code retrieves offset +30 from the Thread Environment Block (TEB) data
structure, which points to the current process’s PEB. Then the sequence reads a byte
at offset +2, which indicates whether a debugger is present or not. Embedding
this sequence within a program is risky because it is difficult to predict what
would happen if Microsoft changes one of these data structures in a future
release of the operating system. Such a change could cause the program to
crash or terminate even when no debugger is present.
The only tool you have for evaluating the likelihood of these two data
structures changing is to look at past versions of the operating system. The fact is
that this particular API hasn’t changed between Windows NT 4.0 (released in
1996) and Windows Server 2003. This is good because it means that this
implementation would work on all relevant versions of the system. This is also a
solid indicator that these are static data structures that are not likely to change.
On the other hand, always remember what your investment banker keeps
telling you: “past performance is not indicative of future results.” Just because
Microsoft hasn’t changed these data structures in the past 7 years doesn’t
necessarily mean they won’t change them in the next 7 years.
Finally, implementing this approach would require that you have the ability
to somehow incorporate assembly language code into your program. This is
not a problem with most C/C++ compilers (the Microsoft compiler supports
the _asm keyword for adding inline assembly language code), but it might not
be possible in every programming language or development platform.
SystemKernelDebuggerInformation
The NtQuerySystemInformation native API can be used to determine if a
kernel debugger is attached to the system. This function supports several
different types of information requests. The SystemKernelDebuggerInformation
request code can obtain information from the kernel on whether a kernel
debugger is currently attached to the system.
SYSTEM_KERNEL_DEBUGGER_INFORMATION DebuggerInfo;
ULONG ulReturnedLength;
ZwQuerySystemInformation(SystemKernelDebuggerInformation,
    (PVOID) &DebuggerInfo, sizeof(DebuggerInfo), &ulReturnedLength);
The following is a definition of the data structure returned by the
SystemKernelDebuggerInformation request:
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    BOOLEAN DebuggerEnabled;
    BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION,
  *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
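As an added example (not code from the book), here is a C program that performs the SystemKernelDebuggerInformation query through NtQuerySystemInformation resolved from ntdll.dll and interprets both fields of the returned structure. The request-code value 35, the dynamic lookup, and the three-way state enum are this example's own assumptions; outside Windows the query step is compiled out and only the interpretation function is exercised.

```c
#include <stdio.h>
/* Layout from the page; BOOLEAN is an unsigned char on Windows. */
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
    unsigned char DebuggerEnabled;     /* kernel debugging enabled at boot */
    unsigned char DebuggerNotPresent;  /* enabled, but no debugger connected */
} SYSTEM_KERNEL_DEBUGGER_INFORMATION;

enum kd_state {
    KD_UNAVAILABLE = -1,          /* query failed, or not running on Windows */
    KD_DISABLED = 0,              /* kernel debugging not enabled */
    KD_ENABLED_NOT_ATTACHED = 1,  /* boot debug option set, nothing attached */
    KD_ATTACHED = 2               /* a kernel debugger is attached */
};

/* Interpretation of the two flags, kept separate so it can be checked on any host. */
enum kd_state interpret_kd_info(const SYSTEM_KERNEL_DEBUGGER_INFORMATION *info)
{
    if (!info->DebuggerEnabled)
        return KD_DISABLED;
    return info->DebuggerNotPresent ? KD_ENABLED_NOT_ATTACHED : KD_ATTACHED;
}

#ifdef _WIN32
#include <windows.h>
/* Assumed request code for SystemKernelDebuggerInformation (not in winternl.h). */
#define SYSTEM_KERNEL_DEBUGGER_INFORMATION_CLASS 35
typedef LONG (WINAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);
enum kd_state query_kernel_debugger(void)
{
    SYSTEM_KERNEL_DEBUGGER_INFORMATION info = {0, 0};
    ULONG returned = 0;
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQuerySystemInformation_t fn = ntdll
        ? (NtQuerySystemInformation_t)GetProcAddress(ntdll, "NtQuerySystemInformation")
        : NULL;
    /* A failure here is a status code, not a crash, unlike the raw TEB/PEB read. */
    if (!fn || fn(SYSTEM_KERNEL_DEBUGGER_INFORMATION_CLASS, &info, sizeof(info), &returned) < 0)
        return KD_UNAVAILABLE;
    return interpret_kd_info(&info);
}
#else
enum kd_state query_kernel_debugger(void) { return KD_UNAVAILABLE; }
#endif

int main(void)
{
    printf("kernel debugger state: %d\n", (int)query_kernel_debugger());
    return 0;
}
```

Checking both fields matters in practice: a machine booted with kernel debugging enabled but no debugger connected reports DebuggerEnabled set and DebuggerNotPresent set, which the three-way result keeps distinct from an attached debugger.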
To determine whether a kernel debugger is attached to the system, the
DebuggerEnabled member should be checked. Note that SoftICE will not be detected
Antireversing Techniques 333