search

HyperDbg / HyperDbg

State-of-the-art native debugging tools
https://hyperdbg.org
GNU General Public License v3.0
2.93k stars 379 forks source link

I'm still confuse to used HyperDbg on host OR on VM. #207

Closed abdurrashid402 closed 1 year ago

abdurrashid402 commented 1 year ago

Hi there, I want to user HyperDbg in my research "kernel rootkit detection". But After reading docs I'm still confused whether I use HyperDbg directly on Host (windows 10) or should I install hypervisor ( V-box or VMWare etc) and use HyperDbg in VM to look for rootkit kernel operation?

SinaKarvandi commented 1 year ago

Hi, Thanks for creating this issue.

Both of them are possible. If you want to run HyperDbg in a local debugging style (same as WinDbg's local debugging), you can use HyperDbg in VMI mode. If you want to debug a Virtual Machine (in Debugger Mode), you can run HyperDbg's application on the host (to control the VM e.g. send commands to the guest) and HyperDbg's drivers and hypervisor on the target guest (nested-virtualization). In short, HyperDbg in the host is just a simple application that gets the commands from the user and sends them to the guest. It won't load any driver or hypervisor on the host.

Please note that HyperDbg is currently supported only in physical machines (local debugging) and VMWare Workstation or Fusion, or other VMWare products. VBox is not supported yet.

Let me know if you still have a problem understanding these concepts.

abdurrashid402 commented 1 year ago

@SinaKarvandi so you means I can use HyperDbg on host ( windows 10) to Debug guest ( VMware based windows 10)? If so, Is VMware (Type II ) provide hardware assisted virtualization? can I access kernel operation for Guest VM ( where I will execute rootkits)?

SinaKarvandi commented 1 year ago

Hi again,

so you means I can use HyperDbg on host ( windows 10) to Debug guest ( VMware based windows 10)? Yes :)

If so, Is VMware (Type II ) provide hardware assisted virtualization? Yes; it provides nested-virtualization capabilities which is enough for HyperDbg. Just make sure to activate it in the VM settings.

can I access kernel operation for Guest VM ( where I will execute rootkits)? Yes, you can access the guest's kernel mode and user-mode addresses. Exactly like WinDbg.

abdurrashid402 commented 1 year ago

Thanks! One more Question ?

Yes; it provides nested-virtualization capabilities which is enough for HyperDbg. Just make sure to activate it in the VM settings.

I don't use nested Virtualization My setup shown in fig below. So debugger mode will be using for this ? Also is there any video availble for support ? image

.

SinaKarvandi commented 1 year ago

HyperDbg is not able to run a guest without support for nested virtualization in the guest. Btw, nested virtualization is easily available in almost all of the configs in VMWare products.

Also is there any video availble for support ? Soon, we'll publish some videos, but nothing yet.

abdurrashid402 commented 1 year ago

Oaky alright and Thanks !