HyperDbg Debugger is a free (as in free beer), open-source, community-driven, hypervisor-assisted, user-mode, and kernel-mode Windows debugger with a focus on using modern hardware technologies. It is a debugger designed for analyzing, fuzzing, and reversing.
You can follow HyperDbg on Twitter or Mastodon to get notified about new releases, or join any of the HyperDbg groups, where you can ask developers and open-source reversing enthusiasts for help setting up and using HyperDbg.
HyperDbg is designed with a focus on using modern hardware technologies to provide new features to the debuggers' world. It operates on top of Windows by virtualizing an already running system using Intel VT-x and EPT. This debugger aims not to use any APIs and software debugging mechanisms, but instead, it uses Second Layer Page Table (a.k.a. Extended Page Table or EPT) extensively to monitor both kernel and user executions.
HyperDbg comes with features like hidden hooks, which are as fast as old inline hooks, but also stealth. It mimics hardware debug registers for (read & write) to a specific location, but this time invisible for both the Windows kernel and the programs, and of course, without any limitation in size or count!
Using TLB-splitting and having features such as measuring code coverage and monitoring all mov(s) to/from memory by a function, makes HyperDbg a unique debugger.
Although it has novel features, HyperDbg tries to be as stealthy as possible. It doesn’t use any debugging APIs to debug Windows or any application, so classic anti-debugging methods won’t detect it. Also, it resists the exploitation of time delta methods (e.g., RDTSC/RDTSCP) to detect the presence of hypervisors, therefore making it much harder for applications, packers, protectors, malware, anti-cheat engines, etc. to discover the debugger.
HyperDbg is harder to set up and use, and also requires deeper low-level system knowledge compared to traditional debuggers. However, it provides two major advantages:
Full System & OS Control
HyperDbg operates at the hypervisor level, giving you powerful capabilities that are simply not possible with classic debuggers. This allows you to leverage hardware-assisted features for advanced reverse engineering and debugging scenarios.
Stealth & Detection Resistance
Since HyperDbg doesn't rely on standard OS debugging APIs, it is generally much harder (though not impossible) to detect. This makes it a strong choice when working against anti-debugging protections.
These advantages open up entirely new debugging and reverse engineering techniques that go beyond what conventional debuggers can offer.
You can download the latest compiled binary files from releases; otherwise, if you want to build HyperDbg, you should clone HyperDbg with the --recursive flag.
git clone --recursive https://github.com/HyperDbg/HyperDbg.git
Please visit Build & Install and Quick Start for a detailed explanation of how to start with HyperDbg. You can also see the FAQ for more information, or if you previously used other native debuggers like GDB, LLDB, or WinDbg, you could see the command map.
The OpenSecurityTraining2's "Reversing with HyperDbg (Dbg3301)" tutorial series, available on OST2's website (preferred) and YouTube is the recommended way to get started with and learn HyperDbg. It guides you through the initial steps of using HyperDbg, covering essential concepts, principles, and debugging functionalities, along with practical examples and numerous reverse engineering methods that are unique to HyperDbg.
If you're interested in understanding the internal design and architecture of hypervisors and HyperDbg, you can read the Hypervisor From Scratch tutorials.
In case you use one of HyperDbg's components in your work, please consider citing our papers.
1. HyperDbg: Reinventing Hardware-Assisted Debugging (CCS'22) [arXiv]
@inproceedings{karvandi2022hyperdbg,
title={HyperDbg: Reinventing Hardware-Assisted Debugging},
author={Karvandi, Mohammad Sina and Gholamrezaei, MohammadHosein and Khalaj Monfared, Saleh and Meghdadizanjani, Soroush and Abbassi, Behrooz and Amini, Ali and Mortazavi, Reza and Gorgin, Saeid and Rahmati, Dara and Schwarz, Michael},
booktitle={Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
pages={1709--1723},
year={2022}
}
Other paper built upon HyperDbg...
2. hwdbg: Debugging Hardware Like Software (EuroSec'25) [PDF]
@inproceedings{karvandi2025hwdbg,
title={hwdbg: Debugging Hardware Like Software},
author={Karvandi, Mohammad Sina and Meghdadizanjani, Soroush and Monfared, Saleh Khalaj and van der Kouwe, Erik and Slowinska, Asia},
booktitle={Proceedings of the 18th European Workshop on Systems Security},
pages={56--62},
year={2025}
}
3. HyperEvade: Countering Anti-Debugging Techniques and Enhancing Transparency in Nested Virtualization using HyperDbg (DEBT'25) [PDF]
@article{ruytenberg2026hyperevade,
title={HyperEvade: Countering Anti-Debugging Techniques and Enhancing Transparency in Nested Virtualization using HyperDbg},
author={Ruytenberg, Bj{\"o}rn and Karvandi, Mohammad Sina},
journal={Journal of Object Technology},
volume={25},
number={1},
pages={1--3},
year={2026},
publisher={Association Internationale pour les Technologies Objets}
}
4. Digital Hole: Bypassing Commercial Audio DRM Solutions with DReaMcatcher (EuroSys'26) [PDF]
@inproceedings{ruytenberg2026digital,
title={Digital Hole: Bypassing Commercial Audio DRM Solutions with DReaMcatcher},
author={Ruytenberg, Bj{\"o}rn and Karvandi, Mohammad Sina and Bos, Herbert and van der Kouwe, Erik and Slowinska, Asia},
booktitle={Proceedings of the 21st European Conference on Computer Systems},
pages={484--496},
year={2026}
}
5. TRM: An Efficient Hypervisor-Based Framework For Malware Analysis and Memory Reconstruction (AsiaCCS'26) [PDF]
@inproceedings{karvandi2026trm,
title={TRM: An Efficient Hypervisor-Based Framework For Malware Analysis and Memory Reconstruction},
author={Karvandi, Mohammad Sina and Meghdadizanjani, Soroush and Arasteh, Sima and Monfared, Saleh Khalaj and Fallah, Mohammad K and Gorgin, Saeid and Lee, Jeong-A and Slowinska, Asia and van der Kouwe, Erik},
booktitle={Proceedings of the ACM Asia Conference on Computer and Communications Security},
pages={68--82},
year={2026}
}
You can also read this article as it describes the overall architecture, technical difficulties, design decisions, and internals of HyperDbg Debugger, this article about our efforts on vm-exit transparency, this article about chasing bugs within hypervisors, and this article about new reverse engineering techniques introduced in HyperDbg. More articles, posts, and resources are available at the awesome repo, and in addition, the slides repo provides presentation slides for further reference.
$ claude mcp add HyperDbg \
-- python -m otcore.mcp_server <graph>