
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmmStack:237) | Vmm Stack for logical processor : 0xffffa40606c02000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:265) | Msr Bitmap Virtual Address : 0xffffa405fddfc000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:266) | Msr Bitmap Physical Address : 0x18ca2e000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:294) | I/O Bitmap A Virtual Address : 0xffffa405fddfd000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:295) | I/O Bitmap A Physical Address : 0x18ca2f000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:311) | I/O Bitmap B Virtual Address : 0xffffa405fddfe000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:312) | I/O Bitmap B Physical Address : 0x18ca30000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmmStack:237) | Vmm Stack for logical processor : 0xffffa40606c0a000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:265) | Msr Bitmap Virtual Address : 0xffffa405fddff000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:266) | Msr Bitmap Physical Address : 0x18ca39000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:294) | I/O Bitmap A Virtual Address : 0xffffa40606c12000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:295) | I/O Bitmap A Physical Address : 0x180d3a000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:311) | I/O Bitmap B Virtual Address : 0xffffa40606c13000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:312) | I/O Bitmap B Physical Address : 0x188c3b000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmmStack:237) | Vmm Stack for logical processor : 0xffffa40606c14000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:265) | Msr Bitmap Virtual Address : 0xffffa40606c1c000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:266) | Msr Bitmap Physical Address : 0x18bf44000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:294) | I/O Bitmap A Virtual Address : 0xffffa40606c1d000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:295) | I/O Bitmap A Physical Address : 0x186845000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:311) | I/O Bitmap B Virtual Address : 0xffffa40606c1e000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:312) | I/O Bitmap B Physical Address : 0x188d46000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateVmmStack:237) | Vmm Stack for logical processor : 0xffffa40606c1f000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:265) | Msr Bitmap Virtual Address : 0xffffa40606c27000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateMsrBitmap:266) | Msr Bitmap Physical Address : 0x18904f000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:294) | I/O Bitmap A Virtual Address : 0xffffa40606c28000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:295) | I/O Bitmap A Physical Address : 0x189050000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:311) | I/O Bitmap B Virtual Address : 0xffffa40606c29000
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxAllocateIoBitmaps:312) | I/O Bitmap B Physical Address : 0x188d51000
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:151) | Virtualizing Current System (Logical Core : 0x1)
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:151) | Virtualizing Current System (Logical Core : 0x0)
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:151) | Virtualizing Current System (Logical Core : 0x2)
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxClearVmcsState:280) | Vmcs Vmclear Status : 0
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:151) | Virtualizing Current System (Logical Core : 0x3)
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxClearVmcsState:280) | Vmcs Vmclear Status : 0
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxClearVmcsState:280) | Vmcs Vmclear Status : 0
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:171) | Setting up VMCS for current logical core
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxClearVmcsState:280) | Vmcs Vmclear Status : 0
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:171) | Setting up VMCS for current logical core
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:171) | Setting up VMCS for current logical core
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:171) | Setting up VMCS for current logical core
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxSetupVmcs:388) | Cpu Based VM Exec Controls (Based on MSR_IA32_VMX_TRUE_PROCBASED_CTLS) : 0x96006172
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxSetupVmcs:388) | Cpu Based VM Exec Controls (Based on MSR_IA32_VMX_TRUE_PROCBASED_CTLS) : 0x96006172
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxSetupVmcs:396) | Secondary Proc Based VM Exec Controls (MSR_IA32_VMX_PROCBASED_CTLS2) : 0x10102a
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxSetupVmcs:396) | Secondary Proc Based VM Exec Controls (MSR_IA32_VMX_PROCBASED_CTLS2) : 0x10102a
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxSetupVmcs:388) | Cpu Based VM Exec Controls (Based on MSR_IA32_VMX_TRUE_PROCBASED_CTLS) : 0x96006172
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxSetupVmcs:388) | Cpu Based VM Exec Controls (Based on MSR_IA32_VMX_TRUE_PROCBASED_CTLS) : 0x96006172
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxSetupVmcs:396) | Secondary Proc Based VM Exec Controls (MSR_IA32_VMX_PROCBASED_CTLS2) : 0x10102a
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxSetupVmcs:396) | Secondary Proc Based VM Exec Controls (MSR_IA32_VMX_PROCBASED_CTLS2) : 0x10102a
(07:04:24.058 - core : 1 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:174) | Executing VMLAUNCH on logical core 1
(07:04:24.058 - core : 2 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:174) | Executing VMLAUNCH on logical core 2
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:174) | Executing VMLAUNCH on logical core 0
(07:04:24.058 - core : 3 - vmx-root? no) [+] Information (VmxVirtualizeCurrentSystem:174) | Executing VMLAUNCH on logical core 3
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (DrvCreate:244) | Hyperdbg's hypervisor loaded successfully :)
(07:04:24.058 - core : 0 - vmx-root? no) [+] Information (DrvCreate:252) | Hyperdbg's debugger loaded successfully
(07:04:24.058 - core : 0 - vmx-root? yes) [+] Information (VmcallTest:457) | VmcallTest called with @param1 = 0x22 , @Param2 = 0x333 , @param3 = 0x4444
I signed all the build files using EV.
It is in VMware; the system version is 19042.
Except for the previous one, it looks like the load was successful.
But when I used the command 'bl', it prompted me 'err, setting breakpoints is not possible when you're not connected to a debuggeer'.
Is there anyone who can help me?
RemoveEntryList() should remove TempList instead of HookedEntry->PageHookList.Flink:
```c
RemoveEntryList(TempList);
```
Hey! Tell me what functions does it use hyperdbg to hide its presence in the system? CPUID? rdtsc?
Describe the bug
Not able to attach to system process. Also not able to print out syscalls of pid 4.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expected breaking to stop in pid 4 system like mentioned here: "By default, HyperDbg is spinning on vmx-root, and the default process is the system process pid = 4" -- but it is hyperdbg-cli.exe.
This prompted me to try logging syscalls like in #46 .
!syscall pid 4 script { printf("syscall number is : %llx\n", @rax); }
Expected to be able to log syscalls of pid 4, but no syscalls print.
Syscalls do print if I set pid to hyperdbg-cli.exe as expected.
I've both disabled driver enforcement and attached windbg like mentioned for !syscall in the docs.
Screenshots
Instead here's a pastebin link to the !analyze -v:
https://pastebin.com/uTj7jwjD
Desktop (please complete the following information):
EptHookInstructionMemory
```c
for (SizeOfHookedInstructions = 0;
     SizeOfHookedInstructions < 18;
     SizeOfHookedInstructions += ldisasm(((UINT64)TargetFunctionInSafeMemory + SizeOfHookedInstructions), TRUE))
{
    //
    // Get the full size of instructions necessary to copy
    //
}
```
The ldisasm function has a problem with the code length in the calculation of ObReferenceObjectByHandle, and the calculation result is smaller than the expected result
No file digest algorithm specidied. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate signature, use the /fd certHash option.
I looked in the project properties to select /fd sha256 but couldn't find it. Is there any other way to solve this?