waliedassar

NtSystemDebugControl + KdPitchDebugger

Jul 3rd, 2013
  //http://waleedassar.blogspot.com
  //http://www.twitter.com/waleedassar

  //Calling the "NtSystemDebugControl" function with the "ControlCode" parameter set to any value
  //other than 0x1D.
  //If KdPitchDebugger is set to true (i.e. no kernel debugger is attached), the error
  //0xC0000354 STATUS_DEBUGGER_INACTIVE is returned.
  //If, on the other hand, KdPitchDebugger is set to false, a check for the "SeDebugPrivilege"
  //privilege is performed; reaching that check is a sign that kernel and/or user-mode
  //debugger(s) are present.
  // Hand-written prototype for ZwSystemDebugControl. C linkage keeps the symbol name unmangled.
  // The int return value carries the status code that main() compares against 0xC0000354 and
  // 0xC0000022.
  extern "C" int __stdcall ZwSystemDebugControl(
      unsigned long  ControlCode,        // selects the debug-control operation
      void*          InputBuffer,        // optional input data
      unsigned long  InputBufferLength,  // size of InputBuffer in bytes
      void*          OutputBuffer,       // optional output data
      unsigned long  OutputBufferLength, // size of OutputBuffer in bytes
      unsigned long* pResultLength);     // optional; receives the result length
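  // Debugger-presence probe (the author notes it was tested with Win7 - SP1).
  //
  // Calls ZwSystemDebugControl with a control code other than 0x1D and no buffers, then
  // classifies the returned status:
  //   0xC0000354 (STATUS_DEBUGGER_INACTIVE) -> "No Kernel Debugger"
  //   0xC0000022 (STATUS_ACCESS_DENIED)     -> "Kernel Debugger present" only
  //   anything else                         -> kernel and user-mode debugger reported
  //
  // NOTE(review): the last two rows are inferences, not direct observations. Every status other
  // than 0xC0000354, including success or an unrelated failure, lands in the "debugger
  // present" branches. Treat the output as a heuristic and re-validate it on any Windows build
  // other than the one it was tested on.
  // For analysts: this call shape (empty buffers, status compared against 0xC0000354) is an
  // environment check; code that branches on it may behave differently under a debugger.
  int main(void)
  {
      // Status codes are unsigned 32-bit patterns; comparing them as unsigned avoids relying on
      // an implicit int -> unsigned conversion at each comparison.
      const unsigned int kStatusDebuggerInactive = 0xC0000354u;
      const unsigned int kStatusAccessDenied     = 0xC0000022u;

      // 0x6 stands in for "anything but 0x1D". Only the returned status is of interest, so
      // every buffer pointer and length is zero.
      const unsigned int status =
          (unsigned int)ZwSystemDebugControl(0x6 /* Anything but 0x1D */, 0, 0, 0, 0, 0);

      printf("return value is %x\r\n", status);

      if (status == kStatusDebuggerInactive)
      {
          printf("No Kernel Debugger\r\n");
          return 0;
      }

      printf("Kernel Debugger present\r\n");

      // Access denied presumably means the SeDebugPrivilege check failed; any other status is
      // taken by the author as evidence of a user-mode debugger as well.
      if (status != kStatusAccessDenied)
      {
          printf("UserMode Debugger present as well\r\n");
      }
      return 0;
  }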