Re: ZwQuerySystemInformation SystemKernelDebuggerInformation - Different results

Hi again!

Well, I understand these two variables are already in w2k, so the question is
why only on Windows Server 2003 do we get KdDebuggerNotPresent with the value
TRUE, while on all the other OSes it is FALSE.
You can even run a simple driver that just calls this function and look at the
different results.

Alon

"Maxim S. Shatskih" wrote in message news:...
> C:\WINNT\system32>dumpbin /exports ntoskrnl.exe | grep Debugger
> 445 1AD 00073BBC KdDebuggerEnabled
> 446 1AE 00073BB8 KdDebuggerNotPresent
> 447 1AF 0002981A KdDisableDebugger
> 448 1B0 0002988A KdEnableDebugger
> 449 1B1 00073BC4 KdEnteredDebugger
> 469 1C5 0002B216 KeEnterKernelDebugger
>
> Note that this is w2k OS. These variables are already there in w2k.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: "Alon"
> To: "Windows System Software Devs Interest List"
> Sent: Wednesday, June 08, 2005 7:03 PM
> Subject: [ntdev] ZwQuerySystemInformation SystemKernelDebuggerInformation - Different results
>
> > Hi!
> >
> > I tried to use the undocumented Windows function ZwQuerySystemInformation
> > with SystemKernelDebuggerInformation (35) as "SystemInfoClass" and the
> > structure SYSTEM_KERNEL_DEBUGGER_INFORMATION, which contains the following
> > BOOLEAN parameters (according to the undocumented information):
> > DebuggerEnabled
> > DebuggerNotPresent
> >
> > I call this function (without a debugger running, of course) and the
> > results are very strange: on Windows 2000 (all service packs) and
> > Windows XP (all service packs) it returns DebuggerEnabled=FALSE,
> > DebuggerNotPresent=FALSE; on Windows Server 2003 SP1 it returns
> > DebuggerEnabled=FALSE, DebuggerNotPresent=TRUE.
> >
> > Any idea? Did Microsoft change this API? Maybe some filter/hooking
> > software (like anti-virus) is considered a debugger now/before
> > Windows Server 2003?
> >
> > I know this function is undocumented, but I would still be happy to know
> > the reason (if any) for the change.
> >
> > Note:
> > I took the function prototype and enum values from the book
> > "Windows NT/2000 NATIVE API REFERENCE" by Gary Nebbett; they can be
> > seen here as well:
> > http://cvs.sourceforge.net/viewcvs.py/line/un/include/UNDOCNT.H?rev=1.2
> >
> > Thanks
> >
> > Alon



Alon,

I think Mark Roddy already explained why: DebuggerNotPresent is only valid
when DebuggerEnabled is true.

There are a couple of articles at OSR Online (registration required) that
might be helpful:
http://www.osronline.com/article.cfm?id=380 (see end of article, just
before Epilogue)
http://www.osronline.com/article.cfm?article=374 (see User Comments at
bottom of page)

These articles recommend using the Microsoft-supported variables
KD_DEBUGGER_ENABLED and KD_DEBUGGER_NOT_PRESENT to query the state of the
debugger.

-Dan
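As an added example (not code from the thread or from OSR), here is the interpretation rule Dan describes written out as plain C: DebuggerNotPresent is consulted only after DebuggerEnabled, so the two FALSE/TRUE readings in the thread classify identically. The struct layout is the one Alon cites from Nebbett; in a driver the two inputs would be the ntddk.h macros KD_DEBUGGER_ENABLED and KD_DEBUGGER_NOT_PRESENT, which is an assumption here, with plain values substituted so the block compiles as ordinary C.

```c
/* Added example: classify kernel-debugger state from the two BOOLEANs.
 * In a driver the inputs would be KD_DEBUGGER_ENABLED and
 * KD_DEBUGGER_NOT_PRESENT (ntddk.h), which read the exported
 * KdDebuggerEnabled / KdDebuggerNotPresent variables from the dumpbin
 * listing above. Here they are ordinary parameters. */
#include <stdio.h>

typedef unsigned char BOOLEAN;   /* mirrors the Windows BOOLEAN type */
#define TRUE  1
#define FALSE 0

/* Layout Alon cites from Nebbett's book for info class 35. */
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN DebuggerEnabled;
    BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION;

typedef enum {
    KD_STATE_DISABLED,            /* kernel debugging not enabled at boot */
    KD_STATE_ENABLED_NO_DEBUGGER, /* enabled, but no debugger is connected */
    KD_STATE_ATTACHED             /* enabled and a debugger is connected */
} KD_STATE;

KD_STATE ClassifyDebuggerState(BOOLEAN enabled, BOOLEAN notPresent)
{
    /* Gate on DebuggerEnabled first: per the thread, DebuggerNotPresent
     * is only valid when DebuggerEnabled is TRUE, so the W2K/XP value
     * (FALSE) and the 2003 SP1 value (TRUE) both mean "disabled". */
    if (!enabled)
        return KD_STATE_DISABLED;
    return notPresent ? KD_STATE_ENABLED_NO_DEBUGGER : KD_STATE_ATTACHED;
}

/* Convenience wrapper for callers that filled the struct via the
 * SystemKernelDebuggerInformation query. */
KD_STATE ClassifyFromInfo(const SYSTEM_KERNEL_DEBUGGER_INFORMATION *info)
{
    return ClassifyDebuggerState(info->DebuggerEnabled, info->DebuggerNotPresent);
}

int main(void)
{
    /* Constructed inputs: the values reported in the thread. */
    SYSTEM_KERNEL_DEBUGGER_INFORMATION w2k_xp  = { FALSE, FALSE };
    SYSTEM_KERNEL_DEBUGGER_INFORMATION srv2003 = { FALSE, TRUE  };
    printf("W2K/XP  -> %d\n", ClassifyFromInfo(&w2k_xp));   /* 0: disabled */
    printf("2003SP1 -> %d\n", ClassifyFromInfo(&srv2003));  /* 0: disabled */
    return 0;
}
```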

----- Original Message -----

Subject: Re: ZwQuerySystemInformation SystemKernelDebuggerInformation - Different results
From: Alon
Date: Wed, 8 Jun 2005 12:51:02 -0700 (PDT)
X-Message-Number: 40