a (assemble virtual address)

Description of the 'a' command in HyperDbg.

Command

a

Syntax

a [Address (hex)] [asm {AsmCmd1; AsmCmd2}] [pid ProcessId (hex)]

Description

Assembles (shows HEX byte codes) or puts the resulting instruction codes into the (virtual) memory.

Parameters

[Address (hex)] (optional)

The virtual address of where we want to start putting resulting codes into its memory.

If the Address is empty, you can use it to only assemble instructions without modifying the memory.

[asm {AsmCmd1; AsmCmd2}]

The target assembly codes.

[pid ProcessId (hex)] (optional)

The Process ID that's in the hex format is what we want to put the memory to its context (cr3).

If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory.

Examples

If you just want to view the result of assembly (byte codes in HEX) without modifying the memory, the following command can be used.

HyperDbg> a { nop; xor rax, rax; nop }
warning, no start address provided to calculate relative asm commands

generated assembly: 5 bytes, 3 statements ==>>  nop; xor rax, rax; nop  = 90 48 31 c0 90

The following command is used when we want to assemble assembly codes and put the resulting bytes into the target memory at fffff800`3ad6f010 .

HyperDbg> a fffff800`3ad6f010 { nop; nop; nop }
generated assembly: 3 bytes, 3 statements ==>>  nop; nop; nop  = 90 90 90
successfully assembled at 0xfffff8003ad6f010 address

The following command is used when we want to assemble assembly codes and put the resulting bytes into the target memory at nt!ExAllocatePoolWithTag .

2: kHyperDbg> a nt!ExAllocatePoolWithTag { nop; nop; nop }
generated assembly: 3 bytes, 3 statements ==>>  nop; nop; nop  = 90 90 90
successfully assembled at 0xfffff804136acc80 address

The following command is used when we want to assemble assembly codes and put the resulting bytes into the target memory at nt!ExAllocatePoolWithTag+5 .

2: kHyperDbg> a nt!ExAllocatePoolWithTag+5 { nop; nop; nop }
generated assembly: 3 bytes, 3 statements ==>>  nop; nop; nop  = 90 90 90
successfully assembled at 0xfffff804136acc85 address

You can also write multiple lines of assembly codes and use function names in your assembly:

2: kHyperDbg> a nt!ExAllocatePoolWithTag {
>       add DWORD PTR [<nt!ExAllocatePoolWithTag+10+@rax>], 99;
>       nop;
>       nop
>       }
generated assembly: 12 bytes, 3 statements ==>>         add DWORD PTR [0xfffff804138cecd4], 99; nop;    nop      = 81 05 4a 20 22 00 99 00 00 00 90 90
successfully assembled at 0xfffff804136acc80 address

IOCTL

None

Remarks

By default, HyperDbg converts addresses to the object names (if the symbol for that address is available). If you want to see the address in hex format, you can turn addressconversion to off using the 'settings' command.
To view the byte code of an assembly snippet, you can use the following command (StartAddress is useful when dealing with relative instructions like JMP).

 a {jmp <nt!ExAllocatePoolWithTag+10>} [StartAddress]

HyperDbg uses keystone as its core assembler.

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Keystone

!a (assemble physical address)

u, u64, u2, u32 (disassemble virtual address)

!u, !u64, !u2, !u32 (disassemble physical address)

Previous~ (display and change the current operating core)Nextload (load the kernel modules)

Last updated 4 months ago