n this post i will share with you an Anti-Debugging trick that is very similar to the "PAGE_EXECUTE_WRITECOPY" trick mentioned here, where we had to flag code section as writeable such that any memory write to its page(s) would force OS to change the page protection from PAGE_EXECUTE_WRITECOPY to PAGE_EXECUTE_READWRITE. But in this case we don't have to make any modifications to the code section's page protection. We will just query the process for its current working set info. Among the stuff we receive querying the working set of a process are two fields, "Shared" and "ShareCount".
more here...........http://waleedassar.blogspot.com/2014/06/sharecount-as-anti-debugging-trick.html
more here...........http://waleedassar.blogspot.com/2014/06/sharecount-as-anti-debugging-trick.html