HyperDbg Documentation
HyperDbg Documentation
HyperDbg
Download
Source code
Blog
HyperDbg
Getting Started
Quick Start
FAQ
Build & Install
Attach to HyperDbg
Using HyperDbg
Prerequisites
Examples
Commands
Debugging Commands
load (load the kernel modules)
unload (unload the kernel modules)
events (show and modify active/disabled events)
print (evaluate and print expression in debuggee)
p (step-over)
t (step-in)
bp (set breakpoint)
g (continue debuggee or processing kernel packets)
~ (display and change the current operating core)
? (evaluate and execute expressions and scripts in debuggee)
pause (break to the debugger and pause processing kernel packets)
status (show the debuggee status)
sleep (wait for specific time in the .script command)
test (test functionalities)
lm (view loaded modules)
db, dc, dd, dq (read virtual memory)
eb, ed, eq (edit virtual memory)
sb, sd, sq (search virtual memory)
u, u2 (disassemble virtual address)
cpu (check cpu supported technologies)
rdmsr (read model-specific register)
wrmsr (write model-specific register)
flush (remove pending kernel buffers and messages)
output (create output source for event forwarding)
settings (configures different options and preferences)
exit (exit from the debugger)
Meta Commands
Extension Commands
Scripting Language
Tips & Tricks
Considerations
Nested-Virtualization Environments
Misc
Contribution
Style Guide
Logo & Artworks
Design
Features
Debugger Internals
Script Engine
Links
Twitter
Releases
Doxygen
Contribution
Blog
Powered by GitBook

lm (view loaded modules)

Description of 'lm' command in HyperDbg.

Command

lm

Syntax

lm [module name]

lm

Description

Shows the loaded modules' base address, size, name, full path.

Parameters

[module name] (optional)

The name or a part of the name that will be searched through all the modules and only those which match will be showed.

Examples

The following command shows all the modules in the system.

HyperDbg> lm
start                   size    name            path
​
fffff80434200000        11235328        ntoskrnl.exe    \SystemRoot\system32\ntoskrnl.exe
fffff8043415c000        671744  hal.dll \SystemRoot\system32\hal.dll
fffff80437a00000        45056   kd.dll  \SystemRoot\system32\kd.dll
fffff80437a10000        2101248 mcupdate_GenuineIntel.dll       \SystemRoot\system32\mcupdate_GenuineIntel.dll
fffff80437c70000        393216  msrpc.sys       \SystemRoot\System32\drivers\msrpc.sys
fffff80437c40000        172032  ksecdd.sys      \SystemRoot\System32\drivers\ksecdd.sys
fffff80437c20000        69632   werkernel.sys   \SystemRoot\System32\drivers\werkernel.sys
fffff80437d10000        425984  CLFS.SYS        \SystemRoot\System32\drivers\CLFS.SYS
fffff80437ce0000        159744  tm.sys  \SystemRoot\System32\drivers\tm.sys
fffff80437d80000        106496  PSHED.dll       \SystemRoot\system32\PSHED.dll
fffff80437da0000        45056   BOOTVID.dll     \SystemRoot\system32\BOOTVID.dll
fffff80437ec0000        462848  FLTMGR.SYS      \SystemRoot\System32\drivers\FLTMGR.SYS
fffff80437db0000        1069056 clipsp.sys      \SystemRoot\System32\drivers\clipsp.sys
fffff80437f40000        57344   cmimcext.sys    \SystemRoot\System32\drivers\cmimcext.sys
fffff80437f50000        49152   ntosext.sys     \SystemRoot\System32\drivers\ntosext.sys
​
...

The following example shows the modules that contain "nt" in their path or name.

HyperDbg> lm nt
start                   size    name            path
​
fffff80434200000        11235328        ntoskrnl.exe    \SystemRoot\system32\ntoskrnl.exe
fffff80437a10000        2101248 mcupdate_GenuineIntel.dll       \SystemRoot\system32\mcupdate_GenuineIntel.dll
fffff80437f50000        49152   ntosext.sys     \SystemRoot\System32\drivers\ntosext.sys
fffff804382b0000        106496  SgrmAgent.sys   \SystemRoot\system32\drivers\SgrmAgent.sys
fffff804383c0000        372736  intelpep.sys    \SystemRoot\System32\drivers\intelpep.sys
​
...

IOCTL

This function work by calling NtQuerySystemInformation and does not gets the address from the kernel, so it doesn't have any IOCTL.

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None

Related

None

Previous
test (test functionalities)
Next
db, dc, dd, dq (read virtual memory)
Last updated 1 week ago
Edit on GitHub
Contents
Command
Syntax
Description
Parameters
Examples
IOCTL
Remarks
Requirements
Related