├── Kernel debug check.sln
├── Kernel debug check
│   ├── DriverEntry.cpp
│   ├── Kernel debug check.vcxproj
│   ├── Kernel debug check.vcxproj.filters
│   ├── KernelDebugCheck.hpp
│   ├── Kerneldebugcheck.inf
│   ├── NtApiDef.h
│   └── Struct.h
└── README.md
/Kernel debug check.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31624.102
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Kernel debug check", "Kernel debug check\Kernel debug check.vcxproj", "{300F0D8F-A1CF-4126-A19D-27D6D29157FA}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|ARM = Debug|ARM
11 | Debug|ARM64 = Debug|ARM64
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|ARM = Release|ARM
15 | Release|ARM64 = Release|ARM64
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|ARM.ActiveCfg = Debug|ARM
21 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|ARM.Build.0 = Debug|ARM
22 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|ARM.Deploy.0 = Debug|ARM
23 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|ARM64.Build.0 = Debug|ARM64
25 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|x64.ActiveCfg = Debug|x64
27 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|x64.Build.0 = Debug|x64
28 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|x64.Deploy.0 = Debug|x64
29 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|x86.ActiveCfg = Debug|Win32
30 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|x86.Build.0 = Debug|Win32
31 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Debug|x86.Deploy.0 = Debug|Win32
32 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|ARM.ActiveCfg = Release|ARM
33 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|ARM.Build.0 = Release|ARM
34 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|ARM.Deploy.0 = Release|ARM
35 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|ARM64.ActiveCfg = Release|ARM64
36 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|ARM64.Build.0 = Release|ARM64
37 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|ARM64.Deploy.0 = Release|ARM64
38 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|x64.ActiveCfg = Release|x64
39 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|x64.Build.0 = Release|x64
40 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|x64.Deploy.0 = Release|x64
41 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|x86.ActiveCfg = Release|Win32
42 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|x86.Build.0 = Release|Win32
43 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}.Release|x86.Deploy.0 = Release|Win32
44 | EndGlobalSection
45 | GlobalSection(SolutionProperties) = preSolution
46 | HideSolutionNode = FALSE
47 | EndGlobalSection
48 | GlobalSection(ExtensibilityGlobals) = postSolution
49 | SolutionGuid = {BFAB07A1-E8A3-4DC1-9329-5A75146BFD80}
50 | EndGlobalSection
51 | EndGlobal
52 |
--------------------------------------------------------------------------------
/Kernel debug check/DriverEntry.cpp:
--------------------------------------------------------------------------------
1 | #include "KernelDebugCheck.hpp"
2 |
3 |
// Unload routine registered by DriverEntry.  There is nothing to tear down:
// the driver never creates device objects, registers callbacks or allocates
// pool, so all this does is leave a trace in the debugger output.
// Note that KDCheck::DisableKernelDebug(), invoked at load time, is not undone
// here -- the kernel debugger stays disabled after the driver is gone.
VOID OnDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;    // unused: nothing was attached to the driver object

    DbgPrint("[BAD BOB] Driver unload!\n");
}
10 |
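// Driver entry point.  This is a load-time probe only: no device object, no
// AddDevice and no dispatch routines are set up, so everything the driver does
// happens right here and the results are visible only in the kernel debugger /
// DbgPrint output.  (The project is configured as KMDF, but WdfDriverCreate is
// never called, so the driver behaves as a plain WDM driver.)
//
// pDriverObject  - driver object supplied by the I/O manager; only DriverUnload
//                  is filled in.
// pRegistryPath  - unused.
// Returns STATUS_FAILED_DRIVER_ENTRY if no driver object was supplied,
// STATUS_SUCCESS otherwise.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    if (!pDriverObject)
        return STATUS_FAILED_DRIVER_ENTRY;

    // Register the unload routine before doing anything else so the driver is
    // always unloadable regardless of what the probes below do.
    pDriverObject->DriverUnload = &OnDriverUnload;

    // Every probe returns bool (DisableKernelDebug returns DWORD).  The original
    // printed them with "%p": on x64 that makes DbgPrint read a full 64-bit
    // varargs slot for a 4-byte int whose upper half is unspecified, so the
    // output was garbage.  "%d" / "%lu" with explicit casts match what is
    // actually pushed, and the trailing '\n' keeps one result per line.
    DbgPrint("[BAD BOB] Check hardware Breakpoint ->\t %d\n", static_cast<int>(KDCheck::CheckHardwareBreakpoint()));
    DbgPrint("[BAD BOB] Hypervisor debugger enable ->\t %d\n", static_cast<int>(KDCheck::HypDebugIsEnable()));
    DbgPrint("[BAD BOB] Running under debug mode ->\t %d\n", static_cast<int>(KDCheck::DebugModeIsEnable()));
    DbgPrint("[BAD BOB] Debug mode informathion ->\t %d\n", static_cast<int>(KDCheck::KernelDebugEnable()));
    DbgPrint("[BAD BOB] Trigger debugger ->\t %d\n", static_cast<int>(KDCheck::DebugTrigger()));
    DbgPrint("[BAD BOB] Debug flag ->\t %d\n", static_cast<int>(KDCheck::DebugFlagCheck()));

    // The only probe with a side effect: KdDisableDebugger() turns the kernel
    // debugger off machine-wide and nothing in this driver re-enables it.  It is
    // deliberately last, since it changes the state the preceding probes read.
    DbgPrint("[BAD BOB] STATUS disable kernel debugger ->\t %lu\n", static_cast<unsigned long>(KDCheck::DisableKernelDebug()));

    return STATUS_SUCCESS;
}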
--------------------------------------------------------------------------------
/Kernel debug check/Kernel debug check.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 | Debug
22 | ARM
23 |
24 |
25 | Release
26 | ARM
27 |
28 |
29 | Debug
30 | ARM64
31 |
32 |
33 | Release
34 | ARM64
35 |
36 |
37 |
38 | {300F0D8F-A1CF-4126-A19D-27D6D29157FA}
39 | {1bc93793-694f-48fe-9372-81e2b05556fd}
40 | v4.5
41 | 12.0
42 | Debug
43 | Win32
44 | Kernel_debug_check
45 | $(LatestTargetPlatformVersion)
46 |
47 |
48 |
49 | Windows10
50 | true
51 | WindowsKernelModeDriver10.0
52 | Driver
53 | KMDF
54 | Universal
55 |
56 |
57 | Windows10
58 | false
59 | WindowsKernelModeDriver10.0
60 | Driver
61 | KMDF
62 | Universal
63 |
64 |
65 | Windows10
66 | true
67 | WindowsKernelModeDriver10.0
68 | Driver
69 | KMDF
70 | Universal
71 |
72 |
73 | Windows10
74 | false
75 | WindowsKernelModeDriver10.0
76 | Driver
77 | KMDF
78 | Universal
79 | false
80 |
81 |
82 | Windows10
83 | true
84 | WindowsKernelModeDriver10.0
85 | Driver
86 | KMDF
87 | Universal
88 |
89 |
90 | Windows10
91 | false
92 | WindowsKernelModeDriver10.0
93 | Driver
94 | KMDF
95 | Universal
96 |
97 |
98 | Windows10
99 | true
100 | WindowsKernelModeDriver10.0
101 | Driver
102 | KMDF
103 | Universal
104 |
105 |
106 | Windows10
107 | false
108 | WindowsKernelModeDriver10.0
109 | Driver
110 | KMDF
111 | Universal
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 | DbgengKernelDebugger
123 |
124 |
125 | DbgengKernelDebugger
126 |
127 |
128 | DbgengKernelDebugger
129 |
130 |
131 | DbgengKernelDebugger
132 |
133 |
134 | DbgengKernelDebugger
135 |
136 |
137 | DbgengKernelDebugger
138 |
139 |
140 | DbgengKernelDebugger
141 |
142 |
143 | DbgengKernelDebugger
144 |
145 |
146 |
147 | stdcpp17
148 |
149 |
150 |
151 |
152 | stdc17
153 |
154 |
155 | DriverEntry
156 |
157 |
158 |
159 |
160 | DriverEntry
161 |
162 |
163 | Level3
164 |
165 |
166 | false
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
--------------------------------------------------------------------------------
/Kernel debug check/Kernel debug check.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
11 |
12 |
13 | {8E41214B-6785-4CFE-B992-037D68949A14}
14 | inf;inv;inx;mof;mc;
15 |
16 |
17 | {b0202ed1-7089-4a1d-90c3-6974940dc241}
18 |
19 |
20 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
21 | h;hpp;hxx;hm;inl;inc;xsd
22 |
23 |
24 |
25 |
26 | Driver Files
27 |
28 |
29 |
30 |
31 | Driver Files
32 |
33 |
34 |
35 |
36 | Header Files
37 |
38 |
39 | Kernel debug check
40 |
41 |
42 | Header Files
43 |
44 |
45 |
--------------------------------------------------------------------------------
/Kernel debug check/KernelDebugCheck.hpp:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "NtApiDef.h"
3 |
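namespace KDCheck
{
    // Anti-debug probes used by DriverEntry.  All of them are defined in this
    // header, so they are 'inline' to stay ODR-safe if the header is ever
    // included from a second translation unit.  They touch only their own stack
    // and are called from DriverEntry at PASSIVE_LEVEL.  The information classes
    // and buffer layouts come from Struct.h; each query's NTSTATUS is now checked
    // so that a rejected query reads as "not detected" instead of whatever
    // happened to be in the output buffer.

    // True if any of DR0..DR3 holds a non-zero address, i.e. a hardware
    // breakpoint is armed in the debug-register context of the *current* thread
    // on the *current* processor.  It says nothing about other threads or CPUs,
    // and a debugger that virtualises the debug registers will not be seen.
    // NOTE(review): __readdr is an x86/x64 intrinsic; the ARM/ARM64
    // configurations in the project file will not build this as written.
    inline bool CheckHardwareBreakpoint()
    {
        // Reference: "Rootkits and Bootkits: Reversing Modern Malware and Next
        // Generation Threats" -> Festi botnet.
        return (__readdr(0) != 0)
            || (__readdr(1) != 0)
            || (__readdr(2) != 0)
            || (__readdr(3) != 0);
    }

    // Asks the kernel to disable the attached kernel debugger via
    // KdDisableDebugger().  Returns 1 on NT_SUCCESS, 0 otherwise (the DWORD
    // return type is kept for the existing callers).
    // This is a machine-wide, persistent action: nothing in this driver calls
    // KdEnableDebugger afterwards, so the debugger stays disabled after unload.
    // See https://www.godeye.club/2021/06/03/002-mhyprot-insider-callbacks.html
    inline DWORD DisableKernelDebug()
    {
        const NTSTATUS status = KdDisableDebugger();
        return NT_SUCCESS(status) ? 1u : 0u;
    }

    // True if the hypervisor reports hypervisor-level debugging as enabled.
    // Queries SystemHypervisorInformation, the class whose output buffer is the
    // SYSTEM_HYPERVISOR_QUERY_INFORMATION structure defined in Struct.h (see the
    // reference below).  The original asked for SystemHypervisorDetailInformation,
    // which per the enum comment in Struct.h describes a different structure
    // (SYSTEM_HYPERVISOR_DETAIL_INFORMATION), and never checked the status.
    // A failed query (no hypervisor, length mismatch, ...) reads as "not enabled".
    inline bool HypDebugIsEnable()
    {
        // https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/hypervisor_query.htm
        SYSTEM_HYPERVISOR_QUERY_INFORMATION hypInfo{};
        ULONG returnedLength = 0;

        const NTSTATUS status = NtQuerySystemInformation(
            SystemHypervisorInformation,
            &hypInfo,
            sizeof(hypInfo),
            &returnedLength);

        if (!NT_SUCCESS(status))
            return false;

        return hypInfo.HypervisorDebuggingEnabled != 0;
    }

    // True if the CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED bit is set in the
    // code-integrity options.  NOTE(review): this presumably reflects the boot
    // configuration (kernel debugging enabled at boot) rather than a live
    // debugger attachment -- confirm before relying on it as "debugger present".
    // A failed query reads as "not enabled".
    inline bool DebugModeIsEnable()
    {
        // https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/codeintegrity.htm
        SYSTEM_CODEINTEGRITY_INFORMATION ciInfo{};
        ciInfo.Length = sizeof(ciInfo);     // the query is rejected unless Length is filled in

        const NTSTATUS status = NtQuerySystemInformation(
            SystemCodeIntegrityInformation,
            &ciInfo,
            sizeof(ciInfo),
            nullptr);

        if (!NT_SUCCESS(status))
            return false;

        return (ciInfo.CodeIntegrityOptions & CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED) != 0;
    }

    // Returns the KernelDebuggerIgnoreUmExceptions flag from the
    // SystemKernelDebuggerFlags class.  Despite the name this is NOT a
    // "debugger present" test: the flag only says whether the kernel debugger is
    // set to ignore user-mode exceptions (presumably the state that the
    // SysDbgGet/SetKdUmExceptionEnable commands in Struct.h control -- confirm).
    // A failed query reads as false.
    inline bool DebugFlagCheck()
    {
        SYSTEM_KERNEL_DEBUGGER_FLAGS debuggerFlags{};

        const NTSTATUS status = NtQuerySystemInformation(
            SystemKernelDebuggerFlags,
            &debuggerFlags,
            sizeof(debuggerFlags),
            nullptr);

        if (!NT_SUCCESS(status))
            return false;

        return debuggerFlags.KernelDebuggerIgnoreUmExceptions != 0;
    }

    // True if the kernel reports the kernel debugger as enabled.
    // Uses SystemKernelDebuggerInformation, whose output buffer is the
    // two-BOOLEAN SYSTEM_KERNEL_DEBUGGER_INFORMATION defined in Struct.h.  The
    // original queried SystemKernelDebuggerInformationEx, which per the enum
    // comment in Struct.h fills a different structure that Struct.h does not
    // define, pre-filled the buffer with -1 and ignored the status -- so a
    // rejected query read back as "enabled".
    // KernelDebuggerNotPresent (enabled but nothing attached) is deliberately not
    // folded in, to keep the original "enabled" semantics.  The WDK also exports
    // KD_DEBUGGER_ENABLED / KD_DEBUGGER_NOT_PRESENT, which would give the same
    // state without an undocumented query.
    inline bool KernelDebugEnable()
    {
        SYSTEM_KERNEL_DEBUGGER_INFORMATION kdInfo{};

        const NTSTATUS status = NtQuerySystemInformation(
            SystemKernelDebuggerInformation,
            &kdInfo,
            sizeof(kdInfo),
            nullptr);

        if (!NT_SUCCESS(status))
            return false;

        return kdInfo.KernelDebuggerEnabled != 0;
    }

    // Probes for an active kernel debugger through ZwSystemDebugControl.  The
    // trick from the cited paste: with no kernel debugger attached the call
    // fails with STATUS_DEBUGGER_INACTIVE for every command other than
    // SysDbgGetTriageDump (0x1D in SYSDBG_COMMAND), so any other status is
    // taken as "a debugger is there".
    // NOTE(review): the command sent is SysDbgBreakPoint; if the kernel honours
    // it while a debugger is attached this breaks into the debugger rather than
    // merely probing.  A read-only command (e.g. SysDbgGetAutoKdEnable) would be
    // the quieter choice if that is not intended.
    inline bool DebugTrigger()
    {
        // https://pastebin.com/6kbt1Vka
        const NTSTATUS status = ZwSystemDebugControl(
            SysDbgBreakPoint,   /* anything but SysDbgGetTriageDump (0x1D) */
            nullptr,
            0,
            nullptr,
            0,
            nullptr);

        return status != STATUS_DEBUGGER_INACTIVE;
    }
}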
--------------------------------------------------------------------------------
/Kernel debug check/Kerneldebugcheck.inf:
--------------------------------------------------------------------------------
1 | ;
2 | ; Kerneldebugcheck.inf
3 | ;
4 |
5 | [Version]
6 | Signature="$WINDOWS NT$"
7 | Class=Sample ; TODO: edit Class
8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
9 | Provider=%ManufacturerName%
10 | CatalogFile=Kerneldebugcheck.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 | PnpLockDown=1
13 |
14 | [DestinationDirs]
15 | DefaultDestDir = 12
16 | Kerneldebugcheck_Device_CoInstaller_CopyFiles = 11
17 |
18 | ; ================= Class section =====================
19 |
20 | [ClassInstall32]
21 | Addreg=SampleClassReg
22 |
23 | [SampleClassReg]
24 | HKR,,,0,%ClassName%
25 | HKR,,Icon,,-5
26 |
27 | [SourceDisksNames]
28 | 1 = %DiskName%,,,""
29 |
30 | [SourceDisksFiles]
31 | Kerneldebugcheck.sys = 1,,
32 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
33 |
34 | ;*****************************************
35 | ; Install Section
36 | ;*****************************************
37 |
38 | [Manufacturer]
39 | %ManufacturerName%=Standard,NT$ARCH$
40 |
41 | [Standard.NT$ARCH$]
42 | %Kerneldebugcheck.DeviceDesc%=Kerneldebugcheck_Device, Root\Kerneldebugcheck ; TODO: edit hw-id
43 |
44 | [Kerneldebugcheck_Device.NT]
45 | CopyFiles=Drivers_Dir
46 |
47 | [Drivers_Dir]
48 | Kerneldebugcheck.sys
49 |
50 | ;-------------- Service installation
51 | [Kerneldebugcheck_Device.NT.Services]
52 | AddService = Kerneldebugcheck,%SPSVCINST_ASSOCSERVICE%, Kerneldebugcheck_Service_Inst
53 |
54 | ; -------------- Kerneldebugcheck driver install sections
55 | [Kerneldebugcheck_Service_Inst]
56 | DisplayName = %Kerneldebugcheck.SVCDESC%
57 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER
58 | StartType = 3 ; SERVICE_DEMAND_START
59 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL
60 | ServiceBinary = %12%\Kerneldebugcheck.sys
61 |
62 | ;
63 | ;--- Kerneldebugcheck_Device Coinstaller installation ------
64 | ;
65 |
66 | [Kerneldebugcheck_Device.NT.CoInstallers]
67 | AddReg=Kerneldebugcheck_Device_CoInstaller_AddReg
68 | CopyFiles=Kerneldebugcheck_Device_CoInstaller_CopyFiles
69 |
70 | [Kerneldebugcheck_Device_CoInstaller_AddReg]
71 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
72 |
73 | [Kerneldebugcheck_Device_CoInstaller_CopyFiles]
74 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
75 |
76 | [Kerneldebugcheck_Device.NT.Wdf]
77 | KmdfService = Kerneldebugcheck, Kerneldebugcheck_wdfsect
78 | [Kerneldebugcheck_wdfsect]
79 | KmdfLibraryVersion = $KMDFVERSION$
80 |
81 | [Strings]
82 | SPSVCINST_ASSOCSERVICE= 0x00000002
83 | ManufacturerName="" ;TODO: Replace with your manufacturer name
84 | ClassName="Samples" ; TODO: edit ClassName
85 | DiskName = "Kerneldebugcheck Installation Disk"
86 | Kerneldebugcheck.DeviceDesc = "Kerneldebugcheck Device"
87 | Kerneldebugcheck.SVCDESC = "Kerneldebugcheck Service"
88 |
--------------------------------------------------------------------------------
/Kernel debug check/NtApiDef.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "Struct.h"
3 |
// Prototypes for two ntoskrnl exports that the public WDK headers do not
// declare.  The shapes match the user-mode winternl.h prototypes; the
// information classes and buffer layouts are in Struct.h.
//
// NOTE(review): these are the Nt* entry points, not the Zw* ones.  Per the
// documented Nt/Zw distinction, an Nt* call keeps the caller's previous mode,
// so from a thread whose previous mode is user (e.g. an IOCTL handler) the
// kernel would treat the supplied buffers as user buffers.  The callers in
// KernelDebugCheck.hpp run from DriverEntry, where this is fine; reusing them
// from a dispatch routine would call for the Zw* variants instead.
EXTERN_C NTSTATUS NTAPI NtQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,  // see Struct.h
    PVOID                    SystemInformation,       // caller-owned output buffer
    ULONG                    SystemInformationLength, // size of that buffer in bytes
    PULONG                   ReturnLength             // optional, may be NULL
);

EXTERN_C NTSTATUS NTAPI ZwSystemDebugControl(
    ULONG  ControlCode,        // a SYSDBG_COMMAND value (see Struct.h)
    PVOID  InputBuffer,
    ULONG  InputBufferLength,
    PVOID  OutputBuffer,
    ULONG  OutputBufferLength,
    PULONG pResultLength
);
17 |
--------------------------------------------------------------------------------
/Kernel debug check/Struct.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 |
10 |
// The single CodeIntegrityOptions bit this project tests (see
// KDCheck::DebugModeIsEnable and the codeintegrity.htm reference it cites).
// Other option bits of SYSTEM_CODEINTEGRITY_INFORMATION are intentionally
// not defined here.
#define CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED 0x00000080
12 |
13 |
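// Control codes for NtSystemDebugControl / ZwSystemDebugControl.  The values are
// positional (0-based); the two this project cares about are pinned explicitly
// so an accidental insertion cannot silently renumber them:
//   - SysDbgBreakPoint (6) is the command KDCheck::DebugTrigger sends;
//   - SysDbgGetTriageDump (29 = 0x1D) is the one command that DebugTrigger's
//     comment singles out as handled without an attached debugger.
typedef enum _SYSDBG_COMMAND {
    SysDbgQueryModuleInformation = 0,
    SysDbgQueryTraceInformation,
    SysDbgSetTracepoint,
    SysDbgSetSpecialCall,
    SysDbgClearSpecialCalls,
    SysDbgQuerySpecialCalls,
    SysDbgBreakPoint = 6,
    SysDbgQueryVersion,
    SysDbgReadVirtual,
    SysDbgWriteVirtual,
    SysDbgReadPhysical,
    SysDbgWritePhysical,
    SysDbgReadControlSpace,
    SysDbgWriteControlSpace,
    SysDbgReadIoSpace,
    SysDbgWriteIoSpace,
    SysDbgReadMsr,
    SysDbgWriteMsr,
    SysDbgReadBusData,
    SysDbgWriteBusData,
    SysDbgCheckLowMemory,
    SysDbgEnableKernelDebugger,
    SysDbgDisableKernelDebugger,
    SysDbgGetAutoKdEnable,
    SysDbgSetAutoKdEnable,
    SysDbgGetPrintBufferSize,
    SysDbgSetPrintBufferSize,
    SysDbgGetKdUmExceptionEnable,
    SysDbgSetKdUmExceptionEnable,
    SysDbgGetTriageDump = 29,   // 0x1D
    SysDbgGetKdBlockEnable,
    SysDbgSetKdBlockEnable,
} SYSDBG_COMMAND, * PSYSDBG_COMMAND;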
48 |
49 |
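// Information classes for NtQuerySystemInformation.  Values are positional, so
// a single stray insertion would silently shift every class after it.  The
// decade markers that used to be comments are now enforced as explicit values,
// as are the classes this project actually queries:
//   SystemKernelDebuggerInformation   (35)  -> SYSTEM_KERNEL_DEBUGGER_INFORMATION
//   SystemHypervisorInformation       (91)  -> SYSTEM_HYPERVISOR_QUERY_INFORMATION
//   SystemCodeIntegrityInformation    (103) -> SYSTEM_CODEINTEGRITY_INFORMATION
//   SystemKernelDebuggerInformationEx (149) -> SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX (not defined here)
//   SystemHypervisorDetailInformation (159) -> SYSTEM_HYPERVISOR_DETAIL_INFORMATION (not defined here)
//   SystemKernelDebuggerFlags         (163) -> SYSTEM_KERNEL_DEBUGGER_FLAGS
// "q" / "s" in the trailing comments mean query / set.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
    SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
    SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
    SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
    SystemPathInformation, // not implemented
    SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
    SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
    SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
    SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
    SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
    SystemCallTimeInformation = 10, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
    SystemModuleInformation, // q: RTL_PROCESS_MODULES
    SystemLocksInformation, // q: RTL_PROCESS_LOCKS
    SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
    SystemPagedPoolInformation, // not implemented
    SystemNonPagedPoolInformation, // not implemented
    SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
    SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
    SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
    SystemVdmInstemulInformation, // q
    SystemVdmBopInformation = 20, // not implemented // 20
    SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
    SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
    SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
    SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
    SystemFullMemoryInformation, // not implemented
    SystemLoadGdiDriverInformation, // s (kernel-mode only)
    SystemUnloadGdiDriverInformation, // s (kernel-mode only)
    SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
    SystemSummaryMemoryInformation, // not implemented
    SystemMirrorMemoryInformation = 30, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
    SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
    SystemObsolete0, // not implemented
    SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
    SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
    SystemKernelDebuggerInformation = 35, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
    SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
    SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
    SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
    SystemPrioritySeperation, // s (requires SeTcbPrivilege)
    SystemVerifierAddDriverInformation = 40, // s (requires SeDebugPrivilege) // 40
    SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
    SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
    SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
    SystemCurrentTimeZoneInformation, // q
    SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
    SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
    SystemSessionCreate, // not implemented
    SystemSessionDetach, // not implemented
    SystemSessionInformation, // not implemented
    SystemRangeStartInformation = 50, // q: SYSTEM_RANGE_START_INFORMATION // 50
    SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
    SystemVerifierThunkExtend, // s (kernel-mode only)
    SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
    SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
    SystemNumaProcessorMap, // q
    SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
    SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
    SystemRecommendedSharedDataAlignment, // q
    SystemComPlusPackage, // q; s
    SystemNumaAvailableMemory = 60, // 60
    SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
    SystemEmulationBasicInformation, // q
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
    SystemLostDelayedWriteInformation, // q: ULONG
    SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
    SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
    SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
    SystemHotpatchInformation, // q; s
    SystemObjectSecurityMode = 70, // q // 70
    SystemWatchdogTimerHandler, // s (kernel-mode only)
    SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
    SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
    SystemWow64SharedInformationObsolete, // not implemented
    SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
    SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
    SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
    SystemVerifierTriageInformation, // not implemented
    SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
    SystemMemoryListInformation = 80, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
    SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
    SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
    SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
    SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
    SystemProcessorPowerInformationEx, // not implemented
    SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
    SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
    SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
    SystemErrorPortInformation, // s (requires SeTcbPrivilege)
    SystemBootEnvironmentInformation = 90, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
    SystemHypervisorInformation = 91, // q; s (kernel-mode only) // 0x5B -> SYSTEM_HYPERVISOR_QUERY_INFORMATION
    SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
    SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
    SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
    SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
    SystemPrefetchPatchInformation, // not implemented
    SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
    SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
    SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
    SystemProcessorPerformanceDistribution = 100, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
    SystemNumaProximityNodeInformation, // q
    SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
    SystemCodeIntegrityInformation = 103, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
    SystemProcessorMicrocodeUpdateInformation, // s
    SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
    SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
    SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
    SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
    SystemStoreInformation, // q; s // SmQueryStoreInformation
    SystemRegistryAppendString = 110, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
    SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
    SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
    SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
    SystemNativeBasicInformation, // not implemented
    SystemSpare1, // not implemented
    SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
    SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
    SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
    SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
    SystemSystemPtesInformationEx = 120, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
    SystemNodeDistanceInformation, // q
    SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
    SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
    SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
    SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
    SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
    SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
    SystemBadPageInformation,
    SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
    SystemCombinePhysicalMemoryInformation = 130, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
    SystemEntropyInterruptTimingCallback,
    SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
    SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
    SystemThrottleNotificationInformation,
    SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
    SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
    SystemDeviceDataEnumerationInformation,
    SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
    SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
    SystemBootLogoInformation = 140, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
    SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
    SystemSpare0,
    SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
    SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
    SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
    SystemEntropyInterruptTimingRawInformation,
    SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
    SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
    SystemKernelDebuggerInformationEx = 149, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX // 0x95; that structure is NOT defined in this file
    SystemBootMetadataInformation = 150, // 150
    SystemSoftRebootInformation,
    SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
    SystemOfflineDumpConfigInformation,
    SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
    SystemRegistryReconciliationInformation,
    SystemEdidInformation,
    SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
    SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
    SystemHypervisorDetailInformation = 159, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION // 0x9F; that structure is NOT defined in this file
    SystemProcessorCycleStatsInformation = 160, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
    SystemVmGenerationCountInformation,
    SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
    SystemKernelDebuggerFlags = 163, // q: SYSTEM_KERNEL_DEBUGGER_FLAGS // 0xA3
    SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
    SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
    SystemHardwareSecurityTestInterfaceResultsInformation,
    SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
    SystemAllowedCpuSetsInformation,
    SystemDmaProtectionInformation, // q: SYSTEM_DMA_PROTECTION_INFORMATION
    SystemInterruptCpuSetsInformation = 170, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
    SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
    SystemCodeIntegrityPolicyFullInformation,
    SystemAffinitizedInterruptProcessorInformation,
    SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
    SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
    SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
    SystemWin32WerStartCallout,
    SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
    SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
    SystemInterruptSteeringInformation = 180, // 180
    SystemSupportedProcessorArchitectures,
    SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
    SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
    SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
    SystemControlFlowTransition,
    SystemKernelDebuggingAllowed,
    SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
    SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
    SystemCodeIntegrityPoliciesFullInformation,
    SystemCodeIntegrityUnlockInformation = 190, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
    SystemIntegrityQuotaInformation,
    SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
    MaxSystemInfoClass  // local sentinel only; newer kernels define classes beyond this
} SYSTEM_INFORMATION_CLASS;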
247 |
248 |
// Output buffer layout for the SystemHypervisorInformation query (the
// hypervisor_query.htm reference cited in KernelDebugCheck.hpp).  This is an
// ABI structure: three BOOLEAN flags, five bytes of padding, then a 64-bit
// enlightenment mask, 16 bytes in total.  KernelDebugCheck.hpp passes
// sizeof() of this structure as the buffer length, so its layout must match
// the kernel's exactly -- do not reorder, remove or add members.
typedef struct _SYSTEM_HYPERVISOR_QUERY_INFORMATION
{
    BOOLEAN HypervisorConnected;
    BOOLEAN HypervisorDebuggingEnabled;   // the flag KDCheck::HypDebugIsEnable reports
    BOOLEAN HypervisorPresent;
    UCHAR Spare0[5];                      // padding to the 8-byte boundary
    ULONGLONG EnabledEnlightenments;

} SYSTEM_HYPERVISOR_QUERY_INFORMATION, * PSYSTEM_HYPERVISOR_QUERY_INFORMATION;
258 |
259 |
// Buffer for the SystemCodeIntegrityInformation query (codeintegrity.htm
// reference cited in KernelDebugCheck.hpp).  Length must be set to sizeof()
// by the caller before the query, as KDCheck::DebugModeIsEnable does;
// CodeIntegrityOptions is a bit mask, of which only
// CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED is defined in this file.
typedef struct _SYSTEM_CODEINTEGRITY_INFORMATION {
    ULONG Length;                // in: sizeof(SYSTEM_CODEINTEGRITY_INFORMATION)
    ULONG CodeIntegrityOptions;  // out: CODEINTEGRITY_OPTION_* bit mask
} SYSTEM_CODEINTEGRITY_INFORMATION;
264 |
265 |
// Buffer for the SystemKernelDebuggerInformation query (two bytes).  Note this
// is NOT the layout of SystemKernelDebuggerInformationEx, whose structure
// (SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX) is not defined in this file.
// NOTE(review): KernelDebuggerNotPresent is presumably "enabled but no
// debugger actually attached" -- confirm before using it for that purpose.
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
{
    BOOLEAN KernelDebuggerEnabled;     // the flag KDCheck::KernelDebugEnable reports
    BOOLEAN KernelDebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, * PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
271 |
// Buffer for the SystemKernelDebuggerFlags query (one byte).  The single flag
// says whether the kernel debugger ignores user-mode exceptions; it is not a
// "debugger present" indicator (see KDCheck::DebugFlagCheck).
typedef struct _SYSTEM_KERNEL_DEBUGGER_FLAGS
{
    BOOLEAN KernelDebuggerIgnoreUmExceptions;
} SYSTEM_KERNEL_DEBUGGER_FLAGS, * PSYSTEM_KERNEL_DEBUGGER_FLAGS;
276 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# KernelDebugCheck

A Windows kernel-mode driver that probes for kernel debugging from `DriverEntry` and logs each result with `DbgPrint`: hardware breakpoints in DR0–DR3, hypervisor debugging, code-integrity debug mode, the `SystemKernelDebugger*` information classes, and a `ZwSystemDebugControl` status probe. It then calls `KdDisableDebugger`, which turns the kernel debugger off machine-wide and is not undone on unload, so load it only on a machine you intend to analyse that way. The project is configured as KMDF, but `DriverEntry` never calls into WDF and sets up no device objects or dispatch routines.
--------------------------------------------------------------------------------