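;-----------------------------------------------------------------------------
; a ring0-tracer with api-skipping
;
; Syntax/target: MASM, Intel syntax, 32-bit flat model, Windows 9x only.
;
; How it works (all visible below):
;   1. Main reads the IDT base with SIDT and rewrites the offset of the INT 5
;      gate (from ring 3 -- this only works because Windows 9x leaves the IDT
;      writable from user mode; on a kernel that protects the IDT the write
;      faults and the process dies before the bad_setup check is reached).
;   2. "int 5" then runs `setup` at ring 0, which registers int1_tracer and
;      int3_tracer through the VMM service Hook_PM_Fault, and the original
;      gate is restored.
;   3. Main sets TF in EFLAGS; from then on every instruction raises INT 1
;      and int1_tracer runs.  When the next instruction is a near CALL
;      (E8 rel32) the tracer plants an INT 3 (0CCh) at the return address,
;      clears the client's TF so the callee is not single-stepped, and
;      int3_tracer restores the byte and re-enables TF when the callee
;      returns.  That is the "api skipping".
;
; Caveats a maintainer must know:
;   * The fault hooks are never removed.  After ExitProcess they still point
;     into this process's (now freed) address space, so the next ring-3 INT 1
;     or INT 3 anywhere on the machine dispatches into garbage.  The VMM has an
;     unhook counterpart for Hook_PM_Fault (Win95+) -- verify its service
;     number in your DDK and call it from ring 0 before exiting.
;   * Hook_PM_Fault is system-wide: the hooks see INT 1 / INT 3 from every
;     ring-3 process.  The handlers below therefore only read or patch memory
;     when Client_EIP lies inside this program's own code range
;     (Main..free_space) and only touch an INT 3 they planted themselves.
;     A different process whose code happens to sit at the same linear
;     address cannot be told apart here.
;   * While the INT 5 gate is patched, any other BOUND/INT 5 fault on the
;     machine also lands in `setup`.  The window is a few instructions long.
;   * The tracer writes into the code page (0CCh at the return address), so
;     the code section must be writable to ring 0 on this build.
;   * The client-register pointer is fetched as [edi+4Ch]; the author's build
;     evidently relied on EDI pointing at a VMM structure whose +4Ch field is
;     the Client_Reg_Struc.  The documented entry convention for VMM fault
;     hooks is EBP = Client_Reg_Struc -- confirm against your vmm.inc before
;     trusting this on another release.
;-----------------------------------------------------------------------------
.586p
.Model Flat

extrn ExitProcess  : PROC
extrn MessageBoxA  : PROC
extrn GetTickCount : PROC

;----- IDT / descriptor layout
IDT_INT5_OFFSET         equ 5*8         ; gate #5 (#BR / "int 5") in the IDT

;----- Client_Reg_Struc offsets (VMM client register block)
CLIENT_EAX              equ 01ch
CLIENT_EIP              equ 024h
CLIENT_EFLAGS           equ 02ch
TF_BIT_HI               equ 01h         ; EFLAGS.TF is bit 8 -> bit 0 of byte +1

;----- opcodes we pattern-match at Client_EIP
OP_CALL_NEAR            equ 0e8h        ; call rel32, 5 bytes
OP_INT3                 equ 0cch
OP_MOV_R32_DR_WORD      equ 0210fh      ; bytes 0F 21 (mov r32,drN), little-endian word
MODRM_EAX_DR7           equ 0f8h        ; modrm for "mov eax,dr7"

;----- VMMCall encoding: int 20h followed by the 32-bit service id
VMMCALL_HOOK_PM_FAULT   equ 00010080h   ; VMM service Hook_PM_Fault

.Data
caption   db "daemon@I.LOVE.YOU.COM",0
text      db "You have traced me!",0
text3     db "traced successfully!",0
text2     db "sorry i wasn't able to install my tracing engine",0
bad_setup dd 0                          ; set to 1 by setup on hook failure
counter   dd 0                          ; number of INT 1 traps seen (diagnostic only)
save_code db ?                          ; original byte under the planted 0CCh
save_addr dd 0                          ; address of the planted 0CCh, 0 = none armed

.Code
Main:
        ;-- find the IDT and point edx at byte 4 of the INT 5 gate
        ;   (type/attr + offset[31:16]); bytes 0-1 (offset[15:0]) are at edx-4.
        ;   sidt stores limit:16 + base:32; use explicit scratch space instead
        ;   of writing below ESP.
        sub     esp,8
        sidt    [esp]
        mov     edx,[esp+2]             ; edx = linear base of the IDT
        add     esp,8
        add     edx,IDT_INT5_OFFSET+4

        ;-- save the original handler offset as ebx = offset[31:16]:offset[15:0]
        mov     ebx,[edx]
        mov     bx,word ptr [edx-4]

        ;-- point the gate at `setup` (selector byte stays the kernel CS)
        lea     edi,setup
        mov     [edx-4],di
        ror     edi,16
        mov     [edx+2],di

        ;-- enter ring 0; ds/es are saved in case the VMM path changes them
        push    ds
        push    es
        int     5
        pop     es
        pop     ds

        ;-- restore the original INT 5 gate as soon as we are back
        mov     [edx-4],bx
        ror     ebx,16
        mov     [edx+2],bx

        ;-- did setup manage to install both hooks?
        cmp     bad_setup,1
        jne     okay
        push    0
        push    offset caption
        push    offset text2
        push    0
        call    MessageBoxA
        call    ExitProcess

okay:
        ;-- set TF: every following instruction traps to int1_tracer
        pushfd
        or      byte ptr [esp+1],TF_BIT_HI
        popfd
        nop                             ; first single-step trap fires here

        ;-- busy loop so the trace overhead is visible
        mov     edx,010h
again:
        mov     ecx,02000h
first_one:
        loop    first_one
        dec     edx
        jnz     again

        ;-- `mov eax,dr7` is privileged; int1_tracer emulates it and skips it.
        ;   A non-zero result means the engine is alive.
        lea     edx,text
        xor     eax,eax
        mov     eax,dr7
        cmp     eax,0
        jz      it_doesnt_worx
        lea     edx,text3
it_doesnt_worx:
        push    0
        push    offset caption
        push    edx
        push    0
        call    MessageBoxA             ; E8 call: skipped by the engine

        ;-- second round: proves TF was re-enabled after the skipped call
        mov     edx,010h
again2:
        mov     ecx,02000h
first_one2:
        loop    first_one2
        dec     edx
        jnz     again2

        lea     edx,text
        xor     eax,eax
        mov     eax,dr7
        cmp     eax,0
        jz      it_doesnt_worx2
        lea     edx,text3
it_doesnt_worx2:
        push    0
        push    offset caption
        push    edx
        push    0
        call    MessageBoxA
        call    ExitProcess             ; NOTE: hooks are still installed here

;-- end-of-range marker for the "is this our code?" checks in the tracers
free_space db 0100h dup (00h)

;-----------------------------------------------------------------------------
; int1_tracer -- ring-0 handler for the single-step trap (INT 1)
;
; Entry (as registered via Hook_PM_Fault): [edi+4Ch] -> Client_Reg_Struc
;   of the faulting ring-3 thread (see file header caveat).
; Side effects:
;   * counter++ on every trap
;   * if the next instruction is exactly "mov eax,dr7": writes DR7 into
;     Client_EAX and advances Client_EIP past the 3-byte instruction.  Without
;     the advance the privileged instruction would still execute at CPL 3
;     after the iret (the original code did not advance and relied on the VMM).
;   * if the next instruction is a near CALL inside Main..free_space and no
;     breakpoint is armed: plants 0CCh at the return address, records the
;     original byte/address, and clears the client's TF so the callee is not
;     traced.  If a breakpoint is already armed the call is simply traced.
; Returns with `ret`: the fault is always reported as handled to the VMM.
;-----------------------------------------------------------------------------
int1_tracer:
        pushfd
        pushad
        inc     counter
        mov     eax,[edi+04ch]          ; eax -> Client_Reg_Struc
        mov     ebx,[eax+CLIENT_EIP]    ; ebx = next ring-3 instruction

        ;-- never dereference or patch addresses outside our own code range
        cmp     ebx,offset Main
        jb      int1_done
        cmp     ebx,offset free_space
        ja      int1_done

        ;-- emulate "mov eax,dr7" (0F 21 F8)
        cmp     word ptr [ebx],OP_MOV_R32_DR_WORD
        jne     int1_not_dr
        cmp     byte ptr [ebx+2],MODRM_EAX_DR7
        jne     int1_not_dr             ; other mov r32,drN forms are not emulated
        mov     ecx,dr7                 ; keep ebx = Client_EIP intact
        mov     [eax+CLIENT_EAX],ecx
        add     dword ptr [eax+CLIENT_EIP],3
        jmp     int1_done

int1_not_dr:
        ;-- api skipping: arm an INT 3 at the return address of a near call
        cmp     byte ptr [ebx],OP_CALL_NEAR
        jne     int1_done
        cmp     save_addr,0
        jne     int1_done               ; one armed site at a time
        lea     ecx,[ebx+5]             ; return address of the 5-byte call
        mov     dl,[ecx]
        mov     save_code,dl
        mov     save_addr,ecx
        mov     byte ptr [ecx],OP_INT3
        and     byte ptr [eax+CLIENT_EFLAGS+1],not TF_BIT_HI ; stop stepping into the callee

int1_done:
        popad
        popfd
        ret

;-----------------------------------------------------------------------------
; int3_tracer -- ring-0 handler for the breakpoint trap (INT 3)
;
; Entry: [edi+4Ch] -> Client_Reg_Struc.  INT 3 traps with Client_EIP one byte
;   past the 0CCh.
; Only acts on the breakpoint int1_tracer planted (address == save_addr):
;   restores the original byte, rewinds Client_EIP so it executes, clears the
;   armed record and re-enables the client's TF.
; Any other INT 3 (another process's debugger breakpoint) is left untouched;
;   it is still swallowed, as in the original.  Chaining to the previous
;   handler would be the proper fix -- Hook_PM_Fault is documented to return
;   the previous hook address; verify the register it is returned in before
;   relying on it.
;-----------------------------------------------------------------------------
int3_tracer:
        pushfd
        pushad
        mov     eax,[edi+04ch]          ; eax -> Client_Reg_Struc
        mov     ebx,[eax+CLIENT_EIP]
        dec     ebx                     ; ebx = address of the 0CCh that fired
        cmp     ebx,save_addr
        jne     int3_done               ; not ours: do not patch foreign memory
        mov     [eax+CLIENT_EIP],ebx    ; re-execute the restored instruction
        mov     cl,save_code
        mov     [ebx],cl
        mov     save_addr,0
        or      byte ptr [eax+CLIENT_EFLAGS+1],TF_BIT_HI   ; resume tracing
int3_done:
        popad
        popfd
        ret

;-----------------------------------------------------------------------------
; setup -- runs at ring 0 via the hijacked INT 5 gate; installs both hooks.
;
; Hook_PM_Fault is called with EAX = fault number, ESI = handler address and
; reports failure with CF set.  On failure bad_setup is set and Main refuses
; to enable tracing.  The CF check is done here, in the routine that owns the
; stack frame: the original jumped out of hook_it_now with its return address
; still on the stack, so the error path's iret would have popped that return
; address as the new EIP.
; NOTE: if the second hook fails the INT 1 hook stays installed.
;-----------------------------------------------------------------------------
setup:
        mov     eax,1                   ; INT 1: single-step
        mov     esi,offset int1_tracer
        call    hook_it_now
        jc      error_on_setup
        mov     eax,3                   ; INT 3: breakpoint
        mov     esi,offset int3_tracer
        call    hook_it_now
        jc      error_on_setup
        iret                            ; back to ring 3 after "int 5"

error_on_setup:
        mov     bad_setup,1
        iret

;-- VMMCall Hook_PM_Fault; CF = failure, preserved across the ret
hook_it_now:
        int     20h
        dd      VMMCALL_HOOK_PM_FAULT
        ret

End Main                                ; Main is the entry point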