The following articles describe HyperDbg's Script Engine.
The evaluation engine is open-source, and it is available in the evaluation repository.
HyperDbg uses a MASM-like (Windbg) syntax to evaluate script expressions.
The following keywords are valid in Script Engine.
Pointer-sized data from the specified address.
High 16 bits
Low 16 bits
Low 8 bits
Low 16 bits
Low 32 bits
Flip each and every bit
True/False logic flipping
If you want to read strings and wide-strings, you can use Printf function.
The following operators are supported on the script engine.
* / %
Bitwise AND Operator
Bitwise XOR Operator (exclusive OR)
Bitwise OR Operator
Here are the currently supported pseudo-registers supported by the script engine.
The process ID (PID) of the current process.
The address of the current process (that is, the address of the
The thread ID for the current thread.
The address of the current thread. In kernel-mode debugging, this address is the address of the
The address of the process environment block (PEB) of the current process.
The address of the thread environment block (TEB) of the current thread.
The instruction pointer register (rip).
The pre-allocated buffer if the user requests a safe buffer.
The context of the triggered event (It has a different meaning in each event).
Some of the above pseudo-registers are not supported either in kernel-mode or user-mode. If you use these registers, then it returns
By default, HyperDbg interprets the numbers as hex (base 16). If you want to specify other forms of a number, you should use MASM prefixes. In all MASM expressions, numeric values are interpreted as numbers in the current radix (16, 10, or 8). You can override the default radix by specifying the 0x prefix (hexadecimal), the 0n prefix (decimal), the 0t prefix (octal), or the 0y prefix (binary).
The following functions are supported in Script Engine.