.process (show the current process and switch to another process)

Description of '.process' command in HyperDbg.

Command

.process

Syntax

.process [type (pid)] [process id (hex value)]

Description

Shows or changes the current process. This command can only be used in Debugger Mode. Please take a look at the Remarks for more information.

If you want to change the process to a new process, after using the '.process' command, you should use the 'g' command.

Parameters

[type (pid)] (optional)

Currently, the only available option is pid, which shows that you want to specify a process id at the second parameter.

[process id (hex value)] (optional)

The process id of the process to switch on its memory layout.

If you don't specify any parameters to the '.process' command, it shows the current process.

Examples

The following command shows the current process.

HyperDbg> .process
current process id : 1ddc

The following commands change the current process to 0x1ddc.

HyperDbg> .process pid 1ddc
press 'g' to continue the debuggee, if the pid is valid then the debuggee will be automatically paused when it attached to the target process
HyperDbg> g
Debuggee is running...
fffff801`68d91262 0F 01 C1 vmcall

IOCTL

This commands works over serial by sending the serial packets to the remote computer.

First of all, you should fill the following structure, set the ProcessId to your target process (if you want to change the current process) and set GetRemotePid to false, and leave the Result.

If you want to get the current process id, then set the GetRemotePid to true and leave the ProcessId.

typedef struct _DEBUGGEE_CHANGE_PROCESS_PACKET {
BOOLEAN GetRemotePid;
UINT32 ProcessId;
UINT32 Result;
} DEBUGGEE_CHANGE_PROCESS_PACKET, *PDEBUGGEE_CHANGE_PROCESS_PACKET;

After that, send the above structure to the debuggee when debuggee is paused and waiting for new command on vmx-root mode.

You should send the above structure with DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_ON_VMX_ROOT_MODE_CHANGE_PROCESS as RequestedAction and DEBUGGER_REMOTE_PACKET_TYPE_DEBUGGER_TO_DEBUGGEE_EXECUTE_ON_VMX_ROOT as PacketType.

In return, the debuggee sends the above structure with the following type.

DEBUGGER_REMOTE_PACKET_REQUESTED_ACTION_DEBUGGEE_RESULT_OF_CHANGING_PROCESS

In the returned structure, the Result is filled by the kernel.

If the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the operation was successful, and you should use the 'g' command to move to the new process. Otherwise, the returned result is an error, and the current process is not changed. If you want the current process, then if the Result is DEBUGEER_OPERATION_WAS_SUCCESSFULL, then the current process id is stored at ProcessId.

The following function is responsible for changing the core in the debugger.

BOOLEAN KdSendSwitchProcessPacketToDebuggee(BOOLEAN GetRemotePid, UINT32 NewPid);

Remarks

By default, HyperDbg is spinning on vmx-root, and the default process is the system process pid = 4. Thus, the cr3 is the system process's cr3. When you change the process using the '.process' command, HyperDbg is spinning on vmx-root with the target process's kernel cr3 (not the system's cr3).

This command won't switch to the new process. It changes the cr3 (memory layout).

The current implementation of the '.process' command for changing the process (not getting the current process) is unsafe and might cause the system to halt in rare cases.

Requirements

None

None