HyperDbg Documentation
CommunityDownloadResearchTutorialhwdbg
  • HyperDbg
  • Getting Started
    • Quick Start
    • FAQ
    • Build & Install
    • Attach to HyperDbg
      • Attach to a remote machine
      • Attach to local machine
      • Start a new process
      • Attach to a running process
  • Using HyperDbg
    • Prerequisites
      • Operation Modes
      • How to create a condition?
      • How to create an action?
      • Signatures
    • User-mode Debugging
      • Principles
      • Examples
        • basics
        • events
          • Getting Results of a System-call
    • Kernel-mode Debugging
      • Principles
      • Examples
        • beginning
          • Connecting To HyperDbg
          • Configuring Symbol Server/Path
        • basics
          • Setting Breakpoints & Stepping Instructions
          • Displaying & Editing & Searching Memory
          • Showing & Modifying Registers and Flags
          • Switching to a Specific Process or Thread
          • Mapping Data & Create Structures, and Enums From Symbols
        • events
          • Managing Events
          • Hooking Any Function
          • Intercepting All SYSCALLs
          • Monitoring Accesses To Structures
          • Triggering Special Instructions
          • Identifying System Behavior
        • Scripting Language Examples
    • Software Development Kit (SDK)
      • Events
        • Conditions
        • Actions
      • IOCTL
        • Event Registration
  • Commands
    • Debugging Commands
      • ? (evaluate and execute expressions and scripts in debuggee)
      • ~ (display and change the current operating core)
      • a (assemble virtual address)
      • load (load the kernel modules)
      • unload (unload the kernel modules)
      • status (show the debuggee status)
      • events (show and modify active/disabled events)
      • p (step-over)
      • t (step-in)
      • i (instrumentation step-in)
      • gu (step-out or go up)
      • r (read or modify registers)
      • bp (set breakpoint)
      • bl (list breakpoints)
      • be (enable breakpoints)
      • bd (disable breakpoints)
      • bc (clear and remove breakpoints)
      • g (continue debuggee or processing kernel packets)
      • x (examine symbols and find functions and variables address)
      • db, dc, dd, dq (read virtual memory)
      • eb, ed, eq (edit virtual memory)
      • sb, sd, sq (search virtual memory)
      • u, u64, u2, u32 (disassemble virtual address)
      • k, kd, kq (display stack backtrace)
      • dt (display and map virtual memory to structures)
      • struct (make structures, enums, data types from symbols)
      • sleep (wait for specific time in the .script command)
      • pause (break to the debugger and pause processing kernel packets)
      • print (evaluate and print expression in debuggee)
      • lm (view loaded modules)
      • cpu (check cpu supported technologies)
      • rdmsr (read model-specific register)
      • wrmsr (write model-specific register)
      • flush (remove pending kernel buffers and messages)
      • prealloc (reserve pre-allocated pools)
      • preactivate (pre-activate special functionalities)
      • output (create output source for event forwarding)
      • test (test functionalities)
      • settings (configures different options and preferences)
      • exit (exit from the debugger)
    • Meta Commands
      • .help (show the help of commands)
      • .debug (prepare and connect to debugger)
      • .connect (connect to a session)
      • .disconnect (disconnect from a session)
      • .listen (listen on a port and wait for the debugger to connect)
      • .status (show the debugger status)
      • .start (start a new process)
      • .restart (restart the process)
      • .attach (attach to a process)
      • .detach (detach from the process)
      • .switch (show the list and switch between active debugging processes)
      • .kill (terminate the process)
      • .process, .process2 (show the current process and switch to another process)
      • .thread, .thread2 (show the current thread and switch to another thread)
      • .pagein (bring the page into the RAM)
      • .dump (save the virtual memory into a file)
      • .formats (show number formats)
      • .script (run batch script commands)
      • .sympath (set the symbol server)
      • .sym (load pdb symbols)
      • .pe (parse PE file)
      • .logopen (open log file)
      • .logclose (close log file)
      • .cls (clear the screen)
    • Extension Commands
      • !a (assemble physical address)
      • !pte (display page-level address and entries)
      • !db, !dc, !dd, !dq (read physical memory)
      • !eb, !ed, !eq (edit physical memory)
      • !sb, !sd, !sq (search physical memory)
      • !u, !u64, !u2, !u32 (disassemble physical address)
      • !dt (display and map physical memory to structures)
      • !track (track and map function calls and returns to the symbols)
      • !epthook (hidden hook with EPT - stealth breakpoints)
      • !epthook2 (hidden hook with EPT - detours)
      • !monitor (monitor read/write/execute to a range of memory)
      • !syscall, !syscall2 (hook system-calls)
      • !sysret, !sysret2 (hook SYSRET instruction execution)
      • !mode (detect kernel-to-user and user-to-kernel transitions)
      • !cpuid (hook CPUID instruction execution)
      • !msrread (hook RDMSR instruction execution)
      • !msrwrite (hook WRMSR instruction execution)
      • !tsc (hook RDTSC/RDTSCP instruction execution)
      • !pmc (hook RDPMC instruction execution)
      • !vmcall (hook hypercalls)
      • !exception (hook first 32 entries of IDT)
      • !interrupt (hook external device interrupts)
      • !dr (hook access to debug registers)
      • !ioin (hook IN instruction execution)
      • !ioout (hook OUT instruction execution)
      • !hide (enable transparent-mode)
      • !unhide (disable transparent-mode)
      • !measure (measuring and providing details for transparent-mode)
      • !va2pa (convert a virtual address to physical address)
      • !pa2va (convert physical address to virtual address)
      • !dump (save the physical memory into a file)
      • !pcitree (show PCI/PCIe device tree)
      • !pcicam (dump the PCI/PCIe configuration space)
      • !idt (show Interrupt Descriptor Table entries)
      • !apic (dump local APIC entries in XAPIC and X2APIC modes)
      • !ioapic (dump I/O APIC)
    • Scripting Language
      • Assumptions & Evaluations
      • Variables & Assignments
      • Casting & Type-awareness
      • Conditionals & Loops
      • Constants & Functions
      • Debugger Script (DS)
      • Examples
        • view system state (registers, memory, variables)
        • change system state (registers, memory, variables)
        • trace function calls
        • pause the debugger conditionally
        • conditional breakpoints and events
        • patch the normal sequence of execution
        • access to a shared variable from different cores
        • count occurrences of events
      • Functions
        • debugger
          • pause
        • events
          • event_enable
          • event_disable
          • event_clear
          • event_sc
          • event_inject
          • event_inject_error_code
          • flush
        • exports
          • print
          • printf
        • interlocked
          • interlocked_compare_exchange
          • interlocked_decrement
          • interlocked_exchange
          • interlocked_exchange_add
          • interlocked_increment
        • memory
          • check_address
          • eb, ed, eq
          • eb_pa, ed_pa, eq_pa
          • memcpy
          • memcpy_pa
          • memcmp
          • virtual_to_physical
          • physical_to_virtual
        • diassembler
          • disassemble_len
          • disassemble_len32
        • spinlocks
          • spinlock_lock
          • spinlock_lock_custom_wait
          • spinlock_unlock
        • strings
          • strlen
          • wcslen
          • strcmp
          • strncmp
          • wcscmp
          • wcsncmp
    • Commands Map
  • Tips & Tricks
    • Considerations
      • Basic concepts in Intel VT-x
      • VMX root-mode vs VMX non-root mode
      • The "unsafe" behavior
      • Script engine in VMX non-root mode
      • Difference between process and thread switching commands
      • Accessing Invalid Address
      • Transparent Mode
    • Nested-Virtualization Environments
      • Supported Virtual Machines
      • Run HyperDbg on VMware
      • Run HyperDbg on Hyper-V
      • Supporting VMware/Hyper-V
      • VMware backdoor I/O ports
    • Misc
      • Event forwarding
      • Event short-circuiting
      • Event calling stage
      • Instant events
      • Message overflow
      • Customize build
        • Increase Communication Buffer Size
        • Number of EPT Hooks in One Page
        • Change Script Engine Limitations
      • Enable and disable events in Debugger Mode
      • Switch to New Process Layout
  • Contribution
    • Style Guide
      • Coding style
      • Command style
      • Doxygen style
    • Logo & Artworks
  • Design
    • Features
      • VMM (Module)
        • Control over NMIs
        • VMX root-mode compatible message tracing
        • Design of !epthook
        • Design of !epthook2
        • Design of !monitor
        • Design of !syscall & !sysret
        • Design of !exception & !interrupt
    • Debugger Internals
      • Events
      • Conditions
      • Actions
      • Kernel Debugger
        • Design Perspective
        • Connection
  • Links
    • Twitter
    • Telegram
    • Discord
    • Matrix
    • Mastodon
    • YouTube
    • hwdbg (Chip Debugger)
    • Doxygen
    • Contribution
Powered by GitBook
On this page
  • Command
  • Syntax
  • Description
  • Parameters
  • Context
  • Short-circuiting
  • Calling Stages
  • Debugger
  • Custom Code
  • IOCTL
  • Design
  • Remarks
  • Requirements
  • Related
Edit on GitHub
  1. Commands
  2. Extension Commands

!monitor (monitor read/write/execute to a range of memory)

Description of the '!monitor' command in HyperDbg.

Previous!epthook2 (hidden hook with EPT - detours)Next!syscall, !syscall2 (hook system-calls)

Last updated 6 months ago

Command

!monitor

Syntax

!monitor [Attribute (string)] [FromAddress (hex)] [ToAddress (hex)] [MemoryType (vapa)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]

!monitor [MemoryType (vapa)] [Attribute (string)] [FromAddress (hex)] [l Length (hex)] [MemoryType (vapa)] [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]

Description

Monitors read or write or execute (or a combination of these operations) to a range of addresses. If any read or write or execute happens on the specified address range (memory), it will be triggered.

It is exactly like read/write/execute of Hardware Debug Registers but without any size and count limitation.

Please note that if you encounter an invalid address error when applying monitor hooks to a valid range, it is likely due to the page being paged-out or inaccessible in memory, often as a result of . This situation occurs because EPT hooks primarily work based on physical addresses, not virtual addresses. To resolve this issue, you can use the '' command. about tricks to make addresses available.

Parameters

[Attribute (string)]

Can be one of these values (or a combination of these attributes like 'rw', 'rx', 'wx', 'rwx', etc.):

r: trigger in the case of reading.

w: trigger in the case of writing.

x: trigger in the case of executing.

[FromAddress (hex)]

The start virtual/physical address of where it needs to be monitored for reading or writing or executing (or a custom combination of these attributes). You have the option to utilize this parameter for either requesting the last address of the range or specifying the length (next parameter).

[l Length (hex)]

The start virtual/physical address of where it needs to be monitored for reading or writing or executing (or a custom combination of these attributes). You have the option to utilize this parameter for either requesting the length of monitoring memory or specifying the last address (previous parameter).

[ToAddress (hex)]

The end of the virtual/physical address of where it needs to be monitored for reading or writing or executing (or a custom combination of these attributes).

[MemoryType (vapa)] (optional)

Can be one of these values depending on whether the FromAddress and ToAddress are virtual addresses or physical addresses.

va: the address is a virtual address

pa: the address is a physical address

If you do not specify this event, it assumes that the address is a virtual address.

[pid ProcessId (hex)] (optional)

Optional value to trigger the event in just a specific process. Add pid xx to your command; thus, the command will be executed if the process id is equal to xx. If you don't specify this option, then by default, you receive events on all processes.

Still, in the case of user-mode debugging, HyperDbg will apply it only to the current active debugging process (not all the processes). In that case, you can specify pid all to intercept events from the entire system.

[core CoreId (hex)] (optional)

Optional value to trigger the event in just a specific core. Add core xx to your command thus command will be executed if core id is equal to xx. If you don't specify this option, then by default, you receive events on all cores.

[imm IsImmediate (yesno)] (optional)

Optional value in which yes means the results (printed texts in scripts) should be delivered immediately to the debugger. no means that the results can be accumulated and delivered as a couple of messages when the buffer is full; thus, it's substantially faster, but it's not real-time. By default, this value is set to yes.

[sc EnableShortCircuiting (onoff)] (optional)

[stage CallingStage (prepostall)] (optional)

[buffer PreAllocatedBuffer (hex)] (optional)

[script { Script (string) }] (optional)

[asm condition { Condition (assembly/hex) }] (optional)

[asm code { Code (assembly/hex) }] (optional)

[output {OutputName (string)}] (optional)

Context

As the Context ($context pseudo-register in the event's script, r8 in custom code, and rdx in condition code register) to the event trigger, HyperDbg sends the virtual address (or physical address depending on the 'MemoryType' parameter) of the memory that has accessed and triggered this event.

It's a virtual address (or physical address depending on the 'MemoryType' parameter) equal to or between [from address] and [to address], so it's not a constant address and might differ in the range you entered.

Short-circuiting

Short-Circuiting Behavior in Read/Write vs. Execution Events

When it comes to short-circuiting events, there are distinct behaviors for reads/writes and executions.

  1. Short-circuiting for Reads/Writes: In this scenario, short-circuiting involves disregarding the execution of commands that read from or write to memory, such as MOV instructions. It is as if these instructions were never executed, and memory modifications are not performed.

  2. Short-circuiting for Execution: Short-circuiting events for execution operate differently. It involves blocking the execution at the target address. For instance, if you wish to prevent execution on a specific page, you can achieve this by short-circuiting the event. Here is an example:

!monitor x 7e0000 7e0999 pid 3a4c script {
  event_sc(1);
  printf("target address execution is blocked: %llx\n", $context);
}

By adding event_sc(1);, HyperDbg is instructed to block execution, preventing any code within the target page from running.

If event_sc(1); is not used, HyperDbg will allow the target to execute normally for just one instruction before triggering again. The event will then be triggered for the next instruction, and so on. In essence, without event_sc(1);, it is like stepping through the instructions one by one, with each instruction in the target address range triggering the event. Conversely, specifying event_sc(1); will effectively block execution, preventing the target code on the target page from running.

Calling Stages

For the Execute calling stage, the 'pre' calling stage is triggered prior to running the instruction that its execution leads to triggering the event, whereas the 'post' calling stage is triggered subsequent to running the target instruction. In addition, the 'all' calling stage will trigger the event in both cases.

Debugger

This event supports three debugging mechanisms.

  • Break

  • Script

  • Custom Code

Break

Imagine we want to put a monitor writes but not reads/executes on address from fffff800`4ed60000 to fffff800`4ed60100 , this will break to the debugger and gives the control back to us.

HyperDbg> !monitor w fffff800`4ed60000 fffff800`4ed60100

If we want reads but not writes/executes the memory with the length of 500 bytes.

HyperDbg> !monitor r fffff800`4ed60000 l 500

If we want reads but not writes/executes.

HyperDbg> !monitor r fffff800`4ed60000 fffff800`4ed60100

If we want both reads and writes but not the executes.

HyperDbg> !monitor rw fffff800`4ed60000 fffff800`4ed60100

Alternatively, we can use nt!Kd_DEFAULT_Mask too.

HyperDbg> !monitor rw nt!Kd_DEFAULT_Mask nt!Kd_DEFAULT_Mask+4

If we want to monitor any execution of instructions from this range, we can use the following command.

HyperDbg> !monitor x fffff800`7bd40000 fffff800`7bd40100

If we want to monitor any execution of instructions from the start address plus 0x7560 bytes, we can use the following command.

HyperDbg> !monitor x fffff800`7bd40000 l 7560

If we want to monitor any reads, writes, or executions of instructions from a PE section in the user-mode, we can use the following command.

HyperDbg> !monitor rwx 00007ff8`349f2000 00007ff8`349f8000

If we want to monitor any reads, or writes, from a physical address, we can use the following command.

HyperDbg> !monitor pa rw fc010000 l 00004000

Script

HyperDbg> !monitor w fffff800`4ed60000 fffff800`4ed60100 script { HyperDbg Script Here }

The above command is used when messages don't need to be delivered immediately.

HyperDbg> !monitor w fffff800`4ed60000 fffff800`4ed60100 script { HyperDbg Script Here } imm no

Script (From File)

If you saved your script into a file, then you can add file: instead of a script and append the file path to it. For example, the following examples show how you can run a script from file:c:\users\sina\desktop\script.txt.

HyperDbg> !monitor w fffff800`4ed60000 fffff800`4ed60100 script {file:c:\users\sina\desktop\script.txt}

Custom Code

Run Custom Code (Unconditional)

HyperDbg> !monitor rw fffff800`4ed60000 fffff800`4ed60100 code {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the code.

HyperDbg> !monitor rw fffff800`4ed60000 fffff800`4ed60100 asm code {nop; nop; nop}

Run Custom Code (Conditional)

HyperDbg> !monitor rx fffff800`4ed60000 fffff800`4ed60100 code {90 90 90} condition {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the condition and also before the code.

HyperDbg> !monitor rx fffff800`4ed60000 fffff800`4ed60100 asm code {nop; nop; nop} asm condition {nop; nop; nop}

Keep in mind that a conditional event can be used in Breaking to Debugger and Running Script too.

IOCTL

As EventType you can use one of the following events:

HIDDEN_HOOK_READ_AND_WRITE_AND_EXECUTE
HIDDEN_HOOK_READ_AND_WRITE
HIDDEN_HOOK_READ_AND_EXECUTE
HIDDEN_HOOK_WRITE_AND_EXECUTE
HIDDEN_HOOK_READ
HIDDEN_HOOK_WRITE
HIDDEN_HOOK_EXECUTE

After that, you can send the start address (from address) of where you want to monitor in OptionalParam1and end address (to address) of where you want to monitor in OptionalParam2address DEBUGGER_GENERAL_EVENT_DETAIL. and OptionalParam3 can be either a virtual address or a physical address depending on the following enum:

typedef enum _DEBUGGER_HOOK_MEMORY_TYPE
{
    DEBUGGER_MEMORY_HOOK_VIRTUAL_ADDRESS,
    DEBUGGER_MEMORY_HOOK_PHYSICAL_ADDRESS
} DEBUGGER_HOOK_MEMORY_TYPE;

Design

Remarks

Starting from v0.4, the support for execution interception or the 'x' attribute string is added to the HyperDbg debugger.

Starting from v0.9 the support for monitor physical memory is added to this command.

You shouldn't use any of !monitor, !epthook, and !epthook2 commands on the same page (4KB) simultaneously. For example, when you put a hidden hook (!epthook2) on 0x10000005, you shouldn't use any of !monitor or !epthook commands on the address starting from 0x10000000 to 0x10000fff.

You can use !epthook (just !epthook not !epthook2 and not !monitor) on two or more addresses on the same page (means that you can use the !epthook multiple times for addresses between a single page or putting multiple hidden breakpoints on a single page). But you can't use !monitor or !epthook2 twice on the same page.

Using the 'pid' parameter does not make sense if you specify a physical address as the 'MemoryType' and it is ignored.

Requirements

Post-Nehalem Processor (EPT)

Related

Optional value to ignore the emulation (skip execution) of the event. Add sc on to your command thus whenever the event is triggered, the effects and the execution of the actual event will be ignored. For more information, please read article. If you don't specify this option, then by default, all the events will be emulated (executed). By default, this value is set to off.

Optional value to configure the of the event. To trigger the event before the emulation, include stage pre in your command. Conversely, using stage post will cause the event to be triggered after the emulation. Additionally, using stage all will trigger the event both before and after the emulation. For more information, please read article. By default, this value is set to pre.

Optional value which reserves a safe to be accessed within the event codes.

A HyperDbg will be executed each time the event is triggered.

Optional assembly codes which check for in assembly.

Optional will be executed each time the event is triggered.

Optional output resource name for .

This event supports '', which means that you can configure HyperDbg to ignore its execution and its effects. For additional details, please refer to the article provided .

This event supports different . For the Read/Write calling stage, the 'pre' calling stage is triggered prior to the memory modification, whereas the 'post' calling stage is triggered subsequent to the memory modification. In addition, the 'all' calling stage will trigger the event in both cases. Using this mechanism you can see the memory before and after the modification (e.g., the MOV instruction modification).

You can the event in the 'pre' stage. For more information, please refer to the article provided .

Please read "" if you need a conditional event, a conditional event can be used in all "Break", "Script", and "Custom Code".

Using the following command, you can use HyperDbg's Script Engine. You should replace the string between braces (HyperDbg Script Here) with your script. You can find script examples .

You can use to forward the event monitoring results from this event and other events to an external source, e.g., File, NamedPipe, or TCP Socket. This way, you can use HyperDbg as a monitoring tool and gather your target system's behavior and use it later or analyze it on other systems.

Please read "" to get an idea about how to run a custom buffer code in HyperDbg.

Your custom code will be executed in vmx-root mode. Take a look at for more information. Running code in the VMX-root is considered "".

Monitoring reads and writes on an address range starting from fffff800`4ed60000 to fffff800`4ed60100 and run 3 nops whenever the event is triggered. Take a look at for more information.

Monitoring reads and executions on an address range starting from fffff800`4ed60000 to fffff800`4ed60100 and run 3 nops whenever the event condition is triggered and run 3 nops whenever the event is triggered. Take a look at and for more information.

This command uses the same method to .

Take a look at "" to see how it works.

If you need to reserve more pre-allocated pools for this command, you can use the '' command.

This command cannot be used simultaneously with the '' command.

If you want to monitor a large amount of memory, you have to consider tricks for . Please note that technically, you could use an unlimited amount of memory, but usually, in large memory ranges, there are page entries that are not available (paged out or never brought into memory by the OS). In those cases, you need to bring them into memory (force the OS to page them in) using the '' command. However, please consider that this command will inject a #PF (page fault) into the OS, and if the address is already valid, it disrupts OS semantics. The operating system does not expect to receive a page fault for a page that is already available, which might cause a triple fault and consequently a system restart or crash.

This command creates an . Starting from HyperDbg v0.7, events are guaranteed to keep the debuggee in a halt state (in the ); thus, nothing will change during its execution and the context (registers and memory) remain untouched. You can visit for more information.

demand paging
.pagein
Read more
this
calling stage
this
pre-allocated buffer
script
conditions
assembly codes
forwarding events
event short-circuiting
here
calling stages
ignore
here
How to create a condition?
here
event forwarding
How to create an action?
this topic
unsafe
Run Custom Code
Run Custom Code
how to create a condition
send IOCTL for regular events
Design of !monitor
prealloc
!mode
accessing invalid addresses
.pagein
event
Debugger Mode
instant events
prealloc (reserve pre-allocated pools)