Comment on page
.start (start a new process)
Description of the '.start' command in HyperDbg.
.start
.start [path Path (string)] [Parameters (string)]
Starts a program with the specific parameters and breaks when the PE file reaches the entrypoint.
The user-mode debugger is still in the beta version and not stable. We decided to exclude it from this release and release it in future versions. If you want to test the user-mode debugger in VMI Mode, you should build HyperDbg with special instructions. Please follow the instruction here.
In contrast with the kernel debugger, the user debugger is still very basic and needs a lot of tests and improvements. We highly recommend not to run the user debugger in your bare metal system. Instead, run it on a supported virtual machine to won't end up with a Blue Screen of Death (BSOD) in your primary device. Please keep reporting the issues to improve the user debugger.
This command won't use any Windows API for intercepting and pausing threads, and everything is done at the hypervisor level.
[path Path (string)]
The target file path
[Parameters (string)] (optional)
The parameter(s) to the file
Imagine we want to start a program without parameters.
0: kHyperDbg> .start path C:\file\my_file.exe
If your file path contains a space character, you should write the path between two quotes; otherwise, it will be interpreted as parameters.
0: kHyperDbg> .start path "C:\my files\my file.exe"
If you want to pass parameters to your target file. Imagine we want to pass
-m 1 -o out.txt parameters to our exe file.0: kHyperDbg> .start path "C:\my files\my file.exe" -m 1 -o out.txt
This function works by calling DeviceIoControl with
IOCTL = IOCTL_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS. You have to send it in the following structure.typedef struct _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS
{
BOOLEAN IsStartingNewProcess;
UINT32 ProcessId;
UINT32 ThreadId;
BOOLEAN Is32Bit;
BOOLEAN IsPaused; // used in switching to threads
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE Action;
UINT32 CountOfActiveDebuggingThreadsAndProcesses; // used in showing the list of active threads/processes
UINT64 Token;
UINT64 Result;
} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS, *PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS;
First, you should create a process in the suspended state, then you should fill the ProcessId and ThreadId, set the IsStartingNewProcess to
TRUE and Action to DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH in the above structure, when the IOCTL returns from the kernel, other parts are filled with appropriate data from the process.After getting the results from the kernel and if the Result is equal to
DEBUGGER_OPERATION_WAS_SUCCESSFULL you should pass this IOCTL to the kernel again, but this time, change the Action to DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS.The Action can be from the following enum:
typedef enum _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE
{
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH,
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_DETACH,
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS,
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_KILL_PROCESS,
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_PAUSE_PROCESS,
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_SWITCH_BY_PROCESS_OR_THREAD,
DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_QUERY_COUNT_OF_ACTIVE_DEBUGGING_THREADS,
} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE;
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
None
Last modified 4mo ago