HyperDbg debugger is an open-source, hypervisor-assisted user-mode, and kernel-mode Windows debugger 🐞

Overview


HyperDbg Debugger

(HyperDbg is NOT in a WORKING STATE - YOU SHOULD NOT USE IT yet, but you can inspect the code; please wait for the first release in late June 2021.)

We planned the first release for late June 2021.

HyperDbg is an open-source, hypervisor-assisted user-mode and kernel-mode Windows debugger with a focus on using modern hardware technologies. It is designed for analyzing, fuzzing and reversing.

Follow HyperDbg on Twitter to get notified about new releases!

(https://twitter.com/HyperDbg)

Description

HyperDbg is designed with a focus on using modern hardware technologies to bring new features to the reverse-engineering world. It operates on top of Windows by virtualizing an already-running system using Intel VT-x and Intel PT. Rather than relying on debugging APIs or software debugging mechanisms, it makes extensive use of second-level address translation (Intel's Extended Page Tables, EPT) to monitor both kernel-mode and user-mode execution.

HyperDbg Debugger

HyperDbg comes with features such as hidden hooks, which are as fast as classic inline hooks but stealthy. It emulates hardware debug registers (read and write watchpoints on a chosen location), but this time entirely invisible to both the Windows kernel and the monitored programs, and without any limitation on size or count.

TLB splitting, together with features such as measuring code coverage and monitoring every mov to or from memory performed by a function, makes HyperDbg a unique debugger.
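To make the hidden-hook mechanism concrete, here is an added user-mode model (not HyperDbg's own code) of the split-page technique the two paragraphs above describe. It keeps two host copies of a hooked guest page, one clean and one patched, and flips a modelled EPT entry between an execute-only view of the patched copy and a read/write view of the clean copy on every EPT violation. The type and function names are assumptions made for the model; a real implementation performs the same swap in the VM-exit handler and invalidates the EPT translations afterwards.

```c
/* Added example: user-mode model of an EPT split-page hidden hook.
 * Not HyperDbg code; struct and function names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096

/* EPT access rights, one bit each, as in a real EPT leaf entry. */
enum { EPT_R = 1u, EPT_W = 2u, EPT_X = 4u };

/* Model of one EPT leaf: which host page it maps and with what rights. */
typedef struct {
    uint8_t *host_page;
    unsigned perms;
} ept_pte;

typedef struct {
    uint8_t original[PAGE_SIZE]; /* clean bytes: what reads must return */
    uint8_t patched[PAGE_SIZE];  /* same page with the hook bytes applied */
    size_t hook_off, hook_len;   /* where the patch lives inside the page */
    ept_pte pte;                 /* the guest page's current EPT mapping */
    unsigned exits;              /* EPT violations (VM exits) taken so far */
} hidden_hook;

/* Install: duplicate the page, patch only the copy, map it execute-only. */
static void hook_install(hidden_hook *h, const uint8_t *page,
                         size_t off, const uint8_t *patch, size_t len)
{
    memcpy(h->original, page, PAGE_SIZE);
    memcpy(h->patched, page, PAGE_SIZE);
    memcpy(h->patched + off, patch, len);
    h->hook_off = off;
    h->hook_len = len;
    h->pte.host_page = h->patched;
    h->pte.perms = EPT_X;
    h->exits = 0;
}

/* EPT-violation handler: swap between the execute view and the data view. */
static void on_ept_violation(hidden_hook *h, unsigned wanted)
{
    h->exits++;
    if (wanted & EPT_X) {
        h->pte.host_page = h->patched;
        h->pte.perms = EPT_X;
    } else {
        h->pte.host_page = h->original;
        h->pte.perms = EPT_R | EPT_W;
    }
}

/* One guest fetch (EPT_X) or read (EPT_R) of a byte through the EPT:
 * an access the current view does not permit exits, remaps, then retries. */
static uint8_t guest_access(hidden_hook *h, unsigned kind, size_t off)
{
    if ((h->pte.perms & kind) == 0)
        on_ept_violation(h, kind);
    return h->pte.host_page[off];
}

/* A guest write lands in the data view and is mirrored into the patched
 * copy for every byte outside the hook, so code around the hook stays current. */
static void guest_write(hidden_hook *h, size_t off, uint8_t val)
{
    if ((h->pte.perms & EPT_W) == 0)
        on_ept_violation(h, EPT_W);
    h->original[off] = val;
    if (off < h->hook_off || off >= h->hook_off + h->hook_len)
        h->patched[off] = val;
}

/* What an in-guest integrity check sees: compare the page with a known-good
 * copy byte by byte. Returns true only if the patch is visible to the guest. */
static bool guest_sees_patch(hidden_hook *h, const uint8_t *known_good)
{
    for (size_t i = 0; i < PAGE_SIZE; i++)
        if (guest_access(h, EPT_R, i) != known_good[i])
            return true;
    return false;
}

int main(void)
{
    static uint8_t page[PAGE_SIZE];
    memset(page, 0x90, sizeof page);          /* constructed: a page of NOPs */
    const uint8_t int3 = 0xCC;                /* hidden breakpoint byte */
    hidden_hook h;
    hook_install(&h, page, 0x10, &int3, 1);

    printf("fetch at hook: %02x\n", guest_access(&h, EPT_X, 0x10));
    printf("read  at hook: %02x\n", guest_access(&h, EPT_R, 0x10));
    printf("integrity check sees patch: %s\n",
           guest_sees_patch(&h, page) ? "yes" : "no");
    printf("fetch at hook again: %02x, exits so far: %u\n",
           guest_access(&h, EPT_X, 0x10), h.exits);
    return 0;
}
```

The integrity-check function is the point of the model: every read is served from the clean copy, so a guest scanning the page for 0xCC or comparing it against the on-disk image finds nothing, while every fetch executes the patched bytes. The price is one VM exit each time the guest switches between reading and executing the same page, which is the overhead a transparent debugger has to keep small.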

Despite its novel features, HyperDbg tries to be as stealthy as possible. It does not use any debugging APIs to debug Windows or applications, so classic anti-debugging methods will not detect it. It also resists timing-delta methods (e.g., RDTSC/RDTSCP) used to detect the presence of a hypervisor, which makes it much harder for applications, packers, protectors, malware, anti-cheat engines, etc. to discover the debugger.
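As an added illustration (not from the HyperDbg project) of what transparent mode has to defeat, the following is the classic timing check used by packers and anti-cheat code: time a CPUID with RDTSC/RDTSCP, since CPUID unconditionally traps to the hypervisor, and compare the median of many samples against a threshold. The threshold value, the sample count and the non-x86 fallback are assumptions; on x86 the sampler uses the real instructions.

```c
/* Added example: RDTSC/CPUID timing check for hypervisor presence.
 * Not HyperDbg code; threshold and sample count are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
/* Cycles spent on one CPUID. CPUID always causes a VM exit, so under a
 * hypervisor this delta is typically an order of magnitude larger than
 * on bare metal unless the hypervisor rewrites the TSC it reports. */
static uint64_t timed_cpuid(void)
{
    unsigned a = 0, b = 0, c = 0, d = 0, aux = 0;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtscp(&aux);   /* waits for CPUID to retire before reading */
    (void)b; (void)c; (void)d;
    return t1 - t0;
}
#else
#include <time.h>
/* Assumed fallback for non-x86 builds: nanoseconds around an empty window,
 * so the statistics below still compile and run. */
static uint64_t timed_cpuid(void)
{
    struct timespec s, e;
    clock_gettime(CLOCK_MONOTONIC, &s);
    clock_gettime(CLOCK_MONOTONIC, &e);
    return (uint64_t)(e.tv_sec - s.tv_sec) * 1000000000ull
         + (uint64_t)(e.tv_nsec - s.tv_nsec);
}
#endif

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; works on a copy so the caller's array is untouched. */
static uint64_t median_u64(const uint64_t *v, size_t n)
{
    if (n == 0)
        return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp)
        return 0;
    for (size_t i = 0; i < n; i++)
        tmp[i] = v[i];
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* The decision an anti-debug routine makes. The median, not the minimum or
 * the mean, keeps a single interrupt or context switch from either hiding
 * or faking a hypervisor. */
static bool looks_virtualized(const uint64_t *samples, size_t n, uint64_t threshold)
{
    return median_u64(samples, n) > threshold;
}

/* Collect n CPUID timings into out[] and return their median. */
static uint64_t sample_cpuid(uint64_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = timed_cpuid();
    return median_u64(out, n);
}

int main(void)
{
    enum { N = 64 };
    static uint64_t d[N];
    const uint64_t threshold = 500;   /* assumed: cycles for one CPUID on bare metal */
    uint64_t med = sample_cpuid(d, N);
    printf("median CPUID delta: %llu, verdict: %s\n", (unsigned long long)med,
           looks_virtualized(d, N, threshold) ? "hypervisor present" : "bare metal");
    return 0;
}
```

A debugger in transparent mode must intercept RDTSC/RDTSCP and subtract the cycles its own exits consumed so that the median stays under any plausible threshold, and it must do so consistently across both instructions, since a mismatch between RDTSC and RDTSCP is itself a tell.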

Unique Features

First Release (v0.1.0.0)

  • Classic EPT Hook (Hidden Breakpoint)
  • Inline EPT Hook (Inline Hook)
  • Monitor Memory For R/W (Emulating Hardware Debug Registers Without Limitation)
  • SYSCALL Hook (Disable EFER.SCE & Handle #UD)
  • SYSRET Hook (Disable EFER.SCE & Handle #UD)
  • CPUID Hook & Monitor
  • RDMSR Hook & Monitor
  • WRMSR Hook & Monitor
  • RDTSC/RDTSCP Hook & Monitor
  • RDPMC Hook & Monitor
  • VMCALL Hook & Monitor
  • Debug Registers Hook & Monitor
  • I/O Port (In Instruction) Hook & Monitor
  • I/O Port (Out Instruction) Hook & Monitor
  • MMIO Monitor
  • Exception (IDT vectors 0-31) Monitor
  • External-Interrupt (IDT vectors 32-255) Monitor
  • Running Automated Scripts
  • Transparent-mode (Anti-debugging and Anti-hypervisor Resistance)
  • Running Custom Assembly In Both VMX-root and VMX non-root (Kernel & User)
  • Checking For Custom Conditions
  • VMX-root Compatible Message Tracing
  • Powerful Kernel Side Scripting Engine
  • Event Forwarding (#DFIR)
  • Transparent Breakpoint Handler
  • Various Custom Scripts
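The SYSCALL and SYSRET hook entries above rely on clearing EFER.SCE so that both instructions raise #UD and the hypervisor gets to see them. The following added example (not HyperDbg's code) models the #UD handler's decision in user mode: read the bytes at RIP only if they lie inside the readable mapping, classify them as SYSCALL (0F 05), SYSRET (0F 07 or REX.W-prefixed 48 0F 07) or a genuine invalid opcode, and for a SYSCALL record the service index and table bit from RAX before redirecting the guest to LSTAR. The register layout, the guest-memory model and the event struct are assumptions.

```c
/* Added example: dispatch logic of an EFER.SCE/#UD syscall hook, modelled in
 * user mode. Not HyperDbg code; structs and names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { UD_INJECT, UD_SYSCALL, UD_SYSRET } ud_action;

/* The guest state the handler needs (assumed layout for the model). */
typedef struct {
    const uint8_t *code;   /* guest code mapping that contains RIP */
    size_t code_len;       /* number of readable bytes in that mapping */
    uint64_t rip;          /* offset of the faulting instruction in code[] */
    uint64_t rax;          /* Windows syscall number on SYSCALL entry */
    uint64_t rcx;          /* SYSCALL saves the return RIP here; SYSRET reads it */
    uint64_t lstar;        /* IA32_LSTAR: kernel entry SYSCALL would have used */
} guest_regs;

/* What the hook reports for every trapped SYSCALL. */
typedef struct {
    unsigned index;        /* RAX bits 0-11: service index */
    unsigned table;        /* RAX bit 12: 0 = ntoskrnl SSDT, 1 = win32k shadow SSDT */
    uint64_t return_rip;   /* where the service returns to in user mode */
} syscall_event;

/* Return a pointer to n bytes at RIP only if they lie inside the readable
 * mapping; NULL otherwise, so the caller never touches unmapped memory. */
static const uint8_t *code_at_rip(const guest_regs *g, size_t n)
{
    if (g->rip > g->code_len || g->code_len - g->rip < n)
        return NULL;
    return g->code + g->rip;
}

/* Classify the #UD: was it really SYSCALL/SYSRET, or a genuine bad opcode? */
static ud_action classify_ud(const guest_regs *g, size_t *insn_len)
{
    const uint8_t *p;
    if ((p = code_at_rip(g, 3)) && p[0] == 0x48 && p[1] == 0x0F && p[2] == 0x07) {
        *insn_len = 3;                       /* 48 0F 07: sysretq */
        return UD_SYSRET;
    }
    if ((p = code_at_rip(g, 2)) && p[0] == 0x0F) {
        if (p[1] == 0x05) { *insn_len = 2; return UD_SYSCALL; }  /* 0F 05: syscall */
        if (p[1] == 0x07) { *insn_len = 2; return UD_SYSRET; }   /* 0F 07: sysret  */
    }
    *insn_len = 0;
    return UD_INJECT;                        /* real #UD, or RIP not readable */
}

/* Handle the exit: emulate the architectural effect of the instruction so the
 * guest continues as if EFER.SCE were still set; fill ev for a SYSCALL. */
static ud_action handle_ud(guest_regs *g, syscall_event *ev)
{
    size_t len = 0;
    ud_action a = classify_ud(g, &len);
    switch (a) {
    case UD_SYSCALL:
        ev->index = (unsigned)(g->rax & 0xFFF);
        ev->table = (unsigned)((g->rax >> 12) & 1);
        ev->return_rip = g->rip + len;
        g->rcx = ev->return_rip;             /* SYSCALL: RCX <- next RIP */
        g->rip = g->lstar;                   /*          RIP <- LSTAR    */
        break;
    case UD_SYSRET:
        g->rip = g->rcx;                     /* SYSRET: RIP <- RCX */
        break;
    case UD_INJECT:
        break;                               /* leave state alone; reinject #UD */
    }
    return a;
}

int main(void)
{
    /* Constructed guest code: syscall; ud2; sysretq; then a lone 0F at the
     * very end of the mapping that a length-unaware check would read past. */
    static const uint8_t code[] = { 0x0F, 0x05, 0x0F, 0x0B, 0x48, 0x0F, 0x07, 0x0F };
    guest_regs g = { code, sizeof code, 0, 0x1018, 0, 0xFFFF800000001000ull };
    syscall_event ev = { 0, 0, 0 };
    const char *names[] = { "inject #UD", "syscall", "sysret" };

    for (uint64_t rip = 0; rip < sizeof code; rip++) {
        g.rip = rip;
        ud_action a = handle_ud(&g, &ev);
        printf("rip=%llu -> %s", (unsigned long long)rip, names[a]);
        if (a == UD_SYSCALL)
            printf(" (index 0x%x, table %u)", ev.index, ev.table);
        printf("\n");
    }
    return 0;
}
```

The bounds check in code_at_rip is the part that matters operationally: the handler runs in VMX-root mode, where a fault on an unmapped guest address is not a recoverable page fault but a host crash, so the instruction bytes must be proven readable before they are decoded.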

Second Release (v0.2.0.0)

(not released yet!)

Build & Installation

If you want to build HyperDbg, clone it with the --recursive flag so that its submodules are fetched as well.

git clone --recursive https://github.com/HyperDbg/HyperDbg.git

Please visit Build & Install and Quick Start for a detailed explanation of how to start with HyperDbg. You can also see FAQ for more information.

How does it work?

We have explained in detail how HyperDbg works internally and how its features are designed; take a look at:

(https://docs.hyperdbg.com/design)

Here's a diagram that shows how HyperDbg works:

HyperDbg Design


Plugins

The plugin framework is not ready for the current version of HyperDbg. Future versions will support plugins.

Donations to charity

We have spent thousands of hours on HyperDbg, and it is free and open-source for you. If you want to help the development of HyperDbg, please donate to children in Africa and send us a picture of your donation; this makes all HyperDbg developers super happy! Don't hesitate to send us the pictures; this way we know that we're doing something useful.

(https://www.compassion.com/donate/donate-to-children-in-africa.htm)

Credits

Contributing

Contributing to HyperDbg is very much appreciated.

If you want to create a pull request or contribute to HyperDbg, please read the Contribution Guide.

License

Dependencies are licensed under their own licenses.

HyperDbg is under GPLv3 LICENSE.

Issues
  • Bsod

    The system is BSODing on certain code parts when stepping instructions. Any fix for this?

    Bugcheck: DRIVER_IRQL_NOT_LESS_OR_EQUAL on latest release hprdbghv.sys+1b27a

    opened by m853ax 65
  • NtWriteFile hook implementation

    NtWriteFile/NtCreateFile hook causes a VM Exit for EPT Misconfiguration

    Windows version : 2004 Processor: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (12 CPUs), ~2.6GHz

    opened by Souhardya 32
  • SyscallHookHandleUD of SyscallHookHandleUD will blue screen in some versions of the system

    I found that IS_SYSCALL_INSTRUCTION in SyscallHookHandleUD does not check the instruction length, which causes a blue screen in some cases due to accessing invalid memory.

    bug 
    opened by wuhao13 26
  • .debug command error

    OS version: Win10 x64 1903

    Driver signature enforcement has been turned off

    HyperDbg-cli tip: err,startservice failure unable to install driver failed to install or load the driver

    opened by botao1995 18
  • remote debugger (VMware 16 Pro)

    Following your manual, I connected with VMware... (screenshots) but none of the commands work... (screenshots). SSDT hooks cause a BSOD (screenshot).

    question 
    opened by xSanx 17
  • BUG TransparentRandn

    There appears to be a bug: the value obtained from this function is often significantly larger than expected in TransparentRandn, which can cause a lot of problems.

    bug invalid 
    opened by wuhao13 17
  • Failed to install or load the driver

    I am getting "Failed to install or load the driver" when running .debug prepare serial or .debug local (load vmm). Tested on 1909 and 2004, both locally and in VMware.

    Is this supposed to work? Or is it because it hasn't been released yet?

    opened by Chrys4lisfag 12
  • vs2019 community build error

    Severity Code Description Project File Line Suppression State
    Error LNK2019 unresolved external symbol __stdio_common_vsprintf referenced in function _vsnprintf_l hprdbghv D:\code\HyperDbg\hyperdbg\hprdbghv\Debugger.obj 1
    Error LNK2019 unresolved external symbol __stdio_common_vsprintf_s referenced in function _vsprintf_s_l hprdbghv D:\code\HyperDbg\hyperdbg\hprdbghv\Logging.obj 1

    opened by botao1995 11
  • windows 11 build error.

    OS: Windows 11, IDE: VS2019, Windows SDK version: 10.0.22000.194, WDK version: 10.0.22000.194

    bug 
    opened by pxps 11
  • fix lnk 2019

    opened by botao1995 10
  • VMware Fusion 12.2.0 not supported?

    I'm trying the following setup:

    • Host: OSX Big Sur (11.6)
    • VMware Fusion 12.2.0
    • Client: Windows 10 (10.0.18363)

    VMware settings according to the documentation [https://docs.hyperdbg.org/using-hyperdbg/examples/connecting-to-hyperdbg]. It seems to work:

    HyperDbg> .connect local
    local debugging (vmi-mode)
    
    HyperDbg> load vmm
    loading the vmm driver
    current processor vendor is : GenuineIntel
    virtualization technology is vt-x
    vmx operation is supported by your processor
    vmm module is running...
    please configure the symbol path (use '.help .sympath' for more information)
    

    As soon as it hits a hook such as:

    !epthook nt!NtOpenFile pid 1A4 script {
            printf("%ws\n", dq(poi(r8 + 10) + 0x8));
    }
    

    I get a blue screen of the Windows 10 client ...

    Does anybody have experience with Fusion? Should that work?

    bug 
    opened by Myonium 5
  • There is a bug in the EPT HOOK code.

    EptHookInstructionMemory

    for (SizeOfHookedInstructions = 0;
         SizeOfHookedInstructions < 18;
         SizeOfHookedInstructions += ldisasm(((UINT64)TargetFunctionInSafeMemory + SizeOfHookedInstructions), TRUE))
    {
        //
        // Get the full size of instructions necessary to copy
        //
    }

    The ldisasm function has a problem with the code-length calculation for ObReferenceObjectByHandle: the calculated result is smaller than the expected one.

    enhancement 
    opened by wuhao13 7
  • Feature/Bug Solution To Stepping Speed Related Issue (kernel only tracing)

    I just took a look at the stepping process and might have found an alternative to spamming the step packet. My idea would be to do a system similar to the EPT hook one, where messages can be stored in a buffer and sent afterwards (this might fix the VMware issue related to speed and unexpected slowdown). I brainstormed an alternative as well that would add a new feature to the debugger, also known as tracing, that would be able to record instructions much faster, keeping them in a buffer and finally saving them to a file. I think this should be a priority for this project, as its main goal is debugging and tracing is an important part of it. So whenever possible implement those features; I might start looking into it personally as well. Forgot to mention: all data saved must not cross the UM CLI application (causing big slowdowns), but must be written directly from KM to a file in the guest's machine (similar to x64dbg tracing).

    bug help wanted 
    opened by m853ax 28
Owner
HyperDbg
I'm a Schrödinger's cat working as a Windows kernel-mode debugger which is called HyperDbg with a focus on using modern hardware technologies.