HyperDbg Documentation
HyperDbgDownloadSource codeBlog
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
Meta Commands
Extension Commands
Scripting Language
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Events
Conditions
Actions
IOCTL requests for events
Kernel Debugger
Design perspective
Connection
Script Engine
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
Connection
The connection mechanism of HyperDbg in Debugger mode
Currently, the only way to communicate to the kernel debugger is over the serial port. For future versions, we will add other IRQL-compatible mechanisms to communicate.
For this purpose, we used kdserial from Windows SDK to connect to the debuggee. The connection over the serial port is initialized from the user-mode controller of HyperDbg.
First, we let Windows to initialize the serial port from standard entry points like CreateFile. After that, we set the baud-rate and timeout details. We let Windows initialize the handle because this way, we make sure that Windows won't give the handle of this device to any other application and no other application is able to send anything over this port.
The mechanism to pause the debuggee is also implemented in user-mode. It is because we are not trying to handle each pause requests from the debugger in polling mode as this is not an optimized way.
Instead of this, we use the interrupt-mode of the serial device in the user-mode. This way, whenever the debugger needs to pause the debuggee, first it sends a request, and as it's in interrupt-mode, then Windows notifies the user-mode application about the new request from the debugger.
Debugger Connection
If the request is valid, then the user-mode application sends an IOCTL to the kernel, and from that IOCTL, we execute a VMCALL to enter all cores to the vmx-root mode.
In vmx-root mode, we halt all cores, and as the IF flag of RFLAGS is cleared, so no interrupt is allowed and this way, we halt all the cores and check for a new command from the debugger in polling mode.
Previous
Design perspective
Next - Design
Script Engine
Last modified 6mo ago
Copy link
Edit on GitHub