MBEC, SLAT, and HyperDbg: Hypervisor-Based Kernel- and User-Mode Debugging

Virtualization has transformed low-level debugging, system analysis, and malware research. By placing a thin hypervisor beneath the OS, developers gain a vantage point the OS cannot access. This blue-pill approach enables fine-grained control over CPU state, memory, interrupts, and hardware events without relying on OS components, supporting transparent breakpoints, VM-exit triggers, memory shadowing, and instruction tracing with minimal interference.

We present HyperDbg, an open-source hypervisor-based debugger. Leveraging the former characteristics, unlike kernel debuggers that depend on drivers, APIs, or software breakpoints, HyperDbg operates entirely below the OS, combining virtualization-based introspection with interactive debugging. It inspects memory, CPU execution, and traps events without OS cooperation, bypassing anti-debugging and anti-analysis techniques.

Using modern virtualization extensions like Mode Based Execution Control (MBEC) on top of Second Level Address Translation (SLAT), HyperDbg enforces breakpoints and traps through hardware transitions, independent of OS APIs or exceptions. This allows stealthy, artifact-free binary analysis, providing a powerful platform for reverse engineering and research. In its first iteration, HyperDbg introduced a hypervisor-powered kernel debugger. With the recent release of v0.15, HyperDbg enables cross-boundary debugging from kernel-mode into user-mode. For this talk, we will add special focus on how we implemented cross-boundary debugging, and how it enables users to intercept user-mode process execution using virtualization techniques.

Resources:

• HyperDbg repository: https://github.com/HyperDbg/HyperDbg/

• Documentation: https://docs.hyperdbg.org/

• Kernel-mode debugger design: https://research.hyperdbg.org/debugger/kernel-debugger-design/

• Research paper: https://dl.acm.org/doi/abs/10.1145/3548606.3560649