Just a short tut on anti-debugging tricks. Most programmers will put in some code that stops the program from running if a debugger is detected. The most common way of detecting a debugger is to look for the device driver names (VxD under Win9x, SYS under NT) that a debugger registers while it is running.
The program tries to open each of these names with CreateFileA; if the open succeeds, the driver (and so the debugger) is loaded. The most common strings to look out for in a program are the following:
\\.\SICE
\\.\NTICE
\\.\SIWDEBUG
\\.\SIWVID
\\.\ICEDUMP
\\.\TRW
\\.\TRW2000
\\.\TRWDEBUG
\\.\TRACKIT
\\.\BW2K
\\.\SUPERBPM
If you come across any of these strings in memory at run-time, zero them out and the program should continue to run: CreateFileA on an empty name always fails, so the check never fires. I say in memory because sometimes you can't find these strings in the program file until run-time (they are built or decrypted on the fly). The breakpoint to use when doing this is 'BPX CreateFileA'; when it hits, look at the filename argument on the stack. An alternative to patching the string is to patch the conditional jump that follows the CreateFileA call. Below is some ASM code that detects SoftICE, to give you an idea of how it works. The idea is very simple: it tries to open SoftICE's driver devices (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API and treats anything other than INVALID_HANDLE_VALUE as "debugger present". It is easy to follow.
;****************************************
;* hEYWIRE'S Anti-SICE *
;****************************************
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
FileName db "\\.\SICE",0            ; Win9x SoftICE driver; use "\\.\NTICE" on WinNT
AppName db "Anti-SICE by hEYWIRE",0
Foundsice db "SoftICE is detected!",0
Nosice db "SoftICE was not found",0
.data?
hInstance HINSTANCE ?
hFile HANDLE ?
.code
start:
invoke GetModuleHandleA, NULL
mov hInstance,eax
; Try to open the driver's device name. A real handle means the driver is loaded.
invoke CreateFile,ADDR FileName, GENERIC_READ OR GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
mov hFile,eax                        ; keep the handle so it can be closed (the original listing never stored it)
.IF eax!=INVALID_HANDLE_VALUE
invoke CloseHandle, hFile            ; only close a handle we actually got
push MB_OK OR MB_ICONINFORMATION
push OFFSET AppName
push OFFSET Foundsice
.ELSE
push MB_OK or MB_ICONINFORMATION
push OFFSET AppName
push OFFSET Nosice
.ENDIF
push NULL
call MessageBox
invoke ExitProcess,0
end start
;****************************************
;* END hEYWIRE'S Anti-SICE *
;****************************************
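As an added example, not part of hEYWIRE's tutorial, here is the same check written in C over the whole list of device names, with the cracker's "zero it out in memory" defeat shown beside it. The real probe uses CreateFileA exactly as the ASM listing does and only compiles on Win32; the two simulated probes (probe_simulated_ntice, probe_simulated_none) are constructed test doubles I added so the scan and the defeat can be exercised on any platform. Everything else (scan_for_debugger, zero_name_in_memory, demo_zeroing_defeat, the NAME_LEN/NAME_COUNT constants) is my own naming.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

#define NAME_LEN 16
#define NAME_COUNT 11

typedef char device_name_t[NAME_LEN];

/* The device names from the tutorial's list (plus \\.\SICE from the ASM
 * listing). Kept writable, like a .data section, so the defeat below can
 * patch them in place. */
static device_name_t g_device_names[NAME_COUNT] = {
    "\\\\.\\SICE", "\\\\.\\NTICE", "\\\\.\\SIWDEBUG", "\\\\.\\SIWVID",
    "\\\\.\\ICEDUMP", "\\\\.\\TRW", "\\\\.\\TRW2000", "\\\\.\\TRWDEBUG",
    "\\\\.\\TRACKIT", "\\\\.\\BW2K", "\\\\.\\SUPERBPM"
};

/* A probe answers 1 if opening the device succeeded, 0 otherwise. */
typedef int (*open_probe_fn)(const char *device_path);

/* Real probe: the same CreateFileA call as the ASM listing. Win32 only. */
int probe_createfile(const char *device_path) {
#ifdef _WIN32
    HANDLE h = CreateFileA(device_path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    (void)device_path;
    return 0; /* no \\.\ device namespace on this platform */
#endif
}

/* Constructed test double: a box where only the NT SoftICE driver is loaded. */
int probe_simulated_ntice(const char *device_path) {
    return strcmp(device_path, "\\\\.\\NTICE") == 0;
}

/* Constructed test double: a clean box, or one where the debugger hides its
 * driver names from open attempts (as the text says ICEDUMP does). */
int probe_simulated_none(const char *device_path) {
    (void)device_path;
    return 0;
}

/* The check itself: index of the first name the probe can open, or -1.
 * A zeroed (empty) name is skipped, mirroring CreateFileA("") failing. */
int scan_for_debugger(device_name_t names[], size_t count, open_probe_fn probe) {
    for (size_t i = 0; i < count; i++) {
        if (names[i][0] != '\0' && probe(names[i]))
            return (int)i;
    }
    return -1;
}

/* The cracker's defeat from the text: find the string in writable memory and
 * zero it so the later CreateFileA can never succeed. Returns 1 if patched. */
int zero_name_in_memory(device_name_t names[], size_t count, const char *victim) {
    for (size_t i = 0; i < count; i++) {
        if (strcmp(names[i], victim) == 0) {
            memset(names[i], 0, NAME_LEN);
            return 1;
        }
    }
    return 0;
}

/* detect -> patch -> detect, on a private copy of the list. Returns 1 when the
 * check fired before the patch and is silent after it, 0 otherwise. */
int demo_zeroing_defeat(open_probe_fn probe) {
    device_name_t names[NAME_COUNT];
    memcpy(names, g_device_names, sizeof names);
    int before = scan_for_debugger(names, NAME_COUNT, probe);
    if (before < 0) return 0; /* nothing fired, nothing to defeat */
    if (!zero_name_in_memory(names, NAME_COUNT, g_device_names[before])) return 0;
    return scan_for_debugger(names, NAME_COUNT, probe) < 0;
}

int main(void) {
    int hit = scan_for_debugger(g_device_names, NAME_COUNT, probe_createfile);
    if (hit >= 0) printf("debugger device present: %s\n", g_device_names[hit]);
    else          printf("no debugger device found\n");
    printf("zeroing defeat works against simulated NTICE: %d\n",
           demo_zeroing_defeat(probe_simulated_ntice));
    return 0;
}
```

The point the code makes is that the whole check hangs on one string reaching CreateFileA: whether you zero the string after hitting 'BPX CreateFileA' or the debugger's own add-on makes the open fail, the scan returns -1 and the protected program carries on.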
This is just for debuggers; what about all the other tools you have on your computer, like SmartCheck, W32DSM89.EXE, RegMon, FileMon, etc.? The code above is very simple, and it does not detect SoftICE if ICEDUMP is running, because ICEDUMP hides the driver names from this kind of open attempt.
For SmartCheck, programs tend to look for the string NMSCWM50, or for 'NuMega SmartCheck' in the window task list. You should get the idea of how tools are detected. This is just one method; there are loads of ways to detect debuggers, disassemblers, etc., but this is the most common.
Well, that's it for this small tut, and remember there is no law against people debugging and reversing software! (not that I know of)
Peace hEYWIRE.