!epthook2 (hidden hook with EPT - detours)

Description of the '!epthook2' command in HyperDbg.

Command

!epthook2

Syntax

!epthook2 [Address (hex)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]

Description

Puts an in-line, detours-style kernel EPT hidden hook (fast).

This implementation of the hidden hook won't cause vm-exit when it triggers. It's like detours, and everything is done in vmx non-root, so it's much faster than !epthook, but it some limitations. See Remarks for more information.

Parameters

[Address (hex)]

The Virtual address of where we want to put the hook.

[pid ProcessId (hex)] (optional)

Optional value to trigger the event in just a specific process. Add pid xx to your command; thus, the command will be executed if the process id is equal to xx. If you don't specify this option, then by default, you receive events on all processes.

Still, in the case of user-mode debugging, HyperDbg will apply it only to the current active debugging process (not all the processes). In that case, you can specify pid all to intercept events from the entire system.

[core CoreId (hex)] (optional)

Optional value to trigger the event in just a specific core. Add core xx to your command thus command will be executed if core id is equal to xx. If you don't specify this option, then by default, you receive events on all cores.

[imm IsImmediate (yesno)] (optional)

Optional value in which yes means the results (printed texts in scripts) should be delivered immediately to the debugger. no means that the results can be accumulated and delivered as a couple of messages when the buffer is full; thus, it's substantially faster, but it's not real-time. By default, this value is set to yes.

[buffer PreAllocatedBuffer (hex)] (optional)

[script { Script (string) }] (optional)

[asm condition { Condition (assembly/hex) }] (optional)

[asm code { Code (assembly/hex) }] (optional)

[output {OutputName (string)}] (optional)

Context

As the Context ($context pseudo-register in the event's script, r8 in custom code, and rdx in condition code register) to the event trigger, HyperDbg sends the virtual address of where you put the hidden hook's breakpoint.

Short-circuiting

Calling Stages

Debugger

This event supports three debugging mechanisms.

Break
Script
Custom Code

Break

Imagine we want to put a hook on fffff800`4ed6f010, this will break into the debugger when the target address hits and gives the control back to you.

HyperDbg> !epthook2 fffff800`4ed6f010

Alternatively, you can use nt!ExAllocatePoolWithTag too.

HyperDbg> !epthook2 nt!ExAllocatePoolWithTag

You can also use an expression like nt!ExAllocatePoolWithTag+@rcx+5 too.

HyperDbg> !epthook2 nt!ExAllocatePoolWithTag+@rcx+5

Script

HyperDbg> !epthook2 fffff800`4ed6f010 script { HyperDbg Script Here }

The above command when messages don't need to be delivered immediately.

HyperDbg> !epthook2 fffff800`4ed6f010 script { HyperDbg Script Here } imm no

Script (From File)

If you saved your script into a file, then you can add file: instead of a script and append the file path to it. For example, the following examples show how you can run a script from file:c:\users\sina\desktop\script.txt.

HyperDbg> !epthook2 fffff800`4ed6f010 script {file:c:\users\sina\desktop\script.txt}

Custom Code

Run Custom Code (Unconditional)

HyperDbg> !epthook2 fffff801deadbeef code {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the code.

HyperDbg> !epthook2 fffff801deadbeef asm code {nop; nop; nop}

Run Custom Code (Conditional)

HyperDbg> !epthook2 fffff801deadbeef code {90 90 90} condition {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the condition and also before the code.

HyperDbg> !epthook2 fffff801deadbeef asm code {nop; nop; nop} asm condition {nop; nop; nop}

Keep in mind that a conditional event can be used in Breaking to Debugger and Running Script too.

IOCTL

Use HIDDEN_HOOK_EXEC_DETOURS as EventType, and send the address of where you want to hook in OptionalParam1in DEBUGGER_GENERAL_EVENT_DETAIL.

Design

Remarks

This command is much faster than !epthook, but it has the following limitations:

It can be used only in kernel addresses, which means that you cannot use it for user-mode addresses.
You can only use one hook in a page of memory. For example, if you put a hook on fffff80126551006 then you cannot put another hook in the range of fffff80126551000 to fffff80126551fff because it's within the same page (0x1000 or 4096 bytes).
It has the limitation of classic detours hooks. We patch 19 bytes for our detours hook, so when you put a hook anywhere in your assembly, you have to make sure that there is no relative jump or relative call within 19 bytes after the hook address. Most of the time, the start address of the function is detours-compatible (doesn't start with relative jumps or relative calls), especially in x64 fast call functions; thus, the start address of a function is a good point to put these hidden hooks.

You shouldn't use any of !monitor, !epthook, and !epthook2 commands on the same page (4KB) simultaneously. For example, when you put a hidden hook (!epthook2) on 0x10000005, you shouldn't use any of !monitor or !epthook commands on the address starting from 0x10000000 to 0x10000fff.

You can use !epthook (just !epthook not !epthook2 and not !monitor) on two or more addresses on the same page (means that you can use the !epthook multiple times for addresses between a single page or putting multiple hidden breakpoints on a single page). But you can't use !monitor or !epthook2 twice on the same page.

Requirements

Post-Nehalem Processor (EPT)

Processor with Execute-only Pages Support

Previous!epthook (hidden hook with EPT - stealth breakpoints)Next!monitor (monitor read/write/execute to a range of memory)

Last updated 9 months ago

!epthook2 (hidden hook with EPT - detours)

Description of the '!epthook2' command in HyperDbg.

Command

!epthook2

Syntax

!epthook2 [Address (hex)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]

Description

Puts an in-line, detours-style kernel EPT hidden hook (fast).

Parameters

[Address (hex)]

The Virtual address of where we want to put the hook.

[pid ProcessId (hex)] (optional)

[core CoreId (hex)] (optional)

[imm IsImmediate (yesno)] (optional)

[buffer PreAllocatedBuffer (hex)] (optional)

Optional value which reserves a safe to be accessed within the event codes.

[script { Script (string) }] (optional)

A HyperDbg will be executed each time the event is triggered.

[asm condition { Condition (assembly/hex) }] (optional)

Optional assembly codes which check for in assembly.

[asm code { Code (assembly/hex) }] (optional)

Optional will be executed each time the event is triggered.

[output {OutputName (string)}] (optional)

Optional output resource name for .

Context

Short-circuiting

This event does not support '', as this mechanism won't make sense for the function hooks.

Calling Stages

This event does not support . Due to the nature of function hooking implementing calling stages in this context wouldn't be meaningful.

Debugger

This event supports three debugging mechanisms.

Break
Script
Custom Code

Please read "" if you need a conditional event, a conditional event can be used in all "Break", "Script", and "Custom Code".

Break

Imagine we want to put a hook on fffff800`4ed6f010, this will break into the debugger when the target address hits and gives the control back to you.

HyperDbg> !epthook2 fffff800`4ed6f010

Alternatively, you can use nt!ExAllocatePoolWithTag too.

HyperDbg> !epthook2 nt!ExAllocatePoolWithTag

You can also use an expression like nt!ExAllocatePoolWithTag+@rcx+5 too.

HyperDbg> !epthook2 nt!ExAllocatePoolWithTag+@rcx+5

Script

Important: This command operates in vmx non-root mode; however, HyperDbg's script engine is designed to work on vmx root-mode. We prefer to use the script engine in !epthook2 and won't cause vm-exit to keep this command as fast as possible, thus, you have some limitations on using script engine as is described on "".

Using the following command, you can use HyperDbg's Script Engine. You should replace the string between braces (HyperDbg Script Here) with your script. You can find script examples .

HyperDbg> !epthook2 fffff800`4ed6f010 script { HyperDbg Script Here }

The above command when messages don't need to be delivered immediately.

HyperDbg> !epthook2 fffff800`4ed6f010 script { HyperDbg Script Here } imm no

Script (From File)

HyperDbg> !epthook2 fffff800`4ed6f010 script {file:c:\users\sina\desktop\script.txt}

You can use to forward the event monitoring results from this event and other events to an external source, e.g., File, NamedPipe, or TCP Socket. This way, you can use HyperDbg as a monitoring tool and gather your target system's behavior and use it later or analyze it on other systems.

Custom Code

Please read "" to get an idea about how to run a custom buffer code in HyperDbg.

Your custom code will be executed in vmx-root mode. Take a look at for more information. Running code in vmx-root is considered "".

Run Custom Code (Unconditional)

Putting a hook on fffff801deadbeef and run 3 nops whenever the hook is triggered. Take a look at for more information.

HyperDbg> !epthook2 fffff801deadbeef code {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the code.

HyperDbg> !epthook2 fffff801deadbeef asm code {nop; nop; nop}

Run Custom Code (Conditional)

Putting a hook on fffff801deadbeef and run 3 nops whenever the hook is triggered and also 3 nops condition. Take a look at and for more information.

HyperDbg> !epthook2 fffff801deadbeef code {90 90 90} condition {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the condition and also before the code.

HyperDbg> !epthook2 fffff801deadbeef asm code {nop; nop; nop} asm condition {nop; nop; nop}

Keep in mind that a conditional event can be used in Breaking to Debugger and Running Script too.

IOCTL

This command uses the same method to .

Use HIDDEN_HOOK_EXEC_DETOURS as EventType, and send the address of where you want to hook in OptionalParam1in DEBUGGER_GENERAL_EVENT_DETAIL.

Design

Take a look at "" to see how does it work.

Remarks

This command is much faster than !epthook, but it has the following limitations:

It can be used only in kernel addresses, which means that you cannot use it for user-mode addresses.
You can only use one hook in a page of memory. For example, if you put a hook on fffff80126551006 then you cannot put another hook in the range of fffff80126551000 to fffff80126551fff because it's within the same page (0x1000 or 4096 bytes).
It has the limitation of classic detours hooks. We patch 19 bytes for our detours hook, so when you put a hook anywhere in your assembly, you have to make sure that there is no relative jump or relative call within 19 bytes after the hook address. Most of the time, the start address of the function is detours-compatible (doesn't start with relative jumps or relative calls), especially in x64 fast call functions; thus, the start address of a function is a good point to put these hidden hooks.

This command cannot be used simultaneously with the '' command.

This command creates an . Starting from HyperDbg v0.7, events are guaranteed to keep the debuggee in a halt state (in the ); thus, nothing will change during its execution and the context (registers and memory) remain untouched. You can visit for more information.

Requirements

Post-Nehalem Processor (EPT)

Processor with Execute-only Pages Support

Previous!epthook (hidden hook with EPT - stealth breakpoints)Next!monitor (monitor read/write/execute to a range of memory)

Last updated 9 months ago

Command

Syntax

Description

Parameters

Context

Short-circuiting

Calling Stages

Debugger

Break

Script

Custom Code

IOCTL

Design

Remarks

Requirements

Related

Command

Syntax

Description

Parameters

Context

Short-circuiting

Calling Stages

Debugger

Break

Script

Custom Code

IOCTL

Design

Remarks

Requirements

Related