System is bsodding on certain code parts when stepping instructions. any fix for this?

Bugcheck: DRIVER_IRQL_NOT_LESS_OR_EQUAL on latest release hprdbghv.sys+1b27a

NtWriteFile/NtCreateFile hook causes a VM Exit for EPT Misconfiguration

Windows version : 2004 Processor: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (12 CPUs), ~2.6GHz

I found that IS_SYSCALL_INSTRUCTION in SyscallHookHandleUD did not judge the instruction length, which would cause a blue screen in some cases due to access to invalid memory.

os version:Win10 x64 1903,

Driver signature has been turned off

HyperDbg-cli tip： err,startservice failure unable to install driver failed to install or load the driver

There appears to be a bug, get the value of this function often significantly more than expected in TransparentRandn, which can cause a lot of problems.

I am getting Failed to install or load the driver when .debug prepare serial or .debug local(load vmm) tested on 1909 and 2004 tested on local and vmware

Is this supposed to work? or cuz it hasn`t been released yet?

严重性 代码 说明 项目 文件 行 禁止显示状态 错误 LNK2019 无法解析的外部符号 __stdio_common_vsprintf，函数 _vsnprintf_l 中引用了该符号 hprdbghv D:\code\HyperDbg\hyperdbg\hprdbghv\Debugger.obj 1 严重性 代码 说明 项目 文件 行 禁止显示状态 错误 LNK2019 无法解析的外部符号 __stdio_common_vsprintf_s，函数 _vsprintf_s_l 中引用了该符号 hprdbghv D:\code\HyperDbg\hyperdbg\hprdbghv\Logging.obj 1

Hello, I found a problem about closing the EferHook blue screen.The problem is that the system continues to generate #UD exceptions when SyscallEnable is set to True.

Describe the bug Crashed inside hyper-v's guest machine when load vmm Vritualize Platform: Hyper-v with Nested Virtualization Host OS: 19041 Guest OS: 17763 or 19041

To Reproduce Steps to reproduce the behavior:

1. Install Hyper-V Manager in your host OS
2. Install guest OS by Hyper-V
3. Enable Nested Virtualization 'Set-VMProcessor -VMName $yourvmname -ExposeVirtualizationExtensions $true'
4. Run hyperdbg-cli.exe inside guest os and load vmm by local mode
5. See error

Expected behavior Guest OS will crash

Screenshots VM crashed

Desktop (please complete the following information):

• Host OS: 19041
• Guest OS: 17763 or 19041
• Processor [Intel i9-12900K]
• Version [hyperdbg master]
• Environment [Hyper-v with Nested Virtualization]

Hello Sina

Crashing occured to me without VMWARE (running it in native Win10) when running: !epthook nt!NtOpenFile pid 12249 script { printf("%ws\n", dq(poi(r8 + 10) + 0x8)); } This doesnt crash imediately ,it takes few tens of seconds, while printing various filenames.

I have 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz 2.80 GHz Windows 10 Pro 20H2 19042.1348

No minidumps were created , just a huge c:\windows\memory.dmp , you can download it from: https://mega.nz/file/uh82na7K#JkUIvQylBOFC4gccvkF7TKLKf6WmO53rQAW9cvUOW9s

Running !epthook nt!NtOpenFile script { printf("%llx\n", @r8); } didn't trigger any crash so far.

There is a difference in output compared to your screenshot in docs.Your prntsc displays only filenames, on my system it displays rows containing filenames and rows displaying numbers.

EDIT: "!epthook nt!NtOpenFile pid 12249" -> I noticed now that I specified process pid in decimal. Is this wrong, should I put it in hex? Either way , HyperDbg shouldnt produce a BSOD.

Thanks

Originally posted by @DarkerSquirrel in https://github.com/HyperDbg/HyperDbg/issues/66#issuecomment-986815059

I'm trying the following Setup

• Host OSX Big Sur (11.6)
• VMWare Fusion 12.2.0
• Client Windosw 10 (10.0.18363)

VMWare settings according the documentation [https://docs.hyperdbg.org/using-hyperdbg/examples/connecting-to-hyperdbg] It seems to work:

HyperDbg> .connect local
local debugging (vmi-mode)

HyperDbg> load vmm
loading the vmm driver
current processor vendor is : GenuineIntel
virtualization technology is vt-x
vmx operation is supported by your processor
vmm module is running...
please configure the symbol path (use '.help .sympath' for more information)

As soon as it hits a hook such as:

!epthook nt!NtOpenFile pid 1A4 script {
        printf("%ws\n", dq(poi(r8 + 10) + 0x8));
}

I get a blue screen of the Windows 10 client ...

Anybody experiences with Fusion ... should that work?

I am currently trying to debug something and am trying to set a breakpoint on a function. But I get this error: "err, edit memory request has invalid address based on current process layout, the address might be valid but not present in the ram." When I try to set an epthook on the same function, i get an invalid address error.

May I know what are the possible problems that may cause this error?

Hi, I have been trying out the examples provided in the HyperDbg documentation. But when i was doing the example on the !epthook, HyprDbg on my debugger machine seems to hang and becomes unresponsive. My target machine also remains in 'break' mode.

Steps to reproduce the behavior:

1. Follow the instructions to attach to a remote machine in HyperDbg Documentation. https://docs.hyperdbg.org/getting-started/attach-to-hyperdbg/debug
2. Follow the example on the !epthook example. https://docs.hyperdbg.org/commands/extension-commands/epthook
3. At the step where they set the epthook on the nt!NtOpenFile. HyperDbg hangs.

I am using a VMware VM to debug another VMware VM. Both VMs' OS is win10 21h2, intel i7-9700.

Here's a bug report I received from one of the HyperDbg users on Twitter.

I found a bug in the expression parser for left/right shift.

Here's example output from HyperDbg: 1: kHyperDbg> print (0xaa) aa // correct 1: kHyperDbg> print (0xaa << 8) aa00 // correct 1: kHyperDbg> print (0xaa << 16) 2a800000 // incorrect 1: kHyperDbg> print (0xaa0000 >> 16) 2 // incorrect

I am expecting that (0xaa << 16) should return "aa0000", but not in the case. Similarly, expression (0xaa0000 >> 16) where it should return "aa" but HyperDbg returns incorrect result here.

Evaluating similar expression in Python shows correct value:

hex(0xaa) '0xaa' hex(0xaa << 8) '0xaa00' hex(0xaa << 16) '0xaa0000' hex(0xaa0000 >> 16) '0xaa'

From my checking in the src code, left/right shift are handled by ScriptEngineExecute (switch FUNC_ASL and FUNC_ASR), but I couldn't figure out what's wrong (the code looks just fine).

Is your feature request related to a problem? Please describe. na

Describe the solution you'd like I want to keep track of all executed instructions within a process,

Describe alternatives you've considered Like ultimap function of cheatengine

Additional context

This is a bug I received by email.

Sometimes when I use .debug close, it makes the guest BSOD, I generate a kernel crash dump and it seems that there is problem with the HV Pool Manager: In the file hprdbghv\code\memory\PoolManager.c in the PoolManagerUninitialize function the following call to ExFreePoolWithTag crashed because the buffer was already freed (double free) m

// Free the allocated buffer (if not already changed)
if (!PoolTable->AlreadyFreed)
{
  ExFreePoolWithTag(PoolTable->Address, POOLTAG);
}

I didn't have time to figure out where the buffer was previously freed but I can try to take time to figure it out if it can help.

This is a bug I received by email.

In the HyperDbg documentation, you say that we can use !epthook on two or more addresses on the same page. If I use !epthook on both nt!NtFsControlFile and nt!NtTerminateProcess, it makes the VM guest freeze. Both functions addresses are on the same page :

0: kHyperDbg> !pte nt!NtTerminateProcess
VA 7ffee30cd2e0
PML4E (PXE) at ffffd3e9f4fa77f8 contains 0a0000016960f867
PDPT (PPE) at ffffd3e9f4efffd8 contains 0a000001b6412867
PDE at ffffd3e9dfffb8c0 contains 0a000001b8913867
PTE at ffffd3bfff718668 contains 060000020115e025

0: kHyperDbg> !pte nt!NtFsControlFile
VA 7ffee30cd480
PML4E (PXE) at ffffd3e9f4fa77f8 contains 0a0000016960f867
PDPT (PPE) at ffffd3e9f4efffd8 contains 0a000001b6412867
PDE at ffffd3e9dfffb8c0 contains 0a000001b8913867
PTE at ffffd3bfff718668 contains 060000020115e02

I don't have that issue when I use !epthook on addresses that don't belong to the same page.