API tools faq
paste
Advertisement
waliedassar

DebuggerIs32Bit

waliedassar
Dec 1st, 2012
617
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.34 KB | None | 0 0
raw download clone embed print report
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //As of the 64-bit versions of Windows, a new flag (0x4) has been introduced in the "_DEBUG_OBJECT" structure. This flag is set if the debugger is a 32-bit debugger. I prefer to call it DebuggerIs32Bit.
  5.  
  6. //For example,
  7. //64-bit WinDbg debugging 32-bit calc.exe---> The flag is not set.
  8. //32-bit WinDbg debugging 32-bit calc.exe---> The flag is set.
  9.  
  10.  
  11. nt!NtCreateDebugObject+0xe8:
  12. fffff800`036b7ce8 65488b042588010000 mov rax,qword ptr gs:[188h] ;RAX is now _ETHREAD
  13. fffff800`036b7cf1 488b4870 mov rcx,qword ptr [rax+70h] ;RCX is now _EPROCESS
  14. fffff800`036b7cf5 48399120030000 cmp qword ptr [rcx+320h],rdx ; if(_EPROCESS->Wow64Process)
  15. fffff800`036b7cfc 7405 je nt!NtCreateDebugObject+0x103 (fffff800`036b7d03)
  16.  
  17. nt!NtCreateDebugObject+0xfe:
  18. fffff800`036b7cfe 4183496004 or dword ptr [r9+60h],4 ;Sets the DebuggerIs32Bit
  19.  
  20.  
  21.  
  22.  
  23.  
  24. typedef struct _DEBUG_OBJECT
  25. {
  26. KEVENT EventsPresent;
  27. FAST_MUTEX Mutex;
  28. LIST_ENTRY EventList;
  29. union
  30. {
  31. ULONG Flags;
  32. struct
  33. {
  34. UCHAR DebuggerInactive:1;
  35. UCHAR KillProcessOnExit:1;
  36. UCHAR DebuggerIs32Bit:1; //The new flag
  37. };
  38. };
  39. } DEBUG_OBJECT, *PDEBUG_OBJECT;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!