I'm trying to catch debug events using WaitForDebugEvent, but on the Microsoft website it says "Only the thread that created the process being debugged can call WaitForDebugEvent."
So I'm trying to find a way to catch debug events without creating the process.
Here is my code for attaching the debugger. It works fine:
```c
// SysNtCreateDebugObject / SysNtDebugActiveProcess are the poster's own wrappers
// around the NtCreateDebugObject and NtDebugActiveProcess syscalls. ProcessHandle
// and ObjectAttributes are assumed to have been set up earlier (not shown).
NTSTATUS Status = SysNtCreateDebugObject(&DebugObject, DEBUG_ALL_ACCESS, &ObjectAttributes, FALSE);
if (!NT_SUCCESS(Status))
{
    printf("Unable to create debug object: 0x%x\n", Status);
    CloseHandle(ProcessHandle);
    return 0;
}
printf("Created debug object\n");
// Attach the new debug object to the already-running target process.
Status = SysNtDebugActiveProcess(ProcessHandle, DebugObject);
if (!NT_SUCCESS(Status))
{
    printf("Unable to debug process: 0x%x\n", Status);
    CloseHandle(DebugObject);
    CloseHandle(ProcessHandle);
    return 0;
}
```
Of course. You have 2 choices: either call
```c
NTSYSAPI
VOID
NTAPI
DbgUiSetThreadDebugObject(
    _In_ HANDLE DebugObject
    );
```
and then use DbgUiWaitStateChange or WaitForDebugEvent, or directly call NtWaitForDebugEvent:
```c
NTSYSCALLAPI
NTSTATUS
NTAPI
NtWaitForDebugEvent(
    _In_ HANDLE DebugObjectHandle,
    _In_ BOOLEAN Alertable,
    _In_opt_ PLARGE_INTEGER Timeout,
    _Out_ PDBGUI_WAIT_STATE_CHANGE StateChange
    );
```
DbgUiSetThreadDebugObject saves DebugObjectHandle in the thread's TEB, and DbgUiWaitStateChange gets it (via DbgUiGetThreadDebugObject) and calls NtWaitForDebugEvent.
WaitForDebugEvent calls DbgUiWaitStateChange and then converts the DBGUI_WAIT_STATE_CHANGE to a DEBUG_EVENT.