(HyperDbg is NOT in a WORKING STATE - YOU SHOULD NOT USE IT, but you can observe codes, please wait for first release in late June 2021)
We planned for first-release in late June 2021
HyperDbg debugger is an open-source, hypervisor-assisted user-mode, and kernel-mode Windows debugger with a focus on using modern hardware technologies. It is a debugger designed for analyzing, fuzzing and reversing.
Follow HyperDbg on Twitter to get notified about new releases !
HyperDbg is designed with a focus on using modern hardware technologies to provide new features to the reverse engineering world. It operates on top of Windows by virtualizing an already running system using Intel VT-x and Intel PT. This debugger aims not to use any APIs and software debugging mechanisms, but instead, it uses Second Layer Page Table (a.k.a. Extended Page Table or EPT) extensively to monitor both kernel and user executions.
Using TLB-splitting, and having features such as measuring code coverage and monitoring all mov(s) to/from memory by a function, makes HyperDbg a unique debugger.
Although it has novel features, HyperDbg tries to be as stealth as possible. It doesn’t use any debugging APIs to debug Windows or any application, so classic anti-debugging methods won’t detect it. Also, it resists the exploitation of time delta methods (e.g., RDTSC/RDTSCP) to detect the presence of hypervisors, therefore making it much harder for applications, packers, protectors, malware, anti-cheat engines, etc. to discover the debugger.
First Release (v0.1.0.0)
- Classic EPT Hook (Hidden Breakpoint) [link][link]
- Inline EPT Hook (Inline Hook) [link][link]
- Monitor Memory For R/W (Emulating Hardware Debug Registers Without Limitation) [link][link]
- SYSCALL Hook (Disable EFER & Handle #UD) [link][link]
- SYSRET Hook (Disable EFER & Handle #UD) [link][link]
- CPUID Hook & Monitor [link]
- RDMSR Hook & Monitor [link]
- WRMSR Hook & Monitor [link]
- RDTSC/RDTSCP Hook & Monitor [link]
- RDPMC Hook & Monitor [link]
- VMCALL Hook & Monitor [link]
- Debug Registers Hook & Monitor [link]
- I/O Port (In Instruction) Hook & Monitor [link]
- I/O Port (Out Instruction) Hook & Monitor [link]
- MMIO Monitor
- Exception (IDT < 32) Monitor [link][link]
- External-Interrupt (IDT > 32) Monitor [link][link]
- Running Automated Scripts [link]
- Transparent-mode (Anti-debugging and Anti-hypervisor Resistance) [link][link]
- Running Custom Assembly In Both VMX-root, VMX non-root (Kernel & User) [link]
- Checking For Custom Conditions [link][link]
- VMX-root Compatible Message Tracing [link]
- Powerful Kernel Side Scripting Engine [link][link]
- Event Forwarding (#DFIR) [link][link]
- Transparent Breakpoint Handler
- Various Custom Scripts [link]
Second Release (v0.2.0.0)
(not released yet !)
Build & Installation
If you want to build HyperDbg, you should clone HyperDbg with
git clone --recursive https://github.com/HyperDbg/HyperDbg.git
How does it work?
We explained about how HyperDbg internally works and how we designed its features in details, take a look at :
Here's a diagram that shows how HyperDbg works !
The plugin framework is not ready for the current version of HyperDbg. Future versions will support plugins.
Donations to charity
We spent thousands of hours on HyperDbg and it's free and open-source for you, If you want to help to develop HyperDbg, please donate to children in Africa and send a picture of your donation to us, this makes all HyperDbg developers, super happy! Don't hesitate to send us the pictures, this way we know that we're doing something useful.
- Sina Karvandi (@Intel80x86)
- MH Gholamrezaei (@mohoseinam)
- Mohammad Ataei (@mammadataei)
- Saleh Khalaj Monfared (@S4l3hh)
- Alee Amini (@AleeAmini)
Contributing in HyperDbg is super appreciated.
If you want to create a pull request or contribute in HyperDbg please read Contribution Guide.
Dependencies are licensed by their own licenses.
HyperDbg is under GPLv3 LICENSE.