Hi!

I tried to use the undocumented Windows function ZwQuerySystemInformation with SystemKernelDebuggerInformation (35) as "SystemInfoClass" and the structure SYSTEM_KERNEL_DEBUGGER_INFORMATION, which contains the following BOOLEAN parameters (according to the undocumented information):

DebuggerEnabled
DebuggerNotPresent

I call this function (without a debugger running, of course) and the results are very strange: on Windows 2000 (all service packs) and Windows XP (all service packs) it returns DebuggerEnabled=FALSE, DebuggerNotPresent=FALSE; on Windows Server 2003 SP1 it returns DebuggerEnabled=FALSE, DebuggerNotPresent=TRUE.

Any idea? Did Microsoft change this API? Maybe some filter/hooking software (like anti-virus) is considered a debugger now/before Windows Server 2003?

I know this function is undocumented, but I would still be happy to know the reason (if any) for the change.

Note: I took the function prototype and enum values from the book "Windows NT/2000 Native API Reference" by Gary Nebbett; they can be seen here as well:
http://cvs.sourceforge.net/viewcvs.py/line/un/include/UNDOCNT.H?rev=1.2

Thanks,
Alon
If DebuggerEnabled is false then perhaps the value of DebuggerNotPresent
is irrelevant?
=====================
Mark Roddy
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alon
Sent: Wednesday, June 08, 2005 11:03 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] ZwQuerySystemInformation SystemKernelDebuggerInformation - Different results
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@stratus.com To
unsubscribe send a blank email to xxxxx@lists.osr.com
C:\WINNT\system32>dumpbin /exports ntoskrnl.exe | grep Debugger
445 1AD 00073BBC KdDebuggerEnabled
446 1AE 00073BB8 KdDebuggerNotPresent
447 1AF 0002981A KdDisableDebugger
448 1B0 0002988A KdEnableDebugger
449 1B1 00073BC4 KdEnteredDebugger
469 1C5 0002B216 KeEnterKernelDebugger
Note that this is w2k OS. These variables are already there in w2k.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: “Alon”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, June 08, 2005 7:03 PM
Subject: [ntdev] ZwQuerySystemInformation SystemKernelDebuggerInformation - Different results
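The thread above describes a two-BOOLEAN structure returned by ZwQuerySystemInformation for information class 35, Mark Roddy's observation that DebuggerNotPresent only means something when DebuggerEnabled is set, and Maxim's dumpbin listing of the KdDebuggerEnabled / KdDebuggerNotPresent kernel exports that the information class copies into those two fields. The C program below is an added example written for this page; it is not code from the thread, from Nebbett's book or from Microsoft. It assumes the 2-byte layout {DebuggerEnabled, DebuggerNotPresent} from UNDOCNT.H, resolves NtQuerySystemInformation (the user-mode export behind the Zw name) from ntdll.dll at run time, and stubs the live query on non-Windows builds so the decoding logic can be compiled and exercised anywhere. The names kd_decode, kd_decode_pair, kd_state_name, kd_query and KD_INFO_CLASS are chosen here, and the three flag pairs reported in the thread are embedded as constructed samples.

```c
/* Added example (not from the thread): query and decode
 * SystemKernelDebuggerInformation (class 35) from user mode.
 * Assumptions: the 2-byte layout {DebuggerEnabled, DebuggerNotPresent}
 * given in Nebbett's book / UNDOCNT.H; NtQuerySystemInformation resolved
 * from ntdll.dll at run time on Windows; on other platforms the live query
 * is stubbed so the decoding logic still compiles and runs. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>            /* NTSTATUS, NTAPI */
#else
typedef unsigned char BOOLEAN;   /* same size as the NT BOOLEAN: one byte */
#endif

/* Class value and structure as listed in the thread (from UNDOCNT.H). */
#define KD_INFO_CLASS 35
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN DebuggerEnabled;     /* copied from the kernel's KdDebuggerEnabled */
    BOOLEAN DebuggerNotPresent;  /* copied from the kernel's KdDebuggerNotPresent */
} SYSTEM_KERNEL_DEBUGGER_INFORMATION;

typedef enum {
    KD_STATE_DISABLED,           /* kernel debugging not enabled at boot */
    KD_STATE_ENABLED_ATTACHED,   /* enabled and a debugger has connected */
    KD_STATE_ENABLED_DETACHED    /* enabled, but no debugger has connected yet */
} KD_STATE;

/* Mark Roddy's point applied: DebuggerNotPresent is consulted only when
 * DebuggerEnabled is set. With kernel debugging disabled the second flag is
 * whatever the kernel initialised it to, which is exactly the value that
 * differs between Windows 2000/XP and Server 2003 SP1 in the thread. */
KD_STATE kd_decode(const SYSTEM_KERNEL_DEBUGGER_INFORMATION *info)
{
    if (!info->DebuggerEnabled)
        return KD_STATE_DISABLED;
    return info->DebuggerNotPresent ? KD_STATE_ENABLED_DETACHED
                                    : KD_STATE_ENABLED_ATTACHED;
}

/* Convenience wrapper for raw flag values. */
KD_STATE kd_decode_pair(int enabled, int not_present)
{
    SYSTEM_KERNEL_DEBUGGER_INFORMATION info;
    info.DebuggerEnabled = (BOOLEAN)(enabled != 0);
    info.DebuggerNotPresent = (BOOLEAN)(not_present != 0);
    return kd_decode(&info);
}

const char *kd_state_name(KD_STATE s)
{
    switch (s) {
    case KD_STATE_DISABLED:         return "kernel debugger disabled";
    case KD_STATE_ENABLED_ATTACHED: return "kernel debugger enabled, attached";
    case KD_STATE_ENABLED_DETACHED: return "kernel debugger enabled, not attached";
    }
    return "unknown";
}

/* Query the live system. Returns 0 on success, -1 if the call is unavailable
 * or fails. The export is looked up dynamically, the usual way to call an
 * undocumented ntdll function without an import library. */
int kd_query(SYSTEM_KERNEL_DEBUGGER_INFORMATION *out)
{
    memset(out, 0, sizeof *out);
#ifdef _WIN32
    typedef NTSTATUS (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQSI_t fn = ntdll ? (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation") : NULL;
    ULONG returned = 0;
    if (!fn)
        return -1;
    /* NT_SUCCESS: a non-negative status means the call succeeded */
    return fn(KD_INFO_CLASS, out, sizeof *out, &returned) >= 0 ? 0 : -1;
#else
    return -1;  /* no NT kernel to ask on this platform */
#endif
}

int main(void)
{
    /* Constructed samples: the three results reported in the thread. */
    static const struct { const char *os; int enabled, not_present; } samples[] = {
        { "Windows 2000 (all SPs)",  0, 0 },
        { "Windows XP (all SPs)",    0, 0 },
        { "Windows Server 2003 SP1", 0, 1 },
    };
    size_t i;
    SYSTEM_KERNEL_DEBUGGER_INFORMATION live;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s Enabled=%d NotPresent=%d -> %s\n", samples[i].os,
               samples[i].enabled, samples[i].not_present,
               kd_state_name(kd_decode_pair(samples[i].enabled, samples[i].not_present)));

    if (kd_query(&live) == 0)
        printf("%-24s Enabled=%d NotPresent=%d -> %s\n", "this machine",
               live.DebuggerEnabled, live.DebuggerNotPresent,
               kd_state_name(kd_decode(&live)));
    else
        printf("live query unavailable on this platform\n");
    return 0;
}
```

All three reported pairs decode to the same state, which is the practical answer to the original question: whatever the kernel chooses as the resting value of KdDebuggerNotPresent when debugging is disabled, a caller that gates on DebuggerEnabled first is unaffected by the change between releases. Code that treated DebuggerNotPresent=TRUE on its own as "no debugger" would have drawn the opposite conclusion on Windows 2000/XP than on Server 2003 SP1.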