HyperDbg Documentation
HyperDbgDownloadSource codeCite paper
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
# (comment in batch scripts)
? (evaluate and execute expressions and scripts in debuggee)
~ (display and change the current operating core)
load (load the kernel modules)
unload (unload the kernel modules)
status (show the debuggee status)
events (show and modify active/disabled events)
p (step-over)
t (step-in)
i (instrumentation step-in)
r (read or modify registers)
bp (set breakpoint)
bl (list breakpoints)
be (enable breakpoints)
bd (disable breakpoints)
bc (clear and remove breakpoints)
g (continue debuggee or processing kernel packets)
x (examine symbols and find functions and variables address)
db, dc, dd, dq (read virtual memory)
eb, ed, eq (edit virtual memory)
sb, sd, sq (search virtual memory)
u, u2 (disassemble virtual address)
k, kd, kq (display stack backtrace)
dt (display and map virtual memory to structures)
struct (make structures, enums, data types from symbols)
sleep (wait for specific time in the .script command)
pause (break to the debugger and pause processing kernel packets)
print (evaluate and print expression in debuggee)
lm (view loaded modules)
cpu (check cpu supported technologies)
rdmsr (read model-specific register)
wrmsr (write model-specific register)
flush (remove pending kernel buffers and messages)
prealloc (reserve pre-allocated pools)
output (create output source for event forwarding)
test (test functionalities)
settings (configures different options and preferences)
exit (exit from the debugger)
Meta Commands
Extension Commands
Scripting Language
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Script Engine
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
unload (unload the kernel modules)
Description of the 'unload' command in HyperDbg.

Command

unload

Syntax

unload [remove] [ModuleName (string)]

Description

Unloads the HyperDbg drivers and kernel modules from the target system.

Parameters

[remove](optional)
If you want to remove the installed driver. (See Remarks for more information)
[ModuleName (string)]
The name of the module that you want to unload.

Modules

Module Name
Description
vmm
Hypervisor-related capabilities
The debugger functions are implemented on top of the 'vmm' module.
vmm : this module contains commands related to the debugger and all hypervisor-related capabilities. Currently, vmm is the only module of HyperDbg.

Examples

The following example unloads vmm module.
1
HyperDbg> unload vmm
Copied!

IOCTL

This function first invokes IOCTL_TERMINATE_VMX to turn off the vmx operation and IOCTL_RETURN_IRP_PENDING_PACKETS_AND_DISALLOW_IOCTL to complete all the IRP Pending sessions so that we can call CloseHandle.
If you're using APIs, the following export in hprdbgctrl can be used.
1
HPRDBGCTRL_API int HyperdbgUnload();
Copied!

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
If you use the remove argument, then the driver will be marked to be stopped and uninstalled. You cannot re-load that module again until the target machine is restarted.

Requirements

None
Previous
load (load the kernel modules)
Next
status (show the debuggee status)
Last modified 2mo ago
Copy link
Edit on GitHub
Contents
Command
Syntax
Description
Parameters
Modules
Examples
IOCTL
Remarks
Requirements
Related