HyperDbg Documentation
CommunityDownloadResearchTutorialhwdbg
  • HyperDbg
  • Getting Started
    • Quick Start
    • FAQ
    • Build & Install
    • Attach to HyperDbg
      • Attach to a remote machine
      • Attach to local machine
      • Start a new process
      • Attach to a running process
  • Using HyperDbg
    • Prerequisites
      • Operation Modes
      • How to create a condition?
      • How to create an action?
      • Signatures
    • User-mode Debugging
      • Principles
      • Examples
        • basics
        • events
          • Getting Results of a System-call
    • Kernel-mode Debugging
      • Principles
      • Examples
        • beginning
          • Connecting To HyperDbg
          • Configuring Symbol Server/Path
        • basics
          • Setting Breakpoints & Stepping Instructions
          • Displaying & Editing & Searching Memory
          • Showing & Modifying Registers and Flags
          • Switching to a Specific Process or Thread
          • Mapping Data & Create Structures, and Enums From Symbols
        • events
          • Managing Events
          • Hooking Any Function
          • Intercepting All SYSCALLs
          • Monitoring Accesses To Structures
          • Triggering Special Instructions
          • Identifying System Behavior
        • Scripting Language Examples
    • Software Development Kit (SDK)
      • Events
        • Conditions
        • Actions
      • IOCTL
        • Event Registration
  • Commands
    • Debugging Commands
      • ? (evaluate and execute expressions and scripts in debuggee)
      • ~ (display and change the current operating core)
      • a (assemble virtual address)
      • load (load the kernel modules)
      • unload (unload the kernel modules)
      • status (show the debuggee status)
      • events (show and modify active/disabled events)
      • p (step-over)
      • t (step-in)
      • i (instrumentation step-in)
      • gu (step-out or go up)
      • r (read or modify registers)
      • bp (set breakpoint)
      • bl (list breakpoints)
      • be (enable breakpoints)
      • bd (disable breakpoints)
      • bc (clear and remove breakpoints)
      • g (continue debuggee or processing kernel packets)
      • x (examine symbols and find functions and variables address)
      • db, dc, dd, dq (read virtual memory)
      • eb, ed, eq (edit virtual memory)
      • sb, sd, sq (search virtual memory)
      • u, u64, u2, u32 (disassemble virtual address)
      • k, kd, kq (display stack backtrace)
      • dt (display and map virtual memory to structures)
      • struct (make structures, enums, data types from symbols)
      • sleep (wait for specific time in the .script command)
      • pause (break to the debugger and pause processing kernel packets)
      • print (evaluate and print expression in debuggee)
      • lm (view loaded modules)
      • cpu (check cpu supported technologies)
      • rdmsr (read model-specific register)
      • wrmsr (write model-specific register)
      • flush (remove pending kernel buffers and messages)
      • prealloc (reserve pre-allocated pools)
      • preactivate (pre-activate special functionalities)
      • output (create output source for event forwarding)
      • test (test functionalities)
      • settings (configures different options and preferences)
      • exit (exit from the debugger)
    • Meta Commands
      • .help (show the help of commands)
      • .debug (prepare and connect to debugger)
      • .connect (connect to a session)
      • .disconnect (disconnect from a session)
      • .listen (listen on a port and wait for the debugger to connect)
      • .status (show the debugger status)
      • .start (start a new process)
      • .restart (restart the process)
      • .attach (attach to a process)
      • .detach (detach from the process)
      • .switch (show the list and switch between active debugging processes)
      • .kill (terminate the process)
      • .process, .process2 (show the current process and switch to another process)
      • .thread, .thread2 (show the current thread and switch to another thread)
      • .pagein (bring the page into the RAM)
      • .dump (save the virtual memory into a file)
      • .formats (show number formats)
      • .script (run batch script commands)
      • .sympath (set the symbol server)
      • .sym (load pdb symbols)
      • .pe (parse PE file)
      • .logopen (open log file)
      • .logclose (close log file)
      • .cls (clear the screen)
    • Extension Commands
      • !a (assemble physical address)
      • !pte (display page-level address and entries)
      • !db, !dc, !dd, !dq (read physical memory)
      • !eb, !ed, !eq (edit physical memory)
      • !sb, !sd, !sq (search physical memory)
      • !u, !u64, !u2, !u32 (disassemble physical address)
      • !dt (display and map physical memory to structures)
      • !track (track and map function calls and returns to the symbols)
      • !epthook (hidden hook with EPT - stealth breakpoints)
      • !epthook2 (hidden hook with EPT - detours)
      • !monitor (monitor read/write/execute to a range of memory)
      • !syscall, !syscall2 (hook system-calls)
      • !sysret, !sysret2 (hook SYSRET instruction execution)
      • !mode (detect kernel-to-user and user-to-kernel transitions)
      • !cpuid (hook CPUID instruction execution)
      • !msrread (hook RDMSR instruction execution)
      • !msrwrite (hook WRMSR instruction execution)
      • !tsc (hook RDTSC/RDTSCP instruction execution)
      • !pmc (hook RDPMC instruction execution)
      • !vmcall (hook hypercalls)
      • !exception (hook first 32 entries of IDT)
      • !interrupt (hook external device interrupts)
      • !dr (hook access to debug registers)
      • !ioin (hook IN instruction execution)
      • !ioout (hook OUT instruction execution)
      • !hide (enable transparent-mode)
      • !unhide (disable transparent-mode)
      • !measure (measuring and providing details for transparent-mode)
      • !va2pa (convert a virtual address to physical address)
      • !pa2va (convert physical address to virtual address)
      • !dump (save the physical memory into a file)
      • !pcitree (show PCI/PCIe device tree)
      • !pcicam (dump the PCI/PCIe configuration space)
      • !idt (show Interrupt Descriptor Table entries)
      • !apic (dump local APIC entries in XAPIC and X2APIC modes)
      • !ioapic (dump I/O APIC)
    • Scripting Language
      • Assumptions & Evaluations
      • Variables & Assignments
      • Casting & Type-awareness
      • Conditionals & Loops
      • Constants & Functions
      • Debugger Script (DS)
      • Examples
        • view system state (registers, memory, variables)
        • change system state (registers, memory, variables)
        • trace function calls
        • pause the debugger conditionally
        • conditional breakpoints and events
        • patch the normal sequence of execution
        • access to a shared variable from different cores
        • count occurrences of events
      • Functions
        • debugger
          • pause
        • events
          • event_enable
          • event_disable
          • event_clear
          • event_sc
          • event_inject
          • event_inject_error_code
          • flush
        • exports
          • print
          • printf
        • interlocked
          • interlocked_compare_exchange
          • interlocked_decrement
          • interlocked_exchange
          • interlocked_exchange_add
          • interlocked_increment
        • memory
          • check_address
          • eb, ed, eq
          • eb_pa, ed_pa, eq_pa
          • memcpy
          • memcpy_pa
          • memcmp
          • virtual_to_physical
          • physical_to_virtual
        • diassembler
          • disassemble_len
          • disassemble_len32
        • spinlocks
          • spinlock_lock
          • spinlock_lock_custom_wait
          • spinlock_unlock
        • strings
          • strlen
          • wcslen
          • strcmp
          • strncmp
          • wcscmp
          • wcsncmp
    • Commands Map
  • Tips & Tricks
    • Considerations
      • Basic concepts in Intel VT-x
      • VMX root-mode vs VMX non-root mode
      • The "unsafe" behavior
      • Script engine in VMX non-root mode
      • Difference between process and thread switching commands
      • Accessing Invalid Address
      • Transparent Mode
    • Nested-Virtualization Environments
      • Supported Virtual Machines
      • Run HyperDbg on VMware
      • Run HyperDbg on Hyper-V
      • Supporting VMware/Hyper-V
      • VMware backdoor I/O ports
    • Misc
      • Event forwarding
      • Event short-circuiting
      • Event calling stage
      • Instant events
      • Message overflow
      • Customize build
        • Increase Communication Buffer Size
        • Number of EPT Hooks in One Page
        • Change Script Engine Limitations
      • Enable and disable events in Debugger Mode
      • Switch to New Process Layout
  • Contribution
    • Style Guide
      • Coding style
      • Command style
      • Doxygen style
    • Logo & Artworks
  • Design
    • Features
      • VMM (Module)
        • Control over NMIs
        • VMX root-mode compatible message tracing
        • Design of !epthook
        • Design of !epthook2
        • Design of !monitor
        • Design of !syscall & !sysret
        • Design of !exception & !interrupt
    • Debugger Internals
      • Events
      • Conditions
      • Actions
      • Kernel Debugger
        • Design Perspective
        • Connection
  • Links
    • Twitter
    • Telegram
    • Discord
    • Matrix
    • Mastodon
    • YouTube
    • hwdbg (Chip Debugger)
    • Doxygen
    • Contribution
Powered by GitBook
On this page
  • Command
  • Syntax
  • Description
  • Parameters
  • Examples
  • IOCTL
  • Remarks
  • Requirements
  • Related
Edit on GitHub
  1. Commands
  2. Debugging Commands

u, u64, u2, u32 (disassemble virtual address)

Description of 'u, u64, u2, u32' commands in HyperDbg.

Command

u

u64

u2

u32

Syntax

u [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

u64 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

u2 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

u32 [Address (hex)] [l Length (hex)] [pid ProcessId (hex)]

u and u64 disassembles as x64 while u2 and u32 adisassembles as x86. u and u64 are the same commands while u2 and u32 are the same.

Description

Shows the assembly regarding memory content at the virtual address hex form.

Parameters

[Address (hex)]

The virtual address of where we want to start to disassemble its memory.

[l Length (hex)] (optional)

The length (byte) in hex format.

[pid ProcessId (hex)] (optional)

The Process ID that's in the hex format is what we want to see the memory from its context (cr3).

If you don't specify the pid, then the default pid is the current process (HyperDbg) process layout of memory.

Examples

The following command is used when we want to disassemble the content of memory (x64) at fffff800`3ad6f010 with length of 0x50 bytes from the memory layout view of process (4 a.k.a. system process).

HyperDbg> u fffff800`3ad6f010 l 50 pid 4
fffff800`3ad6f010 48 89 5C 24 08                      mov qword ptr ss:[rsp+0x08], rbx
fffff800`3ad6f015 48 89 6C 24 10                      mov qword ptr ss:[rsp+0x10], rbp
fffff800`3ad6f01a 48 89 74 24 18                      mov qword ptr ss:[rsp+0x18], rsi
fffff800`3ad6f01f 57                                  push rdi
fffff800`3ad6f020 41 56                               push r14
fffff800`3ad6f022 41 57                               push r15
fffff800`3ad6f024 48 83 EC 30                         sub rsp, 0x30
fffff800`3ad6f028 65 48 8B 04 25 20 00 00 00          mov rax, qword ptr gs:[0x0000000000000020]
fffff800`3ad6f031 33 DB                               xor ebx, ebx
fffff800`3ad6f033 44 0F B7 3D C5 3F 20 00             movzx r15d, word ptr ds:[0xFFFFF8003AF73000]
fffff800`3ad6f03b 41 8B E8                            mov ebp, r8d
fffff800`3ad6f03e 48 8B F2                            mov rsi, rdx
fffff800`3ad6f041 89 5C 24 68                         mov dword ptr ss:[rsp+0x68], ebx
fffff800`3ad6f045 8B F9                               mov edi, ecx
fffff800`3ad6f047 4C 8B 88 C0 00 00 00                mov r9, qword ptr ds:[rax+0xC0]
fffff800`3ad6f04e 45 0F B7 B1 92 00 00 00             movzx r14d, word ptr ds:[r9+0x92]
fffff800`3ad6f056 41 8B C6                            mov eax, r14d
fffff800`3ad6f059 44 8B C8                            mov r9d, eax
fffff800`3ad6f05c 89 5C 24 20                         mov dword ptr ss:[rsp+0x20], ebx

The following example shows the assembly content (x64) of memory at nt!ExAllocatePoolWithTag from current process memory layout.

HyperDbg> u nt!ExAllocatePoolWithTag
nt!ExAllocatePoolWithTag:
fffff801`639b1030    48 89 5C 24 08                      mov qword ptr ss:[rsp+0x08], rbx
fffff801`639b1035    48 89 6C 24 10                      mov qword ptr ss:[rsp+0x10], rbp
fffff801`639b103a    48 89 74 24 18                      mov qword ptr ss:[rsp+0x18], rsi
fffff801`639b103f    57                                  push rdi
fffff801`639b1040    41 56                               push r14
fffff801`639b1042    41 57                               push r15
fffff801`639b1044    48 83 EC 30                         sub rsp, 0x30
fffff801`639b1048    65 48 8B 04 25 20 00 00 00          mov rax, qword ptr gs:[0x0000000000000020]
fffff801`639b1051    45 8B F0                            mov r14d, r8d
fffff801`639b1054    44 0F B7 3D A4 8F 34 00             movzx r15d, word ptr ds:[0xFFFFF80163CFA000]
fffff801`639b105c    48 8B EA                            mov rbp, rdx
fffff801`639b105f    8B F1                               mov esi, ecx
fffff801`639b1061    4C 8B 88 C0 00 00 00                mov r9, qword ptr ds:[rax+0xC0]
fffff801`639b1068    41 0F B7 B9 92 00 00 00             movzx edi, word ptr ds:[r9+0x92]

The following example shows the assembly content (x64) of memory at nt!ExAllocatePoolWithTag+5 from current process memory layout.

HyperDbg> u nt!ExAllocatePoolWithTag+5
nt!ExAllocatePoolWithTag+0x5:
fffff801`639b1035    48 89 6C 24 10                      mov qword ptr ss:[rsp+0x10], rbp
fffff801`639b103a    48 89 74 24 18                      mov qword ptr ss:[rsp+0x18], rsi
fffff801`639b103f    57                                  push rdi
fffff801`639b1040    41 56                               push r14
fffff801`639b1042    41 57                               push r15
fffff801`639b1044    48 83 EC 30                         sub rsp, 0x30
fffff801`639b1048    65 48 8B 04 25 20 00 00 00          mov rax, qword ptr gs:[0x0000000000000020]
fffff801`639b1051    45 8B F0                            mov r14d, r8d
fffff801`639b1054    44 0F B7 3D A4 8F 34 00             movzx r15d, word ptr ds:[0xFFFFF80163CFA000]
fffff801`639b105c    48 8B EA                            mov rbp, rdx
fffff801`639b105f    8B F1                               mov esi, ecx
fffff801`639b1061    4C 8B 88 C0 00 00 00                mov r9, qword ptr ds:[rax+0xC0]
fffff801`639b1068    41 0F B7 B9 92 00 00 00             movzx edi, word ptr ds:[r9+0x92]
fffff801`639b1070    0F BA EF 1F                         bts edi, 0x1F

The following example shows the assembly content (x64) of memory at fffff800`3ad6f010 from current process memory layout.

HyperDbg> u fffff800`3ad6f010
fffff800`3ad6f010 48 89 5C 24 08                      mov qword ptr ss:[rsp+0x08], rbx
fffff800`3ad6f015 48 89 6C 24 10                      mov qword ptr ss:[rsp+0x10], rbp
fffff800`3ad6f01a 48 89 74 24 18                      mov qword ptr ss:[rsp+0x18], rsi
fffff800`3ad6f01f 57                                  push rdi
fffff800`3ad6f020 41 56                               push r14
fffff800`3ad6f022 41 57                               push r15
fffff800`3ad6f024 48 83 EC 30                         sub rsp, 0x30
fffff800`3ad6f028 65 48 8B 04 25 20 00 00 00          mov rax, qword ptr gs:[0x0000000000000020]
fffff800`3ad6f031 33 DB                               xor ebx, ebx
fffff800`3ad6f033 44 0F B7 3D C5 3F 20 00             movzx r15d, word ptr ds:[0xFFFFF8003AF73000]
fffff800`3ad6f03b 41 8B E8                            mov ebp, r8d
fffff800`3ad6f03e 48 8B F2                            mov rsi, rdx
fffff800`3ad6f041 89 5C 24 68                         mov dword ptr ss:[rsp+0x68], ebx
fffff800`3ad6f045 8B F9                               mov edi, ecx
fffff800`3ad6f047 4C 8B 88 C0 00 00 00                mov r9, qword ptr ds:[rax+0xC0]

IOCTL

This function works by calling DeviceIoControl with IOCTL = IOCTL_DEBUGGER_READ_MEMORY , you have to send it in the following structure.

typedef struct _DEBUGGER_READ_MEMORY {

    UINT32 Pid; // Read from cr3 of what process
    UINT64 Address;
    UINT32 Size;
    DEBUGGER_READ_MEMORY_TYPE MemoryType;
    DEBUGGER_READ_READING_TYPE ReadingType;

} DEBUGGER_READ_MEMORY, * PDEBUGGER_READ_MEMORY;

Where Pid is the process id, Address is the target location address and size is the length of the byte that you need to read.

MemoryTypeis either virtual or physical.

typedef enum _DEBUGGER_READ_MEMORY_TYPE { DEBUGGER_READ_PHYSICAL_ADDRESS, DEBUGGER_READ_VIRTUAL_ADDRESS } DEBUGGER_READ_MEMORY_TYPE;

ReadingType is either from the kernel or from the vmx root. Currently, only the reading from the kernel is implemented.

typedef enum _DEBUGGER_READ_READING_TYPE { READ_FROM_KERNEL, READ_FROM_VMX_ROOT } DEBUGGER_READ_READING_TYPE;

If you don't want to read from the kernel directly, use the following HyperDbg Routine.

void HyperDbgReadMemoryAndDisassemble(DEBUGGER_SHOW_MEMORY_STYLE Style, UINT64 Address,
                        DEBUGGER_READ_MEMORY_TYPE MemoryType,
                        DEBUGGER_READ_READING_TYPE ReadingType, UINT32 Pid,
                        UINT Size);

The above function fills the IOCTL structure and shows the memory content. It is also able to disassemble the memory. You can specify one of the following styles to show the memory.

typedef enum _DEBUGGER_SHOW_MEMORY_STYLE { DEBUGGER_SHOW_COMMAND_DISASSEMBLE64, DEBUGGER_SHOW_COMMAND_DISASSEMBLE32, DEBUGGER_SHOW_COMMAND_DB, DEBUGGER_SHOW_COMMAND_DC, DEBUGGER_SHOW_COMMAND_DQ, DEBUGGER_SHOW_COMMAND_DD } DEBUGGER_SHOW_MEMORY_STYLE;

For disassembling, use the DEBUGGER_SHOW_COMMAND_DISASSEMBLE64 as the Style for x64 disassembling, and for disassembling x86, use the DEBUGGER_SHOW_COMMAND_DISASSEMBLE32.

In the debugger mode, HyperDbg uses the exact same structure, you should send the above structure over serial to the debuggee which is paused in vmx-root mode.

You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_READ_MEMORY as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.

In return, the debuggee sends the above structure with the following type.

DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_READING_MEMORY

The following function is responsible for sending reading memory in the debugger.

BOOLEAN KdSendReadMemoryPacketToDebuggee(PDEBUGGER_READ_MEMORY ReadMem);

Remarks

  • If you don't specify the length, the default length for HyperDbg is 0x40 Bytes.

  • If you've ever seen any object name with two additions like ExAllocatePoolWithTag+0x8f+0x2, it means that the address is outside the function size that we've parsed from the symbol PDB files. Compilers often put some junk codes at the end of functions to create an alignment, and HyperDbg will notify you about these situations with two additions. Also, if the function is from a stripped symbol (or, in other words, the function size is not available), we set the function size to a maximum length of 0xffff.

Please note that you should specify a space between 'l' and the length for HyperDbg. For example, 'l10' is invalid, but 'l 10' is valid. (It's opposed to windbg).

This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

Related

Previoussb, sd, sq (search virtual memory)Nextk, kd, kq (display stack backtrace)

Last updated 10 months ago

By default, HyperDbg converts addresses to the object names (if the symbol for that address is available). If you want to see the address in hex format, you can turn addressconversion to off using the '' command.

HyperDbg uses as its core disassembler.

settings
Zydis
Zydis
!u (disassemble physical address)
a (assemble virtual address)
!a (assemble physical address)