HyperDbg Documentation
HyperDbgResearchDownloadSource code
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
# (comment in batch scripts)
? (evaluate and execute expressions and scripts in debuggee)
~ (display and change the current operating core)
load (load the kernel modules)
unload (unload the kernel modules)
status (show the debuggee status)
events (show and modify active/disabled events)
p (step-over)
t (step-in)
i (instrumentation step-in)
r (read or modify registers)
bp (set breakpoint)
bl (list breakpoints)
be (enable breakpoints)
bd (disable breakpoints)
bc (clear and remove breakpoints)
g (continue debuggee or processing kernel packets)
x (examine symbols and find functions and variables address)
db, dc, dd, dq (read virtual memory)
eb, ed, eq (edit virtual memory)
sb, sd, sq (search virtual memory)
u, u2 (disassemble virtual address)
k, kd, kq (display stack backtrace)
dt (display and map virtual memory to structures)
struct (make structures, enums, data types from symbols)
sleep (wait for specific time in the .script command)
pause (break to the debugger and pause processing kernel packets)
print (evaluate and print expression in debuggee)
lm (view loaded modules)
cpu (check cpu supported technologies)
rdmsr (read model-specific register)
wrmsr (write model-specific register)
flush (remove pending kernel buffers and messages)
prealloc (reserve pre-allocated pools)
output (create output source for event forwarding)
test (test functionalities)
settings (configures different options and preferences)
exit (exit from the debugger)
Meta Commands
Extension Commands
Scripting Language
Commands Map
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
p (step-over)
Description of the 'p' command in HyperDbg.

p
pr

p
p [Count (hex)]
pr
pr [Count (hex)]

Executes a single instruction (step-over) and optionally displays the resulting values of all registers and flags.

[Count (hex)] (optional)
Count of step(s), or how many times perform the stepping operation. If you don't set this argument, then by default, the Count is 1.

If you want to step-over one instruction.
0: kHyperDbg> p
fffff801`68d91267 41 5B pop r11
If you want to step-over one instruction and view the registers.
0: kHyperDbg> pr
fffff801`68d91269 41 5A pop r10
RAX=0000000000000000 RBX=ffff948cbf6599d0 RCX=0000000000000024
RDX=0000000000000000 RSI=0000000000000000 RDI=ffff948cc266d670
RIP=fffff80168d91269 RSP=ffff9305492df6a8 RBP=0000000000000002
R8=0000000000000000 R9=0000000000000000 R10=0000000048564653
R11=0000000000000000 R12=0000000000000000 R13=0000000000000000
R14=ffff948cc266d670 R15=ffff948cc058e6b0 IOPL=00
OF 0 DF 0 IF 0 SF 0
ZF 1 PF 1 CF 0 AXF 0
CS 0010 SS 0018 DS 002b ES 002b FS 0053 GS 002b
RFLAGS=0000000000040046
If you want to step-over for 5 instructions.
0: kHyperDbg> p 5
fffff801`68d9126b 9D popfq
fffff801`68d9126c C3 ret
fffff801`63a12948 6A D1 push 0xFFFFFFFFFFFFFFD1
fffff801`63a1294a E9 B1 00 00 00 jmp 0xFFFFF80163A12A00
fffff801`63a12b00 F6 44 24 10 01 test byte ptr ss:[rsp+0x10], 0x01

This commands works over serial by sending the serial packets to the remote computer.
First of all, you should fill the following structure, set the StepType to the type of step that you want to perform (e.g., step-in, step-over, and instrumentation step-in), and if it's a step-over (only step-over), then if the currently executing instruction is a call instruction, set the IsCurrentInstructionACall to TRUE and also set the length of the current call instruction (if it's a call instruction) to CallLength, so you can hint the debuggee to find the next instruction. In step-over, just set the StepType and set all the other members to null.
typedef struct _DEBUGGEE_STEP_PACKET {
​
DEBUGGER_REMOTE_STEPPING_REQUEST StepType;
​
//
// Only in the case of call instructions
// the 'p' command
//
BOOLEAN IsCurrentInstructionACall;
UINT32 CallLength;
​
} DEBUGGEE_STEP_PACKET, *PDEBUGGEE_STEP_PACKET;
StepType can be chosen from one of the following types.
typedef enum _DEBUGGER_REMOTE_STEPPING_REQUEST {
​
DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_OVER,
DEBUGGER_REMOTE_STEPPING_REQUEST_STEP_IN,
DEBUGGER_REMOTE_STEPPING_REQUEST_INSTRUMENTATION_STEP_IN,
​
} DEBUGGER_REMOTE_STEPPING_REQUEST;
The next step is sending the above structure to the debuggee when debuggee is paused and waiting for new command on vmx-root mode.
You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_STEP as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.
In return, the debuggee sends a pause packet with the following type.
DEBUGGEE_PAUSING_REASON_DEBUGGEE_STEPPED
The following function is responsible for sending breakpoint buffers in the debugger.
BOOLEAN KdSendStepPacketToDebuggee(DEBUGGER_REMOTE_STEPPING_REQUEST StepRequestType);

This command will set a trap flag in debuggee and continue all the cores. After executing one instruction, it halts the debuggee again.
If the target instruction is a call instruction, it configures the first hardware debug register breakpoint to the instruction after that call. After that, it continues the debuggee and waits for the call to be returned and the next instruction (after the call) to be executed.
All cores and threads (except the currently executing thread) find a chance to be executed between each step in this type of stepping.
If you load symbols and you don't want to see function names, you turn addressconversion off in the 'settings' command.

None
​t (step-in)​
Previous
events (show and modify active/disabled events)
Next
t (step-in)
Last modified 5mo ago
Copy link
Edit on GitHub
On this page
Command
Syntax
Description
Parameters
Examples
IOCTL
Remarks
Requirements
Related