
While working on a project for a spectrography cherry group I found a bug in Windows (W2K SP4, XP SP3, Vista 32/64 SP1); well, actually two bugs: one in Windows, another in OllyDbg.
If a PAGE_GUARD page is created by a VirtualAlloc() call, ReadProcessMemory() clears the guard-page status without raising any exception and returns a failure status. However, a second call to ReadProcessMemory() returns success (because PAGE_GUARD has already been cleared), so when the application later accesses that page there is no exception (as there is supposed to be), because there is no guard anymore.
So it's easy to create a sensor that detects debuggers and dumpers: allocate a page with the PAGE_GUARD attribute and check it from time to time, i.e. install an SEH handler and read the page's contents. No exception means we're fucked, oh, sorry, dumped. I tested PE-TOOLS and other popular dumpers, and they were all detected.
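An added example (not the author's POC) that reproduces the Windows behaviour described above on the running process: it allocates a PAGE_GUARD page, calls ReadProcessMemory() on it twice, and uses VirtualQuery() before and after each call to report whether the guard flag survived. The P/Invoke wrapper class GuardProbe and the helper Get-PageProtect are names chosen here; whether the flag is actually cleared on a given Windows build is what the script reports, not something it assumes.

```powershell
# Added example, not the original POC. Run on Windows; prints, for each of two
# ReadProcessMemory() calls, the return value, GetLastError, and whether the
# PAGE_GUARD bit was still set on the page before and after the call.
$src = @"
using System;
using System.Runtime.InteropServices;
public static class GuardProbe {               // hypothetical wrapper name
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase;
        public uint AllocationProtect; public IntPtr RegionSize;
        public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr VirtualAlloc(IntPtr addr, UIntPtr size, uint type, uint protect);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool VirtualFree(IntPtr addr, UIntPtr size, uint type);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool ReadProcessMemory(IntPtr hProc, IntPtr addr, byte[] buf, UIntPtr n, out UIntPtr read);
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualQuery(IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, UIntPtr len);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
}
"@
Add-Type -TypeDefinition $src

$MEM_COMMIT = 0x1000; $MEM_RESERVE = 0x2000; $MEM_RELEASE = 0x8000
$PAGE_READWRITE = 0x04; $PAGE_GUARD = 0x100

# Returns the current Protect flags of the page containing $addr (via VirtualQuery).
function Get-PageProtect([IntPtr]$addr) {
    $mbi = New-Object GuardProbe+MEMORY_BASIC_INFORMATION
    $len = [UIntPtr][System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
    [void][GuardProbe]::VirtualQuery($addr, [ref]$mbi, $len)
    return $mbi.Protect
}

# One committed read/write page with the guard attribute, exactly as in the post.
$page = [GuardProbe]::VirtualAlloc([IntPtr]::Zero, [UIntPtr]4096,
                                   $MEM_COMMIT -bor $MEM_RESERVE, $PAGE_READWRITE -bor $PAGE_GUARD)
if ($page -eq [IntPtr]::Zero) { throw "VirtualAlloc failed" }

$buf = New-Object byte[] 4096
$read = [UIntPtr]::Zero
foreach ($i in 1..2) {
    $before = Get-PageProtect $page
    $ok  = [GuardProbe]::ReadProcessMemory([GuardProbe]::GetCurrentProcess(), $page, $buf, [UIntPtr]4096, [ref]$read)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $after = Get-PageProtect $page
    "call {0}: ReadProcessMemory={1} (error {2}); PAGE_GUARD set before={3} after={4}" -f `
        $i, $ok, $err, (($before -band $PAGE_GUARD) -ne 0), (($after -band $PAGE_GUARD) -ne 0)
}
[void][GuardProbe]::VirtualFree($page, [UIntPtr]::Zero, $MEM_RELEASE)
```

On a build with the behaviour the post describes, the first call reports failure with the guard bit cleared afterwards and the second call reports success; if the bit is still set after both calls, that build does not exhibit the bug.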
OllyDbg stops when the application accesses a PAGE_GUARD page, shows the message "Break-on-access when reading" in the status bar, and does not allow us to pass the exception to the application. Even if we go to Options -> Exceptions and add the 0x80000001 (STATUS_GUARD_PAGE) exception to the list, Olly ignores it! I guess PAGE_GUARD is just part of the "memory breakpoint" engine, so there is no way to pass a PAGE_GUARD exception to the application, which makes the debugger easy to detect (I tested OllyDbg 1.10).
To demonstrate these bugs I wrote a simple POC; please download it and tell me what you think. Thanks.