determine if process is attached on remote debugger

Hello

In kernel mode, I would like to implement an IOCTL function to determine whether the calling process is attached to a remote user-mode debugger (e.g. Visual Studio).

It should work on all versions of Windows (XP, Vista, Seven).

Thank you.

Why?

d

Sent from a phone with no keyboard

-----Original Message-----
From: xxxxx@sivaller.no-ip.org
Sent: July 30, 2010 5:15 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] determine if process is attached on remote debugger



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Because I need it for the trial version of my API function, which allows execution only if a remote debugger is attached.
I want to detect it in kernel mode because in user mode the developer can always set the variable PEB->BeingDebugged (obtained from GetCurrentPeb, of head) to false.
The BeingDebugged variable is only changed when the process is attached to or detached from a debugger, which is not good.

Sorry, an error has slipped into my post.

I mean, the developer can set the variable “BeingDebugged” to true to make it believe that it is in debugging mode.

A user with physical access to the machine will always be able to fake out any such mechanism given enough involvement. Moving your logic to the kernel has absolutely no bearing on this fact (and confers many negative consequences in that any bug you have may crash the machine or open a security hole, etc).

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@sivaller.no-ip.org
Sent: Friday, July 30, 2010 8:15 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] determine if process is attached on remote debugger


wrote in message news:xxxxx@ntdev…
> Sorry, an error has slipped into my post.
>
> I mean, the developer can set the variable “BeingDebugged” to true to
> make it believe that it is in debugging mode.
>

The user can make their own little app to be a debugger of their other
app, and get away with it.
You need to test that the debugger process is something monstrous, like
VS :)

Good luck.
– pa

But nobody has answered my question: how do you know in kernel mode if the calling process is attached to the debugger?

Thank you

To the best of my knowledge, we do not expose a supported and documented mechanism for making such a determination. This is not a subject about which driver software is intended to be sensitive.

  • S (Msft)

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@sivaller.no-ip.org
Sent: Monday, August 02, 2010 1:22 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] determine if process is attached on remote debugger


I don’t know. Since you didn’t chain the rest of the thread, I have no idea
WHAT the original question was or is. My question is why do you want to
know, and really, why should you care? If you do succeed in determining that
a kernel debugger is attached, and manage to block, how do you intend to use
WinDbg for debug when your bashful driver decides to take a crap?

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@sivaller.no-ip.org
Sent: Monday, August 02, 2010 3:22 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] determine if process is attached on remote debugger
