Event forwarding

Event forwarding is a feature designed to make HyperDbg a tool for log gathering and analyzing system behavior. This way, you can use HyperDbg for purposes.

You can use event forwarding to forward the event monitoring result from your internal system to an external source, e.g., File, NamedPipe, TCP Socket, or DLL (binary) module.

Thanks a lot to for his valuable suggestions that make this feature available.

Starting from HyperDbg v0.10, support for DLL modules is added to HyperDbg.

Output command

A new command called "" was added to the HyperDbg to create remote sources.

In order to use event forwarding, you should perform the following steps. All of them are done using the command.

First, you should create an output source.

Second, you should open the remote source.

Third, you can use your event source in all of the events.

Fourth, you should close the source when you no longer want to use the source.

Output argument on event

When you create your event, then you can specify output { OutputName } to your event and use the event forwarding.

HyperDbg supports multiple output sources, which means that you can send the result of a single event to multiple locations.

You can create unlimited output sources, but you can use a limited number of output sources for a single event.

Remarks

Format (plain-text and JSON)

Examples

The following repository contains some examples of listening on a named pipe as a server or listening on TCP sockets to use event forwarding.

Assume that we want to send the results of syscall (syscall numbers in rax) to several sources. The following video shows how to redirect these events to the file, TCP Socket, named pipe.

Demo

Watch the video - How to use event forwarding.