DownloadResearchTutorialhwdbg

!vmcall (hook hypercalls)

Description of the '!vmcall' command in HyperDbg.

Command

!vmcall

Syntax

!vmcall [pid ProcessId (hex)] [core CoreId (hex)] [imm IsImmediate (yesno)] [sc EnableShortCircuiting (onoff)] [stage CallingStage (prepostall)] [buffer PreAllocatedBuffer (hex)] [script { Script (string) }] [asm condition { Condition (assembly/hex) }] [asm code { Code (assembly/hex) }] [output {OutputName (string)}]

Description

Triggers when the debugging machine executes VMCALL instruction.

By using this command, you also receive HyperDbg's hypercalls. You shouldn't modify them.

Parameters

[pid ProcessId (hex)] (optional)

Optional value to trigger the event in just a specific process. Add pid xx to your command; thus, the command will be executed if the process id is equal to xx. If you don't specify this option, then by default, you receive events on all processes.

Still, in the case of user-mode debugging, HyperDbg will apply it only to the current active debugging process (not all the processes). In that case, you can specify pid all to intercept events from the entire system.

[core CoreId (hex)] (optional)

Optional value to trigger the event in just a specific core. Add core xx to your command thus command will be executed if core id is equal to xx. If you don't specify this option, then by default, you receive events on all cores.

[imm IsImmediate (yesno)] (optional)

Optional value in which yes means the results (printed texts in scripts) should be delivered immediately to the debugger. no means that the results can be accumulated and delivered as a couple of messages when the buffer is full; thus, it's substantially faster, but it's not real-time. By default, this value is set to yes.

[sc EnableShortCircuiting (onoff)] (optional)

Optional value to ignore the emulation (skip execution) of the event. Add sc on to your command thus whenever the event is triggered, the effects and the execution of the actual event will be ignored. For more information, please read this article. If you don't specify this option, then by default, all the events will be emulated (executed). By default, this value is set to off.

[stage CallingStage (prepostall)] (optional)

Optional value to configure the calling stage of the event. To trigger the event before the emulation, include stage pre in your command. Conversely, using stage post will cause the event to be triggered after the emulation. Additionally, using stage all will trigger the event both before and after the emulation. For more information, please read this article. By default, this value is set to pre.

[buffer PreAllocatedBuffer (hex)] (optional)

Optional value which reserves a safe pre-allocated buffer to be accessed within the event codes.

[script { Script (string) }] (optional)

A HyperDbg script will be executed each time the event is triggered.

[asm condition { Condition (assembly/hex) }] (optional)

Optional assembly codes which check for conditions in assembly.

[asm code { Code (assembly/hex) }] (optional)

Optional assembly codes will be executed each time the event is triggered.

[output {OutputName (string)}] (optional)

Optional output resource name for forwarding events.

Context

As the Context ($context pseudo-register in the event's script, r8 in custom code, and rdx in condition code register) to the event trigger, HyperDbg sends NULL.

Short-circuiting

This event supports 'event short-circuiting', which means that you can configure HyperDbg to ignore its execution and its effects. For additional details, please refer to the article provided here.

Calling Stages

This event supports different calling stages. The 'pre' calling stage is triggered prior to running the VMCALL instruction, whereas the 'post' calling stage is triggered subsequent to running the VMCALL instruction; thus, you can read/modify the memory or registers or ignore the event in the 'pre' stage, and view/modify the results in the 'post' stage. In addition, the 'all' calling stage will trigger the event in both cases. For more information, please refer to the article provided here.

Debugger

This event supports three debugging mechanisms.

  • Break

  • Script

  • Custom Code

Please read "How to create a condition?" if you need a conditional event, a conditional event can be used in all "Break", "Script", and "Custom Code".

Break

We want to break and get control over all hypercalls (VMCALLs) execution in our system.

HyperDbg> !vmcall

Imagine we want to break on all VMCALL executions of a process id 0x490 in core 2.

HyperDbg> !vmcall pid 490 core 2

Script

Using the following command, you can use HyperDbg's Script Engine. You should replace the string between braces (HyperDbg Script Here) with your script. You can find script examples here.

HyperDbg> !vmcall script { HyperDbg Script Here }

The above command when messages don't need to be delivered immediately.

HyperDbg> !vmcall script { HyperDbg Script Here } imm no

Script (From File)

If you saved your script into a file then you can add file: instead of a script and append the file path to it. For example, the following examples show how you can run a script from file:c:\users\sina\desktop\script.txt.

HyperDbg> !vmcall script {file:c:\users\sina\desktop\script.txt}

You can use event forwarding to forward the event monitoring results from this event and other events to an external source, e.g., File, NamedPipe, or TCP Socket. This way, you can use HyperDbg as a monitoring tool and gather your target system's behavior and use it later or analyze it on other systems.

Custom Code

Please read "How to create an action?" to get an idea about how to run the custom buffer code in HyperDbg.

Your custom code will be executed in vmx-root mode. Take a look at this topic for more information. Running code in vmx-root is considered "unsafe".

Run Custom Code (Unconditional)

Monitoring process id 0x490 for VMCALL instruction execution and run 3 nops whenever the event is triggered. Take a look at Run Custom Code for more information.

HyperDbg> !vmcall pid 490 code {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the code.

HyperDbg> !vmcall pid 490 asm code {nop; nop; nop}

Run Custom Code (Conditional)

Monitoring process id 0x490 for VMCALL instruction execution and run 3 nops whenever the event condition is triggered and runs 3 nops whenever the event is triggered. Take a look at Run Custom Code and how to create a condition for more information.

HyperDbg> !vmcall pid 490 code {90 90 90} condition {90 90 90}

Or if you want to use assembly codes directly, you can add an asm before the condition and also before the code.

HyperDbg> !vmcall pid 490 asm code {nop; nop; nop} asm condition {nop; nop; nop}

Keep in mind that a conditional event can be used in Breaking to Debugger and Running Script too.

IOCTL

This command uses the same method to send IOCTL for regular events.

As EventType use VMCALL_INSTRUCTION_EXECUTION in DEBUGGER_GENERAL_EVENT_DETAIL.

Design

This command uses VMCALL (EXIT_REASON_VMCALL - 18) vm-exit to implement hypercall hooks.

Remarks

This command creates an event. Starting from HyperDbg v0.7, events are guaranteed to keep the debuggee in a halt state (in the Debugger Mode); thus, nothing will change during its execution and the context (registers and memory) remain untouched. You can visit instant events for more information.

Requirements

None

Related

None

Previous!pmc (hook RDPMC instruction execution)Next!exception (hook first 32 entries of IDT)

Last updated