comment $
---------------------------------------------------
      Debugger "On-Attach" detection method
---------------------------------------------------

by Piotr Bania
http://www.piotrbania.com
All rights reserved!

Disclaimer
----------
The author takes no responsibility for any actions taken with the information or code provided here. The copyright for any material created by the author is reserved. Any duplication of the code or text provided here in electronic or printed publications is not permitted without the author's agreement.

Info
----
This code presents a fairly effective and nasty debugger "on attach" detection. When a debugger (any that uses the debug APIs) attaches to the target process, the NtContinue function is executed. This happens BEFORE the debugger stops on the DebugBreak, so we have the ability to do some nasty things while the debugger is still loading the process; I think you know what possibilities that gives.

So here it comes, have fun:
$

include my_macro.inc

        @get_api_addr "NTDLL.DLL","NtContinue"
        xchg    ebx,eax                 ; ebx = address of ntdll!NtContinue

        call    a1                      ; pushes the address of the dword below as lpflOldProtect
        dd      0
a1:
        push    PAGE_READWRITE          ; flNewProtect
        push    5                       ; dwSize: only the 5-byte JMP is written
        push    ebx                     ; lpAddress
        @callx  VirtualProtect
        @check  0,"Error: cannot deprotect the region!"

        lea     edi,_NtContinue_b       ; save the original 15 bytes of NtContinue
        mov     ecx,0Fh
        mov     esi,ebx
        rep     movsb

        lea     eax,_NtContinue         ; redirect NtContinue to our handler
        mov     edi,ebx
        call    make_jump

        @debug  "attach debugger to me now!",MB_ICONINFORMATION

exit:
        mov     byte ptr [flag],1       ; disable the check before exiting
        push    0
        @callx  ExitProcess

; make_jump: write JMP rel32 (E9 xx xx xx xx) at edi, jumping to eax
make_jump:
        pushad
        mov     byte ptr [edi],0E9h
        sub     eax,edi
        sub     eax,5                   ; rel32 = target - (edi + 5)
        mov     dword ptr [edi+1],eax
        popad
        ret

flag    db 0

; hook handler: runs on every NtContinue call, then falls through into the saved original bytes
_NtContinue:
        pushad
        cmp     byte ptr [flag],0
        jne     we_q
        @debug  "Debugger found!",MB_ICONERROR
we_q:
        popad
_NtContinue_b:
        db 0Fh dup (0)                  ; original NtContinue bytes, copied in at runtime

comment $
77F5B638 > B8 20000000      MOV EAX,20
77F5B63D   BA 0003FE7F      MOV EDX,7FFE0300
77F5B642   FFD2             CALL EDX
77F5B644   C2 0800          RETN 8
$

end start
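From the analyst's side, this kind of inline patch is found by comparing a function's first bytes against a clean copy (for example the on-disk ntdll) and decoding any E9 rel32 that has replaced them. The following is an added Python example, not part of the original file: it rebuilds the patch exactly as make_jump above does (rel32 = target - hook_addr - 5), using the NtContinue address and bytes from the listing as the clean reference; the hook target 0x401050 is a constructed value.

```python
import struct

# Clean ntdll!NtContinue bytes and address, taken from the listing in the source file:
#   mov eax,20h / mov edx,7FFE0300h / call edx / retn 8   (15 bytes in total)
NTCONTINUE_ADDR = 0x77F5B638
NTCONTINUE_CLEAN = bytes.fromhex("B820000000" "BA0003FE7F" "FFD2" "C20800")

# Constructed hook target (where the hook handler would live in the patching process).
HOOK_TARGET = 0x00401050


def make_jump(hook_addr, target):
    """Build the 5-byte JMP rel32 patch the same way the assembly make_jump does."""
    rel = (target - hook_addr - 5) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def hooked_prologue():
    """Constructed sample of NtContinue after the patch: JMP over the first 5 bytes,
    the remaining 10 original bytes left in place."""
    return make_jump(NTCONTINUE_ADDR, HOOK_TARGET) + NTCONTINUE_CLEAN[5:]


def inspect_prologue(addr, code):
    """Return (is_hooked, jump_target). A prologue starting with E9 is treated as an
    inline hook; the target is addr + 5 + sign-extended rel32."""
    if len(code) < 5 or code[0] != 0xE9:
        return False, None
    rel = struct.unpack("<i", code[1:5])[0]
    return True, (addr + 5 + rel) & 0xFFFFFFFF


def diff_prologue(clean, observed):
    """Offsets at which the observed bytes differ from the clean reference."""
    return [i for i, (a, b) in enumerate(zip(clean, observed)) if a != b]


def syscall_number(code):
    """Service index from a clean 'mov eax, imm32' stub, or None if the stub was overwritten."""
    if len(code) >= 5 and code[0] == 0xB8:
        return struct.unpack("<I", code[1:5])[0]
    return None


if __name__ == "__main__":
    for label, code in (("clean", NTCONTINUE_CLEAN), ("patched", hooked_prologue())):
        hooked, target = inspect_prologue(NTCONTINUE_ADDR, code)
        print(label, code.hex().upper(), "hooked" if hooked else "intact",
              hex(target) if target is not None else "",
              "differs at", diff_prologue(NTCONTINUE_CLEAN, code))
```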