<?xml version="1.0"?>
<rss version="2.0">
    <channel>
        <title>OpenRCE: Blog</title>
        <link>http://www.openrce.org/rss/feeds/blog</link>
        <description>OpenRCE: The Open Reverse Code Engineering Community</description>
                <item>
            <title>Detecting debugger attach</title>
                            <pubDate>Mon, 29 Aug 2005 12:12:56 -0500</pubDate>
                                        <link>https://www.openrce.org/blog/view/36/Detecting_debugger_attach</link>
                                        <author>jt &lt;email-suppressed@example.com&gt;</author>
                                                    <description>Piotr brought up an interesting issue about userland debuggers in his blog.&lt;br /&gt;
&lt;br /&gt;
This issue is quite complicated because in Windows, a userland debugger attach is implemented as a thread fired by a user-mode APC. This APC starts by calling ntdll!LdrInitializeThunk, and then the new thread's context is fed to NtContinue. If the context's EIP is examined, it can be seen that it points to ntdll!DbgUiRemoteBreakin. This function then finally executes ntdll!DbgBreakPoint. So, in summary: to detect a userland debugger before DbgBreakPoint, a hook can be inserted anywhere in the path from KiUserApcDispatcher -&amp;gt; DbgBreakPoint. This clearly comes back to the normal hook detection problem, which is... interesting.&lt;br /&gt;
</description>
                    </item>
            </channel>
</rss>
