CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.10.0.0] - 2024-07-22

New release of the HyperDbg Debugger.

Added

• Support using assembly conditions and codes in all events (link)(link)
• Added the assembler command 'a' for virtual memory (link)
• Added the assembler command '!a' for physical memory (link)
• Providing a unified SDK API for reading memory in the VMI Mode and the Debugger Mode
• Export SDK APIs for reading/writing into registers in the Debugger Mode
• Export SDK API for writing memory in the VMI Mode and the Debugger Mode
• Export SDK API for getting kernel base address
• Export SDK API for connecting to the debugger and from debuggee in the Debugger Mode
• Export SDK API for starting a new process
• Add and export SDK API for unsetting message callback
• Event commands are coming with more examples regarding scripts and assembly codes
• Add message callback using shared memory
• Add maximum execution limitation to the script IRs (#435) (link)

Changed

• Fix clearing '!monitor' hooks on a different process or if the process is closed (#409) (link)
• Fix triggering multiple '!monitor' hooks with different contexts (#415) (link)
• Fix the problem of repeating commands once kHyperDbg is disconnected
• Fix step-over hangs if the process terminates/excepts within call instruction (#406) (link)
• Fix crash on editing invalid physical addresses (#424) (link)
• Fix exporting VMM module load and install it in the SDK
• Fix function interpretation issues and update the parser and the code execution (#435) (link)

[0.9.1.0] - 2024-06-30

New release of the HyperDbg Debugger.

Added

• Regular port/pin value read and modification in hwdbg
• Conditional statement evaluation in hwdbg
• Added automatic script buffer packet generator for hwdbg
• Added support for @hw_pinX and @hw_portX registers
• Added hwdbg instance information interpreter
• Added stack buffer in vmx-root (link)
• Exporting functions to support loading drivers with different names
• Exporting function to connect and load HyperDbg drivers
• Exporting function to connect and load HyperDbg drivers
• $date and $time pseudo-registers are added (link)(link)

Changed

• Fix using constant WSTRINGs in the wcsncmp function (link)
• Fix phnt build error with 24H2 SDK
• hprdbgctrl.dll changed to libhyperdbg.dll
• hprdbgkd.sys changed to hyperkd.sys
• hprdbghv.dll changed to hyperhv.dll
• Dividing user/kernel exported headers in the SDK

[0.9.0.0] - 2024-06-09

New release of the HyperDbg Debugger.

Added

• The !monitor command now physical address hooking (link)
• hwdbg is merged to HyperDbg codebase (link)
• strncmp(Str1, Str2, Num), and wcsncmp(WStr1, WStr2, Num) functions in script engine (link)(link)

Changed

• Using a separate HOST IDT in VMCS (not OS IDT) (fix to this VM escape issues)
• Using a dedicated HOST GDT and TSS Stack
• Checking for race-condition of not locked cores before applying instant-events and switching cores
• The error message for invalid address is changed (more information)
• Fix the problem of not locking all cores after running the '.pagein' command

[0.8.4.0] - 2024-05-10

New release of the HyperDbg Debugger.

Changed

• Fixed the signedness overflow of the command parser

[0.8.3.0] - 2024-05-03

New release of the HyperDbg Debugger.

Added

• Added hwdbg headers (link)
• Added support NUMA configuration with multiple count CPU sockets (link)
• Added citation to TRM paper (link)

Changed

• Change release flag of hyperdbg-cli to Multi-threaded Debug (/MTd)
• Fix bitwise extended type, fixed memleaks, remove excess else and cmp int with EOF (link)

[0.8.2.0] - 2024-03-19

New release of the HyperDbg Debugger.

Added

• Add user-defined functions and variable types in script engine thanks to @xmaple555 (link)(link)

Changed

• Fix debuggee crash after running the '.debug close' command on the debugger
• The problem with adding edge MTRR pages is fixed thanks to @Maladiy (link)
• All compiler/linker warnings of kernel-mode modules are fixed
• User/Kernel modules of HyperDbg now compiled with "treat warning as error"
• After downloading new symbols it is automatically loaded
• Fix error messages/comments spelling typos

[0.8.1.0] - 2024-02-01

New release of the HyperDbg Debugger.

Added

• The !monitor command now supports length in parameters (link)

Changed

• Fix the issue of not intercepting memory monitoring on non-contiguous physical memory allocations
• The speed of memory read/write/execution interception is enhanced by avoiding triggering out-of-range events

[0.8.0.0] - 2024-01-28

New release of the HyperDbg Debugger thanks to @mattiwatti.

Added

• The !mode event command is added to detect kernel-to-user and user-to-kernel transitions (link)
• The 'preactivate' command is added to support initializing special functionalities in the Debugger Mode (link)

Changed

• Fix miscalculating MTRRs in 13th gen processors

[0.7.2.0] - 2024-01-23

New release of the HyperDbg Debugger thanks to @mattiwatti and @cutecatsandvirtualmachines.

Changed

• Fix INVEPT invalidation using out of scope descriptor (link)
• Fix MTRR initialization crash (link)

[0.7.1.0] - 2023-12-20

New release of the HyperDbg Debugger.

Changed

• Fix the single core broadcasting events issue (link)
• Evaluate the '.pagin' ranges as expressions (link)
• Add hexadecimal escape sequence as string parameter for string functions (link)
• Add hexadecimal escape sequence as wstring parameter for wstring functions (link)
• Fix breakpoint and the '!epthook' problems in the same address (link)

[0.7.0.0] - 2023-11-22

New release of the HyperDbg Debugger.

Added

• HyperDbg now applies events immediately as implemented in the "instant events" mechanism (link)
• The Event Forwarding mechanism is now supported in the Debugger Mode (link)
• The Event Forwarding mechanism now supports external modules (DLLs) (link)
• event_clear(EventId) function in script engine (link)
• HyperDbg now supports string inputs for strlen and other related functions thanks to @xmaple555 (link)
• New semantic tests for the script engine (50 to 59) is added mainly for testing new string and memory comparison functions (link)
• strlen and wcslen functions now support string and wide-character string as the input (link)(link)
• strcmp(Str1, Str2), wcscmp(WStr1, WStr2) and memcmp(Ptr1, Ptr2, Num) functions in script engine thanks to @xmaple555 (link)(link)(link)
• The debug break interception (#DB) manipulation option is added to the 'test' command (link)
• The '.pagein' command, now supports address ranges (length in bytes) to bring multiple pages into the RAM (link)

Changed

• Fix the problem with the "less than" and the "greater than" operators for signed numbers thanks to @xmaple555 (link)
• Fix the problem checking for alternative names thanks to @xmaple555 (link)
• Fix the crash by turning off the breakpoints while a breakpoint is still active thanks to @xmaple555 (link)
• Fix the crash on reading symbols on remote debuggee thanks to @xmaple555 (link)
• The 'prealloc' command is updated with new instant-event preallocated pools (link)
• Fix wrong removing of EPT Hook (hidden breakpoints)
• The 'event' command, no longer continues debuggee for clearing events, instead just disables the event and removes the effects of the event when debuggee continues (link)
• $id pseudo-register changed to $event_id (link)
• $tag pseudo-register changed to $event_tag (link)
• $stage pseudo-register changed to $event_stage (link)
• Fix adding pseudo-registers with underscore in the script engine (link)
• Fix the boolean expression interpretation in if conditions in the script engine (link)
• HyperDbg now intercepts all debug breaks (#DBs) if it's not explicitly asked not to by using the 'test' command (link)
• Fix '%d' bug in script engine (link)

[0.6.0.0-beta] - 2023-09-25

New release of the HyperDbg Debugger.

Added

• event_inject(InterruptionType, Vector) function in script engine (link)
• event_inject_error_code(InterruptionType, Vector, ErrorCode) function in script engine (link)
• .dump - command is added to the debugger to dump the virtual memory into a file (link)
• !dump - command is added to the debugger to dump the physical memory into a file (link)
• gu - command is added to the debugger to step-out or go up instructions thanks to @xmaple555 (link)

Changed

• HyperDbg now switched to a multiple EPTP memory model, and each core has its own EPT table (link)
• Building mtrr map by adding smrr, fixed ranges, and default memory type is fixed (#255) thanks to @Air14
• The problem of removing multiple EPT hooks on a single address is fixed
• The problem of not intercepting the step-over command 'p' when executed in different cores is fixed
• HyperDbg now checks for the validity of physical addresses based on CPUID.80000008H:EAX[7:0]'s physical address width

[0.5.0.0] - 2023-08-07

New release of the HyperDbg Debugger.

Added

• The event calling stage mechanism (link)
• New pseudo-registers ($stage) in the script engine (link)

Changed

• The disassembler now warns if you mistakenly used the 'u' command over a 32-bit program (link)
• The debuggee won't load the VMM module if the debugger is not listening
• The debugger and the debuggee now perform a version/build check to prevent version mismatch
• Fix the 'eb' command's parsing issue with '0xeb' hex bytes (link)
• Fix the connection problem with serial (checksum error) over two VMs
• Fix the 't' command's indicator of trap flags and simultaneous stepping of multiple threads (link)
• Fix the problem with the '.kill' and '.restart' commands
• Show the stage of the event once the debugger is paused
• Fix sending context, tag, and registers once '!epthook2' wants to halt the debugger

[0.4.0.0] - 2023-07-18

New release of the HyperDbg Debugger.

Added

• The !monitor command now supports 'execution' interception (link)
• .pagein - command is added to the debugger to bring pages in (link)

Changed

• The '.start' command's mechanism for finding the entrypoint is changed to address issues (link)
• The buffer overlap error in hyperlog in multi-core systems is fixed (link)
• The implementation of 'dd' (define dword, 32-bit), and 'dw' (define word, 16-bit) is changed (link)
• The problem with unloading driver (#238) is fixed (link)
• The symbol files for 32-bit modules are now loaded based on SysWOW64, and the issue (#243) is fixed (link)
• New alias names for u, !u as u64, !u64 and for u2, !u2 as u32, !u32 (link)(link)

[0.3.0.0] - 2023-06-08

New release of the HyperDbg Debugger.

Added

• The event short-circuiting mechanism (link)
• New pseudo-registers ($tag, $id) in the script engine (link)
• The breakpoint interception manipulation (#BP) option is added to the 'test' command (link)
• The '!track' command to create the tracking records of function CALLs and RETs along with registers (link)
• disassemble_len(Address) function in script engine (link)
• disassemble_len32(Address) function in script engine (link)
• event_sc(DisableOrEnable) function in script engine (link)

Changed

• The old Length Disassembler Engine is replaced by Zydis (link)

[0.2.2.0] - 2023-06-02

The patch for fixing bugs of HyperDbg Debugger.

Changed

• The problem with the callstack command (k) is fixed (link)

[0.2.1.0] - 2023-05-24

The patch for fixing bugs of the second (2nd) release of HyperDbg Debugger.

Changed

• Fixing bugs!
• The parameters of the '!cpuid' extension command is changed, and a new EAX index parameter is added (link)
• The problem with removing EPT hooks (!monitor and !epthook) is fixed (link)

[0.2.0.0] - 2023-05-03

The second (2nd) release of the HyperDbg Debugger.

Added

• HyperDbg Software Development Kit (SDK) is now available
• flush() function in script engine (link)
• memcpy() function in script engine (link)

Changed

• Global code refactoring and fixing bugs!
• Compiling HyperDbg by using the latest Windows 11 WDK
• enable_event function name changed to event_enable (link)
• disable_event function name changed to event_disable (link)
• The "settings" command now preserves the configurations in the config file
• The communication buffer is now separated from the hyperlogger buffer chunks and the buffer size is increased X10 times (link)
• Zydis submodule is updated to version 4 (link)

Removed

• enable_event script engine function
• disable_event script engine function

[0.1.0.0] - 2022-05-31

This is the first (1st) release of HyperDbg Debugger.

Added

• # (comment in batch scripts)
• ? (evaluate and execute expressions and scripts in debuggee)
• ~ (display and change the current operating core)
• load (load the kernel modules)
• unload (unload the kernel modules)
• status (show the debuggee status)
• events (show and modify active/disabled events)
• p (step-over)
• t (step-in)
• i (instrumentation step-in)
• r (read or modify registers)
• bp (set breakpoint)
• bl (list breakpoints)
• be (enable breakpoints)
• bd (disable breakpoints)
• bc (clear and remove breakpoints)
• g (continue debuggee or processing kernel packets)
• x (examine symbols and find functions and variables address)
• db, dc, dd, dq (read virtual memory)
• eb, ed, eq (edit virtual memory)
• sb, sd, sq (search virtual memory)
• u, u2 (disassemble virtual address)
• k, kd, kq (display stack backtrace)
• dt (display and map virtual memory to structures)
• struct (make structures, enums, data types from symbols)
• sleep (wait for specific time in the .script command)
• pause (break to the debugger and pause processing kernel packets)
• print (evaluate and print expression in debuggee)
• lm (view loaded modules)
• cpu (check cpu supported technologies)
• rdmsr (read model-specific register)
• wrmsr (write model-specific register)
• flush (remove pending kernel buffers and messages)
• prealloc (reserve pre-allocated pools)
• output (create output source for event forwarding)
• test (test functionalities)
• settings (configures different options and preferences)
• exit (exit from the debugger)
• .help (show the help of commands)
• .debug (prepare and connect to debugger)
• .connect (connect to a session)
• .disconnect (disconnect from a session)
• .listen (listen on a port and wait for the debugger to connect)
• .status (show the debugger status)
• .start (start a new process)
• .restart (restart the process)
• .attach (attach to a process)
• .detach (detach from the process)
• .switch (show the list and switch between active debugging processes)
• .kill (terminate the process)
• .process, .process2 (show the current process and switch to another process)
• .thread, .thread2 (show the current thread and switch to another thread)
• .formats (show number formats)
• .script (run batch script commands)
• .sympath (set the symbol server)
• .sym (load pdb symbols)
• .pe (parse PE file)
• .logopen (open log file)
• .logclose (close log file)
• .cls (clear the screen)
• !pte (display page-level address and entries)
• !db, !dc, !dd, !dq (read physical memory)
• !eb, !ed, !eq (edit physical memory)
• !sb, !sd, !sq (search physical memory)
• !u, !u2 (disassemble physical address)
• !dt (display and map physical memory to structures)
• !epthook (hidden hook with EPT - stealth breakpoints)
• !epthook2 (hidden hook with EPT - detours)
• !monitor (monitor read/write to a page)
• !syscall, !syscall2 (hook system-calls)
• !sysret, !sysret2 (hook SYSRET instruction execution)
• !cpuid (hook CPUID instruction execution)
• !msrread (hook RDMSR instruction execution)
• !msrwrite (hook WRMSR instruction execution)
• !tsc (hook RDTSC/RDTSCP instruction execution)
• !pmc (hook RDPMC instruction execution)
• !vmcall (hook hypercalls)
• !exception (hook first 32 entries of IDT)
• !interrupt (hook external device interrupts)
• !dr (hook access to debug registers)
• !ioin (hook IN instruction execution)
• !ioout (hook OUT instruction execution)
• !hide (enable transparent-mode)
• !unhide (disable transparent-mode)
• !measure (measuring and providing details for transparent-mode)
• !va2pa (convert a virtual address to physical address)
• !pa2va (convert physical address to virtual address)