HyperDbg Debugger
help.h File Reference

help of commands header


Functions

VOID CommandHelpHelp ()
 help of the help command :)
 
VOID CommandReadMemoryAndDisassemblerHelp ()
 help of u* d* !u* !d* commands
 
VOID CommandConnectHelp ()
 help of the .connect command
 
VOID CommandDisconnectHelp ()
 help of the .disconnect command
 
VOID CommandExitHelp ()
 help of the exit command
 
VOID CommandCpuHelp ()
 help of the cpu command
 
VOID CommandUnloadHelp ()
 help of the unload command
 
VOID CommandLoadHelp ()
 help of the load command
 
VOID CommandScriptHelp ()
 help of the .script command
 
VOID CommandFormatsHelp ()
 help of the .formats command
 
VOID CommandRdmsrHelp ()
 help of the rdmsr command
 
VOID CommandWrmsrHelp ()
 help of the wrmsr command
 
VOID CommandPteHelp ()
 help of the !pte command
 
VOID CommandMonitorHelp ()
 help of the !monitor command
 
VOID CommandSyscallHelp ()
 help of the !syscall command
 
VOID CommandSysretHelp ()
 help of the !sysret command
 
VOID CommandEptHookHelp ()
 help of the !epthook command
 
VOID CommandEptHook2Help ()
 help of the !epthook2 command
 
VOID CommandCpuidHelp ()
 help of the !cpuid command
 
VOID CommandMsrreadHelp ()
 help of the !msrread command
 
VOID CommandMsrwriteHelp ()
 help of the !msrwrite command
 
VOID CommandTscHelp ()
 help of the !tsc command
 
VOID CommandPmcHelp ()
 help of the !pmc command
 
VOID CommandExceptionHelp ()
 help of the !exception command
 
VOID CommandCrwriteHelp ()
 help of the !crwrite command
 
VOID CommandDrHelp ()
 help of the !dr command
 
VOID CommandInterruptHelp ()
 help of the !interrupt command
 
VOID CommandIooutHelp ()
 help of the !ioout command
 
VOID CommandIoinHelp ()
 help of the !ioin command
 
VOID CommandVmcallHelp ()
 help of the !vmcall command
 
VOID CommandModeHelp ()
 help of the !mode command
 
VOID CommandTraceHelp ()
 help of the !trace command
 
VOID CommandHideHelp ()
 help of the !hide command
 
VOID CommandUnhideHelp ()
 help of the !unhide command
 
VOID CommandTestHelp ()
 help of the test command
 
VOID CommandLogopenHelp ()
 help of the .logopen command
 
VOID CommandLogcloseHelp ()
 help of the .logclose command
 
VOID CommandVa2paHelp ()
 help of the !va2pa command
 
VOID CommandPa2vaHelp ()
 help of the !pa2va command
 
VOID CommandEventsHelp ()
 help of the events command
 
VOID CommandGHelp ()
 help of the g command
 
VOID CommandClearScreenHelp ()
 help of the .cls command
 
VOID CommandSleepHelp ()
 help of the sleep command
 
VOID CommandEditMemoryHelp ()
 help of !e* and e* commands
 
VOID CommandSearchMemoryHelp ()
 help of !s* s* commands
 
VOID CommandMeasureHelp ()
 help of the !measure command
 
VOID CommandLmHelp ()
 help of the lm command
 
VOID CommandSettingsHelp ()
 help of the settings command
 
VOID CommandFlushHelp ()
 help of the flush command
 
VOID CommandPauseHelp ()
 help of the pause command
 
VOID CommandListenHelp ()
 help of the listen command
 
VOID CommandStatusHelp ()
 help of the .status command
 
VOID CommandAttachHelp ()
 help of the .attach command
 
VOID CommandDetachHelp ()
 help of the .detach command
 
VOID CommandStartHelp ()
 help of the .start command
 
VOID CommandRestartHelp ()
 help of the .restart command
 
VOID CommandSwitchHelp ()
 help of the .switch command
 
VOID CommandKillHelp ()
 help of the .kill command
 
VOID CommandTHelp ()
 help of the t command
 
VOID CommandIHelp ()
 help of the i command
 
VOID CommandPrintHelp ()
 help of the print command
 
VOID CommandOutputHelp ()
 help of the output command
 
VOID CommandDebugHelp ()
 help of the .debug command
 
VOID CommandPHelp ()
 help of the p command
 
VOID CommandCoreHelp ()
 help of the ~ command
 
VOID CommandProcessHelp ()
 help of the .process command
 
VOID CommandThreadHelp ()
 help of the .thread command
 
VOID CommandEvalHelp ()
 help of the ? command
 
VOID CommandRHelp ()
 help of the r command
 
VOID CommandBpHelp ()
 help of the bp command
 
VOID CommandBlHelp ()
 help of the bl command
 
VOID CommandBeHelp ()
 help of the be command
 
VOID CommandBdHelp ()
 help of the bd command
 
VOID CommandBcHelp ()
 help of the bc command
 
VOID CommandSympathHelp ()
 help of the .sympath command
 
VOID CommandSymHelp ()
 help of the .sym command
 
VOID CommandXHelp ()
 help of the x command
 
VOID CommandPreallocHelp ()
 help of the prealloc command
 
VOID CommandPreactivateHelp ()
 help of the preactivate command
 
VOID CommandDtHelp ()
 help of the dt command
 
VOID CommandStructHelp ()
 help of the struct command
 
VOID CommandKHelp ()
 help of the k command
 
VOID CommandPeHelp ()
 help of the .pe command
 
VOID CommandRevHelp ()
 help of the !rev command
 
VOID CommandTrackHelp ()
 help of the !track command
 
VOID CommandPageinHelp ()
 help of the .pagein command
 
VOID CommandDumpHelp ()
 help of the .dump command
 
VOID CommandGuHelp ()
 help of the gu command
 
VOID CommandAssembleHelp ()
 help of a and !a command
 
VOID CommandHwClkHelp ()
 help of the !hw_clk command
 

Detailed Description

help of commands header

Author
Sina Karvandi (sina@hyperdbg.org)
Version
0.1
Date
2020-05-27

Function Documentation

◆ CommandAssembleHelp()

VOID CommandAssembleHelp ( )

help of a and !a command

Returns
VOID
{
    ShowMessages("a !a : assembles snippet at specific address. symbols are supported.\n");
    ShowMessages("\nIf you want to assemble to physical (address) memory then add '!' "
                 "at the start of the command\n");

    ShowMessages("syntax : \ta [Address (hex)] [asm {AsmCmd1; AsmCmd2}] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \t!a [Address (hex)] [asm {AsmCmd1; AsmCmd2}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : a fffff8077356f010 {nop; nop; nop} \n");
    ShowMessages("\t\te.g : a nt!ExAllocatePoolWithTag+10+@rcx {jmp <nt!ExAllocatePoolWithTag+10>} \n");
    ShowMessages("\t\te.g : a nt!ExAllocatePoolWithTag {add DWORD PTR [<nt!ExAllocatePoolWithTag+10+@rax>], 99} \n");
    ShowMessages("\t\t note that within assembly snippet, symbols must be enclosed by \" <> \"\n");
    ShowMessages("\t\t note that type specifier must be capital\n");

    ShowMessages("\n");
    ShowMessages("\tto merely view the byte code of an assembly snippet:\n");
    ShowMessages("\t\ta {jmp <nt!ExAllocatePoolWithTag+10>} [StartAddress]\n");
    ShowMessages("\t\t\"StartAddress\" is useful when dealing with relative instructions like \" jmp \" ");
}
VOID ShowMessages(const char *Fmt,...)
Show messages.
Definition libhyperdbg.cpp:96

◆ CommandAttachHelp()

VOID CommandAttachHelp ( )

help of the .attach command

Returns
VOID
{
    ShowMessages(".attach : attaches to debug a thread in VMI Mode.\n\n");

    ShowMessages("syntax : \t.attach [pid ProcessId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .attach pid b60 \n");
}

◆ CommandBcHelp()

VOID CommandBcHelp ( )

help of the bc command

Returns
VOID
{
    ShowMessages("bc : clears a breakpoint using breakpoint id.\n\n");

    ShowMessages("syntax : \tbc [BreakpointId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : bc 0\n");
    ShowMessages("\t\te.g : bc 2\n");
}

◆ CommandBdHelp()

VOID CommandBdHelp ( )

help of the bd command

Returns
VOID
{
    ShowMessages("bd : disables a breakpoint using breakpoint id.\n\n");

    ShowMessages("syntax : \tbd [BreakpointId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : bd 0\n");
    ShowMessages("\t\te.g : bd 2\n");
}

◆ CommandBeHelp()

VOID CommandBeHelp ( )

help of the be command

Returns
VOID
{
    ShowMessages("be : enables a breakpoint using breakpoint id.\n\n");

    ShowMessages("syntax : \tbe [BreakpointId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : be 0\n");
    ShowMessages("\t\te.g : be 2\n");
}

◆ CommandBlHelp()

VOID CommandBlHelp ( )

help of the bl command

Returns
VOID
{
    ShowMessages("bl : lists all the enabled and disabled breakpoints.\n\n");

    ShowMessages("syntax : \tbl\n");
}

◆ CommandBpHelp()

VOID CommandBpHelp ( )

help of the bp command

Returns
VOID
{
    ShowMessages("bp : puts a breakpoint (0xcc).\n");

    ShowMessages(
        "Note : 'bp' is not an event, if you want to use an event version "
        "of breakpoints use !epthook or !epthook2 instead. See "
        "documentation for more information.\n\n");

    ShowMessages("syntax : \tbp [Address (hex)] [pid ProcessId (hex)] [tid ThreadId (hex)] [core CoreId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : bp nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : bp nt!ExAllocatePoolWithTag+5\n");
    ShowMessages("\t\te.g : bp nt!ExAllocatePoolWithTag+@rcx+rbx\n");
    ShowMessages("\t\te.g : bp fffff8077356f010\n");
    ShowMessages("\t\te.g : bp fffff8077356f010 pid 0x4\n");
    ShowMessages("\t\te.g : bp fffff8077356f010 tid 0x1000\n");
    ShowMessages("\t\te.g : bp fffff8077356f010 pid 0x4 core 2\n");
}

◆ CommandClearScreenHelp()

VOID CommandClearScreenHelp ( )

help of the .cls command

Returns
VOID
{
    ShowMessages(".cls : clears the screen.\n\n");

    ShowMessages("syntax : \t.cls\n");
}

◆ CommandConnectHelp()

VOID CommandConnectHelp ( )

help of the .connect command

Returns
VOID
{
    ShowMessages(".connect : connects to a remote or local machine to start "
                 "debugging.\n\n");

    ShowMessages("syntax : \t.connect [local]\n");
    ShowMessages("syntax : \t.connect [Ip (string)] [Port (decimal)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .connect local\n");
    ShowMessages("\t\te.g : .connect 192.168.1.5 50000\n");
}

◆ CommandCoreHelp()

VOID CommandCoreHelp ( )

help of the ~ command

Returns
VOID
{
    ShowMessages("~ : shows and changes the operating processor.\n\n");

    ShowMessages("syntax : \t~\n");
    ShowMessages("syntax : \t~ [CoreNumber (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : ~ \n");
    ShowMessages("\t\te.g : ~ 2 \n");
}

◆ CommandCpuHelp()

VOID CommandCpuHelp ( )

help of the cpu command

Returns
VOID
{
    ShowMessages("cpu : collects a report from cpu features.\n\n");

    ShowMessages("syntax : \tcpu \n");
}

◆ CommandCpuidHelp()

VOID CommandCpuidHelp ( )

help of the !cpuid command

Returns
VOID
{
    ShowMessages("!cpuid : monitors execution of a special cpuid index or all "
                 "cpuids instructions.\n\n");

    ShowMessages("syntax : \t!cpuid [Eax (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !cpuid\n");
    ShowMessages("\t\te.g : !cpuid 1\n");
    ShowMessages("\t\te.g : !cpuid pid 400\n");
    ShowMessages("\t\te.g : !cpuid core 2 pid 400\n");
    ShowMessages("\t\te.g : !cpuid script { printf(\"CPUID instruction is executed with the 'eax' register equal to: %%llx\\n\", @eax); }\n");
    ShowMessages("\t\te.g : !cpuid asm code { nop; nop; nop }\n");
}

◆ CommandCrwriteHelp()

VOID CommandCrwriteHelp ( )

help of the !crwrite command

Returns
VOID
{
    ShowMessages("!crwrite : monitors modification of control registers (CR0 / CR4).\n\n");

    ShowMessages("syntax : \t!crwrite [Cr (hex)] [mask Mask (hex)] [pid ProcessId (hex)] "
                 "[core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] "
                 "[stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
                 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !crwrite 0\n");
    ShowMessages("\t\te.g : !crwrite 0 0x10000\n");
    ShowMessages("\t\te.g : !crwrite 4 pid 400\n");
    ShowMessages("\t\te.g : !crwrite 4 core 2 pid 400\n");
    ShowMessages("\t\te.g : !crwrite 4 script { printf(\"4th control register is modified at: %%llx\\n\", @rip); }\n");
    ShowMessages("\t\te.g : !crwrite 4 asm code { nop; nop; nop }\n");
}

◆ CommandDebugHelp()

VOID CommandDebugHelp ( )

help of the .debug command

Returns
VOID
{
    ShowMessages(
        ".debug : debugs a target machine or makes this machine a debuggee.\n\n");

    ShowMessages(
        "syntax : \t.debug [remote] [serial|namedpipe] [Baudrate (decimal)] [Address (string)]\n");
    ShowMessages(
        "syntax : \t.debug [prepare] [serial] [Baudrate (decimal)] [Address (string)]\n");
    ShowMessages("syntax : \t.debug [close]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .debug remote serial 115200 com2\n");
    ShowMessages("\t\te.g : .debug remote namedpipe \\\\.\\pipe\\HyperDbgPipe\n");
    ShowMessages("\t\te.g : .debug prepare serial 115200 com1\n");
    ShowMessages("\t\te.g : .debug prepare serial 115200 com2\n");
    ShowMessages("\t\te.g : .debug close\n");

    ShowMessages(
        "\nvalid baud rates (decimal) : 110, 300, 600, 1200, 2400, 4800, 9600, "
        "14400, 19200, 38400, 56000, 57600, 115200, 128000, 256000\n");
    ShowMessages("valid COM ports : COM1, COM2, COM3, COM4 \n");
}

◆ CommandDetachHelp()

VOID CommandDetachHelp ( )

help of the .detach command

Returns
VOID
{
    ShowMessages(".detach : detaches from debugging a user-mode process.\n\n");

    ShowMessages("syntax : \t.detach \n");
}

◆ CommandDisconnectHelp()

VOID CommandDisconnectHelp ( )

help of the .disconnect command

Returns
VOID
{
    ShowMessages(".disconnect : disconnects from a debugging session (it won't "
                 "unload the modules).\n\n");

    ShowMessages("syntax : \t.disconnect \n");
}

◆ CommandDrHelp()

VOID CommandDrHelp ( )

help of the !dr command

Returns
VOID
{
    ShowMessages("!dr : monitors any access to debug registers.\n\n");

    ShowMessages("syntax : \t!dr [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !dr\n");
    ShowMessages("\t\te.g : !dr pid 400\n");
    ShowMessages("\t\te.g : !dr core 2 pid 400\n");
    ShowMessages("\t\te.g : !dr script { printf(\"debug register modified!\\n\"); }\n");
    ShowMessages("\t\te.g : !dr asm code { nop; nop; nop }\n");
}

◆ CommandDtHelp()

VOID CommandDtHelp ( )

help of the dt command

Returns
VOID
{
    ShowMessages("dt !dt : displays information about a local variable, global "
                 "variable or data type.\n\n");

    ShowMessages("If you want to read physical memory then add '!' at the "
                 "start of the command\n\n");

    ShowMessages("syntax : \tdt [Module!SymbolName (string)] [AddressExpression (string)] "
                 "[pid ProcessId (hex)] [padding Padding (yesno)] [offset Offset (yesno)] "
                 "[bitfield Bitfield (yesno)] [native Native (yesno)] [decl Declaration (yesno)] "
                 "[def Definitions (yesno)] [func Functions (yesno)] [pragma Pragma (yesno)] "
                 "[prefix Prefix (string)] [suffix Suffix (string)] [inline Expansion (string)] "
                 "[output FileName (string)]\n\n");
    ShowMessages("syntax : \t!dt [Module!SymbolName (string)] [AddressExpression (string)] "
                 "[padding Padding (yesno)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] "
                 "[native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] "
                 "[func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] "
                 "[suffix Suffix (string)] [inline Expansion (string)] [output FileName (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : dt nt!_EPROCESS\n");
    ShowMessages("\t\te.g : dt nt!_EPROCESS fffff8077356f010\n");
    ShowMessages("\t\te.g : dt nt!_EPROCESS $proc\n");
    ShowMessages("\t\te.g : dt nt!_KPROCESS @rax+@rbx+c0\n");
    ShowMessages("\t\te.g : !dt nt!_EPROCESS 1f0300\n");
    ShowMessages("\t\te.g : dt nt!_MY_STRUCT 7ff00040 pid 1420\n");
    ShowMessages("\t\te.g : dt nt!_EPROCESS $proc inline all\n");
    ShowMessages("\t\te.g : dt nt!_EPROCESS fffff8077356f010 inline no\n");
}

◆ CommandDumpHelp()

VOID CommandDumpHelp ( )

help of the .dump command

Returns
VOID
{
    ShowMessages(".dump & !dump : saves memory context into a file.\n\n");

    ShowMessages("syntax : \t.dump [FromAddress (hex)] [ToAddress (hex)] [pid ProcessId (hex)] [path Path (string)]\n");
    ShowMessages("\nIf you want to dump physical memory then add '!' at the "
                 "start of the command\n\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .dump 401000 40b000 path c:\\rev\\dump1.dmp\n");
    ShowMessages("\t\te.g : .dump 401000 40b000 pid 1c0 path c:\\rev\\desktop\\dump2.dmp\n");
    ShowMessages("\t\te.g : .dump fffff801deadb000 fffff801deade054 path c:\\rev\\dump3.dmp\n");
    ShowMessages("\t\te.g : .dump fffff801deadb000 fffff801deade054 path c:\\rev\\dump4.dmp\n");
    ShowMessages("\t\te.g : .dump 00007ff8349f2000 00007ff8349f8000 path c:\\rev\\dump5.dmp\n");
    ShowMessages("\t\te.g : .dump @rax+@rcx @rax+@rcx+1000 path c:\\rev\\dump6.dmp\n");
    ShowMessages("\t\te.g : !dump 1000 2100 path c:\\rev\\dump7.dmp\n");
}

◆ CommandEditMemoryHelp()

VOID CommandEditMemoryHelp ( )

help of !e* and e* commands

Returns
VOID
{
    ShowMessages("eb !eb ed !ed eq !eq : edits the memory at specific address \n");
    ShowMessages("eb Byte and ASCII characters\n");
    ShowMessages("ed Double-word values (4 bytes)\n");
    ShowMessages("eq Quad-word values (8 bytes). \n");

    ShowMessages("\n If you want to edit physical (address) memory then add '!' "
                 "at the start of the command\n");

    ShowMessages("syntax : \teb [Address (hex)] [Contents (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \ted [Address (hex)] [Contents (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \teq [Address (hex)] [Contents (hex)] [pid ProcessId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : eb fffff8077356f010 90 \n");
    ShowMessages("\t\te.g : eb nt!Kd_DEFAULT_Mask ff ff ff ff \n");
    ShowMessages("\t\te.g : eb nt!Kd_DEFAULT_Mask+10+@rcx ff ff ff ff \n");
    ShowMessages("\t\te.g : eb fffff8077356f010 90 90 90 90 \n");
    ShowMessages("\t\te.g : !eq 100000 9090909090909090\n");
    ShowMessages("\t\te.g : !eq nt!ExAllocatePoolWithTag+55 9090909090909090\n");
    ShowMessages("\t\te.g : !eq 100000 9090909090909090 9090909090909090 "
                 "9090909090909090 9090909090909090 9090909090909090\n");
}

◆ CommandEptHook2Help()

VOID CommandEptHook2Help ( )

help of the !epthook2 command

Returns
VOID
{
    ShowMessages("!epthook2 : puts a hidden-hook EPT (detours).\n\n");

    ShowMessages(
        "syntax : \t!epthook2 [Address (hex)] [pid ProcessId (hex)] "
        "[core CoreId (hex)] [imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] "
        "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] "
        "[output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !epthook2 nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : !epthook2 nt!ExAllocatePoolWithTag+5\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 pid 400\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 core 2 pid 400\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 script { printf(\"hook triggered at: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !epthook2 fffff801deadb000 asm code { nop; nop; nop }\n");
}

◆ CommandEptHookHelp()

VOID CommandEptHookHelp ( )

help of the !epthook command

Returns
VOID
{
    ShowMessages("!epthook : puts a hidden-hook EPT (hidden breakpoints).\n\n");

    ShowMessages(
        "syntax : \t!epthook [Address (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
        "[imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
        "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !epthook nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : !epthook nt!ExAllocatePoolWithTag+5\n");
    ShowMessages("\t\te.g : !epthook fffff801deadb000\n");
    ShowMessages("\t\te.g : !epthook fffff801deadb000 pid 400\n");
    ShowMessages("\t\te.g : !epthook fffff801deadb000 core 2 pid 400\n");
    ShowMessages("\t\te.g : !epthook fffff801deadb000 script { printf(\"hook triggered at: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !epthook fffff801deadb000 asm code { nop; nop; nop }\n");
}

◆ CommandEvalHelp()

VOID CommandEvalHelp ( )

help of the ? command

Returns
VOID
{
    ShowMessages("? : evaluates and executes expressions in the debuggee.\n\n");

    ShowMessages("syntax : \t? [Expression (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : ? print(dq(poi(@rcx)));\n");
    ShowMessages("\t\te.g : ? json(dq(poi(@rcx)));\n");
}

◆ CommandEventsHelp()

VOID CommandEventsHelp ( )

help of the events command

Returns
VOID
{
    ShowMessages("events : shows active and disabled events\n");

    ShowMessages("syntax : \tevents\n");
    ShowMessages("syntax : \tevents [e|d|c all|EventNumber (hex)]\n");
    ShowMessages("syntax : \tevents [sc State (on|off)]\n");

    ShowMessages("e : enable\n");
    ShowMessages("d : disable\n");
    ShowMessages("c : clear\n");

    ShowMessages("note : If you specify 'all' then e, d, or c will be applied to "
                 "all of the events.\n\n");

    ShowMessages("\n");
    ShowMessages("\te.g : events \n");
    ShowMessages("\te.g : events e 12\n");
    ShowMessages("\te.g : events d 10\n");
    ShowMessages("\te.g : events c 10\n");
    ShowMessages("\te.g : events c all\n");
    ShowMessages("\te.g : events sc on\n");
    ShowMessages("\te.g : events sc off\n");
}

◆ CommandExceptionHelp()

VOID CommandExceptionHelp ( )

help of the !exception command

Returns
VOID
{
    ShowMessages("!exception : monitors the first 32 entries of the IDT (starting from "
                 "zero).\n\n");

    ShowMessages(
        "syntax : \t!exception [IdtIndex (hex)] [pid ProcessId (hex)] "
        "[core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] "
        "[stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
        "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\nnote: monitoring page-faults (entry 0xe) is implemented differently (for more information, check the documentation).\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !exception\n");
    ShowMessages("\t\te.g : !exception 0xe\n");
    ShowMessages("\t\te.g : !exception pid 400\n");
    ShowMessages("\t\te.g : !exception core 2 pid 400\n");
    ShowMessages("\t\te.g : !exception 0xe stage post script { printf(\"page-fault occurred at: %%llx\\n\", @cr2); }\n");
    ShowMessages("\t\te.g : !exception asm code { nop; nop; nop }\n");
}

◆ CommandExitHelp()

VOID CommandExitHelp ( )

help of the exit command

Returns
VOID
{
    ShowMessages(
        "exit : unloads and uninstalls the drivers and closes the debugger.\n\n");

    ShowMessages("syntax : \texit\n");
}

◆ CommandFlushHelp()

VOID CommandFlushHelp ( )

help of the flush command

Returns
VOID
{
    ShowMessages("flush : removes all the buffer and messages from kernel-mode "
                 "buffers.\n\n");

    ShowMessages("syntax : \tflush \n");
}

◆ CommandFormatsHelp()

VOID CommandFormatsHelp ( )

help of the .formats command

Returns
VOID
{
    ShowMessages(".formats : shows a value or register in different formats.\n\n");

    ShowMessages("syntax : \t.formats [Expression (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .formats nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : .formats nt!Kd_DEFAULT_Mask\n");
    ShowMessages("\t\te.g : .formats nt!Kd_DEFAULT_Mask+5\n");
    ShowMessages("\t\te.g : .formats 55\n");
    ShowMessages("\t\te.g : .formats @rax\n");
    ShowMessages("\t\te.g : .formats @rbx+@rcx\n");
    ShowMessages("\t\te.g : .formats $pid\n");
}

◆ CommandGHelp()

VOID CommandGHelp ( )

help of the g command

Returns
VOID
{
    ShowMessages("g : continues debuggee or continues processing kernel messages.\n\n");

    ShowMessages("syntax : \tg \n");
}

◆ CommandGuHelp()

VOID CommandGuHelp ( )

help of the gu command

Returns
VOID
{
    ShowMessages(
        "gu : executes a single instruction (step-out) and optionally displays the "
        "resulting values of all registers and flags.\n\n");

    ShowMessages("syntax : \tgu\n");
    ShowMessages("syntax : \tgu [Count (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : gu\n");
    ShowMessages("\t\te.g : gu 10000\n");
}

◆ CommandHelpHelp()

VOID CommandHelpHelp ( )

help of the help command :)

Parameters
SplitCommand
Command
Returns
VOID
{
    ShowMessages(".help : shows help and example(s) of a specific command.\n\n");

    ShowMessages("syntax : \t.help [Command (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .help !monitor\n");
}

◆ CommandHideHelp()

VOID CommandHideHelp ( )

help of the !hide command

Returns
VOID
{
    ShowMessages("!hide : tries to make HyperDbg transparent from anti-debugging "
                 "and anti-hypervisor methods.\n\n");

    ShowMessages("syntax : \t!hide\n");
    ShowMessages("syntax : \t!hide [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \t!hide [name ProcessName (string)]\n");

    ShowMessages("note : \tprocess names are case sensitive and you can use "
                 "this command multiple times.\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !hide\n");
    ShowMessages("\t\te.g : !hide pid b60 \n");
    ShowMessages("\t\te.g : !hide name procexp.exe\n");
}

◆ CommandHwClkHelp()

VOID CommandHwClkHelp ( )

help of the !hw_clk command

Returns
VOID
{
    ShowMessages("!hw_clk : performs actions related to hwdbg hardware debugging events for each clock cycle.\n\n");

    ShowMessages("syntax : \t!hw_clk [script { Script (string) }]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !hw_clk script { @hw_pin1 = 0; }\n");
}

◆ CommandIHelp()

VOID CommandIHelp ( )

help of the i command

Returns
VOID
{
    ShowMessages(
        "i : executes a single instruction (step-in) and guarantees that no "
        "other instruction is executed other than the displayed instruction "
        "including user to the kernel (syscalls) and kernel to the user "
        "(sysrets) and exceptions and page-faults and optionally displays all "
        "registers and flags' resulting values.\n\n");

    ShowMessages("syntax : \ti\n");
    ShowMessages("syntax : \ti [Count (hex)]\n");
    ShowMessages("syntax : \tir\n");
    ShowMessages("syntax : \tir [Count (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : i\n");
    ShowMessages("\t\te.g : ir\n");
    ShowMessages("\t\te.g : ir 1f\n");
}

◆ CommandInterruptHelp()

VOID CommandInterruptHelp ( )

help of the !interrupt command

Returns
VOID
{
    ShowMessages("!interrupt : monitors the external interrupt (IDT >= 32).\n\n");

    ShowMessages("syntax : \t!interrupt [IdtIndex (hex)] [pid ProcessId (hex)] "
                 "[core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] "
                 "[stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
                 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\nnote : The index should be greater than 0x20 (32) and less "
                 "than 0xFF (255) - starting from zero.\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !interrupt 0x2f\n");
    ShowMessages("\t\te.g : !interrupt 0x2f pid 400\n");
    ShowMessages("\t\te.g : !interrupt 0x2f core 2 pid 400\n");
    ShowMessages("\t\te.g : !interrupt 0xd1 script { printf(\"clock interrupt received at the core: %%x\\n\", $core); }\n");
    ShowMessages("\t\te.g : !interrupt 0x2f asm code { nop; nop; nop }\n");
}

◆ CommandIoinHelp()

VOID CommandIoinHelp ( )

help of the !ioin command

Returns
VOID
{
    ShowMessages("!ioin : detects the execution of IN (I/O instructions) "
                 "instructions.\n\n");

    ShowMessages("syntax : \t!ioin [Port (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !ioin\n");
    ShowMessages("\t\te.g : !ioin 0x64\n");
    ShowMessages("\t\te.g : !ioin pid 400\n");
    ShowMessages("\t\te.g : !ioin core 2 pid 400\n");
    ShowMessages("\t\te.g : !ioin script { printf(\"IN instruction is executed at port: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !ioin asm code { nop; nop; nop }\n");
}

◆ CommandIooutHelp()

VOID CommandIooutHelp ( )

help of the !ioout command

Returns
VOID
{
    ShowMessages("!ioout : detects the execution of OUT (I/O instructions) "
                 "instructions.\n\n");

    ShowMessages("syntax : \t!ioout [Port (hex)] [pid ProcessId (hex)] "
                 "[core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] "
                 "[stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
                 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !ioout\n");
    ShowMessages("\t\te.g : !ioout 0x64\n");
    ShowMessages("\t\te.g : !ioout pid 400\n");
    ShowMessages("\t\te.g : !ioout core 2 pid 400\n");
    ShowMessages("\t\te.g : !ioout script { printf(\"OUT instruction is executed at port: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !ioout asm code { nop; nop; nop }\n");
}

◆ CommandKHelp()

VOID CommandKHelp ( )

help of the k command

Returns
VOID
{
    ShowMessages(
        "k, kd, kq : shows the callstack of the thread.\n\n");

    ShowMessages("syntax : \tk\n");
    ShowMessages("syntax : \tkd\n");
    ShowMessages("syntax : \tkq\n");
    ShowMessages("syntax : \tk [base StackAddress (hex)] [l Length (hex)]\n");
    ShowMessages("syntax : \tkd [base StackAddress (hex)] [l Length (hex)]\n");
    ShowMessages("syntax : \tkq [base StackAddress (hex)] [l Length (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : k\n");
    ShowMessages("\t\te.g : k l 100\n");
    ShowMessages("\t\te.g : kd base 0x77356f010\n");
    ShowMessages("\t\te.g : kq base fffff8077356f010\n");
    ShowMessages("\t\te.g : kq base @rbx-10\n");
    ShowMessages("\t\te.g : kq base fffff8077356f010 l 100\n");
}

◆ CommandKillHelp()

VOID CommandKillHelp ( )

help of the .kill command

Returns
VOID
{
    ShowMessages(".kill : terminates the current running process.\n\n");

    ShowMessages("syntax : \t.kill \n");
}

◆ CommandListenHelp()

VOID CommandListenHelp ( )

help of the listen command

Returns
VOID
{
    ShowMessages(".listen : listens for a client to connect to HyperDbg (works as "
                 "a guest server).\n\n");

    ShowMessages("note : \tif you don't specify port then HyperDbg uses the "
                 "default port (%s)\n",
                 DEFAULT_PORT);

    ShowMessages("syntax : \t.listen [Port (decimal)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .listen\n");
    ShowMessages("\t\te.g : .listen 50000\n");
}
#define DEFAULT_PORT
default port of HyperDbg for listening by debuggee (server, guest)
Definition Constants.h:323

◆ CommandLmHelp()

VOID CommandLmHelp ( )

help of the lm command

Returns
VOID
{
    ShowMessages("lm : lists user/kernel modules' base address, size, name and path.\n\n");

    ShowMessages("syntax : \tlm [m Name (string)] [pid ProcessId (hex)] [Filter (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : lm\n");
    ShowMessages("\t\te.g : lm km\n");
    ShowMessages("\t\te.g : lm um\n");
    ShowMessages("\t\te.g : lm m nt\n");
    ShowMessages("\t\te.g : lm km m ntos\n");
    ShowMessages("\t\te.g : lm um m kernel32\n");
    ShowMessages("\t\te.g : lm um m kernel32 pid 1240\n");
}

◆ CommandLoadHelp()

VOID CommandLoadHelp ( )

help of the load command

Returns
VOID
{
    ShowMessages("load : installs the drivers and loads the modules.\n\n");

    ShowMessages("syntax : \tload [ModuleName (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : load vmm\n");
}

◆ CommandLogcloseHelp()

VOID CommandLogcloseHelp ( )

help of the .logclose command

Returns
VOID
{
    ShowMessages(".logclose : closes the previously opened log.\n\n");

    ShowMessages("syntax : \t.logclose\n");
}

◆ CommandLogopenHelp()

VOID CommandLogopenHelp ( )

help of the .logopen command

Returns
VOID
{
    ShowMessages(".logopen : saves commands and results in a file.\n\n");

    ShowMessages("syntax : \t.logopen [FilePath (string)]\n");
}

◆ CommandMeasureHelp()

VOID CommandMeasureHelp ( )

help of the !measure command

Returns
VOID
{
    ShowMessages(
        "!measure : measures the arguments needed for the '!hide' command.\n\n");

    ShowMessages("syntax : \t!measure [default]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !measure\n");
    ShowMessages("\t\te.g : !measure default\n");
}

◆ CommandModeHelp()

VOID CommandModeHelp ( )

help of the !mode command

Returns
VOID
{
    ShowMessages("!mode : traps (and possibly blocks) the execution of user-mode/kernel-mode instructions.\n\n");

    ShowMessages("syntax : \t!mode [Mode (string)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] "
                 "[sc EnableShortCircuiting (onoff)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
                 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !mode u pid 1c0\n");
    ShowMessages("\t\te.g : !mode k pid 1c0\n");
    ShowMessages("\t\te.g : !mode ku pid 1c0\n");
    ShowMessages("\t\te.g : !mode ku core 2 pid 400\n");
    ShowMessages("\t\te.g : !mode u pid 1c0 script { printf(\"kernel -> user transition occurred!\\n\"); }\n");
    ShowMessages("\t\te.g : !mode ku pid 1c0 asm code { nop; nop; nop }\n");

    ShowMessages("\n");
    ShowMessages("note: this event applies to the target process; thus, you need to specify the process id\n");
}

◆ CommandMonitorHelp()

VOID CommandMonitorHelp ( )

help of the !monitor command

Returns
VOID
{
    ShowMessages("!monitor : monitors an address range for reads, writes and/or execution (EPT-based).\n\n");

    ShowMessages("syntax : \t!monitor [MemoryType (vapa)] [Attribute (string)] [FromAddress (hex)] "
                 "[ToAddress (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("syntax : \t!monitor [MemoryType (vapa)] [Attribute (string)] [FromAddress (hex)] "
                 "[l Length (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !monitor rw fffff801deadb000 fffff801deadbfff\n");
    ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000\n");
    ShowMessages("\t\te.g : !monitor pa rw c01000 l 1000\n");
    ShowMessages("\t\te.g : !monitor rwx fffff801deadb000 fffff801deadbfff\n");
    ShowMessages("\t\te.g : !monitor rwx fffff801deadb000 l 230d0\n");
    ShowMessages("\t\te.g : !monitor rw nt!Kd_DEFAULT_Mask Kd_DEFAULT_Mask+5\n");
    ShowMessages("\t\te.g : !monitor r fffff801deadb000 fffff801deadbfff pid 400\n");
    ShowMessages("\t\te.g : !monitor w fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
    ShowMessages("\t\te.g : !monitor w c01000 c01000+2500 core 2 pid 400\n");
    ShowMessages("\t\te.g : !monitor x fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
    ShowMessages("\t\te.g : !monitor x fffff801deadb000 l 500 core 2 pid 400\n");
    ShowMessages("\t\te.g : !monitor wx fffff801deadb000 fffff801deadbfff core 2 pid 400\n");
    ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000 script { printf(\"read/write occurred at the virtual address: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !monitor rw fffff801deadb000 l 1000 asm code { nop; nop; nop }\n");
}

◆ CommandMsrreadHelp()

VOID CommandMsrreadHelp ( )

help of the !msrread command

Returns
VOID
{
    ShowMessages("!msrread : detects the execution of rdmsr instructions.\n\n");

    ShowMessages("syntax : \t!msrread [Msr (hex)] [pid ProcessId (hex)] "
                 "[core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] "
                 "[stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
                 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !msrread\n");
    ShowMessages("\t\te.g : !msrread 0xc0000082\n");
    ShowMessages("\t\te.g : !msrread pid 400\n");
    ShowMessages("\t\te.g : !msrread core 2 pid 400\n");
    ShowMessages("\t\te.g : !msrread script { printf(\"msr read with the 'ecx' register equal to: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !msrread asm code { nop; nop; nop }\n");
}

◆ CommandMsrwriteHelp()

VOID CommandMsrwriteHelp ( )

help of the !msrwrite command

Returns
VOID
{
    ShowMessages("!msrwrite : detects the execution of wrmsr instructions.\n\n");

    ShowMessages("syntax : \t!msrwrite [Msr (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !msrwrite\n");
    ShowMessages("\t\te.g : !msrwrite 0xc0000082\n");
    ShowMessages("\t\te.g : !msrwrite pid 400\n");
    ShowMessages("\t\te.g : !msrwrite core 2 pid 400\n");
    ShowMessages("\t\te.g : !msrwrite script { printf(\"msr write with the 'ecx' register equal to: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !msrwrite asm code { nop; nop; nop }\n");
}

◆ CommandOutputHelp()

VOID CommandOutputHelp ( )

help of the output command

Returns
VOID
{
    ShowMessages("output : creates an output instance that can be used in event "
                 "forwarding.\n\n");

    ShowMessages("syntax : \toutput [create Name (string)] [file|namedpipe|tcp|module Address (string)]\n");
    ShowMessages("syntax : \toutput [open|close Name (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : output create MyOutputName1 file "
                 "c:\\rev\\output.txt\n");
    ShowMessages("\t\te.g : output create MyOutputName2 tcp 192.168.1.10:8080\n");
    ShowMessages("\t\te.g : output create MyOutputName3 namedpipe "
                 "\\\\.\\Pipe\\HyperDbgOutput\n");
    ShowMessages("\t\te.g : output create MyOutputName1 module "
                 "c:\\rev\\event_forwarding.dll\n");
    ShowMessages("\t\te.g : output open MyOutputName1\n");
    ShowMessages("\t\te.g : output close MyOutputName1\n");
}

◆ CommandPa2vaHelp()

VOID CommandPa2vaHelp ( )

help of the !pa2va command

Returns
VOID
{
    ShowMessages("!pa2va : converts a physical address to a virtual address.\n\n");

    ShowMessages("syntax : \t!pa2va [PhysicalAddress (hex)] [pid ProcessId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !pa2va nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : !pa2va nt!ExAllocatePoolWithTag+5\n");
    ShowMessages("\t\te.g : !pa2va @rax+5\n");
    ShowMessages("\t\te.g : !pa2va fffff801deadbeef\n");
    ShowMessages("\t\te.g : !pa2va fffff801deadbeef pid 0xc8\n");
}

◆ CommandPageinHelp()

VOID CommandPageinHelp ( )

help of the .pagein command

Returns
VOID
{
    ShowMessages(".pagein : brings the page in, making it available in RAM.\n\n");

    ShowMessages("syntax : \t.pagein [Mode (string)] [l Length (hex)]\n");
    ShowMessages("syntax : \t.pagein [Mode (string)] [VirtualAddress (hex)] [l Length (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .pagein fffff801deadbeef\n");
    ShowMessages("\t\te.g : .pagein 00007ff8349f2224 l 1a000\n");
    ShowMessages("\t\te.g : .pagein u 00007ff8349f2224\n");
    ShowMessages("\t\te.g : .pagein w 00007ff8349f2224\n");
    ShowMessages("\t\te.g : .pagein f 00007ff8349f2224\n");
    ShowMessages("\t\te.g : .pagein pw 00007ff8349f2224\n");
    ShowMessages("\t\te.g : .pagein wu 00007ff8349f2224\n");
    ShowMessages("\t\te.g : .pagein wu 00007ff8349f2224 l 6000\n");
    ShowMessages("\t\te.g : .pagein pf @rax\n");
    ShowMessages("\t\te.g : .pagein uf @rip+@rcx\n");
    ShowMessages("\t\te.g : .pagein pwu @rax+5\n");
    ShowMessages("\t\te.g : .pagein pwu @rax l 2000\n");

    ShowMessages("\n");
    ShowMessages("valid mode formats: \n");

    ShowMessages("\tp : present\n");
    ShowMessages("\tw : write\n");
    ShowMessages("\tu : user\n");
    ShowMessages("\tf : fetch\n");
    ShowMessages("\tk : protection key\n");
    ShowMessages("\ts : shadow stack\n");
    ShowMessages("\th : hlat\n");
    ShowMessages("\tg : sgx\n");

    ShowMessages("\n");
    ShowMessages("common page-fault codes: \n");

    ShowMessages("\t0x0: (default)\n");
    ShowMessages("\t0x2: w (write access fault)\n");
    ShowMessages("\t0x3: pw (present, write access fault)\n");
    ShowMessages("\t0x4: u (user access fault)\n");
    ShowMessages("\t0x6: wu (write, user access fault)\n");
    ShowMessages("\t0x7: pwu (present, write, user access fault)\n");
    ShowMessages("\t0x10: f (fetch instruction fault)\n");
    ShowMessages("\t0x11: pf (present, fetch instruction fault)\n");
    ShowMessages("\t0x14: uf (user, fetch instruction fault)\n");
}
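The mode letters and the "common page-fault codes" table above are two views of one encoding: each letter sets one bit of the x86 #PF error code that `.pagein` injects for the target page. The following C program is an added example, not code from HyperDbg's sources; it encodes a mode string into that error code and decodes a code back to its letters. The bits for p/w/u/f match the table above; the bits assumed for k, s, h and g (5, 6, 7 and 15) follow the Intel SDM's #PF error-code layout (PK, SS, HLAT, SGX) and are an assumption about how HyperDbg maps those letters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mapping of .pagein mode letters to #PF error-code bits.
 * p/w/u/f agree with the page-fault code table in the help text.
 * k/s/h/g -> bits 5/6/7/15 is taken from the Intel SDM (#PF error code:
 * PK, SS, HLAT, SGX) and is an assumption about HyperDbg's mapping. */
typedef struct {
    char        letter;
    uint32_t    bit;
    const char *meaning;
} pf_flag_t;

static const pf_flag_t PF_FLAGS[] = {
    { 'p', 1u << 0,  "present" },
    { 'w', 1u << 1,  "write" },
    { 'u', 1u << 2,  "user" },
    { 'f', 1u << 4,  "fetch" },
    { 'k', 1u << 5,  "protection key" },
    { 's', 1u << 6,  "shadow stack" },
    { 'h', 1u << 7,  "hlat" },
    { 'g', 1u << 15, "sgx" },
};
#define PF_FLAG_COUNT (sizeof PF_FLAGS / sizeof PF_FLAGS[0])

/* Encode a mode string such as "pwu" into the error code (0x7).
 * Returns -1 on an unknown letter so that a typo cannot be mistaken
 * for the default code 0x0. */
int pagein_mode_to_error_code(const char *mode)
{
    uint32_t code = 0;
    for (; *mode != '\0'; ++mode) {
        int known = 0;
        for (size_t i = 0; i < PF_FLAG_COUNT; ++i) {
            if (PF_FLAGS[i].letter == *mode) {
                code |= PF_FLAGS[i].bit;
                known = 1;
                break;
            }
        }
        if (!known)
            return -1;
    }
    return (int)code;
}

/* Decode an error code into mode letters, in table order. out must hold
 * at least PF_FLAG_COUNT + 1 bytes. Returns the number of letters; bits
 * without a letter (e.g. bit 3, RSVD) are silently dropped. */
int pagein_error_code_to_mode(uint32_t code, char *out)
{
    int n = 0;
    for (size_t i = 0; i < PF_FLAG_COUNT; ++i)
        if (code & PF_FLAGS[i].bit)
            out[n++] = PF_FLAGS[i].letter;
    out[n] = '\0';
    return n;
}

/* Decode then re-encode; returns 1 only when every set bit has a letter,
 * i.e. the code can be expressed as a .pagein mode string at all. */
int pagein_roundtrip_ok(uint32_t code)
{
    char mode[PF_FLAG_COUNT + 1];
    pagein_error_code_to_mode(code, mode);
    return pagein_mode_to_error_code(mode) == (int)code;
}

int main(void)
{
    /* Regenerate the "common page-fault codes" table from the letters. */
    const char *modes[] = { "", "w", "pw", "u", "wu", "pwu", "f", "pf", "uf" };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; ++i)
        printf("0x%x: %s\n", (unsigned)pagein_mode_to_error_code(modes[i]), modes[i]);

    char back[PF_FLAG_COUNT + 1];
    pagein_error_code_to_mode(0x14, back);
    printf("0x14 -> %s\n", back);
    return 0;
}
```

A code such as 0x8 (RSVD) has no letter, so `pagein_roundtrip_ok(0x8)` is false: that is the check to run before trusting a decoded mode string.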

◆ CommandPauseHelp()

VOID CommandPauseHelp ( )

help of the pause command

Returns
VOID
{
    ShowMessages("pause : pauses the kernel events.\n\n");

    ShowMessages("syntax : \tpause \n");
}

◆ CommandPeHelp()

VOID CommandPeHelp ( )

help of the .pe command

Returns
VOID
{
    ShowMessages(".pe : parses portable executable (PE) files and dumps their sections.\n\n");

    ShowMessages("syntax : \t.pe [header] [FilePath (string)]\n");
    ShowMessages("syntax : \t.pe [section] [SectionName (string)] [FilePath (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .pe header c:\\reverse files\\myfile.exe\n");
    ShowMessages("\t\te.g : .pe section .text c:\\reverse files\\myfile.exe\n");
    ShowMessages("\t\te.g : .pe section .rdata c:\\reverse files\\myfile.exe\n");
}

◆ CommandPHelp()

VOID CommandPHelp ( )

help of the p command

Returns
VOID
{
    ShowMessages(
        "p : executes a single instruction (step) and optionally displays the "
        "resulting values of all registers and flags.\n\n");

    ShowMessages("syntax : \tp\n");
    ShowMessages("syntax : \tp [Count (hex)]\n");
    ShowMessages("syntax : \tpr\n");
    ShowMessages("syntax : \tpr [Count (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : p\n");
    ShowMessages("\t\te.g : pr\n");
    ShowMessages("\t\te.g : pr 1f\n");
}

◆ CommandPmcHelp()

VOID CommandPmcHelp ( )

help of the !pmc command

Returns
VOID
{
    ShowMessages("!pmc : monitors execution of rdpmc instructions.\n\n");

    ShowMessages("syntax : \t!pmc [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] "
                 "[sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] "
                 "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] "
                 "[output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !pmc\n");
    ShowMessages("\t\te.g : !pmc pid 400\n");
    ShowMessages("\t\te.g : !pmc core 2 pid 400\n");
    ShowMessages("\t\te.g : !pmc script { printf(\"RDPMC instruction called at: %%llx\\n\", @rip); }\n");
    ShowMessages("\t\te.g : !pmc asm code { nop; nop; nop }\n");
}

◆ CommandPreactivateHelp()

VOID CommandPreactivateHelp ( )

help of the preactivate command

Returns
VOID
{
    ShowMessages("preactivate : preactivates a special functionality.\n\n");

    ShowMessages("syntax : \tpreactivate [Type (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : preactivate mode\n");

    ShowMessages("\n");
    ShowMessages("type of activations:\n");
    ShowMessages("\tmode: used for preactivation of the '!mode' event\n");
}

◆ CommandPreallocHelp()

VOID CommandPreallocHelp ( )

help of the prealloc command

Returns
VOID
{
    ShowMessages("prealloc : pre-allocates buffers for special purposes.\n\n");

    ShowMessages("syntax : \tprealloc [Type (string)] [Count (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : prealloc thread-interception 8\n");
    ShowMessages("\t\te.g : prealloc monitor 10\n");
    ShowMessages("\t\te.g : prealloc epthook 5\n");
    ShowMessages("\t\te.g : prealloc epthook2 3\n");
    ShowMessages("\t\te.g : prealloc regular-event 12\n");
    ShowMessages("\t\te.g : prealloc big-safe-buffer 1\n");

    ShowMessages("\n");
    ShowMessages("type of allocations:\n");
    ShowMessages("\tthread-interception: used for pre-allocations of the thread holders for the thread interception mechanism\n");
    ShowMessages("\tmonitor: used for pre-allocations of the '!monitor' EPT hooks\n");
    ShowMessages("\tepthook: used for pre-allocations of the '!epthook' EPT hooks\n");
    ShowMessages("\tepthook2: used for pre-allocations of the '!epthook2' EPT hooks\n");
    ShowMessages("\tregular-event: used for pre-allocations of regular instant events\n");
    ShowMessages("\tbig-event: used for pre-allocations of big instant events\n");
    ShowMessages("\tregular-safe-buffer: used for pre-allocations of the regular event safe buffers ($buffer) for instant events\n");
    ShowMessages("\tbig-safe-buffer: used for pre-allocations of the big event safe buffers ($buffer) for instant events\n");
}

◆ CommandPrintHelp()

VOID CommandPrintHelp ( )

help of the print command

Returns
VOID
{
    ShowMessages("print : evaluates expressions.\n\n");

    ShowMessages("syntax : \tprint [Expression (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : print dq(poi(@rcx))\n");
}

◆ CommandProcessHelp()

VOID CommandProcessHelp ( )

help of the .process command

Returns
VOID
{
    ShowMessages(".process, .process2 : shows and changes the processes. "
                 "This command needs public symbols for ntoskrnl.exe if "
                 "you want to see the processes list. Please visit the "
                 "documentation to know about the difference between '.process' "
                 "and '.process2'.\n\n");

    ShowMessages("syntax : \t.process\n");
    ShowMessages("syntax : \t.process [list]\n");
    ShowMessages("syntax : \t.process [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \t.process [process Eprocess (hex)]\n");
    ShowMessages("syntax : \t.process2 [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \t.process2 [process Eprocess (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .process\n");
    ShowMessages("\t\te.g : .process list\n");
    ShowMessages("\t\te.g : .process pid 4\n");
    ShowMessages("\t\te.g : .process2 pid 4\n");
    ShowMessages("\t\te.g : .process process ffff948c`c2349280\n");
}

◆ CommandPteHelp()

VOID CommandPteHelp ( )

help of the !pte command

Returns
VOID
{
    ShowMessages("!pte : shows the paging-structure entries (PML4E, PDPTE, PDE, PTE) that map a virtual address.\n\n");

    ShowMessages("syntax : \t!pte [VirtualAddress (hex)] [pid ProcessId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !pte nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : !pte nt!ExAllocatePoolWithTag+5\n");
    ShowMessages("\t\te.g : !pte fffff801deadbeef\n");
    ShowMessages("\t\te.g : !pte 0x400021000 pid 1c0\n");
}

◆ CommandRdmsrHelp()

VOID CommandRdmsrHelp ( )

help of the rdmsr command

Returns
VOID
{
    ShowMessages("rdmsr : reads a model-specific register (MSR).\n\n");

    ShowMessages("syntax : \trdmsr [Msr (hex)] [core CoreNumber (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : rdmsr c0000082\n");
    ShowMessages("\t\te.g : rdmsr c0000082 core 2\n");
}
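The MSR in the rdmsr example, c0000082, is IA32_LSTAR: the 64-bit syscall entry point. A practical check that combines `rdmsr c0000082` with the `lm km` listing is to verify that the handler still lies inside the kernel image, which is how a redirected syscall entry is spotted after the fact (`!msrwrite c0000082` catches the redirection at the moment it is written). The C program below is an added example, not HyperDbg code: the module listing it parses uses a simplified, hypothetical `base size name` layout rather than the real `lm` output, the kernel is assumed to be listed as `nt`, and all addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IA32_LSTAR 0xc0000082u  /* MSR read by "rdmsr c0000082": 64-bit syscall entry */

/* One row of a module listing: base, size, name. */
typedef struct {
    uint64_t base;
    uint64_t size;
    char     name[32];
} module_t;

/* Parse lines of the hypothetical form "<base-hex> <size-hex> <name>".
 * This is a simplified layout assumed for the example; the real "lm"
 * output also prints the path. Returns the number of rows parsed. */
size_t parse_module_list(const char *listing, module_t *out, size_t max)
{
    size_t      n = 0;
    const char *p = listing;

    while (*p != '\0' && n < max) {
        char        line[256];
        const char *nl  = strchr(p, '\n');
        size_t      len = nl ? (size_t)(nl - p) : strlen(p);
        unsigned long long base, size;
        char        name[32];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (sscanf(line, "%llx %llx %31s", &base, &size, name) == 3) {
            out[n].base = base;
            out[n].size = size;
            strncpy(out[n].name, name, sizeof out[n].name - 1);
            out[n].name[sizeof out[n].name - 1] = '\0';
            ++n;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* Module whose [base, base+size) range contains addr, or NULL. */
const module_t *module_for_address(const module_t *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; ++i)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* The integrity check: LSTAR must point into the kernel image ("nt").
 * A handler in any other module, or in no module at all, means the
 * syscall entry has been redirected. Returns 1 when sane. */
int lstar_points_into_kernel(uint64_t lstar, const module_t *mods, size_t n)
{
    const module_t *m = module_for_address(mods, n, lstar);
    return m != NULL && strcmp(m->name, "nt") == 0;
}

/* Constructed sample listing and MSR values (not from a real system). */
static const char SAMPLE_LM[] =
    "fffff80712400000 00000000010a8000 nt\n"
    "fffff80713800000 0000000000080000 hal\n"
    "fffff80719a00000 0000000000010000 driver_x\n";

static const uint64_t SAMPLE_LSTAR_EXPECTED   = 0xfffff80712a1c340ull; /* inside nt */
static const uint64_t SAMPLE_LSTAR_REDIRECTED = 0xfffff80719a01000ull; /* inside driver_x */
static const uint64_t SAMPLE_LSTAR_UNMAPPED   = 0xfffff80700000000ull; /* in no module */

/* Run the check over the sample data; used by main and by tests. */
int sample_check(uint64_t lstar)
{
    module_t mods[8];
    size_t   n = parse_module_list(SAMPLE_LM, mods, 8);
    return lstar_points_into_kernel(lstar, mods, n);
}

size_t sample_module_count(void)
{
    module_t mods[8];
    return parse_module_list(SAMPLE_LM, mods, 8);
}

int main(void)
{
    printf("MSR %#x, LSTAR=%llx -> %s\n", IA32_LSTAR, (unsigned long long)SAMPLE_LSTAR_EXPECTED,
           sample_check(SAMPLE_LSTAR_EXPECTED) ? "inside nt" : "REDIRECTED");
    printf("MSR %#x, LSTAR=%llx -> %s\n", IA32_LSTAR, (unsigned long long)SAMPLE_LSTAR_REDIRECTED,
           sample_check(SAMPLE_LSTAR_REDIRECTED) ? "inside nt" : "REDIRECTED");
    return 0;
}
```

Run `rdmsr c0000082 core N` for every core, not just one: LSTAR is per-core, and a single patched core passes a check that only reads core 0.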

◆ CommandReadMemoryAndDisassemblerHelp()

VOID CommandReadMemoryAndDisassemblerHelp ( )

help of u* d* !u* !d* commands

Returns
VOID
{
    ShowMessages("db dc dd dq !db !dc !dd !dq & u u64 !u !u64 u2 u32 !u2 !u32 : read "
                 "memory in different shapes (hex) and disassemble it\n");
    ShowMessages("db Byte and ASCII characters\n");
    ShowMessages("dc Double-word values (4 bytes) and ASCII characters\n");
    ShowMessages("dd Double-word values (4 bytes)\n");
    ShowMessages("dq Quad-word values (8 bytes). \n");
    ShowMessages("u u64 Disassembler at the target address (x64) \n");
    ShowMessages("u2 u32 Disassembler at the target address (x86) \n");
    ShowMessages("\nIf you want to read physical memory then add '!' at the "
                 "start of the command\n");
    ShowMessages("you can also disassemble physical memory using '!u'\n\n");

    ShowMessages("syntax : \tdb [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tdc [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tdd [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tdq [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tu [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tu64 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tu2 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tu32 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask\n");
    ShowMessages("\t\te.g : db nt!Kd_DEFAULT_Mask+10\n");
    ShowMessages("\t\te.g : db @rax\n");
    ShowMessages("\t\te.g : db @rax+50\n");
    ShowMessages("\t\te.g : db fffff8077356f010\n");
    ShowMessages("\t\te.g : !dq 100000\n");
    ShowMessages("\t\te.g : !dq @rax+77\n");
    ShowMessages("\t\te.g : u32 @eip\n");
    ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : u nt!ExAllocatePoolWithTag+30\n");
    ShowMessages("\t\te.g : u fffff8077356f010\n");
    ShowMessages("\t\te.g : u fffff8077356f010+@rcx\n");
}

◆ CommandRestartHelp()

VOID CommandRestartHelp ( )

help of the .restart command

Returns
VOID
{
    ShowMessages(".restart : restarts the previously started process "
                 "(using '.start' command).\n\n");

    ShowMessages(
        "syntax : \t.restart \n");
}

◆ CommandRevHelp()

VOID CommandRevHelp ( )

help of the !rev command

Returns
VOID
{
    ShowMessages("!rev : uses the reversing machine module in order to reconstruct the programmer/memory assumptions.\n\n");

    ShowMessages("syntax : \t!rev [config] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \t!rev [path Path (string)] [Parameters (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !rev path c:\\reverse eng\\my_file.exe\n");
    ShowMessages("\t\te.g : !rev pattern\n");
    ShowMessages("\t\te.g : !rev reconstruct\n");
    ShowMessages("\t\te.g : !rev pattern pid 1c0\n");
    ShowMessages("\t\te.g : !rev reconstruct pid 1c0\n");
}

◆ CommandRHelp()

VOID CommandRHelp ( )

help of the r command

Returns
VOID
{
    ShowMessages("r : reads or modifies registers.\n\n");

    ShowMessages("syntax : \tr\n");
    ShowMessages("syntax : \tr [Register (string)] [= Expr (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : r\n");
    ShowMessages("\t\te.g : r @rax\n");
    ShowMessages("\t\te.g : r rax\n");
    ShowMessages("\t\te.g : r rax = 0x55\n");
    ShowMessages("\t\te.g : r rax = @rbx + @rcx + 0n10\n");
}

◆ CommandScriptHelp()

VOID CommandScriptHelp ( )

help of the .script command

Returns
VOID
{
    ShowMessages(".script : runs a HyperDbg script.\n\n");

    ShowMessages("syntax : \t.script [FilePath (string)] [Args (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .script C:\\scripts\\script.ds\n");
    ShowMessages("\t\te.g : .script C:\\scripts\\script.ds 95 85 @rsp\n");
    ShowMessages("\t\te.g : .script \"C:\\scripts\\hello world.ds\"\n");
    ShowMessages("\t\te.g : .script \"C:\\scripts\\hello world.ds\" @rax\n");
    ShowMessages("\t\te.g : .script \"C:\\scripts\\hello world.ds\" @rax @rcx+55 $pid\n");
    ShowMessages("\t\te.g : .script \"C:\\scripts\\hello world.ds\" 12 55 @rip\n");
}

◆ CommandSearchMemoryHelp()

VOID CommandSearchMemoryHelp ( )

help of !s* s* commands

Returns
VOID
{
    ShowMessages("sb !sb sd !sd sq !sq : search a contiguous memory range for a "
                 "specific byte pattern\n");
    ShowMessages("sb Byte and ASCII characters\n");
    ShowMessages("sd Double-word values (4 bytes)\n");
    ShowMessages("sq Quad-word values (8 bytes). \n");

    ShowMessages(
        "\n If you want to search in physical (address) memory then add '!' "
        "at the start of the command\n");

    ShowMessages("syntax : \tsb [StartAddress (hex)] [l Length (hex)] [BytePattern (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tsd [StartAddress (hex)] [l Length (hex)] [BytePattern (hex)] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \tsq [StartAddress (hex)] [l Length (hex)] [BytePattern (hex)] [pid ProcessId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : sb nt!ExAllocatePoolWithTag 90 85 95 l ffff \n");
    ShowMessages("\t\te.g : sb nt!ExAllocatePoolWithTag+5 90 85 95 l ffff \n");
    ShowMessages("\t\te.g : sb @rcx+5 90 85 95 l ffff \n");
    ShowMessages("\t\te.g : sb fffff8077356f010 90 85 95 l ffff \n");
    ShowMessages("\t\te.g : sd fffff8077356f010 90423580 l ffff pid 1c0 \n");
    ShowMessages("\t\te.g : !sq 100000 9090909090909090 l ffff\n");
    ShowMessages("\t\te.g : !sq @rdx+r12 9090909090909090 l ffff\n");
    ShowMessages("\t\te.g : !sq 100000 9090909090909090 9090909090909090 "
                 "9090909090909090 l ffffff\n");
}
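The s* commands take a list of values of one width (1, 4 or 8 bytes for sb, sd, sq) and match them as a contiguous byte sequence; because x86 is little-endian, `sd ... 90423580` matches the bytes 80 35 42 90 in memory. The C example below is added here and is not HyperDbg code; it reproduces that matching over a constructed buffer and runs the help's own patterns against it. It steps one byte at a time so that unaligned dword/qword hits are also reported; whether the real commands scan at byte or element granularity is not stated on this page and is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A search pattern as the s* commands take it: a list of values, all of
 * one width (1 for sb, 4 for sd, 8 for sq), matched as contiguous bytes. */
typedef struct {
    const uint64_t *values;
    size_t          count;
    size_t          width;
} pattern_t;

/* Serialize the values into their little-endian byte image (x86 order). */
static size_t pattern_bytes(const pattern_t *p, uint8_t *out)
{
    size_t n = 0;
    for (size_t i = 0; i < p->count; ++i)
        for (size_t b = 0; b < p->width; ++b)
            out[n++] = (uint8_t)(p->values[i] >> (8 * b));
    return n;
}

/* Scan buf[0..len) for the pattern, advancing one byte per step (assumed
 * granularity) so a dword/qword is found even when unaligned. Stores up
 * to max_hits offsets in hits and returns the total number of hits. */
size_t search_memory(const uint8_t *buf, size_t len, const pattern_t *p,
                     size_t *hits, size_t max_hits)
{
    uint8_t needle[256];
    size_t  nlen, found = 0;

    if (p->count == 0 || p->width == 0 || p->count * p->width > sizeof needle)
        return 0;
    nlen = pattern_bytes(p, needle);
    if (nlen > len)
        return 0;
    for (size_t off = 0; off + nlen <= len; ++off) {
        if (memcmp(buf + off, needle, nlen) == 0) {
            if (found < max_hits)
                hits[found] = off;
            ++found;
        }
    }
    return found;
}

/* Constructed sample "memory" (not a dump of a real system): bytes
 * 90 85 95 at offset 5, the dword 0x90423580 (80 35 42 90) at offset 9,
 * then eight 0x90 bytes; with the dword's top byte that is nine
 * consecutive NOPs starting at offset 12. */
static const uint8_t SAMPLE[] = {
    0x48, 0x89, 0x5c, 0x24, 0x08,
    0x90, 0x85, 0x95,
    0xcc,
    0x80, 0x35, 0x42, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
};

/* Offset of the first hit in SAMPLE, or SIZE_MAX if there is none. */
size_t sample_first_hit(const uint64_t *values, size_t count, size_t width)
{
    pattern_t p = { values, count, width };
    size_t    hit;
    return search_memory(SAMPLE, sizeof SAMPLE, &p, &hit, 1) ? hit : SIZE_MAX;
}

/* Number of hits in SAMPLE. */
size_t sample_hit_count(const uint64_t *values, size_t count, size_t width)
{
    pattern_t p = { values, count, width };
    return search_memory(SAMPLE, sizeof SAMPLE, &p, NULL, 0);
}

/* The help's own examples, run over SAMPLE. */
static const uint64_t SB_90_85_95[] = { 0x90, 0x85, 0x95 };      /* sb ... 90 85 95 */
static const uint64_t SD_90423580[] = { 0x90423580 };            /* sd ... 90423580 */
static const uint64_t SQ_NOPS[]     = { 0x9090909090909090ull }; /* !sq ... 9090909090909090 */
static const uint64_t SB_NOP[]      = { 0x90 };
static const uint64_t SD_ABSENT[]   = { 0xdeadbeef };

size_t example_sb_offset(void)    { return sample_first_hit(SB_90_85_95, 3, 1); }
size_t example_sd_offset(void)    { return sample_first_hit(SD_90423580, 1, 4); }
size_t example_sq_offset(void)    { return sample_first_hit(SQ_NOPS, 1, 8); }
size_t example_sq_count(void)     { return sample_hit_count(SQ_NOPS, 1, 8); }
size_t example_sb_nop_count(void) { return sample_hit_count(SB_NOP, 1, 1); }
size_t example_no_hit(void)       { return sample_first_hit(SD_ABSENT, 1, 4); }
```

The qword NOP pattern is found twice (offsets 12 and 13) although the buffer holds only one nine-byte run: overlapping matches are what a byte-granular scan reports, so count hits, not runs, when sizing a NOP sled or a signature.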

◆ CommandSettingsHelp()

VOID CommandSettingsHelp ( )

help of the settings command

Returns
VOID
{
    ShowMessages(
        "settings : queries, sets, or changes the value of a special settings option.\n\n");

    ShowMessages("syntax : \tsettings [OptionName (string)]\n");
    ShowMessages("syntax : \tsettings [OptionName (string)] [Value (hex)]\n");
    ShowMessages("syntax : \tsettings [OptionName (string)] [Value (string)]\n");
    ShowMessages("syntax : \tsettings [OptionName (string)] [on|off]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : settings autounpause\n");
    ShowMessages("\t\te.g : settings autounpause on\n");
    ShowMessages("\t\te.g : settings autounpause off\n");
    ShowMessages("\t\te.g : settings addressconversion on\n");
    ShowMessages("\t\te.g : settings addressconversion off\n");
    ShowMessages("\t\te.g : settings autoflush on\n");
    ShowMessages("\t\te.g : settings autoflush off\n");
    ShowMessages("\t\te.g : settings syntax intel\n");
    ShowMessages("\t\te.g : settings syntax att\n");
    ShowMessages("\t\te.g : settings syntax masm\n");
}

◆ CommandSleepHelp()

VOID CommandSleepHelp ( )

help of the sleep command

Returns
VOID
{
    ShowMessages("sleep : sleeps the debugger; this command is used in scripts. It doesn't break "
                 "the debugger, and the debugger still shows the buffers received "
                 "from the kernel.\n\n");

    ShowMessages("syntax : \tsleep [MillisecondsTime (hex)]\n");
}

◆ CommandStartHelp()

VOID CommandStartHelp ( )

help of the .start command

Returns
VOID
{
    ShowMessages(".start : runs a user-mode process.\n\n");

    ShowMessages("syntax : \t.start [path Path (string)] [Parameters (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .start path c:\\reverse eng\\my_file.exe\n");
}

◆ CommandStatusHelp()

VOID CommandStatusHelp ( )

help of the .status command

Returns
VOID
{
    ShowMessages(".status | status : gets the status of the current debugger on the local "
                 "system (if you are connected to a remote system then '.status' "
                 "shows the state of the current debugger, while 'status' shows the "
                 "state of the remote debuggee).\n\n");

    ShowMessages("syntax : \t.status\n");
    ShowMessages("syntax : \tstatus\n");
}

◆ CommandStructHelp()

VOID CommandStructHelp ( )

help of the struct command

Returns
VOID
{
    ShowMessages("struct : displays a data type, enum, or structure derived from PDB symbols.\n\n");

    ShowMessages("syntax : struct [Module!SymbolName (string)] [offset Offset (yesno)] [bitfield Bitfield (yesno)] "
                 "[native Native (yesno)] [decl Declaration (yesno)] [def Definitions (yesno)] "
                 "[func Functions (yesno)] [pragma Pragma (yesno)] [prefix Prefix (string)] "
                 "[suffix Suffix (string)] [inline Expansion (string)] [output FileName (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : struct nt!_EPROCESS\n");
    ShowMessages("\t\te.g : struct nt!*\n");
    ShowMessages("\t\te.g : struct nt!* output ntheader.h\n");
    ShowMessages("\t\te.g : struct nt!* func yes output ntheader.h\n");
}

◆ CommandSwitchHelp()

VOID CommandSwitchHelp ( )

help of the .switch command

Returns
VOID
{
    ShowMessages(".switch : shows the list of active debugging threads and switches "
                 "between processes and threads in VMI Mode.\n\n");

    ShowMessages("syntax : \t.switch \n");
    ShowMessages("syntax : \t.switch [list]\n");
    ShowMessages("syntax : \t.switch [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \t.switch [tid ThreadId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .switch list\n");
    ShowMessages("\t\te.g : .switch pid b60 \n");
    ShowMessages("\t\te.g : .switch tid b60 \n");
}

◆ CommandSymHelp()

VOID CommandSymHelp ( )

help of the .sym command

Returns
VOID
{
    ShowMessages(".sym : performs the symbol actions.\n\n");

    ShowMessages("syntax : \t.sym [table]\n");
    ShowMessages("syntax : \t.sym [reload] [pid ProcessId (hex)]\n");
    ShowMessages("syntax : \t.sym [download]\n");
    ShowMessages("syntax : \t.sym [load]\n");
    ShowMessages("syntax : \t.sym [unload]\n");
    ShowMessages("syntax : \t.sym [add] [base Address (hex)] [path Path (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .sym table\n");
    ShowMessages("\t\te.g : .sym reload\n");
    ShowMessages("\t\te.g : .sym reload pid 3a24\n");
    ShowMessages("\t\te.g : .sym load\n");
    ShowMessages("\t\te.g : .sym download\n");
    ShowMessages("\t\te.g : .sym add base fffff8077356000 path c:\\symbols\\my_dll.pdb\n");
    ShowMessages("\t\te.g : .sym unload\n");
}

◆ CommandSympathHelp()

VOID CommandSympathHelp ( )

help of the .sympath command

Returns
VOID
{
    ShowMessages(".sympath : shows and sets the symbol server and path.\n\n");

    ShowMessages("syntax : \t.sympath\n");
    ShowMessages("syntax : \t.sympath [SymServer (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .sympath\n");
    ShowMessages("\t\te.g : .sympath SRV*c:\\Symbols*https://msdl.microsoft.com/download/symbols \n");
}

◆ CommandSyscallHelp()

VOID CommandSyscallHelp ( )

help of the !syscall command

Returns
VOID
{
    ShowMessages("!syscall : monitors and hooks all execution of syscall "
                 "instructions (by accessing memory and checking for instructions).\n\n");
    ShowMessages("!syscall2 : monitors and hooks all execution of syscall "
                 "instructions (by emulating all #UDs).\n\n");

    ShowMessages("syntax : \t!syscall [SyscallNumber (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");
    ShowMessages("syntax : \t!syscall2 [SyscallNumber (hex)] [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] "
                 "[buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] "
                 "[asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !syscall\n");
    ShowMessages("\t\te.g : !syscall2\n");
    ShowMessages("\t\te.g : !syscall 0x55\n");
    ShowMessages("\t\te.g : !syscall2 0x55\n");
    ShowMessages("\t\te.g : !syscall 0x55 pid 400\n");
    ShowMessages("\t\te.g : !syscall 0x55 core 2 pid 400\n");
    ShowMessages("\t\te.g : !syscall2 0x55 core 2 pid 400\n");
    ShowMessages("\t\te.g : !syscall script { printf(\"system-call num: %%llx, at process id: %%x\\n\", @rax, $pid); }\n");
    ShowMessages("\t\te.g : !syscall asm code { nop; nop; nop }\n");
}

◆ CommandSysretHelp()

VOID CommandSysretHelp ( )

help of the !sysret command

Returns
VOID
{
    ShowMessages("!sysret : monitors and hooks all execution of sysret "
                 "instructions (by accessing memory and checking for instructions).\n\n");
    ShowMessages("!sysret2 : monitors and hooks all execution of sysret "
                 "instructions (by emulating all #UDs).\n\n");

    ShowMessages("syntax : \t!sysret [pid ProcessId (hex)] [core CoreId (hex)] "
                 "[imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [buffer PreAllocatedBuffer (hex)] "
                 "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !sysret\n");
    ShowMessages("\t\te.g : !sysret2\n");
    ShowMessages("\t\te.g : !sysret pid 400\n");
    ShowMessages("\t\te.g : !sysret2 pid 400\n");
    ShowMessages("\t\te.g : !sysret core 2 pid 400\n");
    ShowMessages("\t\te.g : !sysret2 core 2 pid 400\n");
    ShowMessages("\t\te.g : !sysret script { printf(\"SYSRET instruction is executed at process id: %%x\\n\", $pid); }\n");
    ShowMessages("\t\te.g : !sysret asm code { nop; nop; nop }\n");
}

◆ CommandTestHelp()

VOID CommandTestHelp ( )

help of the test command

Returns
VOID
{
    ShowMessages(
        "test : tests essential features of HyperDbg on the current machine.\n");

    ShowMessages("syntax : \ttest [Task (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : test\n");
    ShowMessages("\t\te.g : test query\n");
    ShowMessages("\t\te.g : test trap-status\n");
    ShowMessages("\t\te.g : test pool\n");
    ShowMessages("\t\te.g : test breakpoint on\n");
    ShowMessages("\t\te.g : test breakpoint off\n");
    ShowMessages("\t\te.g : test trap on\n");
    ShowMessages("\t\te.g : test trap off\n");
}

◆ CommandTHelp()

VOID CommandTHelp ( )

help of the t command

Returns
VOID
{
    ShowMessages(
        "t : executes a single instruction (step-in) and optionally displays the "
        "resulting values of all registers and flags.\n\n");

    ShowMessages("syntax : \tt\n");
    ShowMessages("syntax : \tt [Count (hex)]\n");
    ShowMessages("syntax : \ttr\n");
    ShowMessages("syntax : \ttr [Count (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : t\n");
    ShowMessages("\t\te.g : tr\n");
    ShowMessages("\t\te.g : tr 1f\n");
}

◆ CommandThreadHelp()

VOID CommandThreadHelp ( )

help of the .thread command

Returns
VOID
{
    ShowMessages(".thread, .thread2 : shows and changes the threads. "
                 "This command needs public symbols for 'ntoskrnl.exe' if "
                 "you want to see the threads list. Please visit the "
                 "documentation to know about the difference between '.thread' "
                 "and '.thread2'.\n\n");

    ShowMessages("syntax : \t.thread\n");
    ShowMessages("syntax : \t.thread [list] [process Eprocess (hex)]\n");
    ShowMessages("syntax : \t.thread [tid ThreadId (hex)]\n");
    ShowMessages("syntax : \t.thread [thread Ethread (hex)]\n");
    ShowMessages("syntax : \t.thread2 [tid ThreadId (hex)]\n");
    ShowMessages("syntax : \t.thread2 [thread Ethread (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : .thread\n");
    ShowMessages("\t\te.g : .thread tid 48a4\n");
    ShowMessages("\t\te.g : .thread2 tid 48a4\n");
    ShowMessages("\t\te.g : .thread thread ffff948c`c8970200\n");
    ShowMessages("\t\te.g : .thread list\n");
    ShowMessages("\t\te.g : .thread list process ffff948c`a1279880\n");
}

◆ CommandTraceHelp()

VOID CommandTraceHelp ( )

help of the !trace command

Returns
VOID
{
    ShowMessages("!trace : traces the execution of user-mode/kernel-mode instructions.\n\n");

    ShowMessages("syntax : \t!trace [TraceType (string)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] "
                 "[sc EnableShortCircuiting (onoff)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] "
                 "[asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !trace step-out\n");
    ShowMessages("\t\te.g : !trace step-in pid 1c0\n");
    ShowMessages("\t\te.g : !trace instrument-step core 2 pid 400\n");
    ShowMessages("\t\te.g : !trace instrument-step asm code { nop; nop; nop }\n");

    ShowMessages("\n");
    ShowMessages("valid trace types: \n");

    ShowMessages("\tstep-in : single step-in (regular)\n");
    ShowMessages("\tstep-out : single step-out (regular)\n");
    ShowMessages("\tinstrument-step : single step-in (instrumentation)\n");
}

◆ CommandTrackHelp()

VOID CommandTrackHelp ( )

help of the !track command

Returns
VOID
{
}

◆ CommandTscHelp()

VOID CommandTscHelp ( )

help of the !tsc command

Returns
VOID
{
    ShowMessages("!tsc : monitors execution of rdtsc/rdtscp instructions.\n\n");

    ShowMessages("syntax : \t!tsc [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] "
                 "[sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] "
                 "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] "
                 "[output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !tsc\n");
    ShowMessages("\t\te.g : !tsc pid 400\n");
    ShowMessages("\t\te.g : !tsc core 2 pid 400\n");
    ShowMessages("\t\te.g : !tsc script { printf(\"RDTSC/P instruction called at: %%llx\\n\", @rip); }\n");
    ShowMessages("\t\te.g : !tsc asm code { nop; nop; nop }\n");
}
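The `!tsc` syntax line above (like the `!trace` and `!vmcall` lines) spells out its options as optional key/value pairs with hex values, plus brace-delimited blocks for `script` and `asm code`. The C below is an added example, not HyperDbg's own code: a small parser for that subset of the grammar, with hypothetical names (`parse_tsc_command`, `read_block`, `TscArgs`), that rejects a missing hex value, an unknown option or an unbalanced block instead of silently accepting it.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example, not HyperDbg's parser: reads the "[pid (hex)] [core (hex)]
 * [script { ... }] [asm code { ... }]" subset of the !tsc syntax line into a struct; its
 * other options (imm, sc, stage, buffer, asm condition, output) are rejected here. */
typedef struct {
    unsigned long pid, core;
    int has_pid, has_core;
    char script[128];      /* text inside the braces of "script { ... }" */
    char asm_code[128];    /* text inside the braces of "asm code { ... }" */
} TscArgs;

static const char *skip_ws(const char *p) { while (*p == ' ' || *p == '\t') p++; return p; }

/* Copies a brace block (nesting allowed) into out; returns the position after its '}', or NULL if unbalanced. */
static const char *read_block(const char *p, char *out, size_t cap) {
    int depth = 0; size_t n = 0;
    if (*(p = skip_ws(p)) != '{') return NULL;
    for (; *p; p++) {
        if (*p == '{' && depth++ == 0) continue;                 /* the block's own '{' */
        if (*p == '}' && --depth == 0) { out[n] = 0; return p + 1; }
        if (n + 1 < cap) out[n++] = *p;
    }
    return NULL;
}

/* 0 on success; -1 for a non-!tsc command, an option outside the subset, a missing hex value or a bad block. */
int parse_tsc_command(const char *line, TscArgs *a) {
    char key[16];
    const char *p = skip_ws(line);
    memset(a, 0, sizeof *a);
    if (strncmp(p, "!tsc", 4) != 0) return -1;
    p += 4;
    while (*(p = skip_ws(p)) != 0) {
        int len = 0;
        while (p[len] && !strchr(" \t{", p[len]) && len < 15) { key[len] = p[len]; len++; }
        key[len] = 0; p += len;
        if (!strcmp(key, "pid") || !strcmp(key, "core")) {
            char *end; unsigned long v = strtoul(p = skip_ws(p), &end, 16);
            if (end == p) return -1;                             /* "(hex)" value missing */
            if (key[0] == 'p') { a->pid = v; a->has_pid = 1; } else { a->core = v; a->has_core = 1; }
            p = end;
        } else if (!strcmp(key, "script")) {
            if (!(p = read_block(p, a->script, sizeof a->script))) return -1;
        } else if (!strcmp(key, "asm") && !strncmp(skip_ws(p), "code", 4)) {
            if (!(p = read_block(skip_ws(p) + 4, a->asm_code, sizeof a->asm_code))) return -1;
        } else return -1;                                        /* not in the syntax line */
    }
    return 0;
}
```

The whitespace inside a block's braces is kept as typed, so `asm code { nop; nop; nop }` yields `" nop; nop; nop "`.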

◆ CommandUnhideHelp()

VOID CommandUnhideHelp ( )

help of the !unhide command

Returns
VOID
{
    ShowMessages("!unhide : reverts the transparency measures of the '!hide' command.\n\n");

    ShowMessages("syntax : \t!unhide\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !unhide\n");
}

◆ CommandUnloadHelp()

VOID CommandUnloadHelp ( )

help of the unload command

Returns
VOID
{
    ShowMessages(
        "unload : unloads the kernel modules and uninstalls the drivers.\n\n");

    ShowMessages("syntax : \tunload [remove] [ModuleName (string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : unload vmm\n");
    ShowMessages("\t\te.g : unload remove vmm\n");
}

◆ CommandVa2paHelp()

VOID CommandVa2paHelp ( )

help of the !va2pa command

Returns
VOID
{
    ShowMessages("!va2pa : converts virtual address to physical address.\n\n");

    ShowMessages("syntax : \t!va2pa [VirtualAddress (hex)] [pid ProcessId (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !va2pa nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : !va2pa nt!ExAllocatePoolWithTag+5\n");
    ShowMessages("\t\te.g : !va2pa @rcx\n");
    ShowMessages("\t\te.g : !va2pa @rcx+5\n");
    ShowMessages("\t\te.g : !va2pa fffff801deadbeef\n");
    ShowMessages("\t\te.g : !va2pa fffff801deadbeef pid 0xc8\n");
}

◆ CommandVmcallHelp()

VOID CommandVmcallHelp ( )

help of the !vmcall command

Returns
VOID
{
    ShowMessages("!vmcall : monitors execution of VMCALL instruction.\n\n");

    ShowMessages("syntax : \t!vmcall [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] "
                 "[sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] "
                 "[script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] "
                 "[output {OutputName (string)}]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : !vmcall\n");
    ShowMessages("\t\te.g : !vmcall pid 400\n");
    ShowMessages("\t\te.g : !vmcall core 2 pid 400\n");
    ShowMessages("\t\te.g : !vmcall script { printf(\"VMCALL executed with context: %%llx\\n\", $context); }\n");
    ShowMessages("\t\te.g : !vmcall asm code { nop; nop; nop }\n");
}

◆ CommandWrmsrHelp()

VOID CommandWrmsrHelp ( )

help of the wrmsr command

Returns
VOID
{
    ShowMessages("wrmsr : writes on a model-specific register (MSR).\n\n");

    ShowMessages("syntax : \twrmsr [Msr (hex)] [Value (hex)] [core CoreNumber (hex)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : wrmsr c0000082 fffff8077356f010\n");
    ShowMessages("\t\te.g : wrmsr c0000082 @rcx\n");
    ShowMessages("\t\te.g : wrmsr c0000082 @rcx+@rdx+12\n");
    ShowMessages("\t\te.g : wrmsr c0000082 fffff8077356f010 core 2\n");
}

◆ CommandXHelp()

VOID CommandXHelp ( )

help of the x command

Returns
VOID
{
    ShowMessages("x : searches and shows symbols (wildcard) and corresponding addresses.\n\n");

    ShowMessages("syntax : \tx [Module!Name (wildcard string)]\n");

    ShowMessages("\n");
    ShowMessages("\t\te.g : x nt!ExAllocatePoolWithTag\n");
    ShowMessages("\t\te.g : x nt!ExAllocatePool*\n");
    ShowMessages("\t\te.g : x nt!*\n");
}