HyperDbg Documentation
HyperDbgDownloadSource codeBlog
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
# (comment in batch scripts)
? (evaluate and execute expressions and scripts in debuggee)
~ (display and change the current operating core)
load (load the kernel modules)
unload (unload the kernel modules)
status (show the debuggee status)
events (show and modify active/disabled events)
p (step-over)
t (step-in)
i (instrumentation step-in)
r (read or modify registers)
bp (set breakpoint)
bl (list breakpoints)
be (enable breakpoints)
bd (disable breakpoints)
bc (clear and remove breakpoints)
g (continue debuggee or processing kernel packets)
x (examine symbols and find functions and variables address)
db, dc, dd, dq (read virtual memory)
eb, ed, eq (edit virtual memory)
sb, sd, sq (search virtual memory)
u, u2 (disassemble virtual address)
sleep (wait for specific time in the .script command)
pause (break to the debugger and pause processing kernel packets)
print (evaluate and print expression in debuggee)
lm (view loaded modules)
cpu (check cpu supported technologies)
rdmsr (read model-specific register)
wrmsr (write model-specific register)
flush (remove pending kernel buffers and messages)
prealloc (reserve pre-allocated pools)
output (create output source for event forwarding)
test (test functionalities)
settings (configures different options and preferences)
exit (exit from the debugger)
Meta Commands
Extension Commands
Scripting Language
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Script Engine
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
eb, ed, eq (edit virtual memory)
Description of 'e*' command in HyperDbg.

Command

eb : edit memory as Byte values
ed : edit memory as Double-word values (4 bytes)
eq : edit memory as Quad-word values (8 bytes)

Syntax

eb [address] [new value (hex)] pid [process id (hex)]
ed [address] [new value (hex)] pid [process id (hex)]
eq [address] [new value (hex)] pid [process id (hex)]

Description

Edits the virtual address memory contents.

Parameters

[Address]
The virtual address of where we want to edit its memory.
[new value (hex)]
The new contents in hex format.
pid [process id] (optional)
The process ID in the hex format that we want to see the memory from its context (cr3).
If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory.
In the Debugger Mode, the pid (parameter) is ignored. If you want to view another process memory, use the '.process' command to switch to another process memory layout.

Examples

The following command is used when we want to edit the content of memory at nt!Kd_DEFAULT_Mask in a hex byte form and change it to 0xff 0xff 0xff 0xff(modify four bytes).
1
HyperDbg> eb nt!Kd_DEFAULT_Mask ff ff ff ff
Copied!
The following command is used when we want to edit the content of memory at [email protected]+10 in a hex byte form and change it to 0xff 0xff 0xff 0xff(modify four bytes).
1
HyperDbg> eb [email protected]+10 ff ff ff ff
Copied!
The following command is used when we want to edit the content of memory at fffff800`3ad6f010 in a hex byte form and change it to 0x90 0x90 0x90 (modify three bytes).
1
HyperDbg> eb fffff800`3ad6f010 90 90 90
Copied!
The following example is used when we want to edit the contents of memory at fffff800`3ad6f010 in Double-word values (4 bytes), change it to 245C8948 .
1
HyperDbg> ed fffff800`3ad6f010 245C8948
Copied!
The following example is used when we want to edit the contents of memory at fffff800`3ad6f010 in Quad-word values (8 bytes), change it to 88889898`85858686 and92929393`97979898 (16 bytes).
1
0: kHyperDbg> dq fffff800`3ad6f010 88889898`85858686 92929393`97979898
Copied!

IOCTL

This function works by calling DeviceIoControl with IOCTL = IOCTL_DEBUGGER_EDIT_MEMORY, you have to send it in the following structure.
1
typedef struct _DEBUGGER_EDIT_MEMORY {
2
​
3
UINT32 Result; // Result from kernel
4
UINT64 Address; // Target adddress to modify
5
UINT32 ProcessId; // specifies the process id
6
DEBUGGER_EDIT_MEMORY_TYPE MemoryType; // Type of memory
7
DEBUGGER_EDIT_MEMORY_BYTE_SIZE ByteSize; // Modification size
8
UINT32 CountOf64Chunks;
9
UINT32 FinalStructureSize;
10
​
11
} DEBUGGER_EDIT_MEMORY, *PDEBUGGER_EDIT_MEMORY;
Copied!
The Result will be filled by the kernel-mode driver when it returns from the kernel and shows whether the editing was successful or not. The following results can come from the kernel:
1
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_PARAMETER 0xc000000b
2
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_CURRENT_PROCESS \
3
0xc000000c
4
#define DEBUGGER_ERROR_EDIT_MEMORY_STATUS_INVALID_ADDRESS_BASED_ON_OTHER_PROCESS \
5
0xc000000d
Copied!
The Address is where we want to modify, and it can be both a physical address or a virtual address.
ProcessId is the process that we want to modify based on its memory layout (cr3), it can't be null or zero.
MemoryType shows whether the Address is a physical address or a virtual address.
You can see its values in the following enum :
1
typedef enum _DEBUGGER_EDIT_MEMORY_TYPE {
2
EDIT_PHYSICAL_MEMORY,
3
EDIT_VIRTUAL_MEMORY
4
} DEBUGGER_EDIT_MEMORY_TYPE;
Copied!
ByteSize shows whether we want to modify the target Address in a byte, dword, or qword format.
1
typedef enum _DEBUGGER_EDIT_MEMORY_BYTE_SIZE {
2
EDIT_BYTE,
3
EDIT_DWORD,
4
EDIT_QWORD
5
} DEBUGGER_EDIT_MEMORY_BYTE_SIZE;
Copied!
The above structure is added on top of an array of 64-bit values, which is the new content to the memory.
For example, if you want to change the memory address of the target to 0x90 0x90 then you should provide an array of 0x0000000000000090 and 0x0000000000000090 and append it to the end of the above structure. The count of these chunks is stored at CountOf64Chunks in the above structure and the final buffer that will be sent into the kernel has a size of FinalStructureSize bytes.
In the debugger-mode, HyperDbg uses the exact same structure, you should send the above structure over serial to the debuggee which is paused in vmx-root mode.
You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_EDIT_MEMORY as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.
In return, the debuggee sends the above structure with the following type.
1
DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_EDITING_MEMORY
Copied!
The following function is responsible for sending editing memory in the debugger.
1
BOOLEAN KdSendEditMemoryPacketToDebuggee(PDEBUGGER_EDIT_MEMORY EditMem);
Copied!

Remarks

  • You can change as many bytes as you need in byte, dword, and qword formats; just add new values to the end of the command.
If you change the memory address that you previously set a breakpoint using the 'bp' command, the previous value is replaced when you remove the breakpoint.
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None
Previous
db, dc, dd, dq (read virtual memory)
Next
sb, sd, sq (search virtual memory)
Last modified 3mo ago
Copy link
Edit on GitHub
Contents
Command
Syntax
Description
Parameters
Examples
IOCTL
Remarks
Requirements
Related