Switching to a Specific Process or Thread

Using the '.process', and the '.thread' commands

PreviousShowing & Modifying Registers and Flags NextMapping Data & Create Structures, and Enums From Symbols

Last updated 3 years ago

Switching to a Specific Process or Thread

Using the '.process', and the '.thread' commands

Switching to new processes/threads is useful when debugging a particular process or a user-mode application. These switchings are possible through the '' and '' commands.

In HyperDbg, there are different implementations of these switchings. You can read more about these differences .

In this example, we walk through a C code to show how to use these commands.

Imagine we compiled the following program. It's an infinite loop that prints a counter every 1000000000 times.

#include <Windows.h>
#include <conio.h>
#include <iostream>

int main() {

	bool Test = true;
	UINT64 Counter = 0;

	while (Test) {

		if (Counter % 1000000000 == 0) {
			printf("Thread is running (%lld)...\n", Counter);
		}
		Counter++;
	}

	printf("Thread is closed!\n");
	_getch();
}

After compiling and running the above code, we use the command shown in the picture to view the list of processes and other information about the processes running in the system.

3: kHyperDbg> .process list

We find our target program which its name is "Test.exe". Then, we see a list of running threads based on this process. For this purpose, we used the process object address (nt!_EPROCESS).

3: kHyperDbg> .thread list process ffff948cc16c3080

Now, we can switch to the target thread and continue the debuggee. Whenever the system reaches the target thread, it will be halted again and run new commands.

3: kHyperDbg> .thread tid b10

After analyzing the program, we find the jumps in the assembly code. You can also see the calls that are probably a link to the printf function.

2: kHyperDbg> u2 00e249f6

Then, we step through the instructions to better understand how this program works.

After some investigation, we can conclude that the guilty jump is located at 0xe24a31, so we'll modify the memory and patch it by using nop instructions(0x90).

2: kHyperDbg> eb 00e24a31 90 90

If we continue the debuggee again, you can see that the patched program jumps out of the infinite loop and show the 'thread is closed!' message.

It was a simple example of how to use thread and process switching commands in HyperDbg. You can think about different approaches that you can use to change the program's execution flow (like changing the RFLAGS, etc.) or analyze any other programs.

PreviousShowing & Modifying Registers and Flags NextMapping Data & Create Structures, and Enums From Symbols

Last updated 3 years ago