NtSystemDebugControl + KdPitchDebugger

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3.  
4. //Using the "NtSystemDebugControl" function with the "ControlCode" parameter set to any value
5. //but 0x1D.
6. //If KdPitchDebugger is set to true (i.e. No Kernel Debugger is attached), then an error
7. // 0xC0000354 STATUS_DEBUGGER_INACTIVE is returned.
8. //On the other hand, if KdPitchDebugger is set to false, a check for the "SeDebugPrivilege"
9. //privilege is conducted, a sign of presence of Kernel and/or UserMode debugger(s).
10.  
11. extern "C"
12. {
13.     int __stdcall ZwSystemDebugControl(unsigned long ControlCode,
14.                                    void* InputBuffer,
15.                        unsigned long InputBufferLength,
16.                        void* OutputBuffer,
17.                        unsigned long OutputBufferLength,
18.                        unsigned long* pResultLength);
19. }
20.  
21.  
22. //Tested with Win7 - SP1
23. void main()
24. {
25.     unsigned long In=0;
26.     unsigned long Out;
27.     unsigned long Result;
28.     int retValue = ZwSystemDebugControl(0x6 /* Anything but 0x1D */,
29.                                         0,
30.                         0,
31.                         0,
32.                         0,
33.                         0);
34.     printf("return value is %x\r\n",retValue);
35.     if(retValue == 0xC0000354) printf("No Kernel Debugger\r\n");
36.     else
37.     {
38.         printf("Kernel Debugger present\r\n");
39.         if(retValue != 0xC0000022) printf("UserMode Debugger present as well\r\n");
40.     }
41. }