
Debuggers 3301: HyperDbg


OpenSecurityTraining2

About This Course

This course, "Debuggers 3301: HyperDbg" (also titled "Reversing with HyperDbg"), teaches reverse engineering techniques using HyperDbg, a hypervisor-assisted user-mode and kernel-mode Windows debugger. It is designed for people who analyze, fuzz, and reverse software using modern hardware virtualization features.

Throughout the course, you will learn how to leverage HyperDbg's unique features to conduct in-depth analysis of both kernel-mode and user-mode execution. The debugger runs underneath Windows: it virtualizes the already-running system with Intel VT-x rather than relying on Windows debugging APIs and traditional software debugging mechanisms, and it makes extensive use of second-level address translation (Intel's Extended Page Tables, EPT) to monitor and trace code execution.

HyperDbg offers unique features such as hidden hooks that are both fast and stealthy, behaving like hardware debug registers but without their limits on the size or number of watched regions. Together with TLB splitting, code-coverage measurement, and monitoring of the memory reads and writes performed by a given function, this makes HyperDbg a powerful and innovative debugger.

Because HyperDbg does not use the standard debugging APIs, classic anti-debugging checks that look for an attached debugger do not see it. It also resists timing-based hypervisor detection, such as measuring RDTSC/RDTSCP deltas around instructions that cause VM exits, which further helps it evade detection by applications, packers, protectors, malware, anti-cheat engines, and similar targets.
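To make the timing-based detection mentioned above concrete, here is an added example (not code from the course or from HyperDbg itself) of the classic RDTSC check that a packer or anti-cheat engine might run. CPUID is unconditionally intercepted by Intel VT-x, so on a virtualized system the TSC delta around it includes the cost of a VM exit and re-entry. The threshold value, the sample count and the function names are assumptions chosen for illustration; the example also reads the CPUID "hypervisor present" bit as a second, non-timing check. Both checks are what a transparent debugger has to defeat, by adjusting the reported TSC and by hiding the CPUID bit.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() macro */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Assumed heuristic threshold: a native CPUID costs on the order of a few
   hundred TSC ticks, while a VM exit plus re-entry usually costs well over
   a thousand. Real detectors calibrate this per CPU model. */
#define VMEXIT_CYCLE_THRESHOLD 1000ULL

/* Pure classifier so the decision rule is testable independently of the
   noisy measurement: strictly above the threshold counts as "virtualized". */
static int timing_suggests_hypervisor(uint64_t cycles, uint64_t threshold)
{
    return cycles > threshold;
}

/* Minimum TSC delta around CPUID over `samples` runs. The minimum (rather
   than the mean) discards interrupts and scheduler noise, keeping only the
   unavoidable cost of the instruction itself. Returns 0 on non-x86 builds. */
static uint64_t min_cpuid_cycles(unsigned samples)
{
#if HAVE_X86
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);   /* serializing; always causes a VM exit under VT-x */
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best)
            best = t1 - t0;
    }
    return best;
#else
    (void)samples;
    return 0;
#endif
}

/* CPUID leaf 1, ECX bit 31: the "hypervisor present" bit. A hypervisor that
   wants to stay hidden simply clears it in the CPUID exit handler, so this is
   a weaker check than the timing one. Returns 0 on non-x86 builds. */
static int cpuid_hypervisor_bit(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    return (c >> 31) & 1u;
#else
    return 0;
#endif
}

int main(void)
{
    uint64_t cycles = min_cpuid_cycles(200);
    printf("min CPUID cost      : %llu TSC ticks\n", (unsigned long long)cycles);
    printf("timing check        : %s\n",
           timing_suggests_hypervisor(cycles, VMEXIT_CYCLE_THRESHOLD)
               ? "hypervisor likely" : "looks native");
    printf("CPUID.1:ECX[31] bit : %d\n", cpuid_hypervisor_bit());
    return 0;
}
```

The point for this course is that a debugger built on a hypervisor has to defeat exactly these measurements, and HyperDbg's transparency features target the timing side rather than only the CPUID bit. The threshold is a heuristic, not a fact about the hardware, and it must be recalibrated for the CPU under test.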

Requirements

Participants should have a basic understanding of reverse engineering concepts and familiarity with Windows operating systems. Prior knowledge of assembly language and debugging techniques will be beneficial for getting the most out of this course.

If you need to brush up on reverse engineering fundamentals, we recommend "Debuggers 1011: Introductory WinDbg" and "Debuggers 2011: Intermediate WinDbg". You should also know OS internals fundamentals (e.g. paging, interrupts, MSRs, port I/O), at least to the level covered in Arch2001.

Frequently Asked Questions

What learning paths is this class used in?

This class is particularly beneficial for individuals interested in the fields of Exploits, Reverse Engineering, Malware Analysis, and System Security Research.

Is prior experience in reverse engineering required?

While prior experience in reverse engineering is not mandatory, having a basic understanding of reverse engineering concepts and familiarity with Windows operating systems will enhance your learning experience in this course.

Can I apply the knowledge gained in this course to other debuggers?

This course focuses on the HyperDbg debugger, and some of the concepts are unique to it, but the skills and techniques you learn can be applied to other debuggers and tools as well. The concepts covered provide a solid foundation for understanding and working with a wide range of debugging and reverse engineering tools.

Course Staff

Sina Karvandi

Sina is an independent security researcher. He is particularly passionate about Windows Internals, hypervisors, and low-level programming. In addition to this, he is also interested in digital hardware design, microarchitecture, and microarchitectural security. As a developer of the HyperDbg debugger, Sina spends a significant amount of time creating open-source reverse engineering tools for the benefit of the community.
