[Anti-Analysis] Watching Memory Regions using GetWriteWatch API

Protecting Code and Uncovering Debuggers by Watching Memory

I have been exploring some anti-debug techniques listed in the CheckPoint Anti-Debug Knowledge Base. This one really caught my attention. It uses the Kernel32.GetWriteWatch API to detect changes to a memory region (including changes made by debuggers).

Using this API is more efficient than manually calculating checksums over the region, and it can be used to protect sensitive code (e.g. hooks and shellcode).

I developed this small sample that protects a shellcode (which executes calc.exe). If the process is attached to a debugger and breakpoints are set in the region containing the shellcode, our watchdog thread catches the tampering and logs an event.
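Below is an added example of the basic flow, written for this post and not the author's sample: allocate the region with `MEM_WRITE_WATCH`, place the sensitive bytes, call `ResetWriteWatch` so the initial copy is not reported, then poll with `GetWriteWatch` and check whether any reported page lies inside the protected region. The helper `dirty_pages_in_region` and the function `watch_once` are my names; the "sensitive" bytes are constructed placeholders, and the tampering is simulated by a single write to the region, which is what a software breakpoint does. The Windows API calls are guarded with `_WIN32` so the page-list interpretation can be built and tested anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Interpret the page addresses returned by GetWriteWatch: count how many fall
 * inside the protected region [base, base + size) and report the byte offset
 * of the first one through first_off (SIZE_MAX if none). Portable on purpose,
 * so the logic a watchdog thread relies on can be unit-tested off Windows. */
size_t dirty_pages_in_region(void *const *hits, size_t hit_count,
                             const void *base, size_t size, size_t *first_off)
{
    const uintptr_t lo = (uintptr_t)base, hi = lo + size;
    size_t dirty = 0;
    if (first_off) *first_off = SIZE_MAX;
    for (size_t i = 0; i < hit_count; i++) {
        uintptr_t p = (uintptr_t)hits[i];
        if (p >= lo && p < hi) {
            if (dirty == 0 && first_off) *first_off = (size_t)(p - lo);
            dirty++;
        }
    }
    return dirty;
}

#ifdef _WIN32
/* One poll of a write-watched region holding `data`. Returns the number of
 * pages written since the watch was reset, or (size_t)-1 on API failure.
 * A watchdog thread would call GetWriteWatch in a loop instead of once. */
static size_t watch_once(const unsigned char *data, size_t len, int simulate_tamper)
{
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    size_t size = ((len + si.dwPageSize - 1) / si.dwPageSize) * si.dwPageSize;

    /* MEM_WRITE_WATCH makes the kernel track which pages of this region get written. */
    void *region = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT | MEM_WRITE_WATCH,
                                PAGE_READWRITE);
    if (!region) return (size_t)-1;

    memcpy(region, data, len);
    /* Our own initialisation write must not be reported as tampering. */
    ResetWriteWatch(region, size);

    if (simulate_tamper) /* a debugger's software breakpoint is also just a write */
        ((volatile unsigned char *)region)[0] = 0xCC;

    void *hits[64];
    ULONG_PTR count = 64;      /* in: capacity of hits, out: entries filled */
    DWORD granularity = 0;     /* page size the addresses are reported at */
    if (GetWriteWatch(WRITE_WATCH_FLAG_RESET, region, size, hits, &count, &granularity) != 0) {
        VirtualFree(region, 0, MEM_RELEASE);
        return (size_t)-1;
    }

    size_t off;
    size_t dirty = dirty_pages_in_region(hits, (size_t)count, region, size, &off);
    if (dirty)
        printf("tamper: %zu page(s) written, first at offset %zu (granularity %lu)\n",
               dirty, off, (unsigned long)granularity);

    VirtualFree(region, 0, MEM_RELEASE);
    return dirty;
}

int main(void)
{
    /* Constructed placeholder bytes standing in for the protected payload. */
    static const unsigned char sensitive[] = { 0x90, 0x90, 0xC3 };
    printf("clean poll:    %zu\n", watch_once(sensitive, sizeof sensitive, 0));
    printf("tampered poll: %zu\n", watch_once(sensitive, sizeof sensitive, 1));
    return 0;
}
#endif
```

Two details matter in practice: the reset after the initial copy (otherwise the first poll always fires), and the page granularity, which means the offset tells you which page changed, not which byte, so a logger that wants the exact bytes still has to compare that page against a known-good copy.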