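;-----------------------------------------------------------------------
; DETECTING \TRACEX
; IN ICEDUMP VERSION: 6.0.2.4
;
; idea in here is simple! \tracex command
; sets up a fake idt and this is what we use
; to detect it!
;
; muzic: Pasquale Maassen - Destruction
; coder: daemon
; lang : assembler (Intel syntax, MASM/TASM, 32-bit flat model)
; os   : w9x ONLY!
;
; ABI: the imported Win32 API calls are stdcall (arguments pushed
; right-to-left, callee cleans the stack).
;
; What this listing shows: read the IDT base with sidt, locate the
; INT 1 (single-step) handler through its gate descriptor, overwrite
; its first byte with IRET, raise one single-step trap by setting TF,
; restore the byte, then test the byte following the handler entry.
; Which value that byte takes with and without the fake IDT is not
; determinable from this file.
;
; The page restricts this to Win9x; presumably that is where ring-3
; code can read the IDT with sidt and write into the handler memory it
; points at - on other platforms those steps would fault. That pair of
; operations is also what makes the check observable to a monitor.
;-----------------------------------------------------------------------
.586p
.Model Flat

extrn ExitProcess : PROC
extrn MessageBoxA : PROC
extrn LoadLibraryA : PROC               ; declared but not used in this listing
extrn GetProcAddress : PROC             ; declared but not used in this listing

.Data
caption db "daemon",0
text    db "ran normal!",0
text2   db "bad boy! u've used \tracex command!",0

.Code
; Register roles in main:
;   edx = IDT base, then a pointer inside the INT 1 gate descriptor
;   esi = linear address of the INT 1 handler (one past it after lodsb)
;   al  = original first byte of the handler, kept across the trap
;   ebx = cleared by cant_trace, written by handler, never read afterwards
main:
        ; Install an SEH frame {prev, handler} on the stack: handler is
        ; pushed first so it sits at [esp+4] and the saved fs:[0] at
        ; [esp+0], matching the EXCEPTION_REGISTRATION layout.
        push    offset handler
        push    dword ptr fs:[0]
        mov     dword ptr fs:[0],esp    ; set-up new exception handler

        ; sidt stores a 2-byte limit followed by the 4-byte base. Storing
        ; at esp-2 puts the base exactly in the slot edx was pushed into,
        ; so the pop yields the IDT base; the limit lands in the two
        ; bytes below esp, which nothing else touches here.
        push    edx
        sidt    [esp-2]                 ; Interrupt table to stack
        pop     edx

        ; The INT 1 gate descriptor is at base + 1*8. After the +4,
        ; [edx+2] is the high word of the handler offset (descriptor+6)
        ; and [edx-4] the low word (descriptor+0); the descriptor's code
        ; selector is ignored (flat model assumed).
        add     edx,1*8+4               ; Get interrupt vector
        mov     si,[edx+2]
        ror     esi,16
        mov     si,[edx-4]

        ; al = original first byte of the INT 1 handler; esi now points
        ; one past it, hence the [esi-1] addressing below.
        lodsb
        mov     byte ptr [esi-1],0cfh   ; put an iret @ it (int 1 handler)
        call    cant_trace              ; zeroes ebx; ebx is not read again

        ; Set TF (EFLAGS bit 8 = bit 0 of byte 1 of the pushed image).
        ; The single-step trap fires after the instruction following
        ; popfd, i.e. after the nop.
        pushfd
        or      byte ptr [esp+1],01
        popfd
        nop                             ; trap flag
        mov     byte ptr [esi-1],al     ; restore the original first byte

        ; MessageBoxA(hWnd=0, lpText, lpCaption=caption, uType=0);
        ; lpText is chosen by the byte after the handler entry.
        xor     eax,eax
        push    0
        push    offset caption
        cmp     byte ptr [esi],00
        jne     not_traced_1
        push    offset text2
        jmp     _boy
not_traced_1:
        push    offset text
_boy:
        push    0
        call    MessageBoxA
        ; ExitProcess(uExitCode) is stdcall with one argument; without
        ; the push, the saved fs:[0] left on the stack top would be
        ; consumed as the exit code. The SEH frame is deliberately left
        ; installed because the process terminates here.
        push    0
        call    ExitProcess

;-----------------------------------------------
;
; and here is the exception handler
;
;-----------------------------------------------
; SEH handler. On entry (as called by the dispatcher):
;   [esp+4]  ExceptionRecord
;   [esp+8]  EstablisherFrame
;   [esp+0ch] ContextRecord
; Returns eax = 0 (ExceptionContinueExecution), so a trap that reaches
; user mode resumes from the saved context. Clobbers ebx (not restored).
handler:
        mov     ebx,[esp+0ch]           ; get context struc pointer
retu:
        xor     eax,eax
        ret                             ; return from exception handler

; Leaf helper: only clears ebx. Clobbers: ebx, flags.
cant_trace:
        xor     ebx,ebx
        ret

End Main                                ;End of code, Main is the entrypoint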