HyperDbg Documentation
HyperDbgResearchDownloadSource code
Search…
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
User-mode Debugging
Kernel-mode Debugging
Commands
Debugging Commands
Meta Commands
Extension Commands
Scripting Language
Commands Map
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
VMM (Module)
Control over NMIs
VMX root-mode compatible message tracing
Design of !epthook
Design of !epthook2
Design of !monitor
Design of !syscall & !sysret
Design of !exception & !interrupt
Debugger Internals
Links
Twitter
YouTube
Doxygen
Contribution
Powered By GitBook
Design of !syscall & !sysret
Design of !syscall and !sysret command
The idea of these commands are derived from this blog post :
Syscall Hooking via Extended Feature Enable Register (EFER) - Reverse Engineering
Reverse Engineering
If you want a comprehensive explanation, please read the above link but a short explanation described here.
This command unsets the Syscall Enable Bit (SE Bit) in EFER MSR.
If we unset this bit, then execution of SYSCALL or SYSRET causes a #UD or undefined opcode exception.
We can intercept #UDs using the Exception Bitmap of VMCS. In the vm-exit, we can check whether the generated #UD was because of SYSCALL or SYSRET instructions, and if it was true, then we emulate the user-to-kernel or kernel-to-user act of these instructions. If it was not because of SYSCALL or SYSRET, we inject #UD back to the guest.
The check for these instructions is performed by checking the memory content of the GUEST_RIP field of VMCS.
PatchGuard detects this command, so it's essential to attach a Windbg kernel debugger so the PatchGuard won't start, and you can use this command without any problem.
Previous
Design of !monitor
Next
Design of !exception & !interrupt
Last modified 11mo ago
Copy link
Edit on GitHub