Different signatures in HyperDbg
There are a few signatures in HyperDbg that demonstrate basic debugging details from the debuggee. In this document, we'll talk about these signatures and their meanings.
When you're connected to a remote debuggee in Debugger Mode by using the '.debug' command, you'll see the kHyperDbg signature. The first number is the current operating core number. For example, the following signature shows that we're running our commands in core 0x2. Note that the core number is in hex format.
User-mode debugging has two different signatures: the first is for 32-bit module debugging, and the second is for 64-bit module debugging.
The signature for 32-bit debugging is u86HyperDbg, where the first number shows the active Process Id and the second number is the Thread Id. For example, the following signature is for 32-bit debugging of a process with Process Id equal to 0x228c and Thread Id equal to 0x13fc. The Process Id and the Thread Id are in hex format.
The signature for 64-bit debugging is u64HyperDbg. The numbers are exactly like 32-bit debugging: the first number shows the active Process Id and the second number is the Thread Id. For example, the following signature is for 64-bit debugging of a process with Process Id equal to 0x2300 and Thread Id equal to 0x1620. The Process Id and the Thread Id are in hex format.
If you're connected to a remote machine using the '.listen' and '.connect' commands, the signature starts with the IP of the debuggee and the port of the connection to the debuggee. For example, in the following signature, we're connected to a debuggee with an IP address equal to 192.168.1.10 and a connection port equal to 50000. The IP address and the port number are in decimal format.