Detect Windbg Session from driver

What function(s) can I use from inside my driver to find out if there is a WinDbg session attached ?

or better said what is the kernel equivalent to user space anti-attach code?

Take a look at
https://msdn.microsoft.com/en-us/library/windows/hardware/ff544697(v=vs.85).aspx

You should understand that this is a stupid thing to do. First, since
all drivers live in the kernel space, if your code is not “perfect” you
could well be creating a bug that will be hard to determine, except that
your code will be suspect since you don’t allow debugging of it. Second, if
I really care there are multiple ways of writing a driver that will allow me
to find out what your driver is doing, so the anti-attach is meaningless.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, January 23, 2015 10:19 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Detect Windbg Session from driver

What function(s) can I use from inside my driver to find out if there is a
WinDbg session attached ?

or better said what is the kernel equivalent to user space anti-attach code?


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
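The routine behind the MSDN link in the reply above is KdRefreshDebuggerNotPresent. As an added example, not code posted in this thread or taken from the original poster's driver, here is what a driver can actually ask the kernel about an attached debugger and how the three answers differ. The host-side shim, the KD_STATE enum, QueryKernelDebuggerState and the HostSetDebuggerState hook are assumptions made for this example so the decision logic compiles and runs outside the WDK; in a WDK build the real ntddk.h is used and the shim disappears.

```c
/*
 * Added example; not code from the thread or from the driver under discussion.
 * Shows what a WDM/KMDF driver can learn from the kernel about an attached
 * debugger, using KdRefreshDebuggerNotPresent (the routine behind the MSDN
 * link above) and the KD_DEBUGGER_ENABLED / KD_DEBUGGER_NOT_PRESENT macros
 * that wdm.h provides for drivers.
 *
 * In a WDK build (/kernel, which defines _KERNEL_MODE) the real ntddk.h is
 * used. Outside the WDK the shim below stands in for the two kernel globals so
 * the logic can be compiled and exercised on a host; the shim is an assumption
 * of this example, not anything Windows provides.
 */
#if defined(_KERNEL_MODE)
#include <ntddk.h>
#else
#include <stdio.h>
typedef unsigned char BOOLEAN;
#define TRUE  1
#define FALSE 0
#define VOID  void
/* Host stand-ins for nt!KdDebuggerEnabled and nt!KdDebuggerNotPresent. */
static BOOLEAN KdDebuggerEnabled    = FALSE;
static BOOLEAN KdDebuggerNotPresent = TRUE;
#define KD_DEBUGGER_ENABLED     KdDebuggerEnabled
#define KD_DEBUGGER_NOT_PRESENT KdDebuggerNotPresent
/* The real routine re-queries the debug transport and rewrites the global;
 * the stand-in simply reports the current value. */
static BOOLEAN KdRefreshDebuggerNotPresent(VOID) { return KdDebuggerNotPresent; }
/* Host-only hook (assumed for this example) to move the shim through states. */
static VOID HostSetDebuggerState(BOOLEAN Enabled, BOOLEAN NotPresent)
{
    KdDebuggerEnabled    = Enabled;
    KdDebuggerNotPresent = NotPresent;
}
#endif

/*
 * "Is WinDbg attached?" has three distinguishable answers:
 *   KD_DEBUGGER_ENABLED == FALSE  boot-time kernel debugging is off
 *                                 (bcdedit /debug off); nothing can attach.
 *   KD_DEBUGGER_NOT_PRESENT       cached by the kernel; may be stale until the
 *                                 transport next talks to a host.
 *   KdRefreshDebuggerNotPresent() re-queries the transport, updates the cached
 *                                 flag and returns it (TRUE = no debugger).
 */
typedef enum _KD_STATE {
    KdStateDebuggingDisabled = 0,  /* booted with kernel debugging off */
    KdStateNoDebuggerAttached,     /* enabled, but no host connected */
    KdStateDebuggerAttached        /* a host such as WinDbg is connected */
} KD_STATE;

KD_STATE
QueryKernelDebuggerState(BOOLEAN Refresh)
{
    if (!KD_DEBUGGER_ENABLED) {
        return KdStateDebuggingDisabled;
    }
    if (Refresh) {
        /* Ask the transport rather than trusting the cached flag. */
        return KdRefreshDebuggerNotPresent() ? KdStateNoDebuggerAttached
                                             : KdStateDebuggerAttached;
    }
    return KD_DEBUGGER_NOT_PRESENT ? KdStateNoDebuggerAttached
                                   : KdStateDebuggerAttached;
}

#if !defined(_KERNEL_MODE)
/* Host-only walkthrough of the three states; never built into a driver. */
int main(VOID)
{
    static const char *Names[] = { "debugging disabled", "no debugger attached",
                                   "debugger attached" };
    HostSetDebuggerState(FALSE, TRUE);   /* bcdedit /debug off */
    printf("%s\n", Names[QueryKernelDebuggerState(TRUE)]);
    HostSetDebuggerState(TRUE, TRUE);    /* /debug on, WinDbg not connected */
    printf("%s\n", Names[QueryKernelDebuggerState(TRUE)]);
    HostSetDebuggerState(TRUE, FALSE);   /* WinDbg connected */
    printf("%s\n", Names[QueryKernelDebuggerState(FALSE)]);
    return 0;
}
#endif
```

Two caveats that the answers in this thread rest on. The cached KD_DEBUGGER_NOT_PRESENT flag is the one that goes stale; KdRefreshDebuggerNotPresent is the call that actually re-asks the transport. And whatever the function returns is advisory only: a host with WinDbg already attached can flip the byte with `eb nt!KdDebuggerNotPresent 1` or patch the comparison inside the driver, and user-mode code can read the same two booleans through NtQuerySystemInformation(SystemKernelDebuggerInformation) without any driver, so the check is at most a hint for timing-sensitive code paths, never a protection.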

“Second, if I really care there are multiple ways of writing a driver that will allow me to find out what your driver is doing” - Don Burn

How?

If you cannot figure this out, then you definitely should not be doing
anti-attach!!! Remember, this is the whole kernel you are blocking
debugging of, to protect your code which you think is too important, or
else the code is malicious and you don’t want someone to debug it. If you
cannot figure out how, with all the drivers in the same address space, that
one could find out what another driver is doing, then you really need to
step back and think about what you are doing.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com


Kernel space is global, blah blah, provide a code example and back up your words or I will be the one thinking you don’t know what you’re doing…

Seriously? Is this the best you’ve got?

mm


“Remember, this is the whole kernel you are blocking debugging of”

I’m not “blocking” anything Don Burn, read the link you sent me - NOTHING GETS BLOCKED. It “indicates whether a kernel debugger is currently attached”. NO BLOCKING INVOLVED.

“If you cannot figure out how with all the drivers in the same address space”

OK, so another driver can read addresses to get instructions. IDA’S NET RESULT IS THE SAME. If you cannot figure out that by “WinDbg session” in my original post I REFER TO DYNAMIC DEBUGGING ONLY - then we’ve nothing to speak of mate.

Personally, I don’t even think you know how to code what you speak of DON BURN. I think the majority of people on this list would rather convince me why I should quit now, than GIVE DIRECT ANSWERS TO QUESTIONS. Thank goodness for the Russian and Chinese language kernel dev forums though. I’ll direct my future inquiries there so as to mitigate THE WASTE OF TIME FOUND HERE.

At one time in the dim dark past, people learning programming at many places
actually had to write the core of a debugger without any “special
instructions” as a class lesson. You can write code that will insert a call
into your driver from another driver, you can with some smarts single step,
you definitely can access the registers, stack and memory of another driver.

No, I won’t give you the code. I make my living by developing Windows kernel
code, and I did this effort for a client who had to legally prove that an
idiot who was blocking the debugging of his driver was the cause of a
failure that would commonly appear to be their driver. In the end the idiot
was sued, by my client and some of his customers, and no longer works in the
industry.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com


I recently watched an American English movie where the quote applies here. The gangster said - “you aint got no game you all talk jack! Keep it in the office cuz out here u gone get run over son!”

Just so you know - IT HAS NOTHING TO DO WITH MY ORIGINAL QUESTION. IDA’S NET RESULT IS THE FUCKING SAME. IT HAS NOTHING TO DO WITH WINDBG - NOTHING GETS BLOCKED.

Now you’ll see a 10 page circle jerk of these idiots patting each other on the back, stroking each others cocks on how smart they are and how stupid I am. In the end, we’ll just post on the Russian/Chinese forums where you don’t get these time wasting, egoistic complications.

Feel free to go away. You’re very rude, and won’t be missed.

-p


xxxxx@gmail.com wrote:

What function(s) can I use from inside my driver to find out if there is a WinDbg session attached ?

or better said what is the kernel equivalent to user space anti-attach code?

If installing your device means I cannot debug MY driver, I will sue you.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.