# Switching to a Specific Process or Thread

Switching to new processes/threads is useful when debugging a particular process or a user-mode application. These switchings are possible through the '[.process](https://docs.hyperdbg.org/commands/meta-commands/.process)' and '[.thread](https://docs.hyperdbg.org/commands/meta-commands/.thread)' commands.

In HyperDbg, there are different implementations of these switchings. You can read more about these differences [here](https://docs.hyperdbg.org/tips-and-tricks/considerations/difference-between-process-and-thread-switching-commands).

In this example, we walk through a C code to show how to use these commands.

Imagine we compiled the following program. It's an infinite loop that prints a counter every **1000000000** times.

```clike
#include <Windows.h>
#include <conio.h>
#include <iostream>

int main() {

	bool Test = true;
	UINT64 Counter = 0;

	while (Test) {

		if (Counter % 1000000000 == 0) {
			printf("Thread is running (%lld)...\n", Counter);
		}
		Counter++;
	}

	printf("Thread is closed!\n");
	_getch();
}
```

After compiling and running the above code, we use the command shown in the picture to view the list of processes and other information about the processes running in the system.

```
3: kHyperDbg> .process list
```

![View process list](https://1255335821-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M2wWz6ePF27bvsJcWed%2Fuploads%2FZLntEYKxHg9OHoqIQr5v%2F1-process-list.png?alt=media\&token=63f5f729-f52b-41c0-a1f5-b59c2cba9229)

We find our target program which its name is "**Test.exe**". Then, we see a list of running threads based on this process. For this purpose, we used the process object address (`nt!_EPROCESS`).

```
3: kHyperDbg> .thread list process ffff948cc16c3080
```

![View list of threads of a process](https://1255335821-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M2wWz6ePF27bvsJcWed%2Fuploads%2Fd87XqGm5h9Yz6VfhstAE%2F2-find-threads-of-test-process.png?alt=media\&token=644a3401-02a0-428a-a6a4-8b157aca7c56)

Now, we can switch to the target thread and continue the debuggee. Whenever the system reaches the target thread, it will be halted again and run new commands.

Note that it's a 32-bit program, so we use the '[u2](https://docs.hyperdbg.org/commands/debugging-commands/u)', which is the 32-bit version of the disassembler in this case.

```
3: kHyperDbg> .thread tid b10
```

![Switch to a new thread](https://1255335821-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M2wWz6ePF27bvsJcWed%2Fuploads%2FXN2R4Jhbk4SNMjKJAfKi%2F3-switch-to-the-target-thread.png?alt=media\&token=4a6ad583-53c0-4b0b-b7fe-a01e8b294bf1)

After analyzing the program, we find the jumps in the assembly code. You can also see the calls that are probably a link to the `printf` function.

```
2: kHyperDbg> u2 00e249f6
```

![Disassemble the target thread](https://1255335821-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M2wWz6ePF27bvsJcWed%2Fuploads%2FDHl1p1UVkZUUvP46RPjN%2F4-disassembling-and-finding-jumps.png?alt=media\&token=38f991c0-bcb1-41d4-8808-d80cdf7464e5)

Then, we step through the instructions to better understand how this program works.

![Step through the instructions](https://1255335821-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M2wWz6ePF27bvsJcWed%2Fuploads%2FElFY0V8alLNe4FjOLD0p%2F5-stepping-and-investigate-the-test-program.png?alt=media\&token=ff4091ff-6e8d-40ea-b69a-4bc58ed38aa2)

After some investigation, we can conclude that the guilty jump is located at `0xe24a31`, so we'll modify the memory and patch it by using nop instructions(0x90).

```
2: kHyperDbg> eb 00e24a31 90 90
```

![Patch the program's execution flow](https://1255335821-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M2wWz6ePF27bvsJcWed%2Fuploads%2FWJrjJNvSaopX0vBMxvdc%2F6-patch-the-target-jump.png?alt=media\&token=119cfa86-ef09-4452-b0f1-4e58c7984809)

If we continue the debuggee again, you can see that the patched program jumps out of the infinite loop and show the '**thread is closed!**' message.

![The result of patched program](https://1255335821-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M2wWz6ePF27bvsJcWed%2Fuploads%2F5eaTlC1G8xnARBrZefF9%2F7-result-of-patching-target-program.png?alt=media\&token=321c07d8-fd0f-435a-aefb-92f3df8b7b81)

It was a simple example of how to use thread and process switching commands in HyperDbg. You can think about different approaches that you can use to change the program's execution flow (like changing the RFLAGS, etc.) or analyze any other programs.