I started reading the MSJ May 1996 article and found another thing that can be used to check for a debugger in Win9x:
Quote:
Windows 95 TIB fields
The 20h DWORD DebugContext field normally contains the value zero. However, when you're debugging the thread's process, this field contains a pointer to a structure that contains register values and is similar to, but not the same as, the CONTEXT structure defined in WINNT.H.
|
However, reading JuneMouse's (thx) post, kernel code is clearly checking something else, dereferencing a pointer in kernel32.dll memory? Seems that this pointer points into kernel (so-called 'kernel' memory under Win9x hehe, >= 0x80000000) memory.
Dunno, after researching for 30 mins, I don't have enough motivation to add support for this ancient architecture :P
Anyone who does, read this article: hxxp://www.microsoft.com/msj/archive/S2CE.aspx
Quote:
The 30h PVOID* pProcess field contains a linear address for the process database representing the process that owns the thread. However, this is not the same as a process handle or process ID.
|
However, there is no info on the PDB format there...