
bc (clear and remove breakpoints)

Description of 'bc' command in HyperDbg.

Command

bc

Syntax

bc [breakpoint id (hex value)]

Description

Clears and removes a breakpoint (0xcc).

Parameters

[breakpoint id (hex value)]

The breakpoint id of the target breakpoint. You can see a list of breakpoints and breakpoint ids using the 'bl' command.

Examples

Imagine we have the following active breakpoints.

0: kHyperDbg> bl
id address status
-- --------------- --------
01 fffff801639b1030 enabled
02 fffff801639b1035 enabled
03 fffff801639b103a enabled
04 fffff801639b103f enabled

Executing the following command removes the breakpoint with id 2.

0: kHyperDbg> bc 2

If you list the active breakpoints again, you can see that it's removed.

0: kHyperDbg> bl
id address status
-- --------------- --------
01 fffff801639b1030 enabled
03 fffff801639b103a enabled
04 fffff801639b103f enabled

IOCTL

This command works over serial by sending serial packets to the remote computer.

First, fill the following structure and set BreakpointId to the id of the target breakpoint, which you can get from the 'bl' command.

typedef struct _DEBUGGEE_BP_LIST_OR_MODIFY_PACKET {
    UINT64 BreakpointId;
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST Request;
    UINT32 Result;
} DEBUGGEE_BP_LIST_OR_MODIFY_PACKET, *PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET;

In the Request field, choose one of the actions from the following enum.

typedef enum _DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST {
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS,
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE,
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE,
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR,
} DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST;

In the case of Request:

  • If you want to list all the active breakpoints, then choose DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS.

  • If you want to enable a breakpoint, then choose DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE.

  • If you want to disable a breakpoint, then choose DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE.

  • If you want to clear and remove a breakpoint, then choose DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR.

Note that if you want to list breakpoints, there is no need to fill BreakpointId, and HyperDbg will ignore it.

The next step is sending the above structure to the debuggee while the debuggee is paused and waiting for a new command in vmx-root mode.

You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_LIST_OR_MODIFY_BREAKPOINTS as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.

In return, the debuggee sends the above structure with the following type.

DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_LIST_OR_MODIFY_BREAKPOINTS

In the returned structure, the Result is filled by the kernel.

If the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the operation was successful. Otherwise, the returned result is an error.

The following function is responsible for sending list/modify breakpoint buffers in the debugger.

BOOLEAN KdSendListOrModifyPacketToDebuggee(PDEBUGGEE_BP_LIST_OR_MODIFY_PACKET ListOrModifyPacket);
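
The fill, send, and check-Result steps described above, as an added example that is not HyperDbg's own code. MockSendToDebuggee, ExampleClearBreakpoint, the EXAMPLE_RESULT_* codes and the mock breakpoint table are hypothetical stand-ins for the real transport, result codes and debuggee state; only the structure and enum are taken from this page.

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint64_t UINT64; /* stand-ins for the Windows SDK types */
typedef uint32_t UINT32;

typedef enum _DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST {
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS,
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_ENABLE,
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_DISABLE,
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR,
} DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST;

typedef struct _DEBUGGEE_BP_LIST_OR_MODIFY_PACKET {
    UINT64 BreakpointId;
    DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST Request;
    UINT32 Result;
} DEBUGGEE_BP_LIST_OR_MODIFY_PACKET;

/* Placeholder result codes (assumption); the real ones are in HyperDbg's headers. */
#define EXAMPLE_RESULT_OK     1u
#define EXAMPLE_RESULT_BAD_ID 2u

/* Constructed debuggee state: ids 1..4 are set, as in the 'bl' listing. */
static int g_MockBpPresent[5] = {0, 1, 1, 1, 1};

/* Hypothetical transport standing in for KdSendListOrModifyPacketToDebuggee:
   applies the request to the mock state and fills Result as the kernel would. */
static int MockSendToDebuggee(DEBUGGEE_BP_LIST_OR_MODIFY_PACKET *p) {
    int listing = p->Request == DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_LIST_BREAKPOINTS;
    /* BreakpointId is only validated when the request is not a listing. */
    if (!listing && (p->BreakpointId >= 5 || !g_MockBpPresent[p->BreakpointId])) {
        p->Result = EXAMPLE_RESULT_BAD_ID;
        return 1;
    }
    if (p->Request == DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR)
        g_MockBpPresent[p->BreakpointId] = 0;
    p->Result = EXAMPLE_RESULT_OK;
    return 1;
}

/* 'bc <id>': parse the id as hex, send a CLEAR request, return 1 on success. */
int ExampleClearBreakpoint(const char *HexId) {
    char *end;
    unsigned long long id = strtoull(HexId, &end, 16);
    if (end == HexId || *end != '\0') return 0; /* not a hex value */
    DEBUGGEE_BP_LIST_OR_MODIFY_PACKET pkt = {
        .BreakpointId = id, .Request = DEBUGGEE_BREAKPOINT_MODIFICATION_REQUEST_CLEAR };
    if (!MockSendToDebuggee(&pkt)) return 0;    /* packet could not be sent */
    return pkt.Result == EXAMPLE_RESULT_OK;     /* anything else is an error */
}
```

Because the id is parsed as hex, "10" refers to breakpoint 0x10, not breakpoint ten.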

Remarks

This command is guaranteed to keep the debuggee in a halted state (in Debugger Mode); thus, nothing will change during its execution.

Requirements

None

bp (set breakpoint)

bl (list breakpoints)

be (enable breakpoints)

bd (disable breakpoints)