waliedassar

DebuggerIs32Bit

Dec 1st, 2012
//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar

//As of the 64-bit versions of Windows, a new flag (0x4) has been introduced in the "_DEBUG_OBJECT" structure. This flag is set if the debugger is a 32-bit debugger. I prefer to call it DebuggerIs32Bit.

//For example,
//64-bit WinDbg debugging 32-bit calc.exe ---> The flag is not set.
//32-bit WinDbg debugging 32-bit calc.exe ---> The flag is set.

//The decision is made in NtCreateDebugObject from the calling (debugger) process, not from the debuggee:

nt!NtCreateDebugObject+0xe8:
fffff800`036b7ce8 65488b042588010000 mov rax,qword ptr gs:[188h]    ;RAX is now _ETHREAD (current thread)
fffff800`036b7cf1 488b4870           mov rcx,qword ptr [rax+70h]    ;RCX is now _EPROCESS (current process, i.e. the debugger)
fffff800`036b7cf5 48399120030000     cmp qword ptr [rcx+320h],rdx   ; if(_EPROCESS->Wow64Process)
fffff800`036b7cfc 7405               je nt!NtCreateDebugObject+0x103 (fffff800`036b7d03) ;Wow64Process is NULL (64-bit debugger) -> skip

nt!NtCreateDebugObject+0xfe:
fffff800`036b7cfe 4183496004         or dword ptr [r9+60h],4        ;Sets DebuggerIs32Bit; R9 is the new _DEBUG_OBJECT, Flags is at offset 0x60

typedef struct _DEBUG_OBJECT
{
    KEVENT EventsPresent;       // signalled when debug events are queued
    FAST_MUTEX Mutex;           // protects EventList
    LIST_ENTRY EventList;       // queue of pending debug events
    union
    {
        ULONG Flags;            // offset 0x60 on x64, the dword targeted by the "or" above
        struct
        {
            UCHAR DebuggerInactive:1;   // 0x1: the debug object has been detached/closed
            UCHAR KillProcessOnExit:1;  // 0x2: debuggee is killed when the object is closed
            UCHAR DebuggerIs32Bit:1;    // 0x4: the new flag, set when the debugger is a WOW64 (32-bit) process
        };
    };
} DEBUG_OBJECT, *PDEBUG_OBJECT;
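An added C example (not from the paste) that models the check above: the flag follows the debugger's own Wow64Process pointer, and the union/bit-field layout places DebuggerIs32Bit at mask 0x4. The union, function names and sample pointers are constructed stand-ins, and the bit-field check assumes a little-endian x86/x64 compiler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the Flags union of _DEBUG_OBJECT (constructed for this example;
 * the KEVENT/FAST_MUTEX/LIST_ENTRY members that precede it are omitted). */
typedef union _DEBUG_OBJECT_FLAGS {
    uint32_t Flags;
    struct {
        uint8_t DebuggerInactive  : 1;   /* bit 0 -> 0x1 */
        uint8_t KillProcessOnExit : 1;   /* bit 1 -> 0x2 */
        uint8_t DebuggerIs32Bit   : 1;   /* bit 2 -> 0x4, the flag discussed here */
    };
} DEBUG_OBJECT_FLAGS;
#define DEBUG_OBJECT_DEBUGGER_IS_32BIT 0x4u   /* the immediate in "or dword ptr [r9+60h],4" */

/* Models the NtCreateDebugObject path: the flag depends only on whether the
 * calling (debugger) process has a Wow64Process pointer, never on the debuggee. */
uint32_t model_debug_object_flags(const void *debugger_wow64_process)
{
    DEBUG_OBJECT_FLAGS f = { .Flags = 0 };
    if (debugger_wow64_process != NULL)        /* cmp [rcx+320h],rdx / je */
        f.Flags |= DEBUG_OBJECT_DEBUGGER_IS_32BIT;
    return f.Flags;
}

/* Reads the flag back through the bit-field view rather than the mask. */
bool debugger_is_32bit(uint32_t flags)
{
    DEBUG_OBJECT_FLAGS f = { .Flags = flags };
    return f.DebuggerIs32Bit != 0;
}

/* Checks that the bit-field in the struct and the 0x4 immediate in the disassembly
 * name the same bit on this compiler (true for little-endian x86/x64 targets). */
bool bitfield_matches_immediate(void)
{
    DEBUG_OBJECT_FLAGS f = { .Flags = 0 };
    f.DebuggerIs32Bit = 1;
    return f.Flags == DEBUG_OBJECT_DEBUGGER_IS_32BIT;
}

int main(void)
{
    char wow64_info;   /* constructed: any non-NULL address stands in for a WOW64 debugger */
    printf("64-bit WinDbg -> Flags=0x%x\n", model_debug_object_flags(NULL));
    printf("32-bit WinDbg -> Flags=0x%x\n", model_debug_object_flags(&wow64_info));
    return 0;
}
```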