Debugger information from NtQueryInformationProcess

Querying process information with the NtQueryInformationProcess function gives us another way to identify whether the process is running under a debugger. As sourced from MSDN, the NtQueryInformationProcess syntax declaration is the following:

NTSTATUS WINAPI NtQueryInformationProcess(
  _In_       HANDLE ProcessHandle,
  _In_       PROCESSINFOCLASS ProcessInformationClass,
  _Out_      PVOID ProcessInformation,
  _In_       ULONG ProcessInformationLength,
  _Out_opt_  PULONG ReturnLength
);

More information about this function can be found at https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess.

The information returned depends on the ID supplied in the second argument, PROCESSINFOCLASS. PROCESSINFOCLASS is an enumeration of the information classes that can be queried. The IDs we need in order to determine whether the process is being debugged are the following:

  • ProcessDebugPort (7)
  • ProcessDebugObjectHandle (30)
  • ProcessDebugFlags (31)

In essence, if the value written to the ProcessInformation buffer passed as the third argument is non-zero, the process is being debugged.
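The following program is an added example and is not code from the book. It resolves NtQueryInformationProcess from ntdll at run time, issues the three queries listed above against the current process, and turns the raw results into a verdict, which is what an analyst stepping through a sample should expect to see around these calls. The names debug_probe_t, run_probe and interpret_probe are this example's own. One caveat the interpretation encodes: ProcessDebugPort is filled with -1 (all bits set) under a debugger, ProcessDebugObjectHandle fails with STATUS_PORT_NOT_SET (0xC0000353) when no debug object exists, and ProcessDebugFlags has the inverted sense: it returns the NoDebugInherit bit, which is 0 while a debugger is attached and 1 otherwise. The live query is compiled only on Windows; on other platforms main feeds the interpreter a constructed result set so the decision logic can be exercised anywhere.

```c
/* Added example (not from the book): probe the three PROCESSINFOCLASS
 * values the text lists and interpret the results. Windows-only for the
 * live query; the interpretation logic is portable. */
#include <stdint.h>
#include <stdio.h>

#define PROCESS_DEBUG_PORT          7
#define PROCESS_DEBUG_OBJECT_HANDLE 30
#define PROCESS_DEBUG_FLAGS         31
/* NTSTATUS returned for class 30 when the process has no debug object. */
#define STATUS_PORT_NOT_SET         ((int32_t)0xC0000353L)

/* Raw results of the three queries, exactly as the kernel fills them in. */
typedef struct {
    int32_t   port_status;    /* NTSTATUS of the ProcessDebugPort query */
    uintptr_t debug_port;     /* -1 (all bits set) when a debugger is attached */
    int32_t   object_status;  /* NTSTATUS of the ProcessDebugObjectHandle query */
    uintptr_t debug_object;   /* non-NULL handle when a debug object exists */
    int32_t   flags_status;   /* NTSTATUS of the ProcessDebugFlags query */
    uint32_t  debug_flags;    /* NoDebugInherit bit: 0 under a debugger, 1 otherwise */
} debug_probe_t;

/* One flag per information class: 1 if that class reports a debugger. */
typedef struct { int port; int object; int flags; } debug_verdict_t;

/* Interpret raw results; a query that failed (negative NTSTATUS) is ignored,
 * except that class 30 failing is itself the "no debugger" outcome. */
debug_verdict_t interpret_probe(const debug_probe_t *p) {
    debug_verdict_t v = {0, 0, 0};
    if (p->port_status >= 0 && p->debug_port != 0) v.port = 1;
    if (p->object_status >= 0 && p->debug_object != 0) v.object = 1;
    /* Inverted sense: the bit is cleared (0) while being debugged. */
    if (p->flags_status >= 0 && p->debug_flags == 0) v.flags = 1;
    return v;
}

/* Overall verdict: any single class reporting a debugger is enough. */
int debugger_detected(const debug_probe_t *p) {
    debug_verdict_t v = interpret_probe(p);
    return v.port || v.object || v.flags;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Run the three queries against the current process.
 * Returns 0 if the export could not be resolved. */
int run_probe(debug_probe_t *p) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t fn = ntdll ? (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    if (!fn) return 0;
    HANDLE self = GetCurrentProcess();
    p->debug_port = 0; p->debug_object = 0; p->debug_flags = 1;
    p->port_status   = fn(self, PROCESS_DEBUG_PORT, &p->debug_port, sizeof p->debug_port, NULL);
    p->object_status = fn(self, PROCESS_DEBUG_OBJECT_HANDLE, &p->debug_object, sizeof p->debug_object, NULL);
    p->flags_status  = fn(self, PROCESS_DEBUG_FLAGS, &p->debug_flags, sizeof p->debug_flags, NULL);
    return 1;
}
#endif

int main(void) {
    debug_probe_t p;
#ifdef _WIN32
    if (!run_probe(&p)) { puts("could not resolve NtQueryInformationProcess"); return 1; }
#else
    /* Constructed sample: the values an attached debugger typically produces. */
    p = (debug_probe_t){0, (uintptr_t)-1, 0, 0x1234, 0, 0};
#endif
    debug_verdict_t v = interpret_probe(&p);
    printf("ProcessDebugPort: %d  ProcessDebugObjectHandle: %d  ProcessDebugFlags: %d  -> %s\n",
           v.port, v.object, v.flags,
           debugger_detected(&p) ? "debugger present" : "no debugger");
    return 0;
}
```

When reviewing a sample rather than writing one, the useful observation is that all three classes are usually queried together and the ProcessDebugFlags branch is the one most often mis-read, because the "debugger present" path is the zero result.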
