.start (start a new process)

Description of the '.start' command in HyperDbg.

Command

.start

Syntax

.start [path Path (string)] [Parameters (string)]

Description

Starts a program with the specific parameters and breaks when the PE file reaches the entrypoint.

The user-mode debugger is still in the beta version and not stable. We decided to exclude it from this release and release it in future versions. If you want to test the user-mode debugger in VMI Mode, you should build HyperDbg with special instructions. Please follow the instruction here.

In contrast with the kernel debugger, the user debugger is still very basic and needs a lot of tests and improvements. We highly recommend not to run the user debugger in your bare metal system. Instead, run it on a supported virtual machine to won't end up with a Blue Screen of Death (BSOD) in your primary device. Please keep reporting the issues to improve the user debugger.

This command won't use any Windows API for intercepting and pausing threads, and everything is done at the hypervisor level.

Parameters

[path Path (string)]

The target file path

[Parameters (string)] (optional)

The parameter(s) to the file

Examples

Imagine we want to start a program without parameters.

0: kHyperDbg> .start path C:\file\my_file.exe

If your file path contains a space character, you should write the path between two quotes; otherwise, it will be interpreted as parameters.

0: kHyperDbg> .start path "C:\my files\my file.exe"

If you want to pass parameters to your target file. Imagine we want to pass -m 1 -o out.txt parameters to our exe file.

0: kHyperDbg> .start path "C:\my files\my file.exe" -m 1 -o out.txt

IOCTL

This function works by calling DeviceIoControl with IOCTL = IOCTL_DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS. You have to send it in the following structure.

typedef struct _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS
{
    BOOLEAN                                              IsStartingNewProcess;
    UINT32                                               ProcessId;
    UINT32                                               ThreadId;
    BOOLEAN                                              Is32Bit;
    BOOLEAN                                              IsPaused; // used in switching to threads
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE Action;
    UINT32                                               CountOfActiveDebuggingThreadsAndProcesses; // used in showing the list of active threads/processes
    UINT64                                               Token;
    UINT64                                               Result;

} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS, *PDEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS;

First, you should create a process in the suspended state, then you should fill the ProcessId and ThreadId, set the IsStartingNewProcess to TRUE and Action to DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH in the above structure, when the IOCTL returns from the kernel, other parts are filled with appropriate data from the process.

After getting the results from the kernel and if the Result is equal to DEBUGGER_OPERATION_WAS_SUCCESSFULL you should pass this IOCTL to the kernel again, but this time, change the Action to DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS.

The Action can be from the following enum:

typedef enum _DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE
{
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_ATTACH,
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_DETACH,
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_REMOVE_HOOKS,
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_KILL_PROCESS,
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_PAUSE_PROCESS,
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_SWITCH_BY_PROCESS_OR_THREAD,
    DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_QUERY_COUNT_OF_ACTIVE_DEBUGGING_THREADS,

} DEBUGGER_ATTACH_DETACH_USER_MODE_PROCESS_ACTION_TYPE;

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.