Detect whether a process is being debugged; in kernel land

Is there a way to detect (in kernel-mode) that a debugger (in user-mode) is attached to another process (also in user-mode) on Windows ?

I cannot find any API or flag in the EPROCESS structure that would reveal this information. Ideally, I'm looking for a flag that cannot be altered from a program in user-mode, nonetheless I'm unaware if this information is also kept at kernel level.

Thanks !

Solution

exist (from xp) undocumented api

extern "C"
NTKERNELAPI
BOOLEAN
PsIsProcessBeingDebugged(PEPROCESS Process);

which return Process->DebugPort != NULL very simply and reliable api, can be used at any irql (because Process object in not paged memory).

Library: NtosKrnl.lib
IRQL: Any level

How to Enumerate Threads using CreateToolhelp32Snapshot and Python ctypes?
Problem when adding dependencies to pyinstaller using poetry to manage dependencies
Is there any way to run a Flutter app through background on macOS or Windows desktop?
How do I allocate space to call GetInterfaceInfo using the windows crate?
Are there issues with DTN_DATETIMECHANGE breakpoints and the date time picker control?
Rust Windows Crate CreateWindowExW
Docker compose V2: unknown shorthand flag 'f' (windows)
Unicode (utf-8) with git-bash
Cannot locate tkinter icon file when using pyinstaller with poetry on Windows10
Why my ActiveMQ doesn't start
How do I determine a mapped drive's actual path?
How to find version of an application installed using c#
How to detect Windows 8 Operating system using C# 4.0?
"Run with PowerShell" gives execution policy error but running directly in PowerShell window does not
Which comment style should I use in batch files?
What is the closest thing Windows has to fork()?
NPM: npm-cli.js not found when running npm
Can PyTorch GPU Use Shared GPU Memory (from RAM, shows in Windows Task Manage)?
Pipe dot graphviz with echo windows from command line gives corrupted output
How to modify ~/.ssh folder & files in windows?
How to save python script output in GitHub Actions running on windows-latest?
Why is my VS Code always opened with the default profile?
Where is MySQL's my.ini located on Windows?
nmake: using environment variables and falling back to default values
Build shared library with static library
many missing .lib files in the installed OpenCV3.2.0 for Windows 10 64bit
Why does a module from the WinApi crate not exist when its in the docs?
"continue" equivalent command in nested loop in Windows Batch
How to Intentionally cause Windows Heap Corruption?
Flutter sqflite database location on desktop