waliedassar

DebuggerIs32Bit

Dec 1st, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //Since the 64-bit versions of Windows, a new flag (0x4) has been present in the "_DEBUG_OBJECT" structure. This flag is set when the debugger itself is a 32-bit (WoW64) process. I prefer to call it DebuggerIs32Bit.
  5.  
  6. //For example,
  7. //64-bit WinDbg debugging 32-bit calc.exe---> The flag is not set.
  8. //32-bit WinDbg debugging 32-bit calc.exe---> The flag is set.
  9.  
  10.  
  ; Excerpt from the x64 kernel's NtCreateDebugObject. The bitness test below is
  ; made on the *calling* process (the debugger that creates the debug object),
  ; not on the debuggee: the chain is current thread -> its process -> Wow64Process.
  11. nt!NtCreateDebugObject+0xe8:
  12. fffff800`036b7ce8 65488b042588010000 mov rax,qword ptr gs:[188h] ;RAX is now _ETHREAD (gs:[188h] = KPCR.Prcb.CurrentThread on x64 — verify against symbols)
  13. fffff800`036b7cf1 488b4870 mov rcx,qword ptr [rax+70h] ;RCX is now _EPROCESS (presumably KTHREAD.ApcState.Process at +0x70 on this build — verify)
  14. fffff800`036b7cf5 48399120030000 cmp qword ptr [rcx+320h],rdx ; if(_EPROCESS->Wow64Process) ; NOTE(review): rdx is presumably 0 here (set outside this excerpt) — confirm
  15. fffff800`036b7cfc 7405 je nt!NtCreateDebugObject+0x103 (fffff800`036b7d03) ; equal (Wow64Process == NULL, native 64-bit caller) skips the flag write
  16.  
  17. nt!NtCreateDebugObject+0xfe:
  18. fffff800`036b7cfe 4183496004 or dword ptr [r9+60h],4 ;Sets the DebuggerIs32Bit ; r9 presumably holds the new DEBUG_OBJECT; +0x60 is where Flags lands on x64 (KEVENT 0x18 + FAST_MUTEX 0x38 + LIST_ENTRY 0x10) — verify
  19.  
  20.  
  21.  
  22.  
  23.  
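  // Kernel-side debug object layout (x64) as observed in the listing above.
  //
  // Flags is a plain ULONG that the kernel manipulates with bit masks (the
  // `or dword ptr [r9+60h],4` above). The bit-field view below is a reading
  // convenience only: bit-field allocation order is implementation-defined in C,
  // and on a little-endian target it covers just the low byte of Flags. Code that
  // needs a stable answer should test Flags against the DEBUG_OBJECT_FLAG_* masks.
  //
  // On x64, KEVENT (0x18) + FAST_MUTEX (0x38) + LIST_ENTRY (0x10) place Flags at
  // +0x60, which matches the [r9+60h] write above if r9 holds the DEBUG_OBJECT.
  //
  // The mask names are defined here for this listing and mirror the author's
  // field names; public kernel sources (WRK dbgkp.h, if memory serves) call the
  // 0x1/0x2 bits DEBUG_OBJECT_DELETE_PENDING / DEBUG_OBJECT_KILL_ON_CLOSE —
  // verify against your headers before relying on either naming.
  enum
  {
      DEBUG_OBJECT_FLAG_DEBUGGER_INACTIVE    = 0x1, // bit 0
      DEBUG_OBJECT_FLAG_KILL_PROCESS_ON_EXIT = 0x2, // bit 1
      DEBUG_OBJECT_FLAG_DEBUGGER_IS_32BIT    = 0x4  // bit 2: the value ORed in by NtCreateDebugObject above
  };

  typedef struct _DEBUG_OBJECT
  {
      KEVENT EventsPresent;
      FAST_MUTEX Mutex;
      LIST_ENTRY EventList;
      union
      {
          ULONG Flags;                    // authoritative view; +0x60 on x64 (see note above)
          struct
          {
              UCHAR DebuggerInactive:1;   // 0x1
              UCHAR KillProcessOnExit:1;  // 0x2
              UCHAR DebuggerIs32Bit:1;    // 0x4 — the new flag; set when the process creating the object runs under WoW64
          };
      };
  } DEBUG_OBJECT, *PDEBUG_OBJECT;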