http://www.woodmann.com/collaborative/tools/index.php?title=AttachAnyway&action=feed&feed=atom 2009-11-21T23:46:30Z Update Notification Feed for AttachAnyway MediaWiki 1.11.2 via WikiArticleFeeds 0.6.3 (+ dELTA mods) http://www.woodmann.com/collaborative/tools/index.php/AttachAnyway 2009-11-21T23:46:00Z

<p><b>Most recent version:</b><br /> <i>0.3</i> </p><p><b>Most recent release date:</b><br /> <i>September 7, 2005</i> </p><p><b>Description:</b><br /> <i>AttachAnyway is a PoC OllyDbg plugin designed to show how to remove a process' hook on NtContinue by the anti-debugger-attach method devised by Piotr Bania here:<br /><br />http://pb.specialised.info/all/anti-dattach.asm<br /><br />This is not intended to be a universal plugin for all anti-attach methods, just one example of how you can do it. It works by enumerating all processes, searching their virtual memory space for a JMP hook on the NtContinue method, then replacing the jump with the original bytes from a non-hooked process, then calling the OllyDbg Attachtoactiveprocess API.<br /><br />attach-test.exe is an assembled version of Piotr's anti-dattach.asm you can use to test the plugin with.</i> </p> <pre>