-------------------------------------------------- Set Breakpoints -----------------------------------------------------

$$ Purpose: break into a freshly created notepad.exe from the kernel debugger before its user-mode code runs.
$$ The kernel breakpoint on nt!PspInsertProcess fires for every new process. Its command string casts a register to
$$ nt!_EPROCESS, copies the process's ImageFileName into an alias, and only for names matching "notepad*" switches to
$$ that process context and writes 1 into PEB->BeingDebugged. With the kernel debugger attached, the marked process
$$ then raises a break instruction exception during user-mode startup. The sxe handler reloads user symbols at that
$$ point and resumes, which is what lets the deferred bu on notepad!WinMain resolve and hit.
$$
$$ Caveats:
$$ - The register that holds the nt!_EPROCESS pointer at this breakpoint depends on the OS version (see the table
$$   below). The samples use ecx / rcx. Replace it with the register listed for the target OS or the cast yields a
$$   wrong pointer and the ImageFileName comparison silently never matches.
$$ - BeingDebugged is readable by the target itself (it is what IsDebuggerPresent reports), so debugger-aware code
$$   in the process can observe this setup and may behave differently than it does when not debugged.
$$ - The ImageFileName alias is deleted before the breakpoint is set and again after every hit, so a value left over
$$   from a previous process cannot be matched by mistake.
$$ - Lines inside this section and the ones below are WinDbg commands, the dashed banners are headings only.

x86

$$ Deferred breakpoint: resolves once notepad's user-mode symbols are loaded by the sxe handler below
bu notepad!WinMain;
$$ On any break instruction exception (bpe): reload user-mode symbols, then continue. The marked process's startup
$$ break is what this is meant to catch, but it applies to every bpe while active
sxe -c ".reload /user; g" bpe;
$$ Quietly drop a stale alias, no error if none exists
ad /q ImageFileName;
$$ Kernel-side hook on process creation. @ecx must match the target OS (register table below).
$$ .process /r /p switches to the new process with user symbols reloaded, eb marks its PEB, gc resumes
bu nt!PspInsertProcess "r? @$t0 = (nt!_EPROCESS *)@ecx; as /ma ${/v:ImageFileName} @@(@$t0->ImageFileName); .block { .if ($spat(\"${ImageFileName}\", \"notepad*\")) { ad ${/v:ImageFileName}; .process /r /p @$t0; eb @@c++(&@$peb->BeingDebugged) 1; gc } .else { ad ${/v:ImageFileName}; gc } }";
g

x64

$$ Same sequence as x86, only the register cast to nt!_EPROCESS differs (@rcx here, check the table for the target OS)
bu notepad!WinMain;
sxe -c ".reload /user; g" bpe;
ad /q ImageFileName;
bu nt!PspInsertProcess "r? @$t0 = (nt!_EPROCESS *)@rcx; as /ma ${/v:ImageFileName} @@(@$t0->ImageFileName); .block { .if ($spat(\"${ImageFileName}\", \"notepad*\")) { ad ${/v:ImageFileName}; .process /r /p @$t0; eb @@c++(&@$peb->BeingDebugged) 1; gc } .else { ad ${/v:ImageFileName}; gc } }";
g

-------------------------------------------------- Remove Breakpoints --------------------------------------------------

$$ bc * clears every breakpoint in the session, including any set outside this script.
$$ sxe -c "" bpe removes the bpe command so break exceptions are no longer auto-continued
bc *;
sxe -c "" bpe

--------------------------------------- Registers that hold the nt!_EPROCESS structure ---------------------------------

$$ Two registers are listed per OS version. Use the one for the target when editing @ecx / @rcx in the
$$ nt!PspInsertProcess command above. Other OS builds are not covered by this table and must be checked by hand

x86

Windows Vista : ecx; eax
Windows 7 : ecx; eax
Windows 8 : esi; edi
Windows 8.1 : ecx; edi
Windows 10 : ecx; edi

x64

Windows Vista : rcx; rsi
Windows 7 : rcx; rsi
Windows 8 : rcx; rsi
Windows 8.1 : rcx; r14
Windows 10 : rcx; rsi

------------------------------------------------------- Contact --------------------------------------------------------

www.andreybazhan.com
contact@andreybazhan.com
twitter.com/AndreyBazhan
ua.linkedin.com/in/andreybazhan
github.com/AndreyBazhan