!epthook2
!epthook2 [Address (hex)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [condition { Condition (hex) }] [code { Code (hex) }]
Add `pid xx` to your command; thus, the command will be executed only if the process id is equal to `xx`. If you don't specify this option, then by default, you receive events on all processes. Use `pid all` to intercept events from the entire system.

Add `core xx` to your command; thus, the command will be executed only if the core id is equal to `xx`. If you don't specify this option, then by default, you receive events on all cores.

For `imm`, `yes` means the results (printed texts in scripts) should be delivered immediately to the debugger. `no` means that the results can be accumulated and delivered as a couple of messages when the buffer is full; thus, it's substantially faster, but it's not real-time. By default, this value is set to `yes`.

HyperDbg passes the virtual address where you placed the hidden hook's breakpoint to the event trigger as its context: the `$context` pseudo-register in the event's script, `r8` in custom code, and `rdx` in condition code.

HyperDbg> !epthook2 fffff800`4ed6f010

This breaks into the debugger when the target address is hit and gives control back to you.

Symbols work too:

HyperDbg> !epthook2 nt!ExAllocatePoolWithTag

A symbol plus an offset (for example, `+5`) works too.

HyperDbg> !epthook2 fffff800`4ed6f010 script { HyperDbg Script Here }

Replace `HyperDbg Script Here` with your script. Script examples are available in the HyperDbg documentation.

To run a script from a file, write `file:` followed by the file path instead of the script itself. For example, the following command runs the script stored in `c:\users\sina\desktop\script.txt`:

HyperDbg> !epthook2 fffff801deadbeef script {file:c:\users\sina\desktop\script.txt}

The following command puts a hook on fffff801deadbeef and runs 3 nops (`90 90 90`) whenever the hook is triggered. Take a look at Run Custom Code for more information.

HyperDbg> !epthook2 fffff801deadbeef code {90 90 90}

The following command puts a hook on fffff801deadbeef, runs 3 nops whenever the hook is triggered, and also uses 3 nops as the condition. Take a look at Run Custom Code and how to create a condition for more information.

HyperDbg> !epthook2 fffff801deadbeef code {90 90 90} condition {90 90 90}

Use `HIDDEN_HOOK_EXEC_DETOURS` as EventType, and send the address of where you want to hook in `OptionalParam1` in `DEBUGGER_GENERAL_EVENT_DETAIL`.

Only one hook can be placed per page. Once a hook is set on fffff80126551006, you cannot put another hook in the range fffff80126551000 to fffff80126551fff, because it's within the same page (0x1000 or 4096 bytes).
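The one-hook-per-page restriction above is easy to trip over when setting several hooks in one session. The script below is an added example, not HyperDbg's own code: it parses HyperDbg-style addresses (including the backtick form used in this page's examples), works out which requested hooks share a 4 KiB page and would therefore be rejected, and renders the surviving `!epthook2` command lines with the optional `pid`, `core` and `imm` parameters from the syntax line. The address list, the `pid 1c4` value and the `imm no` choice in the demo are constructed for illustration.

```python
# Added example for this page (not HyperDbg's own code): before issuing several
# !epthook2 commands, check which requested addresses share a 4 KiB page,
# since !epthook2 allows only one hook per page, and render the command lines
# with the optional pid/core/imm parameters. Addresses below are taken from
# the examples on this page; the pid/imm values are made up for the demo.

PAGE_SIZE = 0x1000              # 4096 bytes
PAGE_MASK = ~(PAGE_SIZE - 1)    # clears the low 12 bits of an address


def parse_address(text):
    """Parse a HyperDbg/WinDbg-style hex address. The backtick separator
    (fffff800`4ed6f010) and an optional 0x prefix are both accepted."""
    cleaned = text.strip().lower().replace("`", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    return int(cleaned, 16)


def page_range(address):
    """First and last byte of the 4 KiB page that contains address."""
    first = address & PAGE_MASK
    return first, first + PAGE_SIZE - 1


def same_page(a, b):
    """True when both addresses fall inside one 4 KiB page."""
    return (a & PAGE_MASK) == (b & PAGE_MASK)


def plan_hooks(addresses):
    """Accept the first requested hook in each page and reject any later
    address whose page is already hooked, mirroring the !epthook2 rule.
    Returns (accepted, rejected); each rejected entry carries the address it
    collides with and that page's range so the reason is visible."""
    accepted = []
    rejected = []
    for addr in addresses:
        clash = next((h for h in accepted if same_page(h, addr)), None)
        if clash is None:
            accepted.append(addr)
        else:
            rejected.append((addr, clash, page_range(clash)))
    return accepted, rejected


def epthook2_command(address, pid=None, core=None, imm=None):
    """Render one !epthook2 command with the optional parameters from the
    syntax line on this page. pid/core are hex ints (pid may be "all");
    imm is "yes" or "no"."""
    parts = ["!epthook2", f"{address:x}"]
    if pid is not None:
        parts += ["pid", pid if pid == "all" else f"{pid:x}"]
    if core is not None:
        parts += ["core", f"{core:x}"]
    if imm is not None:
        parts += ["imm", imm]
    return " ".join(parts)


def demo():
    # Constructed request list: the second entry sits in the same page as the
    # first (exactly the collision the remark above describes), the third is
    # in the next page, the fourth uses the backtick address form.
    requested = [
        "fffff80126551006",
        "fffff80126551fff",
        "fffff80126552000",
        "fffff800`4ed6f010",
    ]
    accepted, rejected = plan_hooks([parse_address(a) for a in requested])
    for addr in accepted:
        # pid 1c4 / imm no are demo values, not taken from the page
        print(epthook2_command(addr, pid=0x1C4, imm="no"))
    for addr, clash, (first, last) in rejected:
        print(f"skip {addr:x}: page {first:x}-{last:x} already hooked at {clash:x}")
    return accepted, rejected


if __name__ == "__main__":
    demo()
```

Running the script prints three `!epthook2 ... pid 1c4 imm no` lines and one `skip fffff80126551fff` line naming the page fffff80126551000-fffff80126551fff that is already taken by the first hook; the planner keeps the first request per page because that is the order in which the commands would be issued.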