Windows API : EventPairHandles

An EventPair Object is an event constructed by two _KEVENT structures which are conventionally named High and Low. There is a relation between generic Event Objects and Debuggers cause they have to create a custom event called DebugEvent able to handle exceptions. Due to the presence of events owned by the Debugger, every information relative to the events of a normal process differs from a debugged process.

Code Snippets

#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <iostream>
#include <stdlib.h>
#include <windows.h>
#include "defs.h"


#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"psapi.lib")


void QueryProcessHeapMethod(void)
{
    PDEBUG_BUFFER buffer;
    buffer = RtlCreateQueryDebugBuffer(0,FALSE);
    RtlQueryProcessHeapInformation(buffer);

    if (buffer->RemoteSectionBase == (PVOID) 0x50000062){
        MessageBoxA(NULL,"Debugged","Warning",MB_OK);
    }
    else {
        MessageBoxA(NULL,"Not Debugged","Warning",MB_OK);
    }
    if (buffer->EventPairHandle == (PVOID) 0x00002b98) {
        MessageBoxA(NULL,"Debugged","Warning",MB_OK);
    }
    else {
        MessageBoxA(NULL,"Not Debugged","Warning",MB_OK);
        printf("EventPairHandle= %x",(int)buffer->EventPairHandle);
    }
}
int main()
{
    QueryProcessHeapMethod();
    return (EXIT_SUCCESS);
}

Additional Resources

Subscribe to our Newsletter and don't miss important updates