Releases: HyperDbg/HyperDbg

v0.18.1

09 Apr 15:40

HyperDbg v0.18.1 is released!

If you’re enjoying HyperDbg, don’t forget to give a star 🌟 on GitHub!

Please visit Build & Install to configure the environment for running HyperDbg. Check out the Quick Start and Frequently Asked Questions (FAQs) to learn more. You can use the examples of using the debugger and the script engine to get started with HyperDbg.

Added

  • Hypertrace now works with HyperDbg VMM (link)
  • Progress on implementing Last Branch Record (LBR) (link)
  • Applying LBR registers on the VMCS instead of the DEBUGCTL MSR (link)

Changed

  • Fix the problem of the '!epthook' not finding the PML1 entry (link)
  • Fix the problem of getting the PML1 entry of the target address on Intel Core Ultra processors (#567) (link)
  • Fix the '.clang-format' formatting error

v0.18

15 Feb 21:36
a6f841c

HyperDbg v0.18 is released!

Added

  • Script engine now supports writing libraries using the '#include' keyword thanks to @xmaple555 (link)(link)(link)
  • Initial code for the hypertrace project, using Intel Last Branch Record (LBR) and Branch Trace Store (BTS), thanks to @harimishal1 (link)
  • The hypertrace project is now linked to the hyperkd
  • Initial efforts to port HyperDbg to Linux have started thanks to @Alish14 (link)

Changed

  • Fix compilation error in Zydis with the new Windows WDK (link)

v0.17

10 Nov 13:58
5462d69

HyperDbg v0.17 is released!

Added

  • Added 1D and 2D arrays (multidimensional arrays) in the script engine (link)(link)
  • Added compound assignments in the script engine (link)(link)
  • Added multiple assignments in the script engine (link)(link)

Changed

  • Fix bugs in interpreting the 'db_pa', 'dd_pa', 'eb_pa', and 'ed_pa' keywords in the script engine (link)(link)
  • Fix variable types in the script engine (link)
  • Fix and update array index for boolean expressions in the script engine (link)

v0.16

07 Sep 22:16
22096da

HyperDbg v0.16 is released!

Added

  • The !xsetbv event command was added for handling the execution of the XSETBV instruction, thanks to HyperDbg group members (link)
  • Display of the number of blocked context switches in the '.switch' command (link)
  • Added support for step-in (the 't' command) in the user debugger (link)
  • Added support for step-over (the 'p' command) in the user debugger (link)
  • Added support to show all registers or a specific register in the user debugger (link)
  • Exported SDK API for running scripts in either the kernel debugger or the user debugger
  • Added support to modify registers or a specific register in the user debugger (link)
  • Added support to evaluate (run) scripts on the target thread in the user debugger (link)
  • Added an indication of a thread's running or paused state to the HyperDbg signature in the user debugger (link)
  • Added support for the '.formats' command in the user debugger (link)
  • Added support for interpreting parameters based on script engine expressions in the user debugger
  • Exported SDK API for evaluating expressions based on the context of the kernel debugger or the user debugger
  • Added a new mechanism for showing the 'printf' and the 'print' function messages in the user debugger (link)(link)

Changed

  • Non-volatile XMM registers are no longer saved/restored on VM-exit handler (link)
  • Fix grammar and spelling errors throughout HyperDbg codebase (link)
  • Relocate extension command files into their corresponding VS directory
  • Fix infinite VM-exit bug for the '!monitor x' command thanks to @unlockable (link)

v0.15

17 Aug 22:39
9bd5ffc

HyperDbg v0.15 is released!

Added

  • Added the '!smi' command for performing operations related to System Management Interrupt (SMI) (link)
  • Export the SDK functions for SMI operations (link)
  • Check for Intel CET IBT (indirect branch tracking) support
  • Check for Intel CET shadow stack support
  • Added support to Intel CET for SYSCALL/SYSRET emulation (link)(link)

Changed

  • The 'hyperhv' project now has build optimizations enabled
  • Reformat VMXOFF restoring routines to restore general-purpose and XMM registers correctly before moving to the previous stack
  • Fix unloading (VMXOFF) crash when restoring XMM registers
  • Fix the problem with restoring XMM registers (#468) (link)
  • Enhanced the '.pe' command to support PE Rich Headers thanks to @Alish14 (link)
  • Updated ia32-doc to fix VMCS PL3 SSP fields (link)
  • Fix the process termination issue of the '!syscall/!sysret' commands on 11th generation (Rocket Lake/Tiger Lake) and newer Intel processors (link)
  • Reenable the support for the '.start' command in the Debugger mode (link)
  • The '!mode' event command is now compatible with different EPT hook commands (e.g., !epthook, !epthook2, !monitor, .start, and .restart) (link)
  • The '!mode' command doesn't need to allocate extra EPTPs (link)

v0.14.1

27 Jul 17:37
5d8d3ca

HyperDbg v0.14 is released!

Changed

  • Restored the previous optimization on the release builds
  • Fixed the issue of not properly restoring registers after the 'CPUID' instruction
  • Fixed the building issues of the user debugger with the 'bp' and the '.start' commands

v0.14

23 Jul 16:39
798f90b

HyperDbg v0.14 is released!

Note: We temporarily disabled the optimization of the release builds due to a Visual Studio (MSVC) optimization bug. Check this tweet for more information.

Added

  • microsleep(microseconds) function in the script engine (link)
  • rdtsc() and rdtscp() functions in the script engine (link)(link)
  • Added functions to get system-call number from the running system (link)
  • Added the support for the '.start' command in the VMI mode (link)
  • Added a new mechanism for finding the system-call number based on the running system (link)
  • Added hyperevade transparency project (link)
  • Added support for the '.attach' and '.detach' commands in the debugger mode (link)(link)
  • Added support for the '.start' command in the VMI mode for the user debugger (link)
  • Added support for setting breakpoints using the 'bp' command in the VMI mode (link)
  • Added EPT page table support for MMIO addresses above 512 GB

Changed

  • Redesigned the '!mode' extension command without extra EPTP (link)
  • The user mode debugger now uses MBEC for preventing user-mode code execution (link)
  • Apply transparent-mode based on dynamic system-calls (link)
  • Breakpoint initialization is changed from kernel debugger to the regular debugger (link)
  • Fixed the build issue on new Windows SDK for Token structures (link)
  • Fixed retrieving valid watching process IDs for the execution trap and user-mode execution prevention
  • Fixed a driver crash when the hyperlog memory was not properly allocated
  • The target runner image for deploying HyperDbg (CI/CD) changed from Windows Server 2019 to 2022
  • Restored the pid and the process name parameters of the '!hide' command (link)
  • Fixed a Windows crash when using the 'TPAUSE' instruction on bare-metal Windows 11 24h2
  • Check to avoid putting EPT hooks on physical addresses greater than 512 GB

v0.13.2

25 May 22:14
80a434d

HyperDbg v0.13.2 is released!

Added

  • Intercepting system-call return results using the TRAP flag for the transparent-mode
  • Added optional parameters and context for the transparent-mode system-call return interceptions

Changed

  • Set variable length (stack frames) for showing the callstack (link)
  • Fixed VMCS layout corruption due to NMI injection (VMRESUME 0x7 error) in nested-virtualization on Meteor Lake processors
  • Restore RDMSR handler for VM-exits

v0.13.1

13 Apr 23:18
6a1da34

HyperDbg v0.13.1 is released!

Added

  • Added new transparency methods for hiding nested virtualization environments thanks to @CokeTree3 (link)

Changed

  • Fix '.thread' command crash (link)
  • Update .clang-format format file based on the new version of LLVM
  • Update the list of required contributions

v0.13

25 Feb 08:29
1a5c316

HyperDbg v0.13 is released!

Added

  • Added mitigation for the anti-hypervisor method in handling the trap flag for emulated instructions (link)
  • Export the SDK functions for enabling and disabling transparent mode (link)(link)
  • New description of changing script engine constants (link)
  • Added the command for interpreting PCI CAM (PCI configuration space) fields (link)
  • Added the command for dumping PCI CAM (PCI configuration space) memory (link)
  • Checking for and unloading the older version of the driver (if it exists) (link)
  • memcpy_pa() function in the script engine (link)
  • poi_pa, hi_pa, low_pa, db_pa, dd_pa, dw_pa, and dq_pa keywords in the script engine (link)
  • eb_pa, ed_pa, and eq_pa functions in the script engine (link)

Changed

  • Fix the 'lm' command issue of not showing kernel module addresses (KASLR leak mitigation) introduced in Windows 11 24h2 (link)
  • Deprecated TSC mitigation for the transparent mode (link)
  • Changed the parameters of the '!hide' command (link)
  • Changed the parameters of the '!unhide' command (link)
  • Fix handling of the backslash escape character in script strings (link)
  • Fix reading/writing into devices' physical memory (MMIO region) in VMI Mode (link)
  • All test cases for command parsing now pass (link)
  • The '.sympath' command now requires the symbol server path to be within quotes, although it is not mandatory (link)