HDBG is a project developed by porting FDBG.

Both HDBG and FDBG are debuggers for ring3 applications, and their interface, output and input are very similar.

HDBG talks to a small bare-metal (type 1) hypervisor, so there is no need to call any MS Windows debug API. The process being debugged (the debuggee) is created without the DEBUG_PROCESS fdwCreate flag. Attaching to a running thread is also done without calling any MS Windows API: to attach, the debugger only has to tell the hypervisor the Process Id / Thread Id. The hypervisor then intercepts various events from the debuggee and its child processes, freezes/unfreezes the wanted threads, reads/writes the memory of the wanted process, and reads/modifies the registers of the wanted thread. Everything is done by direct calls to the hypervisor instead of the MS Windows API. HDBG never uses KERNEL32.WaitForEvent, KERNEL32.ContinueDebugEvent, KERNEL32.ReadProcessMemory, KERNEL32.WriteProcessMemory, KERNEL32.GetThreadContext or KERNEL32.SetThreadContext, nor their NTDLL.DLL equivalents, nor direct SYSCALLs.

The tasks done by the hypervisor are very stealthy: there is not a single sign of debugging in MS Windows internals (no debug port, no PEB.BeingDebugged, and NtSetInformationThread with HideFromDebugger does nothing).

When accessing the memory of any process, every access (read or write) is done silently, so not a single bit in the paging tables of the process is modified (such as the accessed bit or the dirty bit).

The hypervisor stores a private copy of the thread's registers when execution of the thread is frozen, so it records more registers than the MS Windows thread context (e.g. the hypervisor saves/restores more extended debug registers, such as all the last-branch from/to MSRs).

Freezing execution of a given thread (or of more threads, e.g. all threads of a given process, or even all ring3 threads of all ring3 processes) is done using pure hypervisor technology, so there is nothing like calling KERNEL32.SuspendThread or increasing the thread's suspend count.

The hypervisor uses private paging tables and may be started/stopped from a running MS Windows x64; the OS stays live while debugging (because HDBG debugs only ring3 processes/threads, there is no need to freeze any ring0 service, the OS keeps running normally, and there is no need to connect the system to another PC with any cable: you use only 1 PC with 1 screen + 1 keyboard + 1 mouse).

The hypervisor watches the running OS and extracts the necessary things on the fly; you may completely prevent any event (such as an exception) from being delivered to the OS, and you may also inject fake events into the OS.

HDBG is not free (unlike FDBG).

Videos: debugging HideFromDebugger - please switch to HD quality and full screen, otherwise you won't be able to read anything (link added 2011-03-18)
You can download the HideFromDebugger sample from the FDBG for Windows package, which contains a lot of anti-debug samples.


Screenshot of an older version of HDBG doing a few single steps (trace into) and int3 breakpoints (step over)