;-----------------------------------------------------------------------------
; Single-step "tracing engine" sample (32-bit x86, flat model).
;
; Syntax : Intel operand order, TASM/MASM-style directives.
; Imports: ExitProcess, MessageBoxA, GetTickCount (GetTickCount is declared
;          but never called in this file).
;
; Flow as written:
;   1. Main reads the IDT base with SIDT, rewrites the offset of the gate for
;      vector 5 so it points at `setup`, triggers it with `int 5`, then puts
;      the original offset back.
;   2. `setup` issues a raw VMMCall (Hook_PM_Fault, per the author's comment)
;      that registers `tracer` for fault number 1.
;   3. Main sets the trap flag, reads DR7 and shows one of two message boxes
;      depending on whether the value read was zero.
;
; NOTE(review): step 1 stores into the IDT from the application itself. That
; only succeeds where the IDT is writable from the caller's privilege level;
; elsewhere the store is expected to fault. The VMMCall encoding implies a
; VMM/VxD environment - presumably Windows 9x; confirm before relying on it.
;-----------------------------------------------------------------------------
.586p
.Model Flat

extrn ExitProcess : PROC
extrn MessageBoxA : PROC
extrn GetTickCount : PROC

.Data
caption db "daemon@I.LOVE.YOU.COM",0     ; title used for both message boxes
text db "You have traced me!",0          ; shown when the DR7 read yields 0
text3 db "good boy!!!!",0                ; shown when the DR7 read is non-zero
text2 db "sorry i wasn't able to install my tracing engine",0 ; hook setup failed
text4 db "second msg",0                  ; not referenced anywhere in this file
old_fault_handler dd ?                   ; never written or read in this file
bad_setup dd ?                           ; set to 1 by `setup` on failure; never explicitly cleared
counter dd ?                             ; incremented once per `tracer` invocation; never read

.Code
Main:
        ; --- locate the IDT and the gate for vector 5 ------------------------
        push    edx                     ; reserve one dword for SIDT's 6-byte store
        sidt    [esp-2]                 ; limit -> [esp-2], IDT base -> [esp]
        pop     edx                     ; edx = IDT base
        add     edx,5*8+4               ; edx -> high dword of the 8-byte gate for vector 5

        ; --- remember the original handler offset in ebx ---------------------
        mov     ebx,[edx]               ; upper half of ebx = offset bits 31..16
        mov     bx,word ptr [edx-4]     ; lower half of ebx = offset bits 15..0

        ; --- point the gate's offset at `setup` ------------------------------
        lea     edi,setup
        mov     [edx-4],di              ; gate bytes 0..1 = low word of setup
        ror     edi,16
        mov     [edx+2],di              ; gate bytes 6..7 = high word of setup

        ; --- invoke `setup` through the modified gate ------------------------
        push    ds                      ; ds/es are saved around the interrupt
        push    es
        int     5                       ; enters `setup`; it returns with iret
        pop     es
        pop     ds

        ; --- restore the original offset from ebx ----------------------------
        mov     [edx-4],bx
        ror     ebx,16
        mov     [edx+2],bx

        ; --- report failure if `setup` flagged one ---------------------------
        cmp     bad_setup,1             ; relies on bad_setup not starting out as 1 (declared `dd ?`)
        jne     okay
        push    0                       ; uType
        push    offset caption          ; lpCaption
        push    offset text2            ; lpText
        push    0                       ; hWnd
        call    MessageBoxA
        call    ExitProcess             ; NOTE(review): no exit-code argument is pushed before this call

;----- set the trap flag so every following instruction raises a single-step exception
okay:
        pushfd
        or      byte ptr [esp+1],1h     ; bit 0 of the second EFLAGS byte = bit 8 = TF
        popfd
        nop                             ; first instruction executed with TF set

;----- from here on each instruction is followed by a single-step exception
        lea     edx,text                ; default message: "You have traced me!"
        xor     eax,eax
        mov     eax,dr7                 ; debug-register read; `tracer` looks for this opcode
                                        ; NOTE(review): tracer does not advance the saved EIP, so
                                        ; this instruction still executes after the handler returns
        cmp     eax,0
        jz      it_doesnt_worx          ; zero -> keep the default message
        lea     edx,text3               ; non-zero -> "good boy!!!!"
it_doesnt_worx:
        push    0                       ; uType
        push    offset caption          ; lpCaption
        push    edx                     ; lpText selected above
        push    0                       ; hWnd
        call    MessageBoxA
        call    ExitProcess             ; NOTE(review): again called without a pushed argument

free_space db 0100h dup (00h)           ; 256 zero bytes in the code section; not referenced in this file

;-----------------------------------------------------------------------------
; tracer - handler registered by `setup` for fault number 1.
;
; In   : edi = pointer to a structure whose dword at +4Ch is used as a
;        pointer to the saved client registers. The offsets +24h and +1Ch
;        are then treated as the saved EIP and saved EAX - presumably the
;        VMM Client_Reg_Struc layout; confirm against the VMM headers.
; Out  : if the bytes at the saved EIP are 0Fh 21h, the saved EAX is replaced
;        with the current DR7 value.
; Saves: all general registers and EFLAGS (pushad/pushfd ... popad/popfd).
;-----------------------------------------------------------------------------
tracer:
        pushfd
        pushad
        inc     counter                 ; count invocations
stop:
        mov     byte ptr [stop],090h    ; self-modifying: writes 90h (NOP opcode) over this
                                        ; instruction's own first byte
                                        ; NOTE(review): intent not evident from this file; needs
                                        ; the code page to be writable in this context
        mov     eax,[edi+04ch]          ; eax = pointer to the saved register block
        mov     ebx,[eax+024h]          ; ebx = saved EIP of the interrupted code
        cmp     word ptr [ebx],0210fh   ; bytes 0Fh,21h = opcode of `mov r32,DRn`
                                        ; the ModRM byte is not checked, so any debug-register
                                        ; read matches and the result always goes to saved EAX
        jne     no_dr
        mov     ebx,dr7
        mov     [eax+01ch],ebx          ; saved EAX = DR7
no_dr:
        popad
        popfd
        ret

;-----------------------------------------------------------------------------
; setup - reached from Main's `int 5` through the modified gate.
;
; Registers `tracer` as the handler for fault number 1 and returns with iret.
; On failure (carry set after the service call) bad_setup is set to 1 so Main
; can report it.
; NOTE(review): old_fault_handler is never written in this file, so any
; previous-handler value the service may return is not kept and `tracer`
; does not chain to it.
;-----------------------------------------------------------------------------
setup:
        mov     eax,1                   ; fault number 1 (debug / single-step exception)
        mov     esi,offset tracer       ; handler address
        db      0cdh,020h,080h,00h,01h,00h ; raw bytes: int 20h followed by dword 00010080h
                                        ; (VMMCall Hook_PM_Fault, per the author's comment)
        jc      error_on_setup          ; carry set -> hook was not installed
        iret                            ; success: back to Main after `int 5`

error_on_setup:
        mov     bad_setup,1             ; record the failure for Main's check
        iret                            ; back to Main after `int 5`

End Main                                ; end of source; Main is the entry point