settings (configures different options and preferences)
Description of the 'settings' command in HyperDbg.

Command

settings

Syntax

settings [OptionName (string)]
settings [OptionName (string)] [Value (hex)]
settings [OptionName (string)] [Value (string)]
settings [OptionName (string)] [on|off]

Description

This command queries or changes the value of options and preferences.

Parameters

[OptionName (string)]
Name of the option.
[Value (hex)]
Target value (hex) to modify the option.
[Value (string)]
Target value (string) to modify the option.
[on|off]
On or off value to modify the option.
Each option has its own value; for example, some options might be on or off, and others might be custom numbers or names.

Options

Option              Values                Default Value
autoflush           on | off              off
autounpause         on | off              on
syntax              intel | att | masm    intel
addressconversion   on | off              on

autoflush : if you turn autoflush on, then each time you disable or clear an event using the 'events' command, all pending buffers and messages from all commands (not just the command that you disabled or removed) that are stored in kernel mode waiting to be received by user mode are flushed, so when you press 'g', you no longer see any results from previous commands. However, some commands might continue generating new messages, and those new messages won't be removed.
You can also perform the flush manually by running the 'flush' command.

autounpause : if you turn autounpause on and then press CTRL+C or run the 'pause' command to break into the debugger, every new event automatically cancels the break, and you start receiving events and messages from the kernel-mode buffers again. If you turn it off, you won't receive kernel buffers and messages when a new event is invoked, because the debugger remains in the paused state (for example, paused because of the 'pause' command or CTRL+C). In this case, you can resume receiving messages from the kernel-mode buffer by running the 'g' command.

syntax : specifies the disassembler syntax used by the '!u' and '!u2' commands.

addressconversion : if you turn addressconversion on, then when disassembling memory, the debugger converts addresses to object names (if a symbol is available for that address). Otherwise, it shows the address in hex format. This option also affects whether function names are shown while stepping through instructions.

Examples

The following command shows the state of the autounpause option.

HyperDbg> settings autounpause
auto-unpause is enabled

The following command turns autounpause on.

HyperDbg> settings autounpause on
set auto-unpause to enabled

The following command turns autounpause off.

HyperDbg> settings autounpause off
set auto-unpause to disabled

The following commands show the different syntaxes available in the disassembler. You can choose your favorite syntax for the '!u' and '!u2' commands.

HyperDbg> settings syntax intel
set syntax to intel

HyperDbg> u fffff804`2d16f010
fffff804`2d16f010 48 89 5C 24 08 mov qword ptr ss:[rsp+0x08], rbx
fffff804`2d16f015 48 89 6C 24 10 mov qword ptr ss:[rsp+0x10], rbp
fffff804`2d16f01a 48 89 74 24 18 mov qword ptr ss:[rsp+0x18], rsi
fffff804`2d16f01f 57 push rdi
fffff804`2d16f020 41 56 push r14
fffff804`2d16f022 41 57 push r15
fffff804`2d16f024 48 83 EC 30 sub rsp, 0x30
fffff804`2d16f028 65 48 8B 04 25 20 00 00 00 mov rax, qword ptr gs:[0x0000000000000020]
fffff804`2d16f031 33 DB xor ebx, ebx
fffff804`2d16f033 44 0F B7 3D C5 3F 20 00 movzx r15d, word ptr ds:[0xFFFFF8042D373000]
fffff804`2d16f03b 41 8B E8 mov ebp, r8d
fffff804`2d16f03e 48 8B F2 mov rsi, rdx
fffff804`2d16f041 89 5C 24 68 mov dword ptr ss:[rsp+0x68], ebx
fffff804`2d16f045 8B F9 mov edi, ecx
fffff804`2d16f047 4C 8B 88 C0 00 00 00 mov r9, qword ptr ds:[rax+0xC0]

HyperDbg> settings syntax att
set syntax to at&t

HyperDbg> u fffff804`2d16f010
fffff804`2d16f010 48 89 5C 24 08 movq %rbx, %ss:0x08(%rsp)
fffff804`2d16f015 48 89 6C 24 10 movq %rbp, %ss:0x10(%rsp)
fffff804`2d16f01a 48 89 74 24 18 movq %rsi, %ss:0x18(%rsp)
fffff804`2d16f01f 57 push %rdi
fffff804`2d16f020 41 56 push %r14
fffff804`2d16f022 41 57 push %r15
fffff804`2d16f024 48 83 EC 30 sub $0x30, %rsp
fffff804`2d16f028 65 48 8B 04 25 20 00 00 00 movq %gs:0x0000000000000020, %rax
fffff804`2d16f031 33 DB xor %ebx, %ebx
fffff804`2d16f033 44 0F B7 3D C5 3F 20 00 movzxw %ds:0xFFFFF8042D373000, %r15d
fffff804`2d16f03b 41 8B E8 mov %r8d, %ebp
fffff804`2d16f03e 48 8B F2 mov %rdx, %rsi
fffff804`2d16f041 89 5C 24 68 movl %ebx, %ss:0x68(%rsp)
fffff804`2d16f045 8B F9 mov %ecx, %edi
fffff804`2d16f047 4C 8B 88 C0 00 00 00 movq %ds:0xC0(%rax), %r9

HyperDbg> settings syntax masm
set syntax to masm

HyperDbg> u fffff804`2d16f010
fffff804`2d16f010 48 89 5C 24 08 mov qword ptr ss:[rsp+8h], rbx
fffff804`2d16f015 48 89 6C 24 10 mov qword ptr ss:[rsp+10h], rbp
fffff804`2d16f01a 48 89 74 24 18 mov qword ptr ss:[rsp+18h], rsi
fffff804`2d16f01f 57 push rdi
fffff804`2d16f020 41 56 push r14
fffff804`2d16f022 41 57 push r15
fffff804`2d16f024 48 83 EC 30 sub rsp, 30h
fffff804`2d16f028 65 48 8B 04 25 20 00 00 00 mov rax, qword ptr gs:[$+20h]
fffff804`2d16f031 33 DB xor ebx, ebx
fffff804`2d16f033 44 0F B7 3D C5 3F 20 00 movzx r15d, word ptr ds:[$+203FCDh]
fffff804`2d16f03b 41 8B E8 mov ebp, r8d
fffff804`2d16f03e 48 8B F2 mov rsi, rdx
fffff804`2d16f041 89 5C 24 68 mov dword ptr ss:[rsp+68h], ebx
fffff804`2d16f045 8B F9 mov edi, ecx
fffff804`2d16f047 4C 8B 88 C0 00 00 00 mov r9, qword ptr ds:[rax+C0h]

IOCTL

None

Remarks

autounpause and autoflush do not change anything in debugger mode. This is because in this mode the buffers are not accumulated but are passed instantly; thus, there is nothing to flush.

Requirements

None