search
DownloadResearchTutorialhwdbg
githubEdit

Signatures

Different signatures in HyperDbg

There are a few signatures in HyperDbg that demonstrate basic debugging details from the debuggee. In this document, we'll talk about these signatures and their meanings.

hashtag
Local Debugging (VMI Mode)

If you're not connected to any instance of HyperDbg, or if you're debugging the local computer in VMI Modearrow-up-right, then you'll see the following signature.

HyperDbg>

hashtag
Kernel Debugging (Debugger Mode)

When you're connected to a remote debuggee in Debugger Modearrow-up-right by using the '.debugarrow-up-right' command, you'll see the kHyperDbg signature. The first number is the current operating core number. For example, the following signature shows that we're running our commands in core 0x2. Note that the core number is in hex format.

2: kHyperDbg>

hashtag
User Debugging (VMI Mode)

User-mode debugging has two different signatures, the first signature is for 32-bit module debugging, and the second signature is for 64-bit module debugging.

hashtag
Debugging a 32-bit Module

The signature for 32-bit debugging is u86HyperDbg while the first number shows the active Process Id and the second number is the Thread Id. For example, the following signature is a 32-bit debugging for a process with Process Id equal to 0x228c and Thread Id equal to 0x13fc. The Process Id and the Thread Id are in hex format.

For a paused thread:

228c:13fc (paused) u86HyperDbg>

For a running thread:

228c:13fc (running) u86HyperDbg>

hashtag
Debugging a 64-bit Module

The signature for 64-bit debugging is u64HyperDbg . The numbers are exactly like 32-bit debugging. The first number shows the active Process ID, and the second number is the Thread ID. For example, the following signature is a 64-bit debugging for Process Id equal to 0x2300 and Thread Id equal to 0x1620. The Process ID and the Thread ID are in hex format.

For a paused thread:

For a running thread:

hashtag
Remote Debugging (VMI Mode)

If you're connected to a remote machine using '.listenarrow-up-right', and '.connectarrow-up-right' commands, the signature starts with the IP of the debuggee and the port of the connection to the debuggee. For example, in the following signature, we're connected to a debuggee with an IP address equal to 192.168.1.10, and the port address for the connection 50000. The IP address and the port number are in decimal format.

PreviousHow to create an action?NextUser-mode Debugging

Last updated