view system state (registers, memory, variables)
An example of valid expressions to read the state of the system

Examples

1
? printf("Result : %s", @rcx));
2
? printf("Process name: %s", $pname);
3
? print(dq(@rcx));
4
? print($proc+@rdx);
5
? print(poi(@rax+a0));
6
? printf("Result : %ws", poi($proc+10));
7
? printf("Result : %s", poi($proc+10));
8
? print(dw(NtCreateFile+10));
9
? print(dw(NtCreateFile+@rcx+($proc|3+poi(poi(@rax)))));
Copied!

Description

1
? printf("Result : %s", @rcx);
Copied!
Print data as an ASCII string pointed by rcx register.
1
? printf("Process name: %s", $pname);
Copied!
Print the process name.
1
? print(dq(@rcx));
Copied!
Print data as an 8-byte hex, pointed by rcx register.
1
? print($proc+@rdx);
Copied!
Print value pointed by [email protected] which $proc is equivalent to current _EPROCESS added to the rdx register.
1
? print(poi(@rax+a0));
Copied!
Print value of an address, which first, rax register is added with 0xa0 constant then a dereference occurs and the target is shown as a QWORD hex.
1
? print("Result : %ws", poi($proc+10));
2
? printf("Result : %s", poi($proc+10));
Copied!
Two values, first is $proc (current _EPROCESS) added with 0x10, then a dereference occurs, and the target pointer in the dereferenced location is shown as a wide-char string.
Second is $proc (current _EPROCESS) added with 0x10, then a dereference occurs, and the target pointer in the dereferenced location is shown as an ASCII string.
1
? print(dw(NtCreateFile+10));
Copied!
One value, which is NtCreateFile location that added with 0x10, then a DWORD value from the target address (NtCreateFile+10) is shown.
1
? print(dw(NtCreateFile+@rcx+($proc|3+poi(poi(@rax)))));
Copied!
Print the DWORD data located at NtCreateFile added to rcx register, then all of them are added to the result of rax register dereferenced twice and added to the $proc which is bitwise OR (|) by 3.
By default, HyperDbg interprets the numbers as hex (base 16). If you want to specify other forms of a number, you should use MASM prefixes. In all MASM expressions, numeric values are interpreted as numbers in the current radix (16, 10, or 8). You can override the default radix by specifying the 0x prefix (hexadecimal), the 0n prefix (decimal), the 0t prefix (octal), or the 0y prefix (binary).
Last modified 3mo ago
Copy link
Edit on GitHub