I just found a way to prevent attaching to a process. It's easy. When a debugger is attaching to a process, a new thread is created. The NTDLL!DbgBreakPoint function is called, and it's called by the non-exported KERNEL32!_BaseAttachComplete@4. The problem is that the thread is created inside the debugged process, so the debugged process can change NTDLL!DbgBreakPoint to intercept it and terminate the system thread, preventing attaching.
To demonstrate the idea I wrote a simple crack-me. For more details visit my blog. Thanks for your attention.
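For analysts who want to check a process or memory dump for the tampering described in the post, here is a small classifier for the entry bytes of NTDLL!DbgBreakPoint. It is an added example, not code from the original post or its crack-me. It assumes an unmodified DbgBreakPoint begins with an `int3` (0xCC) byte; the function names, sample bytes and sample address are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict for the entry bytes of ntdll!DbgBreakPoint (live process or dump). */
enum dbp_verdict { DBP_INTACT, DBP_RET_ONLY, DBP_JMP_REL32, DBP_JMP_INDIRECT,
                   DBP_PUSH_RET, DBP_UNKNOWN_PATCH, DBP_TOO_SHORT };

/* Constructed sample bytes and address, not captured from a real system. */
static const uint8_t SAMPLE_INTACT[]  = { 0xCC, 0xC3 };                   /* int3; ret */
static const uint8_t SAMPLE_JMP[]     = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 }; /* jmp rel32 */
static const uint8_t SAMPLE_PUSHRET[] = { 0x68, 0x00, 0x20, 0x00, 0x77, 0xC3 };
#define SAMPLE_VA 0x77001000ULL

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify the first bytes read at address va. For a direct redirect,
   *target (if non-NULL) receives the address execution is diverted to. */
enum dbp_verdict classify_dbgbreakpoint(const uint8_t *b, size_t n,
                                        uint64_t va, uint64_t *target)
{
    if (target) *target = 0;
    if (n < 1) return DBP_TOO_SHORT;
    if (b[0] == 0xCC) return DBP_INTACT;                   /* breakpoint still present */
    if (b[0] == 0xC3 || b[0] == 0xC2) return DBP_RET_ONLY; /* breakpoint replaced by ret */
    if (b[0] == 0xE9) {                                    /* jmp rel32 */
        if (n < 5) return DBP_TOO_SHORT;
        if (target) *target = va + 5 + (uint64_t)(int64_t)(int32_t)le32(b + 1);
        return DBP_JMP_REL32;
    }
    if (b[0] == 0xFF && n >= 2 && b[1] == 0x25) return DBP_JMP_INDIRECT; /* jmp [mem] */
    if (b[0] == 0x68 && n >= 6 && b[5] == 0xC3) {          /* push imm32; ret */
        if (target) *target = le32(b + 1);
        return DBP_PUSH_RET;
    }
    return DBP_UNKNOWN_PATCH;                              /* anything else is suspicious */
}

int main(void)
{
    uint64_t t;
    int v = classify_dbgbreakpoint(SAMPLE_JMP, sizeof SAMPLE_JMP, SAMPLE_VA, &t);
    printf("verdict=%d target=0x%llx\n", v, (unsigned long long)t);
    return 0;
}
```

Any verdict other than `DBP_INTACT` means the entry point no longer matches the assumed original, and the reported target is where to look for the intercepting code.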







