u and u64 disassemble as x64, while u2 and u32 disassemble as x86. u and u64 are the same command, and u2 and u32 are the same command.
Description
Shows the disassembly of the memory content at the given virtual address (in hex form).
Parameters
[Address (hex)]
The virtual address at which we want to start disassembling memory.
[l Length (hex)] (optional)
The length (in bytes) in hex format.
[pid ProcessId (hex)] (optional)
The Process ID (in hex format) of the process from whose context (cr3) we want to see the memory.
If you don't specify the pid, the default is the memory layout of the current process (HyperDbg).
Examples
The following command is used when we want to disassemble the content of memory (x64) at fffff800`3ad6f010 with a length of 0x50 bytes from the memory layout view of process 4 (a.k.a. the system process).
The above function fills the IOCTL structure and shows the memory content. It is also able to disassemble the memory. You can specify one of the following styles to show the memory.
For disassembling, use the DEBUGGER_SHOW_COMMAND_DISASSEMBLE64 as the Style for x64 disassembling, and for disassembling x86, use the DEBUGGER_SHOW_COMMAND_DISASSEMBLE32.
In debugger mode, HyperDbg uses the exact same structure; you should send the above structure over serial to the debuggee, which is paused in vmx-root mode.
You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_MEMORY as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.
In return, the debuggee sends the above structure with the following type.
If you don't specify the length, the default length for HyperDbg is 0x40 bytes.
By default, HyperDbg converts addresses to object names (if the symbol for that address is available). If you want to see the address in hex format, you can turn addressconversion to off using the 'settings' command.
If you've ever seen an object name with two additions, like ExAllocatePoolWithTag+0x8f+0x2, it means that the address is outside the function size that we've parsed from the symbol PDB files. Compilers often put some junk code at the end of functions to create an alignment, and HyperDbg will notify you about these situations with two additions. Also, if the function is from a stripped symbol (or, in other words, the function size is not available), we set the function size to a maximum length of 0xffff.
Please note that you should specify a space between 'l' and the length for HyperDbg. For example, 'l10' is invalid, but 'l 10' is valid. (This differs from WinDbg.)
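The syntax rules on this page (the command aliases, hex parameters, the 0x40 default length and the mandatory space after 'l') collected into a small parser, as an added example that is not HyperDbg's own code. The function names and the acceptance of 'l' and 'pid' in either order are assumptions.

```python
# Added example: parses the syntax documented on this page.
# Not HyperDbg's own parser; names and option ordering are assumptions.
DEFAULT_LENGTH = 0x40  # default length stated on this page
MODES = {"u": "x64", "u64": "x64", "u2": "x86", "u32": "x86"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hex(token):
    """Parse a hex value, allowing the ` separator seen in fffff800`3ad6f010."""
    cleaned = token.replace("`", "")
    if not cleaned or any(c not in HEX_DIGITS for c in cleaned):
        raise ValueError(f"not a hex value: {token!r}")
    return int(cleaned, 16)


def parse_u_command(line):
    """Return mode, address, length and pid for a u/u64/u2/u32 command line."""
    tokens = line.split()
    if not tokens or tokens[0] not in MODES:
        raise ValueError("expected u, u64, u2 or u32")
    # pid None stands for the default: the current process's memory layout.
    result = {"mode": MODES[tokens[0]], "address": None,
              "length": DEFAULT_LENGTH, "pid": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("l", "pid"):
            # The value must be its own token: 'l 10' is valid, 'l10' is not.
            if i + 1 >= len(tokens):
                raise ValueError(f"'{tok}' needs a hex value after a space")
            key = "length" if tok == "l" else "pid"
            result[key] = parse_hex(tokens[i + 1])
            i += 2
        elif result["address"] is None:
            result["address"] = parse_hex(tok)
            i += 1
        else:
            # A fused option such as 'l10' ends up here and is rejected.
            raise ValueError(f"unexpected token {tok!r}")
    if result["address"] is None:
        raise ValueError("address is required")
    return result
```
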