.process (show the current process and switch to another process)

Command
.process
Syntax
.process [type (pid)] [process id (hex value)]
Description
Shows or changes the current process. This command can only be used in Debugger Mode. Please take a look at the Remarks for more information.
If you want to change the process to a new process, after using the '.process' command, you should use the 'g' command.
Parameters
[type (pid)] (optional)
Currently, the only available option is pid, which shows that you want to specify a process id at the second parameter.
[process id (hex value)] (optional)
The process id of the process to switch on its memory layout.
If you don't specify any parameters to the '.process' command, it shows the current process.
Examples
The following command shows the current process.
1
0: kHyperDbg> .process
2
current process id : 1ddc
Copied!
The following commands change the current process to 0x1ddc.
1
0: kHyperDbg> .process pid 1ddc
2
press 'g' to continue the debuggee, if the pid is valid then the debuggee will be automatically paused when it attached to the target process
3
​
4
0: kHyperDbg> g
5
Debuggee is running...
6
fffff801`68d91262    0F 01 C1                            vmcall
Copied!
IOCTL
This commands works over serial by sending the serial packets to the remote computer.
First of all, you should fill the following structure, set the ProcessId to your target process (if you want to change the current process) and set GetRemotePid to false, and leave the Result.
If you want to get the current process id, then set the GetRemotePid to true and leave the ProcessId.
1
typedef struct _DEBUGGEE_CHANGE_PROCESS_PACKET {
2
​
3
  BOOLEAN GetRemotePid;
4
  UINT32 ProcessId;
5
  UINT32 Result;
6
​
7
} DEBUGGEE_CHANGE_PROCESS_PACKET, *PDEBUGGEE_CHANGE_PROCESS_PACKET;
Copied!
After that, send the above structure to the debuggee when debuggee is paused and waiting for new command on vmx-root mode.
You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_PROCESS as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.
In return, the debuggee sends the above structure with the following type.
1
DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_PROCESS
Copied!
In the returned structure, the Result is filled by the kernel.
If the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the operation was successful, and you should use the 'g' command to move to the new process. Otherwise, the returned result is an error, and the current process is not changed. If you want the current process, then if the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the current process id is stored at ProcessId.
The following function is responsible for changing the core in the debugger.
1
BOOLEAN KdSendSwitchProcessPacketToDebuggee(BOOLEAN GetRemotePid, UINT32 NewPid);
Copied!
Remarks
By default, HyperDbg is spinning on vmx-root, and the default process is the system process pid = 4. Thus, the cr3 is the system process's cr3. When you change the process using the '.process' command, HyperDbg is spinning on vmx-root with the target process's kernel cr3 (not the system's cr3).
This command won't switch to the new process. It changes the cr3 (memory layout).
The current implementation of the '.process' command for changing the process (not getting the current process) is unsafe and might cause the system to halt in rare cases.
Requirements
None
Related
None

.status (show the debugger status)

.formats (show number formats)

Last modified 1d ago

Copy link

Contents