KaKeeware
http://www.kakeeware.com
KaKeeware AntiAttach

Short Description

KaKeeware AntiAttach is a small piece of code that shows how to detect that a debugger is about to start monitoring your process (i.e. a debugger is being attached).

Full Description

This anti-debugging trick works because, whenever a debugger attaches itself to a debuggee, the system creates a new thread in the debuggee's address space that starts at the DbgUiRemoteBreakin function (ntdll!DbgUiRemoteBreakin). By overwriting the entry point of that function we can control which code gets executed.
To understand this process better, have a look at the ntdll functions whose names start with the Dbg prefix. The story goes like this: when a process is about to be debugged, ntdll!DbgUiDebugActiveProcess calls ntdll!DbgUiIssueRemoteBreakin, which creates a thread that starts at ntdll!DbgUiRemoteBreakin. The new thread is created via a call to ntdll!RtlCreateUserThread. Once started, ntdll!DbgUiRemoteBreakin calls ntdll!DbgBreakPoint, which is actually just a pair of instructions: int3 and ret.
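As an added illustration from the analyst's side (an example written for this page, not KaKeeware's AntiAttach source), the C below classifies the first bytes of a function entry point to tell whether ntdll!DbgUiRemoteBreakin has been redirected the way this trick does: the live bytes are compared against a known-good copy and checked for the usual trampolines (jmp, push/ret, a bare ret). The prologue and trampoline bytes in the sample are constructed, and the Windows-only helper that reads the live bytes via GetProcAddress is an assumption about how an analyst would feed the check.

```c
/* Added example, not KaKeeware's code: spot a patched entry point of
 * ntdll!DbgUiRemoteBreakin, the function where a debugger's attach thread starts. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* CLEAN: matches the reference bytes (or no known pattern when none is given);
 * MODIFIED: differs from the reference bytes in a way not listed below. */
enum entry_state { ENTRY_CLEAN = 0, ENTRY_JMP_REL32, ENTRY_JMP_IND,
                   ENTRY_PUSH_RET, ENTRY_RET, ENTRY_INT3, ENTRY_MODIFIED };

/* Classify the first n bytes of a function entry; 'clean' is an optional
 * known-good copy of those bytes (for example taken from ntdll.dll on disk). */
enum entry_state classify_entry(const uint8_t *live, const uint8_t *clean, size_t n)
{
    if (clean && n > 0 && memcmp(live, clean, n) == 0) return ENTRY_CLEAN;
    if (n >= 5 && live[0] == 0xE9) return ENTRY_JMP_REL32;                   /* jmp rel32 */
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return ENTRY_JMP_IND;  /* jmp [addr] */
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) return ENTRY_PUSH_RET; /* push imm32; ret */
    if (n >= 1 && live[0] == 0xC3) return ENTRY_RET;  /* ret: attach thread exits, never breaks in */
    if (n >= 1 && live[0] == 0xCC) return ENTRY_INT3; /* int3 planted on the entry */
    return clean ? ENTRY_MODIFIED : ENTRY_CLEAN;
}

/* Constructed sample: a hotpatch prologue (mov edi,edi; push ebp; mov ebp,esp)
 * whose first five bytes were replaced by a jmp rel32, as such hooks do. */
enum entry_state demo_classify(void)
{
    static const uint8_t clean[8]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
    static const uint8_t hooked[8] = {0xE9,0x78,0x56,0x34,0x12,0x83,0xEC,0x10};
    return classify_entry(hooked, clean, sizeof hooked);
}

#ifdef _WIN32
/* Windows only: read the live entry bytes of DbgUiRemoteBreakin in this process.
 * With no reference copy available here, only the trampoline patterns are reported. */
enum entry_state inspect_live_dbguiremotebreakin(void)
{
    uint8_t buf[16];
    FARPROC p = GetProcAddress(GetModuleHandleA("ntdll.dll"), "DbgUiRemoteBreakin");
    if (!p) return ENTRY_CLEAN;
    memcpy(buf, (const void *)(uintptr_t)p, sizeof buf);
    return classify_entry(buf, NULL, sizeof buf);
}
#endif
```

Reading the reference bytes from the on-disk ntdll.dll image is left to the caller; without them the check only reports recognised trampoline patterns.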

Source (antiattach.zip) is available below.

If you happen to use my code, it would be nice if you credit KaKeeware.

How to test?

Run AntiAttach:

AntiAttach, after being executed

Run any usermode debugger (OllyDbg, WinDbg, MS Visual Studio Debugger, etc.) and try to attach it to the AntiAttach process. See what happens:

We catch the debugger trying to debug our process.

Requirements

Windows XP or newer (thanks to the people who pointed out that it doesn't work on Windows 2000)

License

Freeware (+sources freely available)

Download

antiattach.zip

Thank you for your visit & support!
2004-2007 © Copyright KaKeeware. All Rights Reserved.