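;=============================================================================
; Anti-trace demo (MASM-style syntax, 32-bit Win32 flat model, StdCall)
;
; What the program does, in order:
;   1. installs an SEH frame (fs:[0]) whose handler is `handler`;
;   2. reads its own thread CONTEXT, points the hardware breakpoint registers
;      DR0..DR3 at `stop_here_soft_ice`, clears DR6 and sets the local-enable
;      bits in DR7, then writes the CONTEXT back with SetThreadContext;
;   3. executing `stop_here_soft_ice` raises EXCEPTION_SINGLE_STEP; `handler`
;      checks that DR0..DR3 in the exception CONTEXT still hold that address
;      (anything else is reported as "breakpoint found"), clears DR0..DR7,
;      writes 'BCHK' into Ebp and advances Eip past the 1-byte `nop`;
;   4. Main resumes, shows a MessageBox and exits.
;
; Reader's notes:
;   - Get/SetThreadContext on the current thread, writes to Dr0..Dr7 and an
;     SEH handler that edits Eip/Ebp are the observable parts of this
;     technique; every CONTEXT field touched is at a named offset below.
;   - NOTE(review): the ContextFlags values 07ch / 018h are taken from the
;     original; current x86 Windows headers define CONTEXT_DEBUG_REGISTERS
;     as 10010h (CONTEXT_i386 OR 10h). Confirm against the OS this targets.
;
; ABI: Win32 StdCall for the API calls. The OS calls `handler` with
;      [esp+4] = EXCEPTION_RECORD*, [esp+0Ch] = CONTEXT*; it returns the
;      disposition in eax.
;=============================================================================
.386
.Model Flat, StdCall

extrn ExitProcess       : PROC          ; terminate the process
extrn MessageBoxA       : PROC          ; show a message box
extrn GetCurrentThread  : PROC          ; pseudo-handle for the calling thread
extrn GetThreadContext  : PROC          ; read a thread's CONTEXT
extrn SetThreadContext  : PROC          ; write a thread's CONTEXT

;-----------------------------------------------------------------------------
; Constants
;-----------------------------------------------------------------------------
MB_OK                       equ 0       ; MessageBoxA style: single OK button
hWnd                        equ 0       ; no owner window

EXCEPTION_SINGLE_STEP       equ 080000004h ; EXCEPTION_RECORD.ExceptionCode
ExceptionContinueExecution  equ 0       ; SEH disposition returned in eax

CTX_FLAGS_READ              equ 07ch    ; ContextFlags for GetThreadContext (see NOTE)
CTX_FLAGS_WRITE             equ 018h    ; ContextFlags for SetThreadContext (see NOTE)

; x86 CONTEXT layout: only the fields this file touches are named.
CTX_DR0                     equ 004h    ; Dr0; Dr1..Dr3, Dr6, Dr7 follow at +4 each
CTX_EBP                     equ 0b4h    ; Ebp
CTX_EIP                     equ 0b8h    ; Eip
CONTEXT_SIZE                equ 02CCh   ; sizeof(CONTEXT) on x86
CTX_DR_BYTES                equ 01Ch    ; ContextFlags + Dr0..Dr3, Dr6, Dr7 = 7 DWORDs

; DR7 = 0155h: bits 0,2,4,6 = L0..L3 (local enable for each breakpoint),
; bit 8 = LE (local exact).  LEN/RW fields are 0 => 1-byte execute breaks.
DR7_LOCAL_ALL               equ 0155h

;-----------------------------------------------------------------------------
; Data
;-----------------------------------------------------------------------------
.Data
; The following fields form one CONTEXT structure that is passed by the
; address of cx_ContextFlags; keep them contiguous and in this order.
cx_ContextFlags DWORD 0                 ; CONTEXT.ContextFlags
cx_Dr0          DWORD 0                 ; debug register #0
cx_Dr1          DWORD 0                 ; debug register #1
cx_Dr2          DWORD 0                 ; debug register #2
cx_Dr3          DWORD 0                 ; debug register #3
cx_Dr6          DWORD 0                 ; debug register #6 (status, sticky)
cx_Dr7          DWORD 0                 ; debug register #7 (control)
; Pad out to a full CONTEXT.  The original 100h-byte pad ended at offset
; 11Ch, short of sizeof(CONTEXT); a full-structure write from
; GetThreadContext could then spill into the strings below.
space_1         db (CONTEXT_SIZE - CTX_DR_BYTES) dup (00h)

caption         db "DAEMON",0
text            db "TRACE ME FUCKER, TRACE ME!!!",0
text2           db "BAD BOY!!! breakpoint found @ "   ; no NUL: eip_found follows
eip_found       db 8 dup (00h)          ; 8 hex digits written by `convert`
                db 4 dup (00h)          ; explicit NUL terminator for text2
threadid        dd 0                    ; GetCurrentThread() result

;-----------------------------------------------------------------------------
; Code
;-----------------------------------------------------------------------------
.Code
Main:
        ; Install the SEH frame: [esp] = previous fs:[0], [esp+4] = handler.
        ; The frame is never unlinked because the process always exits.
        push    offset handler
        push    dword ptr fs:[0]
        mov     dword ptr fs:[0], esp

        call    GetCurrentThread
        mov     threadid, eax

        ; Read the current thread's CONTEXT into the buffer.
        mov     cx_ContextFlags, CTX_FLAGS_READ
        push    offset cx_ContextFlags
        push    dword ptr [threadid]
        call    GetThreadContext

        ; Arm DR0..DR3 on stop_here_soft_ice.  DR6 holds sticky status bits
        ; that the CPU does not clear, so it is reset explicitly.
        mov     cx_Dr0, offset stop_here_soft_ice
        mov     cx_Dr1, offset stop_here_soft_ice
        mov     cx_Dr2, offset stop_here_soft_ice
        mov     cx_Dr3, offset stop_here_soft_ice
        mov     cx_Dr6, 0
        mov     cx_Dr7, DR7_LOCAL_ALL

        mov     cx_ContextFlags, CTX_FLAGS_WRITE
        push    offset cx_ContextFlags
        push    dword ptr [threadid]
        call    SetThreadContext

stop_here_soft_ice:
        nop                             ; breakpoint target: raises
                                        ; EXCEPTION_SINGLE_STEP; `handler`
                                        ; advances Eip by 1 to skip it

        push    MB_OK
        push    offset caption
        push    offset text
        push    hWnd
        call    MessageBoxA
        push    0                       ; exit code (the original pushed none,
                                        ; so ExitProcess read a stale slot)
        call    ExitProcess

;-----------------------------------------------------------------------------
; handler — SEH exception handler
; In:   [esp+4]   = EXCEPTION_RECORD*
;       [esp+0Ch] = CONTEXT* (the context that execution resumes with)
; Out:  eax = ExceptionContinueExecution on the single-step path;
;       every other path ends in ExitProcess.
; Note: ebx/esi/edi are callee-saved under StdCall and are preserved on the
;       returning path.  DF is cleared before the stosd run.
;-----------------------------------------------------------------------------
handler:
        push    ebx
        push    esi
        push    edi
        mov     eax, [esp+0ch+04h]      ; EXCEPTION_RECORD* (3 pushes above it)
        cmp     dword ptr [eax], EXCEPTION_SINGLE_STEP
        jne     int_3_catched

        mov     ebx, [esp+0ch+0ch]      ; CONTEXT*
        lea     edi, dword ptr [ebx+CTX_DR0] ; edi -> Dr0
        mov     esi, 3*4                ; scan Dr3 down to Dr0 inclusive
scan_bpms:
        cmp     dword ptr [edi+esi], offset stop_here_soft_ice
        jne     debugger_found          ; a DRn no longer holds our address
        sub     esi, 04h
        jns     scan_bpms               ; the original stopped before Dr0
                                        ; (jnz); jns also checks esi = 0

        ; All four match: clear Dr0..Dr3, Dr6, Dr7 in the resume CONTEXT.
        cld
        xor     eax, eax
        stosd                           ; Dr0
        stosd                           ; Dr1
        stosd                           ; Dr2
        stosd                           ; Dr3
        stosd                           ; Dr6
        stosd                           ; Dr7
        mov     dword ptr [ebx+CTX_EBP], 'BCHK' ; BoundsChecker-interface marker
                                        ; (kept from the original: SoftICE
                                        ; stays quiet when it sees it)
        inc     dword ptr [ebx+CTX_EIP] ; resume after the 1-byte nop
        xor     eax, eax                ; = ExceptionContinueExecution
        pop     edi
        pop     esi
        pop     ebx
        ret

int_3_catched:
        ; Any other exception code: report the faulting Eip.
        mov     eax, [esp+0ch+0ch]      ; CONTEXT*
        mov     eax, [eax+CTX_EIP]
        mov     edx, offset eip_found
        call    convert
        jmp     give_out

debugger_found:
        mov     eax, dword ptr [edi+esi] ; the foreign DRn value
        mov     edx, offset eip_found
        call    convert

give_out:
        push    MB_OK
        push    offset caption
        push    offset text2            ; "BAD BOY!!! breakpoint found @ <hex>"
        push    hWnd
        call    MessageBoxA
        push    0                       ; exit code
        call    ExitProcess

;-----------------------------------------------------------------------------
; convert — format eax as 8 upper-case hex digits at [edx..edx+7]
; In:   eax = value, edx = destination (8 bytes; no terminator written)
; Out:  none
; Clobbers: eax, ecx, flags
;-----------------------------------------------------------------------------
convert:
        mov     ecx, 08
        rol     eax, 04h                ; pre-rotate: first ror yields nibble 0
here:
        ror     eax, 04h                ; next nibble (low first) into bits 3..0
        push    eax
        and     eax, 0000000Fh
        add     eax, 030h               ; '0'
        cmp     eax, 03ah               ; past '9' => letter
        jae     ahh
write:
        mov     byte ptr [edx+ecx-1], al ; nibble i lands at position 7-i
        pop     eax
        loop    here
        ret
ahh:
        sub     eax, 030h               ; back to 10..15
        sub     eax, 0ah                ; 0..5
        add     eax, 041h               ; 'A'..'F'
        jmp     write

End Main                                ; Main is the entry point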