Querying process information using the NtQueryInformationProcess function gives us another way to identify if the process is under a debugger. As sourced from MSDN, the NtQueryInformationProcess syntax declaration is the following:
    NTSTATUS WINAPI NtQueryInformationProcess(
        _In_      HANDLE           ProcessHandle,
        _In_      PROCESSINFOCLASS ProcessInformationClass,
        _Out_     PVOID            ProcessInformation,
        _In_      ULONG            ProcessInformationLength,
        _Out_opt_ PULONG           ReturnLength
    );
More information about this function can be found at https://docs.microsoft.com/en-us/windows/desktop/api/winternl/nf-winternl-ntqueryinformationprocess.
The information returned depends on the ID supplied in the second argument, ProcessInformationClass, which takes a value from the PROCESSINFOCLASS enumeration of queryable IDs. The IDs we need in order to determine whether the process is being debugged are the following:
- ProcessDebugPort (7)
- ProcessDebugObjectHandle (30)
- ProcessDebugFlags (31)
In essence, if the value written into the buffer passed as the third argument, ProcessInformation, is non-zero, then the process is being debugged.
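The following is an added example, not code from the original text. It separates the interpretation of the three queries from the call itself: `debugger_indicated()` decodes a (status, value) pair for a given information class, and the Windows-only `main()` resolves NtQueryInformationProcess from ntdll.dll at run time with GetProcAddress and runs the real results of the three queries through that decoder. One caveat an analyst should keep in mind when reading such checks in a sample: the three classes do not all follow the "non-zero means debugged" rule. ProcessDebugPort returns -1 when a debugger is attached, ProcessDebugObjectHandle returns a non-NULL handle when attached and fails with STATUS_PORT_NOT_SET (0xC0000353) when not, but ProcessDebugFlags reports the NoDebugInherit flag, which reads 0 when the process is being debugged and 1 when it is not. The numeric constants are the documented winternl.h and ntstatus.h values; `NtQIP_t` is a local typedef name chosen for this example.

```c
/* Added example (not from the original text): decoding the three
 * NtQueryInformationProcess queries that anti-debug code commonly uses.
 * The decoder is portable so its logic can be exercised on any platform;
 * the Windows-only main() resolves NtQueryInformationProcess from ntdll
 * at run time and feeds the real results through the same decoder. */
#include <stdint.h>
#include <stdio.h>

/* PROCESSINFOCLASS values and NTSTATUS codes as documented for Windows. */
#define PROCESS_DEBUG_PORT           7
#define PROCESS_DEBUG_OBJECT_HANDLE  30
#define PROCESS_DEBUG_FLAGS          31
#define NT_STATUS_SUCCESS            0x00000000u
#define NT_STATUS_PORT_NOT_SET       0xC0000353u  /* ProcessDebugObjectHandle, no debugger */

/* Returns 1 if the (status, value) pair returned for the given information
 * class indicates an attached debugger, 0 otherwise.  The semantics differ:
 *  - ProcessDebugPort:         non-zero (-1) when debugged
 *  - ProcessDebugObjectHandle: non-NULL handle when debugged; the call itself
 *                              fails with STATUS_PORT_NOT_SET otherwise
 *  - ProcessDebugFlags:        value is the NoDebugInherit flag, so it reads
 *                              0 when debugged and 1 when not (inverted) */
int debugger_indicated(int info_class, uint32_t status, uint64_t value)
{
    switch (info_class) {
    case PROCESS_DEBUG_PORT:
        return status == NT_STATUS_SUCCESS && value != 0;
    case PROCESS_DEBUG_OBJECT_HANDLE:
        if (status == NT_STATUS_PORT_NOT_SET)
            return 0;
        return status == NT_STATUS_SUCCESS && value != 0;
    case PROCESS_DEBUG_FLAGS:
        return status == NT_STATUS_SUCCESS && value == 0;
    default:
        return 0;  /* not a debug-related information class */
    }
}

#ifdef _WIN32
#include <windows.h>
/* Local typedef for the resolved function pointer (name chosen for this example). */
typedef LONG (WINAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

int main(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQIP_t NtQIP = ntdll ? (NtQIP_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    if (!NtQIP) {
        puts("could not resolve NtQueryInformationProcess");
        return 1;
    }
    struct { int cls; const char *name; } q[] = {
        { PROCESS_DEBUG_PORT,          "ProcessDebugPort" },
        { PROCESS_DEBUG_OBJECT_HANDLE, "ProcessDebugObjectHandle" },
        { PROCESS_DEBUG_FLAGS,         "ProcessDebugFlags" },
    };
    for (int i = 0; i < 3; i++) {
        /* One pointer-sized buffer covers a port value, a HANDLE, or a ULONG flag;
         * the length passed is the size the class actually expects. */
        ULONG_PTR value = 0;
        ULONG len = (q[i].cls == PROCESS_DEBUG_FLAGS) ? sizeof(ULONG) : sizeof(value);
        LONG status = NtQIP(GetCurrentProcess(), (ULONG)q[i].cls, &value, len, NULL);
        printf("%-26s status=0x%08lX value=0x%llX -> %s\n", q[i].name,
               (unsigned long)status, (unsigned long long)value,
               debugger_indicated(q[i].cls, (uint32_t)status, (uint64_t)value)
                   ? "debugger attached" : "no debugger");
    }
    return 0;
}
#endif
```

Running the program under a debugger and then without one shows the ProcessDebugFlags line flipping from 0 to 1 while the other two flip from non-zero to zero, which is why a sample that checks ProcessDebugFlags will typically test the result for equality with zero rather than for a non-zero value.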