.start (start a new process)

Description of the '.start' command in HyperDbg.

Command

.start

Syntax

.start [path Path (string)] [Parameters (string)]

Description

Starts a program with the specific parameters and breaks when the PE file reaches the entrypoint.

The user-mode debugger is still in the beta version and not stable. We decided to exclude it from this release and release it in future versions. If you want to test the user-mode debugger in VMI Mode, you should build HyperDbg with special instructions. Please follow the instruction here.

In contrast with the kernel debugger, the user debugger is still very basic and needs a lot of tests and improvements. We highly recommend not to run the user debugger in your bare metal system. Instead, run it on a supported virtual machine so you won't end up with a Blue Screen of Death (BSOD) in your primary device. Please keep reporting the issues to improve the user debugger.

This command won't use any Windows API for intercepting and pausing threads, and everything is done at the hypervisor level.

Parameters

[path Path (string)]

The target file path

[Parameters (string)] (optional)

The parameter(s) to the file

Examples

Imagine we want to start a program without parameters.

0: kHyperDbg> .start path C:\file\my_file.exe

If your file path contains a space character, you should write the path between two quotes; otherwise, it will be interpreted as parameters.

0: kHyperDbg> .start path "C:\my files\my file.exe"

If you want to pass parameters to your target file. Imagine we want to pass -m 1 -o out.txt parameters to our exe file.

0: kHyperDbg> .start path "C:\my files\my file.exe" -m 1 -o out.txt

SDK

To start a process in the target debuggee, you need to use the following function in libhyperdbg:

BOOLEAN
hyperdbg_u_start_process(const WCHAR * path);

To start a process in the target debuggee with custom arguments, you need to use the following function in libhyperdbg:

BOOLEAN
hyperdbg_u_start_process_with_args(const WCHAR * path, const WCHAR * arguments);

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.