HyperDbg Documentation
HyperDbgResearchDownloadSource code
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
# (comment in batch scripts)
? (evaluate and execute expressions and scripts in debuggee)
~ (display and change the current operating core)
load (load the kernel modules)
unload (unload the kernel modules)
status (show the debuggee status)
events (show and modify active/disabled events)
p (step-over)
t (step-in)
i (instrumentation step-in)
r (read or modify registers)
bp (set breakpoint)
bl (list breakpoints)
be (enable breakpoints)
bd (disable breakpoints)
bc (clear and remove breakpoints)
g (continue debuggee or processing kernel packets)
x (examine symbols and find functions and variables address)
db, dc, dd, dq (read virtual memory)
eb, ed, eq (edit virtual memory)
sb, sd, sq (search virtual memory)
u, u2 (disassemble virtual address)
k, kd, kq (display stack backtrace)
dt (display and map virtual memory to structures)
struct (make structures, enums, data types from symbols)
sleep (wait for specific time in the .script command)
pause (break to the debugger and pause processing kernel packets)
print (evaluate and print expression in debuggee)
lm (view loaded modules)
cpu (check cpu supported technologies)
rdmsr (read model-specific register)
wrmsr (write model-specific register)
flush (remove pending kernel buffers and messages)
prealloc (reserve pre-allocated pools)
output (create output source for event forwarding)
test (test functionalities)
settings (configures different options and preferences)
exit (exit from the debugger)
Meta Commands
Extension Commands
Scripting Language
Commands Map
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
bp (set breakpoint)
Description of the 'bp' command in HyperDbg.

bp

bp [Address (hex)] [pid ProcessId (hex)] [tid ThreadId (hex)] [core CoreId (hex)]

Puts a breakpoint (0xcc) on the target function in user-mode and kernel-mode.
In HyperDbg, the 'bp' breakpoints are NOT events. If you want to use breakpoint in an event-like form (e.g., if you want to create logs using script-engine), you should use !epthook command instead.
If you use the 'bp' command, HyperDbg won't hide your breakpoint for the applications that read the memory. The only reason to use 'bp' instead of !epthook is that 'bp' is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution. However, the in !epthook the guest will be continued for some time, and you lose the current context.

[Address (hex)]
The Virtual address of where we want to put a breakpoint.
[pid ProcessId (hex)] [tid ThreadId (hex)] [core CoreId (hex)] (optional)
Optional value to trigger breakpoint in just one special process or one special thread, or one special core. Add pid xx to your command or tid yy or core zz; thus, the command will be executed if the process id is equal to xx or the thread id is equal to yy or the core is equal to zz . If you don't specify these options, then by default, you receive breakpoints on all conditions. See the Remarks section for more information about pid.

As the Context, HyperDbg sends the virtual address of where the breakpoint is triggered (RIP of the triggered breakpoint).

If you want to put breakpoints on nt!ExAllocatePoolWithTag, nt!ExAllocatePoolWithTag+5,[email protected]+5, fffff801639b1035, fffff801639b103a, and fffff801639b103f, you can use the following commands.
0: kHyperDbg> bp nt!ExAllocatePoolWithTag
0: kHyperDbg> bp nt!ExAllocatePoolWithTag+5
0: kHyperDbg> bp [email protected]+5
0: kHyperDbg> bp fffff801`639b1035
0: kHyperDbg> bp fffff801`639b103a
0: kHyperDbg> bp fffff801`639b103f
After that, you can see a list of active breakpoints using the 'bl' command.
HyperDbg> bl
id address status
-- --------------- --------
01 fffff801639b1030 enabled
02 fffff801639b1035 enabled
03 fffff801639b1040 enabled
04 fffff801639b1035 enabled
05 fffff801639b103a enabled
06 fffff801639b103f enabled

This commands works over serial by sending the serial packets to the remote computer.
First of all, you should fill the following structure, set the Address to your target virtual address that you want to put a breakpoint on it, and fill Pid to your special process id, and/or Tid to your special thread id, and/or Core to your special core.
typedef struct _DEBUGGEE_BP_PACKET {
​
UINT64 Address;
UINT32 Pid;
UINT32 Tid;
UINT32 Core;
UINT32 Result;
​
} DEBUGGEE_BP_PACKET, *PDEBUGGEE_BP_PACKET;
If you want your breakpoint to be triggered for all processes, threads, and cores, then choose DEBUGGEE_BP_APPLY_TO_ALL_PROCESSES, DEBUGGEE_BP_APPLY_TO_ALL_THREADS, DEBUGGEE_BP_APPLY_TO_ALL_CORES.
The next step is sending the above structure to the debuggee when debuggee is paused and waiting for new command on vmx-root mode.
You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_BP as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.
In return, the debuggee sends the above structure with the following type.
DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_BP
In the returned structure, the Result is filled by the kernel.
If the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the operation was successful. Otherwise, the returned result is an error.
The following function is responsible for sending breakpoint buffers in the debugger.
BOOLEAN KdSendBpPacketToDebuggee(PDEBUGGEE_BP_PACKET BpPacket);

In this command, pid xx does not mean that we will change the layout to a new process, it means that the address should be available in the current process layout but will be triggered only on the process with process id equal to xx, you can use the '.process' command to switch to a new process if you want to put a breakpoint on the layout of another process.
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

None
​bl (list breakpoints)​
​be (enable breakpoints)​
​bd (disable breakpoints)​
Previous
r (read or modify registers)
Next
bl (list breakpoints)
Last modified 5mo ago
Copy link
Edit on GitHub
On this page
Command
Syntax
Description
Parameters
Context
Examples
IOCTL
Remarks
Requirements
Related