load (load the kernel modules)
Description of the 'load' command in HyperDbg.
load
load [ModuleName (string)]
Loads the HyperDbg's drivers and kernel modules into the target system.
[ModuleName (string)]
The name of the module that you want to load.
Module Name | Description |
|---|---|
vmm | Hypervisor-related capabilities |
The debugger functions are implemented on top of 'vmm' module.
vmm : this module contains commands related to the debugger and all hypervisor-related capabilities. Currently, vmm is the only module of HyperDbg.
The following example loads
vmm module.HyperDbg> load vmm
This command causes to run a
CreateFile in the target system, in IRP_MJ_CREATE, the driver loads the modules like vt-x and debugger and all other kernel modules, so it doesn't have an IOCTL. You can call CreateFile to the driver's device and get a handle.If you're using APIs, the following export in hprdbgctrl can be used.
HPRDBGCTRL_API int HyperdbgLoadVmm();
- 1.Only one application can get the device handle; after that, no other application is able to create a handle from the device or, in other words, is not able to call
loadcommand until the first app releases the handle (byCloseHandle) or callunloadcommand. - 2.The application that requests to load the kernel modules should have
SeDebugPrivilegeto obtain a handle, otherwise anACCESS_DENIEDis thrown.
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
- Intel VT-x is required to be enabled to perform this action.
- Intel Extended Page Table (a.k.a. SLAT) should be present in the processor. If you have a Nehalem (2008) processor or a newer processor, then it supports this feature.