a (assemble virtual address)

Command

a

Syntax

a [Address (hex)] [asm {AsmCmd1; AsmCmd2}] [pid ProcessId (hex)]

Description

Assembles (shows HEX byte codes) or puts the resulting instruction codes into the (virtual) memory.

Parameters

[Address (hex)] (optional)

The virtual address of where we want to start putting resulting codes into its memory.

[asm {AsmCmd1; AsmCmd2}]

The target assembly codes.

[pid ProcessId (hex)] (optional)

The Process ID that's in the hex format is what we want to put the memory to its context (cr3).

Examples

If you just want to view the result of assembly (byte codes in HEX) without modifying the memory, the following command can be used.

HyperDbg> a { nop; xor rax, rax; nop }
warning, no start address provided to calculate relative asm commands

generated assembly: 5 bytes, 3 statements ==>>  nop; xor rax, rax; nop  = 90 48 31 c0 90

The following command is used when we want to assemble assembly codes and put the resulting bytes into the target memory at fffff800`3ad6f010 .

HyperDbg> a fffff800`3ad6f010 { nop; nop; nop }
generated assembly: 3 bytes, 3 statements ==>>  nop; nop; nop  = 90 90 90
successfully assembled at 0xfffff8003ad6f010 address

The following command is used when we want to assemble assembly codes and put the resulting bytes into the target memory at nt!ExAllocatePoolWithTag .

2: kHyperDbg> a nt!ExAllocatePoolWithTag { nop; nop; nop }
generated assembly: 3 bytes, 3 statements ==>>  nop; nop; nop  = 90 90 90
successfully assembled at 0xfffff804136acc80 address

The following command is used when we want to assemble assembly codes and put the resulting bytes into the target memory at nt!ExAllocatePoolWithTag+5 .

2: kHyperDbg> a nt!ExAllocatePoolWithTag+5 { nop; nop; nop }
generated assembly: 3 bytes, 3 statements ==>>  nop; nop; nop  = 90 90 90
successfully assembled at 0xfffff804136acc85 address

You can also write multiple lines of assembly codes and use function names in your assembly:

2: kHyperDbg> a nt!ExAllocatePoolWithTag {
>       add DWORD PTR [<nt!ExAllocatePoolWithTag+10+@rax>], 99;
>       nop;
>       nop
>       }
generated assembly: 12 bytes, 3 statements ==>>         add DWORD PTR [0xfffff804138cecd4], 99; nop;    nop      = 81 05 4a 20 22 00 99 00 00 00 90 90
successfully assembled at 0xfffff804136acc80 address

SDK

To assemble a buffer, you need to use the following function in libhyperdbg:

BOOLEAN
hyperdbg_u_assemble(const CHAR * assembly_code, UINT64 start_address, PVOID buffer_to_store_assembled_data, UINT32 buffer_size);

To get the length of the assembly code, you need to use the following function in libhyperdbg:

BOOLEAN
hyperdbg_u_assemble_get_length(const CHAR * assembly_code, UINT64 start_address, UINT32 * length);

Remarks

• To view the byte code of an assembly snippet, you can use the following command (StartAddress is useful when dealing with relative instructions like JMP).

 a {jmp <nt!ExAllocatePoolWithTag+10>} [StartAddress]

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Related