All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
New release of the HyperDbg Debugger.
- The !monitor command now physical address hooking (link)
- hwdbg is merged to HyperDbg codebase (link)
- strncmp(Str1, Str2, Num), and wcsncmp(WStr1, WStr2, Num) functions in script engine (link)(link)
- Using a separate HOST IDT in VMCS (not OS IDT) (fix to this VM escape issues)
- Using a dedicated HOST GDT and TSS Stack
- Checking for race-condition of not locked cores before applying instant-events and switching cores
- The error message for invalid address is changed (more information)
- Fix the problem of not locking all cores after running the '.pagein' command
New release of the HyperDbg Debugger.
- Fixed the signedness overflow of the command parser
New release of the HyperDbg Debugger.
- Added hwdbg headers (link)
- Added support NUMA configuration with multiple count CPU sockets (link)
- Added citation to TRM paper (link)
- Change release flag of hyperdbg-cli to Multi-threaded Debug (/MTd)
- Fix bitwise extended type, fixed memleaks, remove excess else and cmp int with EOF (link)
New release of the HyperDbg Debugger.
- Add user-defined functions and variable types in script engine thanks to @xmaple555 (link)(link)
- Fix debuggee crash after running the '.debug close' command on the debugger
- The problem with adding edge MTRR pages is fixed thanks to @Maladiy (link)
- All compiler/linker warnings of kernel-mode modules are fixed
- User/Kernel modules of HyperDbg now compiled with "treat warning as error"
- After downloading new symbols it is automatically loaded
- Fix error messages/comments spelling typos
New release of the HyperDbg Debugger.
- The !monitor command now supports length in parameters (link)
- Fix the issue of not intercepting memory monitoring on non-contiguous physical memory allocations
- The speed of memory read/write/execution interception is enhanced by avoiding triggering out-of-range events
New release of the HyperDbg Debugger thanks to @mattiwatti.
- The !mode event command is added to detect kernel-to-user and user-to-kernel transitions (link)
- The 'preactivate' command is added to support initializing special functionalities in the Debugger Mode (link)
- Fix miscalculating MTRRs in 13th gen processors
New release of the HyperDbg Debugger thanks to @mattiwatti and @cutecatsandvirtualmachines.
New release of the HyperDbg Debugger.
- Fix the single core broadcasting events issue (link)
- Evaluate the '.pagin' ranges as expressions (link)
- Add hexadecimal escape sequence as string parameter for string functions (link)
- Add hexadecimal escape sequence as wstring parameter for wstring functions (link)
- Fix breakpoint and the '!epthook' problems in the same address (link)
New release of the HyperDbg Debugger.
- HyperDbg now applies events immediately as implemented in the "instant events" mechanism (link)
- The Event Forwarding mechanism is now supported in the Debugger Mode (link)
- The Event Forwarding mechanism now supports external modules (DLLs) (link)
- event_clear(EventId) function in script engine (link)
- HyperDbg now supports string inputs for strlen and other related functions thanks to @xmaple555 (link)
- New semantic tests for the script engine (50 to 59) is added mainly for testing new string and memory comparison functions (link)
- strlen and wcslen functions now support string and wide-character string as the input (link)(link)
- strcmp(Str1, Str2), wcscmp(WStr1, WStr2) and memcmp(Ptr1, Ptr2, Num) functions in script engine thanks to @xmaple555 (link)(link)(link)
- The debug break interception (#DB) manipulation option is added to the 'test' command (link)
- The '.pagein' command, now supports address ranges (length in bytes) to bring multiple pages into the RAM (link)
- Fix the problem with the "less than" and the "greater than" operators for signed numbers thanks to @xmaple555 (link)
- Fix the problem checking for alternative names thanks to @xmaple555 (link)
- Fix the crash by turning off the breakpoints while a breakpoint is still active thanks to @xmaple555 (link)
- Fix the crash on reading symbols on remote debuggee thanks to @xmaple555 (link)
- The 'prealloc' command is updated with new instant-event preallocated pools (link)
- Fix wrong removing of EPT Hook (hidden breakpoints)
- The 'event' command, no longer continues debuggee for clearing events, instead just disables the event and removes the effects of the event when debuggee continues (link)
- $id pseudo-register changed to $event_id (link)
- $tag pseudo-register changed to $event_tag (link)
- $stage pseudo-register changed to $event_stage (link)
- Fix adding pseudo-registers with underscore in the script engine (link)
- Fix the boolean expression interpretation in if conditions in the script engine (link)
- HyperDbg now intercepts all debug breaks (#DBs) if it's not explicitly asked not to by using the 'test' command (link)
- Fix '%d' bug in script engine (link)
New release of the HyperDbg Debugger.
- event_inject(InterruptionType, Vector) function in script engine (link)
- event_inject_error_code(InterruptionType, Vector, ErrorCode) function in script engine (link)
- .dump - command is added to the debugger to dump the virtual memory into a file (link)
- !dump - command is added to the debugger to dump the physical memory into a file (link)
- gu - command is added to the debugger to step-out or go up instructions thanks to @xmaple555 (link)
- HyperDbg now switched to a multiple EPTP memory model, and each core has its own EPT table (link)
- Building mtrr map by adding smrr, fixed ranges, and default memory type is fixed (#255) thanks to @Air14
- The problem of removing multiple EPT hooks on a single address is fixed
- The problem of not intercepting the step-over command 'p' when executed in different cores is fixed
- HyperDbg now checks for the validity of physical addresses based on CPUID.80000008H:EAX[7:0]'s physical address width
New release of the HyperDbg Debugger.
- The disassembler now warns if you mistakenly used the 'u' command over a 32-bit program (link)
- The debuggee won't load the VMM module if the debugger is not listening
- The debugger and the debuggee now perform a version/build check to prevent version mismatch
- Fix the 'eb' command's parsing issue with '0xeb' hex bytes (link)
- Fix the connection problem with serial (checksum error) over two VMs
- Fix the 't' command's indicator of trap flags and simultaneous stepping of multiple threads (link)
- Fix the problem with the '.kill' and '.restart' commands
- Show the stage of the event once the debugger is paused
- Fix sending context, tag, and registers once '!epthook2' wants to halt the debugger
New release of the HyperDbg Debugger.
- The !monitor command now supports 'execution' interception (link)
- .pagein - command is added to the debugger to bring pages in (link)
- The '.start' command's mechanism for finding the entrypoint is changed to address issues (link)
- The buffer overlap error in hyperlog in multi-core systems is fixed (link)
- The implementation of 'dd' (define dword, 32-bit), and 'dw' (define word, 16-bit) is changed (link)
- The problem with unloading driver (#238) is fixed (link)
- The symbol files for 32-bit modules are now loaded based on SysWOW64, and the issue (#243) is fixed (link)
- New alias names for u, !u as u64, !u64 and for u2, !u2 as u32, !u32 (link)(link)
New release of the HyperDbg Debugger.
- The event short-circuiting mechanism (link)
- New pseudo-registers ($tag, $id) in the script engine (link)
- The breakpoint interception manipulation (#BP) option is added to the 'test' command (link)
- The '!track' command to create the tracking records of function CALLs and RETs along with registers (link)
- disassemble_len(Address) function in script engine (link)
- disassemble_len32(Address) function in script engine (link)
- event_sc(DisableOrEnable) function in script engine (link)
- The old Length Disassembler Engine is replaced by Zydis (link)
The patch for fixing bugs of HyperDbg Debugger.
- The problem with the callstack command (k) is fixed (link)
The patch for fixing bugs of the second (2nd) release of HyperDbg Debugger.
- Fixing bugs!
- The parameters of the '!cpuid' extension command is changed, and a new EAX index parameter is added (link)
- The problem with removing EPT hooks (!monitor and !epthook) is fixed (link)
The second (2nd) release of the HyperDbg Debugger.
- HyperDbg Software Development Kit (SDK) is now available
- flush() function in script engine (link)
- memcpy() function in script engine (link)
- Global code refactoring and fixing bugs!
- Compiling HyperDbg by using the latest Windows 11 WDK
- enable_event function name changed to event_enable (link)
- disable_event function name changed to event_disable (link)
- The "settings" command now preserves the configurations in the config file
- The communication buffer is now separated from the hyperlogger buffer chunks and the buffer size is increased X10 times (link)
- Zydis submodule is updated to version 4 (link)
- enable_event script engine function
- disable_event script engine function
This is the first (1st) release of HyperDbg Debugger.
- # (comment in batch scripts)
- ? (evaluate and execute expressions and scripts in debuggee)
- ~ (display and change the current operating core)
- load (load the kernel modules)
- unload (unload the kernel modules)
- status (show the debuggee status)
- events (show and modify active/disabled events)
- p (step-over)
- t (step-in)
- i (instrumentation step-in)
- r (read or modify registers)
- bp (set breakpoint)
- bl (list breakpoints)
- be (enable breakpoints)
- bd (disable breakpoints)
- bc (clear and remove breakpoints)
- g (continue debuggee or processing kernel packets)
- x (examine symbols and find functions and variables address)
- db, dc, dd, dq (read virtual memory)
- eb, ed, eq (edit virtual memory)
- sb, sd, sq (search virtual memory)
- u, u2 (disassemble virtual address)
- k, kd, kq (display stack backtrace)
- dt (display and map virtual memory to structures)
- struct (make structures, enums, data types from symbols)
- sleep (wait for specific time in the .script command)
- pause (break to the debugger and pause processing kernel packets)
- print (evaluate and print expression in debuggee)
- lm (view loaded modules)
- cpu (check cpu supported technologies)
- rdmsr (read model-specific register)
- wrmsr (write model-specific register)
- flush (remove pending kernel buffers and messages)
- prealloc (reserve pre-allocated pools)
- output (create output source for event forwarding)
- test (test functionalities)
- settings (configures different options and preferences)
- exit (exit from the debugger)
- .help (show the help of commands)
- .debug (prepare and connect to debugger)
- .connect (connect to a session)
- .disconnect (disconnect from a session)
- .listen (listen on a port and wait for the debugger to connect)
- .status (show the debugger status)
- .start (start a new process)
- .restart (restart the process)
- .attach (attach to a process)
- .detach (detach from the process)
- .switch (show the list and switch between active debugging processes)
- .kill (terminate the process)
- .process, .process2 (show the current process and switch to another process)
- .thread, .thread2 (show the current thread and switch to another thread)
- .formats (show number formats)
- .script (run batch script commands)
- .sympath (set the symbol server)
- .sym (load pdb symbols)
- .pe (parse PE file)
- .logopen (open log file)
- .logclose (close log file)
- .cls (clear the screen)
- !pte (display page-level address and entries)
- !db, !dc, !dd, !dq (read physical memory)
- !eb, !ed, !eq (edit physical memory)
- !sb, !sd, !sq (search physical memory)
- !u, !u2 (disassemble physical address)
- !dt (display and map physical memory to structures)
- !epthook (hidden hook with EPT - stealth breakpoints)
- !epthook2 (hidden hook with EPT - detours)
- !monitor (monitor read/write to a page)
- !syscall, !syscall2 (hook system-calls)
- !sysret, !sysret2 (hook SYSRET instruction execution)
- !cpuid (hook CPUID instruction execution)
- !msrread (hook RDMSR instruction execution)
- !msrwrite (hook WRMSR instruction execution)
- !tsc (hook RDTSC/RDTSCP instruction execution)
- !pmc (hook RDPMC instruction execution)
- !vmcall (hook hypercalls)
- !exception (hook first 32 entries of IDT)
- !interrupt (hook external device interrupts)
- !dr (hook access to debug registers)
- !ioin (hook IN instruction execution)
- !ioout (hook OUT instruction execution)
- !hide (enable transparent-mode)
- !unhide (disable transparent-mode)
- !measure (measuring and providing details for transparent-mode)
- !va2pa (convert a virtual address to physical address)
- !pa2va (convert physical address to virtual address)