HyperDbg Documentation
CommunityDownloadResearchTutorialhwdbg
  • HyperDbg
  • Getting Started
    • Quick Start
    • FAQ
    • Build & Install
    • Attach to HyperDbg
      • Attach to a remote machine
      • Attach to local machine
      • Start a new process
      • Attach to a running process
  • Using HyperDbg
    • Prerequisites
      • Operation Modes
      • How to create a condition?
      • How to create an action?
      • Signatures
    • User-mode Debugging
      • Principles
      • Examples
        • basics
        • events
          • Getting Results of a System-call
    • Kernel-mode Debugging
      • Principles
      • Examples
        • beginning
          • Connecting To HyperDbg
          • Configuring Symbol Server/Path
        • basics
          • Setting Breakpoints & Stepping Instructions
          • Displaying & Editing & Searching Memory
          • Showing & Modifying Registers and Flags
          • Switching to a Specific Process or Thread
          • Mapping Data & Create Structures, and Enums From Symbols
        • events
          • Managing Events
          • Hooking Any Function
          • Intercepting All SYSCALLs
          • Monitoring Accesses To Structures
          • Triggering Special Instructions
          • Identifying System Behavior
        • Scripting Language Examples
    • Software Development Kit (SDK)
      • Events
        • Conditions
        • Actions
      • IOCTL
        • Event Registration
  • Commands
    • Debugging Commands
      • ? (evaluate and execute expressions and scripts in debuggee)
      • ~ (display and change the current operating core)
      • a (assemble virtual address)
      • load (load the kernel modules)
      • unload (unload the kernel modules)
      • status (show the debuggee status)
      • events (show and modify active/disabled events)
      • p (step-over)
      • t (step-in)
      • i (instrumentation step-in)
      • gu (step-out or go up)
      • r (read or modify registers)
      • bp (set breakpoint)
      • bl (list breakpoints)
      • be (enable breakpoints)
      • bd (disable breakpoints)
      • bc (clear and remove breakpoints)
      • g (continue debuggee or processing kernel packets)
      • x (examine symbols and find functions and variables address)
      • db, dc, dd, dq (read virtual memory)
      • eb, ed, eq (edit virtual memory)
      • sb, sd, sq (search virtual memory)
      • u, u64, u2, u32 (disassemble virtual address)
      • k, kd, kq (display stack backtrace)
      • dt (display and map virtual memory to structures)
      • struct (make structures, enums, data types from symbols)
      • sleep (wait for specific time in the .script command)
      • pause (break to the debugger and pause processing kernel packets)
      • print (evaluate and print expression in debuggee)
      • lm (view loaded modules)
      • cpu (check cpu supported technologies)
      • rdmsr (read model-specific register)
      • wrmsr (write model-specific register)
      • flush (remove pending kernel buffers and messages)
      • prealloc (reserve pre-allocated pools)
      • preactivate (pre-activate special functionalities)
      • output (create output source for event forwarding)
      • test (test functionalities)
      • settings (configures different options and preferences)
      • exit (exit from the debugger)
    • Meta Commands
      • .help (show the help of commands)
      • .debug (prepare and connect to debugger)
      • .connect (connect to a session)
      • .disconnect (disconnect from a session)
      • .listen (listen on a port and wait for the debugger to connect)
      • .status (show the debugger status)
      • .start (start a new process)
      • .restart (restart the process)
      • .attach (attach to a process)
      • .detach (detach from the process)
      • .switch (show the list and switch between active debugging processes)
      • .kill (terminate the process)
      • .process, .process2 (show the current process and switch to another process)
      • .thread, .thread2 (show the current thread and switch to another thread)
      • .pagein (bring the page into the RAM)
      • .dump (save the virtual memory into a file)
      • .formats (show number formats)
      • .script (run batch script commands)
      • .sympath (set the symbol server)
      • .sym (load pdb symbols)
      • .pe (parse PE file)
      • .logopen (open log file)
      • .logclose (close log file)
      • .cls (clear the screen)
    • Extension Commands
      • !a (assemble physical address)
      • !pte (display page-level address and entries)
      • !db, !dc, !dd, !dq (read physical memory)
      • !eb, !ed, !eq (edit physical memory)
      • !sb, !sd, !sq (search physical memory)
      • !u, !u64, !u2, !u32 (disassemble physical address)
      • !dt (display and map physical memory to structures)
      • !track (track and map function calls and returns to the symbols)
      • !epthook (hidden hook with EPT - stealth breakpoints)
      • !epthook2 (hidden hook with EPT - detours)
      • !monitor (monitor read/write/execute to a range of memory)
      • !syscall, !syscall2 (hook system-calls)
      • !sysret, !sysret2 (hook SYSRET instruction execution)
      • !mode (detect kernel-to-user and user-to-kernel transitions)
      • !cpuid (hook CPUID instruction execution)
      • !msrread (hook RDMSR instruction execution)
      • !msrwrite (hook WRMSR instruction execution)
      • !tsc (hook RDTSC/RDTSCP instruction execution)
      • !pmc (hook RDPMC instruction execution)
      • !vmcall (hook hypercalls)
      • !exception (hook first 32 entries of IDT)
      • !interrupt (hook external device interrupts)
      • !dr (hook access to debug registers)
      • !ioin (hook IN instruction execution)
      • !ioout (hook OUT instruction execution)
      • !hide (enable transparent-mode)
      • !unhide (disable transparent-mode)
      • !measure (measuring and providing details for transparent-mode)
      • !va2pa (convert a virtual address to physical address)
      • !pa2va (convert physical address to virtual address)
      • !dump (save the physical memory into a file)
      • !pcitree (show PCI/PCIe device tree)
      • !pcicam (dump the PCI/PCIe configuration space)
      • !idt (show Interrupt Descriptor Table entries)
      • !apic (dump local APIC entries in XAPIC and X2APIC modes)
      • !ioapic (dump I/O APIC)
    • Scripting Language
      • Assumptions & Evaluations
      • Variables & Assignments
      • Casting & Type-awareness
      • Conditionals & Loops
      • Constants & Functions
      • Debugger Script (DS)
      • Examples
        • view system state (registers, memory, variables)
        • change system state (registers, memory, variables)
        • trace function calls
        • pause the debugger conditionally
        • conditional breakpoints and events
        • patch the normal sequence of execution
        • access to a shared variable from different cores
        • count occurrences of events
      • Functions
        • debugger
          • pause
        • events
          • event_enable
          • event_disable
          • event_clear
          • event_sc
          • event_inject
          • event_inject_error_code
          • flush
        • exports
          • print
          • printf
        • interlocked
          • interlocked_compare_exchange
          • interlocked_decrement
          • interlocked_exchange
          • interlocked_exchange_add
          • interlocked_increment
        • memory
          • check_address
          • eb, ed, eq
          • eb_pa, ed_pa, eq_pa
          • memcpy
          • memcpy_pa
          • memcmp
          • virtual_to_physical
          • physical_to_virtual
        • diassembler
          • disassemble_len
          • disassemble_len32
        • spinlocks
          • spinlock_lock
          • spinlock_lock_custom_wait
          • spinlock_unlock
        • strings
          • strlen
          • wcslen
          • strcmp
          • strncmp
          • wcscmp
          • wcsncmp
    • Commands Map
  • Tips & Tricks
    • Considerations
      • Basic concepts in Intel VT-x
      • VMX root-mode vs VMX non-root mode
      • The "unsafe" behavior
      • Script engine in VMX non-root mode
      • Difference between process and thread switching commands
      • Accessing Invalid Address
      • Transparent Mode
    • Nested-Virtualization Environments
      • Supported Virtual Machines
      • Run HyperDbg on VMware
      • Run HyperDbg on Hyper-V
      • Supporting VMware/Hyper-V
      • VMware backdoor I/O ports
    • Misc
      • Event forwarding
      • Event short-circuiting
      • Event calling stage
      • Instant events
      • Message overflow
      • Customize build
        • Increase Communication Buffer Size
        • Number of EPT Hooks in One Page
        • Change Script Engine Limitations
      • Enable and disable events in Debugger Mode
      • Switch to New Process Layout
  • Contribution
    • Style Guide
      • Coding style
      • Command style
      • Doxygen style
    • Logo & Artworks
  • Design
    • Features
      • VMM (Module)
        • Control over NMIs
        • VMX root-mode compatible message tracing
        • Design of !epthook
        • Design of !epthook2
        • Design of !monitor
        • Design of !syscall & !sysret
        • Design of !exception & !interrupt
    • Debugger Internals
      • Events
      • Conditions
      • Actions
      • Kernel Debugger
        • Design Perspective
        • Connection
  • Links
    • Twitter
    • Telegram
    • Discord
    • Matrix
    • Mastodon
    • YouTube
    • hwdbg (Chip Debugger)
    • Doxygen
    • Contribution
Powered by GitBook
On this page
  • Command
  • Syntax
  • Description
  • Parameters
  • Examples
  • IOCTL
  • Remarks
  • Requirements
  • Related
Edit on GitHub
  1. Commands
  2. Debugging Commands

lm (view loaded modules)

Description of the 'lm' command in HyperDbg.

Command

lm

Syntax

lm [m Name (string)] [pid ProcessId (hex)] [Filter (string)]

Description

Shows the loaded modules' base address, size, name, full path.

Parameters

[m Name (string)] (optional)

The name or a part of the name that will be searched through all the modules and only those which match will be shown. The search is case-insensitive.

[pid ProcessId (hex)] (optional)

The Process Id of the target process in which the user-mode modules are shown. The process id only makes sense in user-mode modules, and this parameter will be ignored for kernel-mode modules.

By default, when you didn't use the pid parameter, if you are attached to a process in the user-mode debugger, this command shows the user-mode modules of the debuggee process; otherwise, it shows the user-mode modules of the process of HyperDbg.

[Filter (string)] (optional)

Can be one of these values :

km: only shows the kernel-mode modules.

um: only shows the user-mode modules.

Examples

The following command shows all the user-mode and kernel-mode modules.

HyperDbg> lm
user mode
start                   entrypoint              path

....
00007ffd885e0000        00007ffd885f5600        C:\Windows\System32\ADVAPI32.dll
00007ffd86fc0000        00007ffd86fc7850        C:\Windows\System32\msvcrt.dll
00007ffd87df0000        00007ffd87e0cd20        C:\Windows\System32\sechost.dll
00007ffd86e60000        00007ffd86ebdfb0        C:\Windows\System32\RPCRT4.dll
00007ffd88cb0000        00007ffd88cba7a0        C:\Windows\System32\SHLWAPI.dll
00007ffd886a0000        00007ffd886b4300        C:\Windows\System32\WS2_32.dll
...

==============================================================================

kernel mode
start                   size    name                            path

fffff801`63000000       1046000 ntoskrnl.exe                    \SystemRoot\system32\ntoskrnl.exe
fffff801`5fa40000       6000    hal.dll                         \SystemRoot\system32\hal.dll
fffff801`5fab0000       49000   kdnet.dll                       \SystemRoot\system32\kdnet.dll
fffff801`5fa50000       5c000   kd_02_8086.dll                  \SystemRoot\system32\kd_02_8086.dll
...

This command only shows the user-mode modules.

HyperDbg> lm um
user mode
start                   entrypoint              path

...
00007ffd88d50000        0000000000000000        C:\Windows\SYSTEM32\ntdll.dll
00007ffd88860000        00007ffd888770d0        C:\Windows\System32\KERNEL32.DLL
00007ffd865f0000        00007ffd865f92c0        C:\Windows\System32\KERNELBASE.dll
00007ffd83d90000        00007ffd83da0880        C:\Windows\SYSTEM32\apphelp.dll
...

The following command shows the user-mode modules of the process with process id equal to 1240 that contains "kernel" in their path.

HyperDbg> lm um m kernel pid 1240
user mode
start                   entrypoint              path

00007ffd88860000        00007ffd888770d0        C:\Windows\System32\KERNEL32.DLL
00007ffd865f0000        00007ffd865f92c0        C:\Windows\System32\KERNELBASE.dll

The following example shows the kernel-mode modules that contain "nt" in their path or name.

HyperDbg> lm km m nt
kernel mode
start                   size    name                            path

fffff801`63000000       1046000 ntoskrnl.exe                    \SystemRoot\system32\ntoskrnl.exe
fffff801`5f7b0000       28f000  mcupdate_GenuineIntel.dll       \SystemRoot\system32\mcupdate_GenuineIntel.dll
fffff801`65330000       c000    ntosext.sys                     \SystemRoot\System32\drivers\ntosext.sys
fffff801`656a0000       1a000   SgrmAgent.sys                   \SystemRoot\system32\drivers\SgrmAgent.sys
fffff801`657c0000       6b000   intelpep.sys                    \SystemRoot\System32\drivers\intelpep.sys
fffff801`65850000       b000    IntelTA.sys                     \SystemRoot\System32\drivers\IntelTA.sys
fffff801`658a0000       b000    intelide.sys                    \SystemRoot\System32\drivers\intelide.sys
fffff801`65b80000       1e000   mountmgr.sys                    \SystemRoot\System32\drivers\mountmgr.sys
fffff801`65e10000       2d9000  Ntfs.sys                        \SystemRoot\System32\Drivers\Ntfs.sys
fffff801`66640000       7f000   fwpkclnt.sys                    \SystemRoot\System32\drivers\fwpkclnt.sys
fffff801`67c10000       b000    vmgencounter.sys                \SystemRoot\System32\drivers\vmgencounter.sys
fffff801`67c50000       40000   intelppm.sys                    \SystemRoot\System32\drivers\intelppm.sys

IOCTL

For getting the information about user-mode modules, you should use DeviceIoControl with IOCTL = IOCTL_GET_USER_MODE_MODULE_DETAILS, you have to send it in the following structure.

typedef struct _USERMODE_LOADED_MODULE_DETAILS
{
    UINT32  ProcessId;
    BOOLEAN OnlyCountModules;
    UINT32  ModulesCount;
    UINT32  Result;

    //
    // Here is a list of USERMODE_LOADED_MODULE_SYMBOLS (appended)
    //

} USERMODE_LOADED_MODULE_DETAILS, *PUSERMODE_LOADED_MODULE_DETAILS;

First, you need to fill the ProcessId and set the OnlyCountModules to TRUE. After that send the IOCTL and if the Result field of the above structure was equal to DEBUGEER_OPERATION_WAS_SUCCESSFULL, then you can see the number of modules at the ModulesCount field.

After that, you need to send the above IOCTL one more time. First, you need to allocate a buffer with the size of ModulesCount * sizeof(USERMODE_LOADED_MODULE_SYMBOLS) + sizeof(USERMODE_LOADED_MODULE_DETAILS), fill the ProcessId and set the OnlyCountModules to FALSE.

typedef struct _USERMODE_LOADED_MODULE_SYMBOLS
{
    UINT64  BaseAddress;
    UINT64  Entrypoint;
    wchar_t FilePath[MAX_PATH];

} USERMODE_LOADED_MODULE_SYMBOLS, *PUSERMODE_LOADED_MODULE_SYMBOLS;

When the above structure is returned, at the bottom of the USERMODE_LOADED_MODULE_DETAILS is filled with an array of USERMODE_LOADED_MODULE_SYMBOLS. This array contains information about the module's BaseAddress, Entrypoint, and the FilePath.

Getting modules information for the kernel-mode modules are done by calling NtQuerySystemInformation and does not gets the address from the kernel, so it doesn't have any IOCTL.

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None

Related

None

Previousprint (evaluate and print expression in debuggee)Nextcpu (check cpu supported technologies)

Last updated 3 years ago