Description of '.process, .process2' commands in HyperDbg.
Last updated
.process
.process2
.process
.process [list]
.process [pid ProcessId (hex)]
.process [process Eprocess (hex)]
.process2 [pid ProcessId (hex)]
.process2 [process Eprocess (hex)]
Shows or changes the current process. These commands are logically designed to be used in . You can use the '' and the '' commands in . However, you can use it to view the list of the processes in both and .
Important: the implementation of these commands is different. Please visit to be aware of the differences and to know when you should use the '.process' command and when you should use the alternative '.process2' command.
If you want to change the process to a new process, after using the '.process' or the '.process2' commands, you should use the '' command.
[list]
[pid ProcessId (hex)]
The process Id to switch on its memory layout.
[process Eprocess (hex)]
The _EPROCESS of the process to switch on its memory layout.
If you don't specify any parameters to the '.process' or the '.process2' commands, it shows current process.
The following command shows the current process.
The following command shows the list of active processes.
The following commands change the current process to 0x1ddc.
The following commands change the current process to a process with _EPROCESS equals to ffff948cc2349280.
This commands works over serial by sending the serial packets to the remote computer.
First of all, you should fill the following structure, set the ProcessId or Process to your target process (if you want to change the current process), set the ActionType to DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_PERFORM_SWITCH and leave the Result.
This is the enum for action type.
If you want to get the current process id and _EPROCESS, then set the ActionType to DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_DETAILS and leave the ProcessId and Process.
If you want to see the list of processes, you should set the ActionType to DEBUGGEE_DETAILS_AND_SWITCH_PROCESS_GET_PROCESS_LISTand also fill the below structure with offsets derived from the PDB file in addition to the address of nt!PsActiveProcessHead.
When you set IsSwitchByClkIntr to TRUE, the semantics for the '.process' is used and if you set it to FALSE then the '.process2''s semantic is used for the process switch request.
After that, send the above structure to the debuggee when debuggee is paused and waiting for new command on vmx-root mode.
You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_PROCESS as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.
In return, the debuggee sends the above structure with the following type.
In the returned structure, the Result is filled by the kernel.
The following function is responsible for changing the core in the debugger.
If you've entered an invalid address as _EPROCESS or an invalid process id, HyperDbg keeps checking for the target address or PID, and whenever the debugger is paused again, it won't check for the process anymore.
If you use the '.process2' command, HyperDbg guarantees that the target process won't get the chance to be executed while the switch is performed. However, make sure that your target process is not currently processing on any cores in the processor.
None
It shows the list of processes (see ).
If the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, the operation was successful, and you should use the '' command to move to the new process. Otherwise, the returned result is an error, and the current process is not changed. If you want the current process, then if the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the current process id is stored at ProcessIdand the process object address is stored at Process.
If you want to see a list of processes, you need to load the public symbol file (PDB) for the ntoskrnl.exe using the '' command.
The difference between these commands (.process and .process2) is explained .
It also means that if you press the '' command and an event or a breakpoint is triggered before switching to the new process, switching will be ignored, and you need to re-switch to the target process and use the '.process' or '.process2' commands again.
Some processes might never trigger even if their process id or EPROCESS is valid. It is because in these cases, Windows halts or suspends those processes and never switches to them. In these cases, you can switch to the memory layout of the target process by changing cr3 to your target cr3. For more details, please visit .
