!cpuid script

[xxA1eksandrxx]

Hi! I use " !cpuid script { {printf("cpuid : %p\n", @rip);} } " and want to add tr(step-in and registers) after print:
" !cpuid script { {printf("cpuid : %p\n", @rip);} , tr} " but this not working.... how i add debug command in script?

[SinaKarvandi]

Hi,
Thanks for creating this issue. 't' or 'tr' are commands in HyperDbg and commands are not designed to run as a VMX-root script. However, you can emulate their behavior by using the printf function.

For example:

printf("rax: %llx , rbx: %llx, rcx: %llx, rdx: %llx", @rax, @rbx, @rcx, @rdx); 

And so on...

If you want to know the content registers after the execution of CPUID instruction, you need to use the 'Event calling stage' mechanism.

Please take a look at the explanation available here:
https://docs.hyperdbg.org/tips-and-tricks/misc/event-calling-stage

In short, all you need to do is specify the calling stage on your '!cpuid' command:

!cpuid stage post script {
printf("rax: %llx , rbx: %llx, rcx: %llx, rdx: %llx", @rax, @rbx, @rcx, @rdx); 
}

For more information, take a look at Example 2:
https://docs.hyperdbg.org/tips-and-tricks/misc/event-calling-stage#example-2

Also, another video that might be helpful for your case:
https://www.youtube.com/watch?v=H4lrb5x64Ws&t=3s

Please let me know if you have any other questions.

[xxA1eksandrxx]

can the hypervisor change the register value "tsc" or is it necessary to change the value on the "fly" (tsc - time)

[SinaKarvandi]

It's possible to change the value of TSC (RDTSC/RDTSCP) but changing these values will make your system unstable and it's kinda tricky to change since the timing needs to be accurate but yes, you can easily change the value of registers in case the '!tsc' command.

More information:
https://research.hyperdbg.org/assets/documents/vm-exit-transparency.pdf

[xxA1eksandrxx]

!hide automatically change the value of registers after RDTSC?

[SinaKarvandi]

Yes, but the current implementation might make the system unstable. We might need to re-design this feature in the future.

[xxA1eksandrxx]

using a script !cpuid {file: .../script.txt }, global parameters are saved when calling this script in !cpuid?

[SinaKarvandi]

using a script !cpuid {file: .../script.txt }, global parameters are saved when calling this script in !cpuid?

What do you mean by 'global parameter'? Global variables?

[xxA1eksandrxx]

https://docs.hyperdbg.org/commands/scripting-language/variables-and-assignments - global variables assignment
if using ".my_variable = 0" in my script.txt (!cpuid {file: .../script.txt } ), then next call script.txt ".my_variable = 0" is save?

[SinaKarvandi]

Yes, as long as you use a dot '.' in your variable it will remain unchanged in all commands (including scripts and event scripts) until you unload HyperDbg. Once you unload HyperDbg, global variables will be removed.

Also please keep in mind that if your event is running the same script simultaneously in multiple cores, you might end up with incorrect values (behavior). Usually, those who use global variables in HyperDbg, also use spinlocks and interlocked functions alongside.

Example 1:
https://docs.hyperdbg.org/commands/scripting-language/examples/access-to-a-shared-variable-from-different-cores

Example 2:
https://docs.hyperdbg.org/commands/scripting-language/examples/count-occurrences-of-events

More information:
https://docs.hyperdbg.org/commands/scripting-language/functions/interlocked
and:
https://docs.hyperdbg.org/commands/scripting-language/functions/spinlocks

[xxA1eksandrxx]

thanks for the answer, I'm checking)

[xxA1eksandrxx]

how to use !hide for ring 0 (kernel driver)?

[xxA1eksandrxx]

.my_variable = 100;
if (@rip > fffff804d4bb99aa-11089AA && @rip < fffff804d4bb99aa+384656 )
{
printf("RDTSC : %p %p %p\n", @RDX, @Rax, @rip);
.my_variable = .my_variable-1;
printf("RDTSC : %p\n", .my_variable);
}

it`s my script with global variable, but his not working (the variable does not change )

[SinaKarvandi]

how to use !hide for ring 0 (kernel driver)?

You need to modify the following lines to check for your kernel driver and then compile your customized version of HyperDbg:

HyperDbg/hyperdbg/hprdbghv/code/transparency/Transparency.c

Line 521 in 78b01b3

// Check for process id and process name, if not match then we don't emulate it

[SinaKarvandi]

.my_variable = 100; if (@rip > fffff804d4bb99aa-11089AA && @rip < fffff804d4bb99aa+384656 ) { printf("RDTSC : %p %p %p\n", @RDX, @Rax, @rip); .my_variable = .my_variable-1; printf("RDTSC : %p\n", .my_variable); }

it`s my script with global variable, but his not working (the variable does not change )

Are you assigning .my_variable = 100; each time? If yes, then each time you run the script, it'll be reassigned to 100.

[xxA1eksandrxx]

Как использовать !hide для кольца 0 (драйвер ядра)?

Вам нужно изменить следующие строки, чтобы проверить наличие драйвера ядра, а затем скомпилировать свою пользовательскую версию HyperDbg:

HyperDbg/hyperdbg/hprdbghv/code/transparency/Transparency.c

Line 521 in 78b01b3

// Check for process id and process name, if not match then we don't emulate it

[xxA1eksandrxx]

what is the point hwdbg if there is a qemu? (sorry about the topic here)

[SinaKarvandi]

hwdbg is designed to debug hardware chips (FPGAs), not Windows, Linux, or any operating system.

[xxA1eksandrxx]

hwdbg предназначен для отладки аппаратных микросхем (FPGA), а не Windows, Linux или любой другой операционной системы.

is this an FPGA simulator?

[SinaKarvandi]

hwdbg предназначен для отладки аппаратных микросхем (FPGA), а не Windows, Linux или любой другой операционной системы.

is this an FPGA simulator?

Nope, it generates a synthesizable Verilog (SystemVerilog) code to run on FPGAs.

[xxA1eksandrxx]

hwdbg предназначен для отладки аппаратных микросхем (FPGA), а не Windows, Linux или любой другой операционной системы.

это симулятор ПЛИС?

Нет, он генерирует синтезируемый код Verilog (SystemVerilog) для запуска на FPGA.

when will it be possible to test?

[SinaKarvandi]

It will probably be in July or August if everything goes well.

[xxA1eksandrxx]

0: kHyperDbg> ? .my_variable = @Rax
Line 0:
.my_variable = @Rax
^
Syntax Error: Invalid Syntax

What am I doing wrong?

[SinaKarvandi]

You need to add a semicolon to the end of your assignment:

? .my_variable = @rax;

[xxA1eksandrxx]

? .my=@Rax; then script.txt @Rax = .my + 1000; but @Rax It doesn't change ... script.txt run in !tsc stage port script {file:...}

[SinaKarvandi]

? .my=@Rax; then script.txt @Rax = .my + 1000; but @Rax It doesn't change ... script.txt run in !tsc stage port script {file:...}

Could you post your full (!tsc) command? I couldn't quite understand the question. 🤨

[xxA1eksandrxx]

? .my=; тогда script.txt = .my + 1000; но Это не меняется... script.txt запускается в !tsc stage port script {file:...}

Не могли бы вы опубликовать свою полную (!tsc) команду? Я не совсем понял вопрос. 🤨

1: kHyperDbg> ? .my=@Rax;

then
script.txt:
if (@Rax!=0 ){
@Rax = .my + 1000;
printf("new RDTSC : %p\n", @Rax);
}

then
!tsc stage post script {file:C:\Users\Test\Documents\Virtual Machines\Windows 10 x64\release\1.txt}

result
1: kHyperDbg> g
debuggee is running...
new RDTSC : FFFFF804E6E1A9AA
new RDTSC : FFFFF804E6E1A9AA
new RDTSC : FFFFF804E6E1A9AA
new RDTSC : FFFFF804E6E1A9AA

[SinaKarvandi]

? .my=@rax;
The above statement only assigns for one time. Like next time the @Rax is changed, it won't influence the value of .my.

I think what you need is something like this:

!tsc stage post script {
    if (@rax != 0){
    @rax = @rax + 1000;
    printf("new RDTSC : %p\n", @rax);
    }
}

Please note that if you use a global variable, then it might change from different cores simultaneously. In these cases you need to use a local variable (local to the current core).

? my_local_variable = 0;
Not starting with a '.' which is a global variable:

? .my_global_variable = 0;

Please take a look at:
https://docs.hyperdbg.org/commands/scripting-language/variables-and-assignments

[xxA1eksandrxx]

? .my=@rax; Приведенная выше инструкция присваивается только один раз. Как и в следующий раз, когда перемена будет изменена, это не повлияет на значение ..my

Я думаю, что вам нужно что-то вроде этого:

!tsc stage post script {
    if (@rax != 0){
    @rax = @rax + 1000;
    printf("new RDTSC : %p\n", @rax);
    }
}

Обратите внимание, что если вы используете глобальную переменную, то она может изменяться из разных ядер одновременно. В этих случаях необходимо использовать локальную переменную (локальную для текущего ядра).

? my_local_variable = 0; Не начинаясь с '., которая является глобальной переменной:

? .my_global_variable = 0;

Пожалуйста, взгляните на: https://docs.hyperdbg.org/commands/scripting-language/variables-and-assignments

I need to store register values in a variable and by calling the script assign a new register value to the variable

[xxA1eksandrxx]

in fact this is little bypass rdtsc check

[SinaKarvandi]

I need to store register values in a variable and by calling the script assign a new register value to the variable

So, for this, you don't need a global variable, you just need a local variable. But this is exactly what the !hide command does. Why don't you use this command instead?

[xxA1eksandrxx]

Мне нужно сохранить значения регистров в переменной и, вызвав скрипт, присвоить переменной новое значение регистра

Таким образом, для этого вам не нужна глобальная переменная, вам нужна только локальная переменная. Но это именно то, что делает команда. Почему бы вам не использовать эту команду?!hide

yes, that's right, I'm debugging the ring0 code. and there is no regular option to specify the driver's memory area in the command !hide.

[SinaKarvandi]

yes, that's right, I'm debugging the ring0 code. and there is no regular option to specify the driver's memory area in the command !hide.

Yes, in this case, you just need to modify the following check, in HyperDbg (e.g. add a check for your special driver address based on its RIP register) and recompile HyperDbg:

HyperDbg/hyperdbg/hprdbghv/code/transparency/Transparency.c

Line 521 in 78b01b3

// Check for process id and process name, if not match then we don't emulate it

[xxA1eksandrxx]

yes, that's right, I'm debugging the ring0 code. and there is no regular option to specify the driver's memory area in the command !hide.

Yes, in this case, you just need to modify the following check, in HyperDbg (e.g. add a check for your special driver address based on its RIP register) and recompile HyperDbg:

HyperDbg/hyperdbg/hprdbghv/code/transparency/Transparency.c

Line 521 in 78b01b3

// Check for process id and process name, if not match then we don't emulate it

Thank you! it is very cool. but I ran into another problem
Debug Sinlge step... after tsc call exception - Debug Exception (#DB) w/ TF (https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html#debug-exception-db-w-tf)(https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html)
the hypervisor goes to debugging step by step and does not exit:
tsc : FFFFF80507FBE726
tsc : FFFFF80507F99953
fffff805`07f99956 68 93 F2 0F 9E push 0xFFFFFFFF9E0FF293
are there any settings for the hypervisor in this case?

[SinaKarvandi]

I'm not sure if I quite understand it correctly. 🤨

What do you mean by #DB after tsc? You mean single-stepping through the RDTSC/RDTSCP?

[xxA1eksandrxx]

Я не уверен, что понимаю это правильно. 🤨

Что вы имеете в виду под #DB после tsc? Вы имеете в виду одношаговое прохождение RDTSC/RDTSCP?

does the hypervisor handle single step exceptions correctly? https://howtohypervise.blogspot.com/2019/01/a-common-missight-in-most-hypervisors.html

[SinaKarvandi]

This is a good point, I'll try to fix it. Thank you for mentioning it

[xxA1eksandrxx]

Это хороший момент, постараюсь исправить. Спасибо, что упомянули об этом

your product is great, it's strange that it's free

[SinaKarvandi]

Это хороший момент, постараюсь исправить. Спасибо, что упомянули об этом

your product is great, it's strange that it's free

HyperDbg needs a lot of effort from the community, because of this, it's free and available to everyone.

[xxA1eksandrxx]

This is a good point, I'll try to fix it. Thank you for mentioning it

and when will it appear approximately fix?

[SinaKarvandi]

This is a good point, I'll try to fix it. Thank you for mentioning it

and when will it appear approximately fix?

I try to fix it this month with the v0.9 release. You could also fix it and send a PR. Contributing to HyperDbg is always super appreciated.

[xxA1eksandrxx]

This is a good point, I'll try to fix it. Thank you for mentioning it

and when will it appear approximately fix?

I try to fix it this month with the v0.9 release. You could also fix it and send a PR. Contributing to HyperDbg is always super appreciated.

having no experience in hypervisor development, this may take time... tell me, where is the exception handling in your hypervisor?

[SinaKarvandi]

So, in that case, let me fix it. It probably needs lots of tests to make sure it won't break other functionalities.

[SinaKarvandi]

I encountered this issue, but resolving it is not straightforward. A quick fix could potentially disrupt the functionality of the stepper, necessitating additional testing. Therefore, I've deferred this task to future versions (not v0.9).

[xxA1eksandrxx]

Я столкнулся с этой проблемой, но решить ее непросто. Быстрое исправление потенциально может нарушить функциональность степпера, что потребует дополнительного тестирования. Поэтому я отложил эту задачу до будущих версий (не v0.9).

what is a quick solution?

[SinaKarvandi]

A quick solution is to change the cpuid vm-exit handler and synchronize it with the stepping mechanism.

[xxA1eksandrxx]

A quick solution is to change the cpuid vm-exit handler and synchronize it with the stepping mechanism.

I would like to get a better understanding of the work of the hypervisor, do you have any other contacts? thank you

[SinaKarvandi]

You can also join the telegram group t.me/hyperdbg , we discuss HyperDbg at the Telegram group too.